system/modules/workstation.nix

# Form-factor-agnostic base for the physical graphical NixOS machines. Imported
# by both ./laptop.nix and ./desktop.nix; those add only the bits that differ
# between portable and desktop hosts (chiefly the networking backend).
#
# The bootloader is NOT set here -- it is firmware-specific, not form-factor:
# UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.
# Each machine config declares its own.
{ lib, pkgs, ... }:
{
  features.swayDesktop.enable = true;

  console.keyMap = "dvorak";

  # Intel thermal management. x86 only -- the Asahi MBP governs its own SoC
  # thermals, and thermald is an Intel-platform daemon.
  services.thermald.enable = lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 true;

  # Default-deny inbound. Hosts that run a listening service open their own
  # ports next to where the service is enabled (e.g. sshd -> 22 on X1).
  networking.firewall.enable = true;

  # Disk hygiene for the physical hosts. fstrim reclaims unused SSD blocks on a
  # weekly timer; cleanOnBoot wipes /tmp at every boot.
  services.fstrim.enable = true;
  boot.tmp.cleanOnBoot = true;

  # Userspace OOM killer: act on memory pressure early instead of letting the
  # kernel OOM-thrash. Matters on the 4 GiB T400 and the elderly Mac Pro.
  services.earlyoom.enable = true;

  # Firmware updates via LVFS. No-op on the Asahi MBP (Apple-managed firmware),
  # useful for UEFI/SSD updates on the x86 hosts.
  services.fwupd.enable = true;

  # Audio. PipeWire with the PulseAudio shim covers every graphical host; no
  # per-machine audio config is needed.
  services.pipewire = {
    enable = true;
    pulse.enable = true;
  };

  # swaylock PAM stack. None of these machines has working fingerprint auth, so
  # an empty service is enough -- swaylock falls back to password.
  security.pam.services.swaylock = { };

  # Redistributable firmware (GPU/Wi-Fi/NIC blobs) for the x86 hosts. Harmless
  # on the Asahi MBP, which supplies its own peripheral firmware out-of-band.
  hardware.enableRedistributableFirmware = true;
}
refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`# Form-factor-agnostic base for the physical graphical NixOS machines. Imported`
			`# by both ./laptop.nix and ./desktop.nix; those add only the bits that differ`
			`# between portable and desktop hosts (chiefly the networking backend).`
refactor(nixos): declare bootloader per-host, not in workstation.nix 2026-06-04 15:22:07 +01:00			`#`
			`# The bootloader is NOT set here -- it is firmware-specific, not form-factor:`
			`# UEFI hosts (MBP, Mac Pro 3,1) use systemd-boot, the BIOS-only T400 uses GRUB.`
			`# Each machine config declares its own.`
feat(nixos): physical-host services — power, bluetooth, OOM, firmware 2026-06-10 16:26:44 +01:00			`{ lib, pkgs, ... }:`
refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`{`
			`features.swayDesktop.enable = true;`

			`console.keyMap = "dvorak";`

feat(nixos): physical-host services — power, bluetooth, OOM, firmware 2026-06-10 16:26:44 +01:00			`# Intel thermal management. x86 only -- the Asahi MBP governs its own SoC`
			`# thermals, and thermald is an Intel-platform daemon.`
			`services.thermald.enable = lib.mkIf pkgs.stdenv.hostPlatform.isx86_64 true;`

refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`# Default-deny inbound. Hosts that run a listening service open their own`
			`# ports next to where the service is enabled (e.g. sshd -> 22 on X1).`
			`networking.firewall.enable = true;`
feat(nixos): disk hygiene, dedupe shared options, fix MacPro docs 2026-06-10 14:56:58 +01:00
			`# Disk hygiene for the physical hosts. fstrim reclaims unused SSD blocks on a`
			`# weekly timer; cleanOnBoot wipes /tmp at every boot.`
			`services.fstrim.enable = true;`
			`boot.tmp.cleanOnBoot = true;`

feat(nixos): physical-host services — power, bluetooth, OOM, firmware 2026-06-10 16:26:44 +01:00			`# Userspace OOM killer: act on memory pressure early instead of letting the`
			`# kernel OOM-thrash. Matters on the 4 GiB T400 and the elderly Mac Pro.`
			`services.earlyoom.enable = true;`

			`# Firmware updates via LVFS. No-op on the Asahi MBP (Apple-managed firmware),`
			`# useful for UEFI/SSD updates on the x86 hosts.`
			`services.fwupd.enable = true;`

feat(nixos): disk hygiene, dedupe shared options, fix MacPro docs 2026-06-10 14:56:58 +01:00			`# Audio. PipeWire with the PulseAudio shim covers every graphical host; no`
			`# per-machine audio config is needed.`
			`services.pipewire = {`
			`enable = true;`
			`pulse.enable = true;`
			`};`

			`# swaylock PAM stack. None of these machines has working fingerprint auth, so`
			`# an empty service is enough -- swaylock falls back to password.`
			`security.pam.services.swaylock = { };`

			`# Redistributable firmware (GPU/Wi-Fi/NIC blobs) for the x86 hosts. Harmless`
			`# on the Asahi MBP, which supplies its own peripheral firmware out-of-band.`
			`hardware.enableRedistributableFirmware = true;`
refactor(nixos): extract workstation.nix base from laptop.nix 2026-06-04 13:57:44 +00:00			`}`