{ config, lib, pkgs, inputs, ... }:
let
  inherit (lib) mkDefault versionAtLeast;

  # Every flake input except the flake itself ("self"). The same names are
  # used for the NIX_PATH entries and for the symlinks under /etc/nix/channels.
  inputNames = builtins.attrNames (removeAttrs inputs [ "self" ]);
  mapInputs = fn: map fn inputNames;

  # On-disk location at which input <name> is exposed as a channel.
  channelPath = name: "/etc/nix/channels/${name}";

  # Name of the root password option to set. The option was renamed to
  # hashedPasswordFile in NixOS 23.11. Deriving the name from stateVersion is a
  # stand-in for checking the nixpkgs release actually in use and is imprecise
  # (stateVersion and the nixpkgs revision are independent); the original
  # author asks that this shortcut not be copied elsewhere.
  passwordOption =
    if versionAtLeast config.system.stateVersion "23.11"
    then "hashedPasswordFile"
    else "passwordFile";
in
{
  imports = [ ../shared ];

  # --- locale -------------------------------------------------------------
  i18n = {
    defaultLocale = "en_US.UTF-8";
    supportedLocales = [ "en_US.UTF-8/UTF-8" ];
  };

  # --- documentation -------------------------------------------------------
  environment.systemPackages = [ pkgs.man-pages pkgs.man-pages-posix ];
  documentation.man = {
    man-db.enable = mkDefault true;
    generateCaches = mkDefault true;
  };

  # --- nix -----------------------------------------------------------------
  nix = {
    # Pin NIX_PATH to the flake inputs so legacy <nixpkgs> lookups resolve to
    # the same revision the flake is built from.
    nixPath = mapInputs (name: "${name}=${channelPath name}");
    gc.dates = mkDefault "weekly";
    # NOTE(review): trusted users may override daemon settings such as
    # substituters and signature checks, which amounts to root-level control
    # of the store; keep the wheel group small.
    settings.trusted-users = [ "root" "@wheel" ];
  };

  # Expose each input's store path under /etc/nix/channels/<name>.
  systemd.tmpfiles.rules =
    mapInputs (name: "L+ ${channelPath name} - - - - ${inputs.${name}.outPath}");

  # --- networking ----------------------------------------------------------
  networking.networkmanager = {
    enable = mkDefault true;
    dns = mkDefault "systemd-resolved";
  };

  services = {
    resolved = {
      enable = mkDefault true;
      # allow-downgrade: validate DNSSEC when the upstream supports it, fall
      # back to unvalidated answers otherwise.
      dnssec = mkDefault "allow-downgrade";
      extraConfig = mkDefault ''
        [Resolve]
        DNS=1.1.1.1 1.0.0.1
        DNSOverTLS=yes
      '';
    };
    dbus.apparmor = mkDefault "enabled";
    journald.extraConfig = ''
      MaxRetentionSec=1w
    '';
  };

  # --- hardening -----------------------------------------------------------
  security = {
    apparmor.enable = mkDefault true;
    audit.enable = mkDefault true;
    auditd.enable = mkDefault true;
    polkit.enable = mkDefault true;
    rtkit.enable = mkDefault true;
    # Only wheel members may execute the sudo binary at all.
    sudo.execWheelOnly = true;
  };

  programs = {
    git.enable = mkDefault true;
    vim.defaultEditor = mkDefault true;
  };

  # Print the package diff between the running system and the one being
  # activated; also runs on dry activation.
  system.activationScripts."upgrade-diff" = {
    supportsDryActivation = true;
    text = ''
      ${pkgs.nvd}/bin/nvd --nix-bin-dir=${config.nix.package}/bin diff /run/current-system "$systemConfig"
    '';
  };

  # --- users ---------------------------------------------------------------
  users = {
    # Users are fully declarative; nothing created outside this config survives.
    mutableUsers = false;
    defaultUserShell = pkgs.bash;
    users.root = {
      home = mkDefault "/root";
      uid = mkDefault config.ids.uids.root;
      group = mkDefault "root";
      # Root password hash is sourced from the decrypted age secret.
      ${passwordOption} = mkDefault config.age.secrets.rootPassword.path;
    };
  };
}