nix/systems/nixos-fw16/default.nix


{ config
, lib
, pkgs
, modulesPath
, system
, inputs
, ...
}: {
# Modules merged into this host's configuration. Each entry is evaluated as
# part of the system definition, so the flake inputs and the local os-mods
# tree referenced here belong to this machine's trusted base.
imports = [
  # Stock NixOS module resolved relative to modulesPath.
  (modulesPath + "/installer/scan/not-detected.nix")
  # Hardware profiles taken from the nixos-hardware flake input.
  inputs.nixos-hardware.nixosModules.common-hidpi
  inputs.nixos-hardware.nixosModules.framework-16-7040-amd
  # Repository-local modules; their contents are not visible in this file.
  ../../os-mods/age
  ../../os-mods/net_disks/oeko.nix
  ../../os-mods/amdgpu
  ../../os-mods/cachix
  ../../os-mods/common
  ../../os-mods/desktop
  ../../os-mods/desktop/audio.nix
  ../../os-mods/desktop/gaming.nix
  ../../os-mods/desktop/printing.nix
  ../../os-mods/netdata/client.nix
  ../../os-mods/network
  ../../os-mods/ryzenapu
  ../../os-mods/virt
  ../../users
  # Disk layout for this host.
  ./disks.nix
];
# SSH ed25519 *public* host key of this machine; a public key is not a secret.
# Presumably consumed by the rekey tooling pulled in through ../../os-mods/age
# so that secrets are encrypted for this host — confirm there. The value has
# to match the key the host actually holds, otherwise secrets encrypted to it
# cannot be decrypted on the machine.
# The commented-out key is labelled root@nixos-f16 and looks like an earlier
# host key — TODO confirm before deleting it.
# age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRFEtmoq36QmvAwv/xIVdvaf+B9Scbm5cUFFkP/c1nS root@nixos-f16";
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIANI+JugoOABEG49405FrbVwbTT/cbYamNZC5Tb01/xp root@nixos-fw16";
# Remote-build plumbing. distributedBuilds is switched on, but buildMachines
# is an empty list, so this file configures no remote builder as written.
# builders-use-substitutes lets a builder fetch dependencies from its own
# substituters instead of having them uploaded from this machine.
# NOTE(review): if the commented-out builders are restored, their build
# outputs are copied into this machine's store. Each builder, the SSH identity
# used to reach it and its pinned host key then have to be trusted as much as
# this host.
nix.settings.builders-use-substitutes = true;
nix.distributedBuilds = true;
nix.buildMachines = [ ];
# [
#   {
#     hostName = "nixremote@nixos-desk";
#     system = "x86_64-linux";
#     protocol = "ssh";
#     maxJobs = 0;
#     speedFactor = 0;
#     supportedFeatures = [
#       "benchmark"
#       "big-parallel"
#       "kvm"
#       "nixos-test"
#       "gccarch-x86-64-v3"
#       "gccarch-znver3"
#     ];
#     mandatoryFeatures = [ ];
#   }
#   {
#     hostName = "nixremote@nixos-pulse";
#     system = "x86_64-linux";
#     protocol = "ssh";
#     maxJobs = 0;
#     speedFactor = 1;
#     supportedFeatures = [
#       "benchmark"
#       "big-parallel"
#       "kvm"
#       "nixos-test"
#       "gccarch-x86-64-v3"
#       "gccarch-znver2"
#     ];
#     mandatoryFeatures = [ ];
#   }
# ];
####################
# Per-user systemd units for modprobed-db: a service that runs
# `modprobed-db storesilent` on start and on stop, plus a timer that goes
# with it.
systemd.user.services.modprobed-db =
  let
    # The same command line is used for ExecStart and ExecStop.
    storeCmd = "${pkgs.modprobed-db}/bin/modprobed-db storesilent";
  in
  {
    description = "modprobed-db service to scan and store new kernel modules";
    wantedBy = [ "default.target" ];
    wants = [ "modprobed-db.timer" ];
    # Tools placed on the unit's PATH, listed in attribute-name order.
    path = [
      pkgs.coreutils
      pkgs.gawk
      pkgs.getent
      pkgs.gnugrep
      pkgs.gnused
      pkgs.kmod
    ];
    serviceConfig = {
      Type = "simple";
      ExecStart = storeCmd;
      ExecStop = storeCmd;
    };
  };
systemd.user.timers.modprobed-db = {
  partOf = [ "modprobed-db.service" ];
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnUnitActiveSec = "1h";
