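# NixOS host configuration for "labsrv01": disk layout import, binary caches,
# sops-nix secrets, one admin user, systemd-resolved/NetworkManager DNS,
# OpenSSH with sops-managed host keys, and first-boot Secure Boot key setup.
{ modulesPath, lib, pkgs, sops, config, ... }@args:
{
  imports = [ ./disk-config.nix ];

  hardware.facter.reportPath = ./facter.json;

  nix = {
    extraOptions = ''
      experimental-features = ca-derivations nix-command flakes
    '';
    settings = {
      substituters = [
        "https://cache.nixos.org"
        "https://cache.ngi0.nixos.org/"
      ];
      # Store paths signed by this key are accepted from a substituter without
      # being rebuilt locally, so the list is a trust decision, not a tuning knob.
      trusted-public-keys = [
        "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA="
      ];
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Secrets are decrypted with the age identity derived from this SSH key.
    # NOTE(review): sshd below serves its host keys from sops secrets rather
    # than from /etc/ssh, so this file presumably has to be provisioned out of
    # band before the first activation -- confirm against the install process.
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    age.generateKey = false;
    secrets = {
      # Not referenced elsewhere in this file; presumably consumed by
      # ./disk-config.nix -- verify.
      luks_passphrase = { };
      # neededForUsers makes the secret available before user accounts are created.
      kj_hashed_password = {
        neededForUsers = true;
      };
      ssh_host_key_ed25519 = { };
      ssh_host_key_rsa = { };
    };
  };

  boot.loader.systemd-boot.enable = true;

  system.stateVersion = "25.11";

  swapDevices = [
    {
      device = "/swap/swapfile";
      size = 32768; # MiB
    }
  ];

  security.sudo.enable = true;

  # Accounts and passwords come only from this configuration; changes made
  # with passwd/useradd on the host do not persist.
  users.mutableUsers = false;
  users.groups.kjtsanaktsidis = { };
  users.users = {
    kjtsanaktsidis = {
      createHome = true;
      isNormalUser = true;
      description = "KJ Tsanaktsidis";
      group = "kjtsanaktsidis";
      # "wheel" grants sudo; this is the only administrative account defined here.
      extraGroups = [
        "wheel"
        "networkmanager"
      ];
      shell = pkgs.zsh;
      hashedPasswordFile = config.sops.secrets.kj_hashed_password.path;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAC/BtvW1c1RbBI8eeGo7oOH2y9byBaxWVDHsErgaE+s kjtsanaktsidis@KJMacbookGroq.local"
        # The key type was written twice on this entry ("ssh-ed25519 ssh-ed25519 ..."),
        # which does not parse as an authorized_keys line; the duplicate is removed
        # so the key is actually usable.
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsyhMLrlNiffDrqz0s46hZF8IdR9/qX63TUyllK0LCA kj@KJ-PC"
      ];
    };
  };

  # Enable systemd-resolved for DNS
  # LLMNR and mDNS answer name queries from any host on the local link, so on a
  # segment shared with untrusted peers the answers can be spoofed. "resolve"
  # or "false" narrows this if the host does not need to be discoverable.
  services.resolved = {
    enable = true;
    llmnr = "true";
    extraConfig = ''
      MulticastDNS=yes
    '';
  };

  networking.hostName = "labsrv01";
  # NOTE(review): 127.0.0.53 is the resolved stub listener itself; confirm that
  # the upstream servers are expected to come from NetworkManager.
  networking.nameservers = [ "127.0.0.53" ];
  networking.networkmanager = {
    enable = true;
    dns = "systemd-resolved";
    # Enable mDNS on NetworkManager connections
    connectionConfig = {
      "connection.mdns" = "2"; # 2 = yes (resolve & register)
    };
  };

  # Host keys are read from sops-decrypted files, so the host identity is
  # whatever secrets.yaml contains rather than keys generated on the machine.
  # NOTE(review): no services.openssh.settings are set here, so password and
  # root-login policy fall back to the NixOS module defaults. The only user has
  # both a password hash and authorized keys; if key-only login is intended,
  # set settings.PasswordAuthentication = false explicitly.
  services.openssh = {
    enable = true;
    hostKeys = [
      {
        type = "ed25519";
        path = config.sops.secrets.ssh_host_key_ed25519.path;
      }
      {
        type = "rsa";
        path = config.sops.secrets.ssh_host_key_rsa.path;
      }
    ];
  };

  environment.systemPackages = with pkgs; [ sbctl ];

  # Enable zsh system-wide
  programs.zsh.enable = true;

  # Disable Alt+Left/Right virtual terminal switching
  console.keyMap = "us";

  # Create systemd service to disable only Alt+Arrow VT switching
  systemd.services.disable-alt-arrow-vt = {
    description = "Disable Alt+Arrow VT switching";
    wantedBy = [ "multi-user.target" ];
    # Runs after the console keymap is applied so these bindings are not overwritten.
    after = [ "systemd-vconsole-setup.service" ];
    script = ''
      # Define string sequences for Alt+Arrow that generate proper terminal escape sequences
      cat << 'EOF' | ${pkgs.kbd}/bin/loadkeys
      string F200 = "\033[1;3D"
      string F201 = "\033[1;3C"
      alt keycode 105 = F200
      alt keycode 106 = F201
      EOF
    '';
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
  };

  # Create and enroll Secure Boot keys on first boot
  # NOTE(review): nothing in this file signs the boot loader or kernel with the
  # enrolled keys; confirm that signing is handled elsewhere before Secure Boot
  # is switched to enforcing, otherwise the machine will refuse to boot.
  systemd.services.sbctl-setup = {
    description = "Create and enroll Secure Boot keys";
    wantedBy = [ "multi-user.target" ];
    # Skipped once sbctl has created its key material.
    unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      # Check if we're in Setup Mode.
      # sbctl prints the "Setup Mode:" label whether the mode is enabled or
      # disabled, so the state word has to be matched too; matching the label
      # alone always succeeds and the warning branch is never reached.
      if ${pkgs.sbctl}/bin/sbctl status | grep -Eq "Setup Mode:.*Enabled"; then
        echo "Creating Secure Boot keys..."
        ${pkgs.sbctl}/bin/sbctl create-keys
        echo "UEFI is in Setup Mode, enrolling keys..."
        # --microsoft also enrolls Microsoft's certificates next to the local keys.
        ${pkgs.sbctl}/bin/sbctl enroll-keys --microsoft
      else
        # Keys are deliberately not created here: creating them would satisfy
        # the unit's ConditionPathExists guard and the enrollment would never
        # be retried after the firmware is put into Setup Mode.
        echo "WARNING: UEFI is not in Setup Mode. Please clear Secure Boot keys in UEFI and reboot."
      fi
    '';
  };
}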