system/modules/workstation.nix

# Form-factor-agnostic base for the physical graphical NixOS machines. Imported
# by both ./laptop.nix and ./desktop.nix; those add only the bits that differ
# between portable and desktop hosts (chiefly the networking backend).
#
# The bootloader is NOT set here -- it is firmware-specific, not form-factor:
# UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.
# Each machine config declares its own.
{ ... }:
{
  features.swayDesktop.enable = true;

  console.keyMap = "dvorak";

  # Default-deny inbound. Hosts that run a listening service open their own
  # ports next to where the service is enabled (e.g. sshd -> 22 on X1).
  networking.firewall.enable = true;
}
refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`# Form-factor-agnostic base for the physical graphical NixOS machines. Imported`
			`# by both ./laptop.nix and ./desktop.nix; those add only the bits that differ`
			`# between portable and desktop hosts (chiefly the networking backend).`
refactor(nixos): declare bootloader per-host, not in workstation.nix 2026-06-04 15:22:07 +01:00			`#`
			`# The bootloader is NOT set here -- it is firmware-specific, not form-factor:`
			`# UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.`
			`# Each machine config declares its own.`
refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`{ ... }:`
			`{`
			`features.swayDesktop.enable = true;`

			`console.keyMap = "dvorak";`

			`# Default-deny inbound. Hosts that run a listening service open their own`
			`# ports next to where the service is enabled (e.g. sshd -> 22 on X1).`
			`networking.firewall.enable = true;`
			`}`