    # NOTE(review): systemd.timer(5) describes Persistent= as affecting
    # OnCalendar= timers only, so it is probably a no-op next to
    # OnUnitActiveSec= — confirm.
    Persistent = true;
  };
};
################
# Members of wheel must authenticate for sudo. lib.mkForce makes this value
# win over a normal-priority definition of the same option in another module.
# NOTE(review): the original remark read "unneded due to fp sensor" —
# presumably passwordless sudo is unnecessary because the fingerprint reader
# can answer the prompt. The PAM/fingerprint side is not configured in this
# file; confirm where it lives.
security.sudo-rs.wheelNeedsPassword = lib.mkForce true;
# Power mgmt
services.input-remapper.enable = true;
services.power-profiles-daemon.enable = true;
# powerManagement.powertop.enable = true;
programs.corectrl.gpuOverclock.enable = lib.mkForce false; # TODO Check if needed
# Android debug bridge support.
# NOTE(review): on NixOS, device access for adb is normally granted through
# the adbusers group; keep its membership to the accounts that need it
# (check ../../users).
programs.adb.enable = true;
####
# Features this machine's Nix daemon advertises for builds: the four generic
# ones, followed by gccarch-znver1 through gccarch-znver4.
nix.settings.system-features =
  [
    "benchmark"
    "big-parallel"
    "kvm"
    "nixos-test"
  ]
  ++ map (gen: "gccarch-znver${gen}") [ "1" "2" "3" "4" ];
# nixpkgs.hostPlatform.gcc.arch = "znver2";
# chaotic-nyx: only the package overlay is switched on here.
# NOTE(review): the overlay brings third-party package definitions into pkgs.
# Whatever binary cache serves them (see ../../os-mods/cachix) is then
# trusted for those store paths — confirm which keys are accepted there.
chaotic.nyx.overlay.enable = true;
# chaotic.nyx.overlay.onTopOf = "user-pkgs"; # needed ?
# chaotic.nyx.overlay.flakeNixpkgs.config = pkgs.config; # needed ?
# chaotic.scx = {
#   enable = false; # temp
#   scheduler = "scx_bpfland";
#   package = pkgs.scx;
# };
# specialisation = {
# linux-latest.configuration = {
# boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# };
# linux-zen.configuration = {
# boot.kernelPackages = lib.mkForce pkgs.linuxPackages_zen;
# };
# linux-cachyos.configuration = {
# boot.kernelPackages = lib.mkForce pkgs.linuxPackages_cachyos;
# };
# };
# Boot chain for this host: kernel, kernel command line, boot loader, the
# (currently disabled) Secure Boot integration and the initrd.
boot = {
  # Kernel selection. The commented lines are earlier or alternative choices.
  # kernelPackages = pkgs.linuxPackages_latest; # bootstrap
  # kernelPackages = pkgs.linuxPackages_zen; # bootstrap
  # kernelPackages = pkgs.linuxPackages_cachyos; # bootstrap
  # kernelPackages = pkgs.pkgsAMD64Microarchs.znver4.linuxPackages_cachyos;
  # kernelPackages = pkgs.linuxPackages_latest;
  # kernelPackages = pkgs.pkgsAMD64Microarchs.znver4.linuxPackages_cachyos-rc;
  # kernelPackages = pkgs.pkgsAMD64Microarchs.znver2.linuxPackages_cachyos-rc;
  # kernelPackages = pkgs.linuxPackages_cachyos;
  # CachyOS kernel from the znver4 package set; presumably supplied by the
  # chaotic-nyx overlay enabled elsewhere in this file — TODO confirm.
  kernelPackages = pkgs.pkgsAMD64Microarchs.znver4.linuxPackages_cachyos;
  kernelPatches = [ ];
  kernelParams = [
    # "systemd.unit=emergency.target"
    # "amdgpu.ppfeaturemask=0xfffd7fff" # gpu overclockfoo for LACT /fanctrl # Provokes crashyness ??
    # NOTE(review): SYSTEMD_SULOGIN_FORCE=1 makes the rescue/emergency shell
    # start without asking for the root password when root has no usable
    # password (for example a locked account). That helps recovery, but it
    # leaves console access as the only barrier once the system lands in
    # emergency mode. Compensating controls to confirm: disk encryption
    # (see ./disks.nix), `boot.loader.systemd-boot.editor = false` so the
    # kernel command line cannot be changed from the boot menu, and Secure
    # Boot once lanzaboote is switched on.
    "systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
    # "rescue"
    "pcie_aspm=force" # TODO Check hibernate without
    "pcie_aspm.policy=powersupersave"
    "rtc_cmos.use_acpi_alarm=1" # reduce S0 sleep wakeups
    "gpiolib_acpi.ignore_interrupt=AMDI0009:00@9" # mask IRQ 9 ?
