# Shared base for the physical machines that run a graphical session. Both
# ./laptop.nix and ./desktop.nix import this and layer on only what differs by
# form factor (mainly which networking backend is used).
#
# No bootloader is configured here on purpose: that choice follows the
# firmware, not the form factor. The UEFI hosts (MBP, Mac Pro 3,1) boot via
# systemd-boot and the BIOS-only T400 via GRUB, so each machine config sets
# its own.
{ ... }:

{
  features.swayDesktop.enable = true;

  console.keyMap = "dvorak";

  networking.firewall = {
    # Inbound traffic is dropped unless a host opens a port explicitly. A host
    # that runs a listener adds its allowed ports (or the service's own
    # openFirewall switch) right where that service is enabled, e.g. sshd -> 22
    # on X1. NOTE(review): the NixOS firewall filters inbound only; nothing
    # here restricts outbound connections.
    enable = true;
  };

  boot.tmp = {
    # Start every boot with an empty /tmp so nothing from the previous session
    # survives there.
    cleanOnBoot = true;
  };

  services = {
    # Weekly fstrim timer hands unused blocks back to the SSD. NOTE(review): if
    # any of these hosts is LUKS-encrypted, the trim only reaches the disk when
    # allowDiscards is set on that LUKS device, and doing so reveals which
    # blocks are free -- usually an accepted trade-off, but confirm per host.
    fstrim.enable = true;

    # One PipeWire setup serves every graphical host, with the PulseAudio
    # compatibility server so Pulse-only clients keep working. Nothing
    # audio-related is expected in the per-machine configs.
    pipewire = {
      enable = true;
      pulse.enable = true;
    };
  };

  # PAM service for swaylock. No machine in this set has usable fingerprint
  # auth, so the empty definition is sufficient and swaylock authenticates by
  # password.
  security.pam.services.swaylock = { };

  # Ships the redistributable GPU/Wi-Fi/NIC firmware blobs that the x86 hosts
  # need. The Asahi MBP obtains its peripheral firmware out-of-band, so the
  # extra packages do no harm there. NOTE(review): this option does not by
  # itself enable CPU microcode updates (hardware.cpu.<vendor>.updateMicrocode);
  # confirm the x86 machine configs (or their generated hardware config) set
  # that, since microcode carries the Spectre-class mitigations.
  hardware.enableRedistributableFirmware = true;
}