nixos/hosts/media/default.nix

{ inputs, config, lib, pkgs, outputs,... }:

{
  imports =
    [ 
      # Disk configuration
      inputs.disko.nixosModules.disko
      (import ../common/disks/std-disk-config.nix { device = "/dev/vda"; })

      # Import core options
      ./hardware-configuration.nix
      ../common/core

      # Create users for this host
      ../common/users/media

    ];

  nixpkgs = {
      overlays = [
        outputs.overlays.additions
        outputs.overlays.modifications
        outputs.overlays.unstable-packages
      ];
      config = {
        allowUnfree = true;
      };
    };
  
  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
      timeout = 3;
    };
  };

  i18n.defaultLocale = "en_GB.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "uk";
    useXkbConfig = false; 
  };

  networking = {
    hostName = "media";
    networkmanager.enable = true;
    enableIPv6 = false;
  };

  services = {
    qemuGuest.enable = true;
    openssh = {
      enable = true;
      ports = [22]; # FIXME: Make this use configVars.networking
      settings.PermitRootLogin = "yes";
      # Fix LPE vulnerability with sudo use SSH_AUTH_SOCK: https://github.com/NixOS/nixpkgs/issues/31611
      # this mitigates the security issue caused by enabling u2fAuth in pam
      authorizedKeysFiles = lib.mkForce ["/etc/ssh/authorized_keys.d/%u"];
    };
  };

  security.pam = {
    sshAgentAuth.enable = true;
    #FIXME the above is deprecated in 24.05 but we will wait until release
    #sshAgentAuth.enable = true;
    services = {
      sudo.u2fAuth = true;
    };
  };

  # ssh-agent is used to pull my private secrets repo from gitlab when deploying nix-config.
 # programs.ssh.startAgent = true;

  environment.systemPackages = builtins.attrValues {
    inherit(pkgs)
    wget
    curl
    git
    rsync;
  };


  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  system.stateVersion = "23.11";
}