infra/nix/os/devices/steveej-t14/system.nix

{
  pkgs,
  lib,
  config,
  repoFlake,
  ...
}:
let
  localTcpPorts = [
    22

    # syncthing
    22000

    # iperf3
    5201
  ];

  localUdpPorts = [
    # syncthing
    22000
    21027
  ];
in
{
  nix.settings = {
    substituters = [ ];
    trusted-public-keys = [ ];
  };

  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
      # TODO: make this a reference
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "x86_64-linux";
      maxJobs = 32;
      speedFactor = 100;
      supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features;
    }

    {
      hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
      # TODO: make this a reference
      sshUser = "nix-remote-builder";
      protocol = "ssh-ng";
      system = "aarch64-linux";
      maxJobs = 32;
      speedFactor = 100;
      supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features;
    }
  ];

  networking.networkmanager.enable = true;

  networking.extraHosts = '''';

  networking.bridges."virbr1".interfaces = [ ];
  networking.interfaces."virbr1".ipv4.addresses = [
    {
      address = "10.254.254.254";
      prefixLength = 24;
    }
  ];

  # needed to make wireguard managed by networkmanager route all traffic through it
  networking.firewall.checkReversePath = false;

  networking.firewall.enable = true;
  services.openssh.openFirewall = false;

  # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
  networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;
  networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;
  networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;

  networking.firewall.logRefusedConnections = false;
  networking.usePredictableInterfaceNames = false;

  services.fwupd.enable = true;

  services.fprintd.enable = true;
  security.pam.services = {
    login.fprintAuth = true;
    sudo.fprintAuth = true;
  };

  # virtualization
  virtualisation = {
    libvirtd = {
      enable = true;
    };

    virtualbox.host = {
      enable = false;
      addNetworkInterface = false;
    };

    podman = {
      enable = true;
      dockerCompat = true;
      # defaultNetwork.dnsname.enable = true;
    };
  };

  services.samba.extraConfig = ''
    # client min protocol = NT1
  '';

  security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];

  services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];

  hardware.ledger.enable = true;

  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}