nix-config/nixos/framework/configuration.nix

{
  config,
  pkgs,
  lib,
  mypkgs,
  ...
}: {
  imports = [./hardware-configuration.nix];
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets."tailscale-auth-key" = {};

  boot.bootspec.enable = true;
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_6_11;

  nixpkgs.config.allowUnfree = true;

  system.stateVersion = "23.11"; # Did you read the comment?
  networking = {
    hostName = "framework";
    search = ["1.1.1.1" "1.0.0.1" "8.8.8.8"];
    networkmanager.enable = true;
  };

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";

  hardware.graphics = {
    enable = true;
    extraPackages = [pkgs.vaapiVdpau];
  };

  hardware.rtl-sdr.enable = true;

  hardware.bluetooth.enable = true;

  security.pam.services.swaylock = {};
  security.pam.services.hyprlock = {};

  fonts.packages = with pkgs; [
    font-awesome
    nerd-fonts.fira-mono
    mypkgs.comic-mono
  ];

  services = {
    illum.enable = true;
    fwupd.enable = true;
    fprintd.enable = false; # currently broken
    pcscd.enable = true;
    tlp = {
      enable = true;
      settings = {
        # AC
        CPU_SCALING_GOVERNOR_ON_AC = "performance";
        CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
        CPU_MIN_PERF_ON_AC = 0;
        CPU_MAX_PERF_ON_AC = 100;

        # BAT
        CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
        CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
        CPU_MIN_PERF_ON_BAT = 0;
        CPU_MAX_PERF_ON_BAT = 50;
      };
    };

    openssh = {
      enable = true;
      settings = {
        PermitRootLogin = "yes";
      };
    };

    xserver = {
      enable = true;
      xkb.layout = "us";
      videoDrivers = ["amdgpu"];

      desktopManager = {
        xterm.enable = false;
        gnome.enable = false;
        plasma5.enable = false;
      };

      displayManager = {
        gdm = {
          enable = true;
          wayland = true;
        };
      };
    };

    logind = {
      lidSwitch = "suspend";
      lidSwitchDocked = "ignore";
      lidSwitchExternalPower = "ignore";
      extraConfig = "HoldoffTimeoutSec=300s";
    };

    tailscale = {
      enable = true;
      extraUpFlags = [
        "--accept-routes=true"
      ];
      authKeyFile = config.sops.secrets."tailscale-auth-key".path;
    };
  };

  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };

  services.blueman.enable = true;
  services.libinput.enable = true;

  users.users.patrick = {
    isNormalUser = true;
    extraGroups = ["wheel" "plugdev"];
  };

  environment.systemPackages = with pkgs; [
    vim
    wget
    curl
    htop
    podman
    pinentry
    qemu
    OVMF
  ];

  programs = {
    hyprland.enable = true;
    gnupg.agent.enable = true;
    ssh.enableAskPassword = false; # disable setting of $SSH_ASKPASS
  };
}