  ];
  loader = {
    # A timeout of 0 boots the default entry without showing the menu.
    timeout = 0;
    systemd-boot = {
      # enable = false; # due to lanzaboote
      enable = true; # bootstrap
      # NOTE(review): the systemd-boot entry editor is not set in this block;
      # unless another module sets `editor = false`, the NixOS default
      # leaves it on, so boot entries can be edited from the menu.
      configurationLimit = 12;
      memtest86.enable = true;
      # bootCounting.enable = true; # reverted atm
    };
    efi.canTouchEfiVariables = true;
  };
  lanzaboote = {
    # NOTE(review): `enable` is commented out, so Secure Boot signing via
    # lanzaboote is presumably inactive and only the settings below remain.
    # enable = true;
    configurationLimit = 12;
    # pkiBundle = "/etc/secureboot";
    # Directory with the Secure Boot key material managed by sbctl. It is
    # expected to contain private signing keys, so it should stay readable
    # by root only — verify the permissions on the host.
    pkiBundle = "/var/lib/sbctl";
  };
  initrd = {
    # Drivers the initrd may load on demand (storage, USB, Thunderbolt).
    availableKernelModules = [
      "nvme"
      "xhci_pci"
      "thunderbolt"
      "uas" # needed ?
      "usbhid"
      "usb_storage"
      "sd_mod"
    ];
    kernelModules = [ ];
    # Use the systemd-based initrd.
    systemd.enable = true;
  };
  extraModulePackages = [ ];
};
# Host name, static name-to-address mappings and the wired interface setup.
networking = {
  hostName = "nixos-fw16";
  # Static entries appended to /etc/hosts. They are answered locally, ahead
  # of DNS in the usual resolver order, so a stale or wrong line silently
  # sends clients to another machine.
  # NOTE(review): several names look like credential or identity services
  # (auth, bw, warden, passwords, pass). For those, TLS certificate
  # validation is what protects clients if an address here is wrong. The
  # last entry pins a public address rather than a 192.168.0.x one.
  # NOTE(review): this list documents internal hostnames and addressing;
  # check that the repository's visibility matches that.
  extraHosts = ''
    192.168.0.20 opnsense.oekonzept.local
    192.168.0.75 monitor.oekonzept.de
    192.168.0.151 rosa.oekonzept.de
    192.168.0.171 karl.oekonzept.de
    192.168.0.206 vewadb.oekonzept.de
    192.168.0.191 vewadb2.oekonzept.de
    192.168.0.190 vpn.oekonzept.de
    192.168.0.180 vewasmb.oekonzept.de
    192.168.0.91 puppet.oekonzept.de
    192.168.0.1 srv-nas-01.oekonzept.net
    192.168.0.1 nas-01.oekonzept.net
    192.168.0.171 git.oekonzept.net
    192.168.0.171 office.oekonzept.net
    192.168.0.171 libreoffice.oekonzept.net
    192.168.0.171 cockpit.oekonzept.net
    192.168.0.171 auth.oekonzept.net
    192.168.0.171 netdata.oekonzept.net
    192.168.0.171 cloud.oekonzept.net
    192.168.0.171 bw.oekonzept.net
    192.168.0.171 kasm.oekonzept.net
    192.168.0.171 warden.oekonzept.net
    192.168.0.171 oproject.oekonzept.net
    192.168.0.171 netbox.oekonzept.net
    192.168.0.171 passwords.oekonzept.net
    192.168.0.171 pass.oekonzept.net
    192.168.0.171 camt.oekonzept.net
    192.168.0.171 camt-eth.oekonzept.net
    192.168.0.171 camt-cbg.oekonzept.net
    176.9.242.147 fe3f3294-c93a-4aca-895e-abe6c858dbd5-llama-cpp.redvau.lt
  '';
  interfaces = {
    # Wired interface with a fixed address instead of DHCP.
    eth0 = {
      useDHCP = false;
      ipv4.addresses = [
        {
          address = "192.168.0.21";
          prefixLength = 24;
        }
      ];
