nix/maskiner/core/configuration.nix
2026-04-27 14:46:44 +02:00


# NixOS module for this machine. `myhostname` becomes networking.hostName
# below; `inputs` and `pkgs` are forwarded on to home-manager as well.
{
  inputs,
  config,
  pkgs,
  myhostname,
  ...
}:
let
  # One catppuccin flavour name, shared by stylix, hyprland, nixvim and the
  # home-manager programs further down so every target uses the same palette.
  theme = "mocha";
  # Root of the shared module tree (`moduler/`), relative to this file.
  modulesDirectory = ../../moduler;
in
{
# Hardware profile first, then every shared module taken from `moduler/`.
imports =
  let
    fromModules = relPath: modulesDirectory + relPath;
  in
  [ ./hardware-configuration.nix ]
  ++ map fromModules [
    /users.nix
    /git.nix
    /network.nix
    /programs.nix
    /system.nix
    /dev.nix
    /sound.nix
    /programs/kubernetes-tools.nix
    /services/base
    /programs/hyprland
    /programs/confetti
    /programs/nixvim
  ];
# Host identity and site-wide trust settings.
kubernetes-tools = {
  enable = true;
};
networking = {
  hostName = myhostname;
};
security.pki = {
  # Private root CA trusted for every TLS client on this host. NixOS folds
  # it into the generated /etc/ssl/certs/ca-certificates.crt bundle, which is
  # also what the fleet-osquery unit below validates the Fleet server against.
  certificateFiles = [ ../../root_ca.crt ];
};
# Desktop theming: the single `theme` flavour is handed to every consumer.
stylix = {
  enable = true;
  # Catppuccin base16 scheme shipped in nixpkgs' base16-schemes package.
  base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-${theme}.yaml";
};
hyprland = {
  enable = true;
  inherit theme;
};
nixvim = {
  enable = true;
  inherit theme;
  # presumably selects the work ("jobb") LSP set defined in the nixvim module — confirm there
  lsp_jobb = true;
};
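# Secrets are decrypted at activation by sops-nix with the host's own SSH key,
# so nothing sensitive is written to the world-readable Nix store.
sops =
  let
    # Secret readable only by the interactive user `fw`. With mode 0400 the
    # group setting grants nothing extra; it is kept for clarity.
    fwReadOnly = {
      owner = "fw";
      group = "users";
      mode = "0400";
    };
    # Secret readable only by root (stated explicitly rather than relying on
    # the module defaults).
    rootReadOnly = {
      owner = "root";
      group = "root";
      mode = "0400";
    };
  in
  {
    defaultSopsFile = ../../secrets/sops.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets = {
      # CIFS credentials files consumed by the root-run mount units below;
      # the module defaults (root-owned, read-only) are left in place.
      build-service = { };
      fredrik-wastring = { };
      fw-qemu = { };

      # Enrollment secret read at startup by the fleet-osquery service (root).
      fleet-enroll-secret = rootReadOnly;

      # Tokens and connection details for the user's tooling.
      # NOTE(review): jira_token and the vault_* entries are decrypted onto
      # disk although opencode.mcpEnabled.jira and .vault are false below;
      # consider gating them on those toggles so unused credentials are not
      # materialised.
      github_token = fwReadOnly;
      grafana_token = fwReadOnly;
      jira_token = fwReadOnly;
      opencode_atlassian_env = fwReadOnly;
      google_oauth_client_id_core = fwReadOnly;
      google_oauth_client_secret_core = fwReadOnly;
      user_google_email_core = fwReadOnly;
      mssql_server_core = fwReadOnly;
      mssql_database_core = fwReadOnly;
      mssql_user_core = fwReadOnly;
      mssql_password_core = fwReadOnly;
      vault_addr_core = fwReadOnly;
      vault_token_core = fwReadOnly;
    };
  };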
# Userspace helper needed by the CIFS mounts defined further down.
environment = {
  systemPackages = [ pkgs.cifs-utils ];
};

# Local LLM runtime, ROCm build for the AMD GPU.
services = {
  ollama = {
    enable = true;
    package = pkgs.ollama-rocm;
    # `host`/`port` are left at the module defaults. The ollama API carries
    # no authentication of its own, so only widen the bind address behind a
    # firewall rule or an authenticating reverse proxy.
  };
};
# hister search service. `settings` is rendered to YAML and passed to the
# daemon through HISTER_CONFIG, so it must not carry secrets; the module's
# `environmentFile` option exists for those (e.g. HISTER__APP__ACCESS_TOKEN).
# Only one of `settings` or `configPath` may be set; this host uses `settings`.
# `port` and `openFirewall` stay unset: the listener is bound explicitly below
# and nothing is opened in the firewall.
services.hister = {
  enable = true;

  # State directory recommended by the NixOS module.
  dataDir = "/var/lib/hister";

  settings.app = {
    # presumably `{query}` is substituted by hister when opening a search — confirm upstream
    search_url = "https://google.com/search?q={query}";
    log_level = "info";
  };

  settings.server = {
    # Loopback only; the UI is reachable from this machine alone.
    address = "127.0.0.1:4433";
    # presumably resolved relative to dataDir — confirm against the module
    database = "db.sqlite3";
  };

  settings.hotkeys = {
    "/" = "focus_search_input";
    "enter" = "open_result";
    "alt+enter" = "open_result_in_new_tab";
    "alt+j" = "select_next_result";
    "alt+k" = "select_previous_result";
    "alt+o" = "open_query_in_search_engine";
  };
};
# osquery agent enrolled to the Fleet server over TLS.
# No User= is set, so the daemon runs as root; that is what lets it read the
# root-owned enrollment secret (sops.secrets.fleet-enroll-secret above).
systemd.services.fleet-osquery = {
description = "osquery enrolled to Fleet";
wantedBy = [ "multi-user.target" ];
# Ordered after, and pulls in, network-online.target.
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
# Keep the agent alive through transient Fleet or network outages.
Restart = "always";
RestartSec = "5s";
# Creates /var/lib/osquery and /run/osquery, matching the paths in ExecStart.
StateDirectory = "osquery";
RuntimeDirectory = "osquery";
# Config, logger and distributed plugins all speak TLS to the Fleet host.
# The server certificate is checked against the system CA bundle, which
# includes the private root CA from security.pki.certificateFiles above.
# The enroll secret is read from the sops-managed file rather than being
# placed on the command line or in the Nix store.
ExecStart = ''
${pkgs.osquery}/bin/osqueryd \
--host_identifier=uuid \
--pidfile=/run/osquery/osqueryd.pid \
--extensions_socket=/run/osquery/osquery.em \
--database_path=/var/lib/osquery/osquery.db \
--enroll_tls_endpoint=/api/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/osquery/config \
--logger_plugin=tls \
--logger_tls_endpoint=/api/osquery/log \
--distributed_plugin=tls \
--distributed_tls_read_endpoint=/api/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/osquery/distributed/write \
--tls_hostname=fleet.internalifacts.se:443 \
--enroll_secret_path=${config.sops.secrets.fleet-enroll-secret.path} \
--tls_server_certs=/etc/ssl/certs/ca-certificates.crt
'';
};
};
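# SMB shares (the hosts' C$ shares, so the accounts behind the credentials
# files are typically administrative) mounted on demand via systemd automount.
# Credentials never enter the Nix store: each mount reads a sops-managed
# credentials file at mount time (root-only, see sops.secrets above).
fileSystems =
  let
    # Shared mount options: not mounted at boot, automounted on first access,
    # detached after 60s idle, and bounded waits so an unreachable host cannot
    # stall boot or shutdown.
    automountOpts =
      "x-systemd.automount,noauto,x-systemd.idle-timeout=60,"
      + "x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";

    # Build one CIFS mount entry for UNC path `unc`, authenticating with the
    # credentials file of sops secret `secretName`. `vers=3.0` pins SMB3 so an
    # older dialect is never negotiated.
    # NOTE(review): none of the mounts request in-transit encryption (`seal`);
    # worth considering for the shares that cross untrusted segments.
    mkCifsShare = unc: secretName: {
      device = unc;
      fsType = "cifs";
      options = [
        "${automountOpts},credentials=${toString config.sops.secrets.${secretName}.path},vers=3.0"
      ];
    };
  in
  {
    "/mnt/testweb/C" = mkCifsShare "//192.168.0.226/C$" "build-service";
    "/mnt/testdb/C" = mkCifsShare "//192.168.0.203/C$" "build-service";
    "/mnt/elastic-internal/C" = mkCifsShare "//192.168.0.204/C$" "build-service";
    "/mnt/dev-machine2/C" = mkCifsShare "//192.168.0.149/C$" "build-service";
    "/mnt/hyperv2/C" = mkCifsShare "//192.168.0.48/C$" "fredrik-wastring";
    "/mnt/hyperv1/C" = mkCifsShare "//192.168.0.143/C$" "fredrik-wastring";
    "/mnt/fw-qemu/C" = mkCifsShare "//10.0.2.4/qemu/C$" "fw-qemu";
  };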
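# Extra arguments made available to every home-manager module.
home-manager.extraSpecialArgs = {
  inherit inputs pkgs myhostname;
};

# Home configuration for the interactive user `fw`.
home-manager.users.fw = {
  # Same module root as the system imports above, instead of a second
  # hand-written relative path.
  imports = [
    (modulesDirectory + /home.nix)
    (modulesDirectory + /programs/waybar)
    inputs.catppuccin.homeModules.catppuccin
  ];

  # Which opencode MCP servers are wired up. Secrets for the disabled ones
  # (jira, vault) are still provisioned under sops.secrets above.
  opencode.mcpEnabled = {
    az = false;
    k8s = true;
    github = true;
    jira = false;
    google = true;
    mssql = true;
    vault = false;
  };

  # Programs themed through their own modules with the shared `theme`.
  waybar = {
    enable = true;
    profile = "desktop";
    inherit theme;
  };
  kitty = {
    enable = true;
    inherit theme;
  };
  fish = {
    inherit theme;
  };
  k9s = {
    enable = true;
    inherit theme;
  };
  oh-my-posh = {
    enable = true;
    inherit theme;
  };

  gtk = {
    enable = true;
    iconTheme = {
      name = "oomox-gruvbox-dark";
      package = pkgs.gruvbox-dark-icons-gtk;
    };
  };

  catppuccin.librewolf = {
    enable = true;
    flavor = theme;
    accent = "peach";
  };

  # These targets are themed by the modules above, so stylix must not also
  # write colours for them.
  stylix.targets = {
    lazygit.enable = false;
    fish.enable = false;
    kitty.enable = false;
    waybar.enable = false;
    tmux.enable = false;
    k9s.enable = false;
  };
};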
boot = {
  # Track the newest kernel packaged in nixpkgs.
  kernelPackages = pkgs.linuxPackages_latest;
};
system = {
  # Release whose state layout this install was created with. Bumping it
  # upgrades nothing and can break stateful services; leave it as is.
  stateVersion = "25.05";
};
}