2026-06-04 13:57:44 +00:00
|
|
|
# Form-factor-agnostic base for the physical graphical NixOS machines. Imported
|
|
|
|
|
# by both ./laptop.nix and ./desktop.nix; those add only the bits that differ
|
|
|
|
|
# between portable and desktop hosts (chiefly the networking backend).
|
2026-06-04 15:22:07 +01:00
|
|
|
#
|
|
|
|
|
# The bootloader is NOT set here -- it is firmware-specific, not form-factor:
|
|
|
|
|
# UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.
|
|
|
|
|
# Each machine config declares its own.
|
2026-06-04 13:57:44 +00:00
|
|
|
{ ... }:
|
|
|
|
|
{
|
|
|
|
|
features.swayDesktop.enable = true;
|
|
|
|
|
|
|
|
|
|
console.keyMap = "dvorak";
|
|
|
|
|
|
|
|
|
|
# Default-deny inbound. Hosts that run a listening service open their own
|
|
|
|
|
# ports next to where the service is enabled (e.g. sshd -> 22 on X1).
|
|
|
|
|
networking.firewall.enable = true;
|
2026-06-10 14:56:58 +01:00
|
|
|
|
|
|
|
|
# Disk hygiene for the physical hosts. fstrim reclaims unused SSD blocks on a
|
|
|
|
|
# weekly timer; cleanOnBoot wipes /tmp at every boot.
|
|
|
|
|
services.fstrim.enable = true;
|
|
|
|
|
boot.tmp.cleanOnBoot = true;
|
|
|
|
|
|
|
|
|
|
# Audio. PipeWire with the PulseAudio shim covers every graphical host; no
|
|
|
|
|
# per-machine audio config is needed.
|
|
|
|
|
services.pipewire = {
|
|
|
|
|
enable = true;
|
|
|
|
|
pulse.enable = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# swaylock PAM stack. None of these machines has working fingerprint auth, so
|
|
|
|
|
# an empty service is enough -- swaylock falls back to password.
|
|
|
|
|
security.pam.services.swaylock = { };
|
|
|
|
|
|
|
|
|
|
# Redistributable firmware (GPU/Wi-Fi/NIC blobs) for the x86 hosts. Harmless
|
|
|
|
|
# on the Asahi MBP, which supplies its own peripheral firmware out-of-band.
|
|
|
|
|
hardware.enableRedistributableFirmware = true;
|
2026-06-04 13:57:44 +00:00
|
|
|
}
|