      ipv4.routes = [
        # Route for 192.168.0.0/24 with no gateway given.
        {
          address = "192.168.0.0";
          prefixLength = 24;
        }
        # Default route through 192.168.0.5.
        {
          address = "0.0.0.0";
          prefixLength = 0;
          via = "192.168.0.5";
        }
      ];
    };
  };
};
# Do not manage HID devices with powertop to prevent annoying keyboard/mouse sleeps.
# Disabled at the moment because powertop itself is disabled. The snippet
# belongs under systemd.services if it is restored:
# powertop.postStart = ''
#   HIDDEVICES=$(ls /sys/bus/usb/drivers/usbhid | grep -oE '^[0-9]+-[0-9\.]+' | sort -u)
#   for i in $HIDDEVICES; do
#     echo -n "Enabling " | cat - /sys/bus/usb/devices/$i/product
#     echo 'on' > /sys/bus/usb/devices/$i/power/control
#   done
# '';

# Adjusts the automatically created network-addresses service for eth0 so the
# machine can boot while the device is absent: the unit is skipped when
# /sys/class/net/eth0 does not exist, and its BindsTo is cleared. This avoids
# slow timeouts and errors at boot while keeping plug-and-play behaviour.
systemd.services.network-addresses-eth0.unitConfig = {
  BindsTo = lib.mkForce null;
  ConditionPathExists = "/sys/class/net/eth0";
};
# Extra udev rules for this host.
# - USB devices 32ac:0020 and 32ac:0022 get mode 0660 and the "uaccess" tag,
#   i.e. access is meant for the user on the active local seat rather than
#   for everyone.
#   NOTE(review): as far as I know NixOS writes extraRules into a late rules
#   file, while uaccess is evaluated by an earlier seat rule, so the tag may
#   not take effect from here — verify on the device node with getfacl.
# - eth0 add/remove starts or stops network-addresses-eth0.service. The RUN
#   command uses an absolute store path to systemctl, so it does not depend
#   on PATH.
# - The PCI rule has no vendor or device match and therefore sets
#   power/control to "auto" on every PCI device.
services.udev.extraRules = ''
  # Framework Laptop 16 - LED Matrix
  SUBSYSTEMS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0020", MODE="0660", TAG+="uaccess"
  # C1 Minimal Microcontroller Module (Template for DIY Module)
  SUBSYSTEMS=="usb", ATTRS{idVendor}=="32ac", ATTRS{idProduct}=="0022", MODE="0660", TAG+="uaccess"
  # USB-C dock ethernet
  ACTION=="add", KERNEL=="eth0", TAG+="systemd", ENV{SYSTEMD_WANTS}="network-addresses-eth0.service"
  ACTION=="remove", KERNEL=="eth0", RUN+="${pkgs.systemd}/bin/systemctl stop network-addresses-eth0.service"
  # Might help suspend:
  SUBSYSTEM=="pci", ATTR{power/control}="auto"
  # ACTION=="add", SUBSYSTEM=="serio", DRIVERS=="atkbd", ATTR{power/wakeup}="disabled"
'';
# Host-specific tools installed system-wide, mostly hardware and firmware
# utilities for this laptop.
environment.systemPackages = [
  pkgs.ryzenadj
  pkgs.lm_sensors
  pkgs.coreutils-full
  pkgs.cpu-x
  pkgs.fw-ectool
  pkgs.sbctl # secureboot debugging/config/mgmt
  # pkgs.android-tools
  pkgs.input-remapper
];
# Firmware, microcode and sensor support for this machine.
hardware.enableRedistributableFirmware = true;
# NOTE(review): i2c support normally comes with a dedicated group for device
# access; keep its membership narrow — confirm in ../../users.
hardware.i2c.enable = true;
# Apply AMD CPU microcode updates, which is how vendor CPU fixes, including
# security fixes, reach the machine.
hardware.cpu.amd.updateMicrocode = true;
# Presumably exposes the Ryzen SMU to userspace tools — TODO confirm who may
# access it.
hardware.cpu.amd.ryzen-smu.enable = true;
hardware.sensor.iio.enable = true;
# Compressed swap in RAM.
zramSwap.enable = true;
# NixOS release whose stateful defaults this installation started with. It is
# not the package version; leave it unchanged when upgrading unless the
# release notes say otherwise.
system.stateVersion = "24.05";
}