# Shared configuration for the physical NixOS laptops (X1, MBP-Asahi). Imported
# from the host table in flake.nix. Platform-specific bits (bootloader EFI var
# touching, firmware, audio, hostname, sshd) stay in the per-machine configs.
{ ... }:
{
  boot.loader.systemd-boot.enable = true;

  features.swayDesktop.enable = true;

  console.keyMap = "dvorak";

  # Wi-Fi via iwd with its built-in DHCP/network configuration.
  networking.wireless.iwd = {
    enable = true;
    settings.General.EnableNetworkConfiguration = true;
  };

  # Default-deny inbound. Hosts that run a listening service open their own
  # ports next to where the service is enabled (e.g. sshd -> 22 on X1).
  networking.firewall.enable = true;
}