{
  config,
  lib,
  pkgs,
  hostname,
  username,
  eth_interface,
  service_configs,
  options,
  ...
}:
{
  # Host "muffin": a home server. Shared modules first, then the modules
  # and service definitions that are specific to this machine.
  imports = [
    ../../modules/common.nix
    # muffin-only system modules
    ./hardware.nix
    ../../modules/zfs.nix
    ../../modules/server-impermanence.nix
    ../../modules/usb-secrets.nix
    ../../modules/age-secrets.nix
    ../../modules/server-lanzaboote-agenix.nix
    ../../modules/no-rgb.nix
    ../../modules/server-security.nix
    ../../modules/ntfy-alerts.nix
    ../../modules/server-power.nix
    ../../modules/server-deploy-guard.nix
    ../../services/postgresql.nix
    ../../services/jellyfin
    ../../services/caddy
    ../../services/immich.nix
    ../../services/gitea
    ../../services/minecraft.nix
    ../../services/wg.nix
    ../../services/qbittorrent.nix
    ../../services/bitmagnet.nix
    ../../services/arr/prowlarr.nix
    ../../services/arr/sonarr.nix
    ../../services/arr/radarr.nix
    ../../services/arr/bazarr.nix
    ../../services/arr/jellyseerr.nix
    ../../services/arr/recyclarr.nix
    ../../services/arr/arr-search.nix
    ../../services/arr/torrent-audit.nix
    ../../services/arr/init.nix
    ../../services/soulseek.nix
    # ../../services/llama-cpp.nix
    ../../services/trilium.nix
    ../../services/ups.nix
    ../../services/grafana
    ../../services/bitwarden.nix
    ../../services/firefox-syncserver.nix
    ../../services/matrix
    ../../services/monero
    ../../services/graphing-calculator.nix
    ../../services/ssh.nix
    ../../services/syncthing.nix
    ../../services/ntfy
    ../../services/mollysocket.nix
    ../../services/harmonia.nix
    ../../services/ddns-updater.nix
  ];

  # NixOS release this host was first installed with; do not bump casually.
  system.stateVersion = "24.11";

  # Set your time zone.
  time.timeZone = "America/New_York";

  boot = {
    # Pinned to the 6.12 LTS series (supported until 2027-03). Kernel 6.18
    # triggers a reproducible ZFS deadlock in dbuf_evict caused by page
    # allocator changes (__free_frozen_pages).
    # https://github.com/openzfs/zfs/issues/18426
    kernelPackages = pkgs.linuxPackages_6_12;

    # Total 2 MB hugepage reservation; the per-service budget is summed in
    # service-configs.nix.
    kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;

    loader = {
      # systemd-boot would normally write EFI variables, but the ASRock
      # B550M Pro4 AMI UEFI hangs on POST afterwards (NVRAM corruption).
      # Lanzaboote entries are found via BLS Type #2 on the ESP instead,
      # so touching NVRAM is unnecessary.
      efi.canTouchEfiVariables = false;
      # Boot menu timeout, in seconds.
      timeout = 1;
    };

    initrd = {
      compressor = "zstd";
      supportedFilesystems = [ "f2fs" ];
    };
  };

  hardware = {
    # Intel Arc A380 (DG2, 56a5) on kernel 6.12: stay on i915. The xe
    # driver's iHD media driver integration has buffer-mapping failures on
    # this GPU/kernel pair; i915 handles VAAPI transcode correctly provided
    # ASPM deep states are disabled for the GPU (see modules/power.nix).
    intelgpu.driver = "i915";

    graphics = {
      enable = true;
      extraPackages = with pkgs; [
        libva-vdpau-driver
        intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
        vpl-gpu-rt # QSV on 11th gen or newer
      ];
    };
  };

  networking = {
    hostName = hostname;
    # Stable machine id used by ZFS pool ownership.
    hostId = "0f712d56";
    # Static addressing only; DHCP is off for every interface.
    useDHCP = false;
    # Disabled because of Jellyfin (various issues).
    enableIPv6 = false;
    firewall.enable = true;

    # NOTE(review): plain (unencrypted) resolvers; no DoT/DoH is configured
    # in this file — confirm whether that is handled elsewhere or intended.
    nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];

    # Static /etc/hosts entries for the CI/CD deploy targets.
    hosts = {
      "192.168.1.50" = [ "server-public" ];
      "192.168.1.223" = [ "desktop" ];
    };

    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "192.168.1.50";
          # address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
      # NOTE(review): a link-local address is declared here even though
      # enableIPv6 = false above; presumably inert — verify before relying on it.
      ipv6.addresses = [
        {
          address = "fe80::9e6b:ff:fe4d:abb";
          prefixLength = 64;
        }
      ];
    };

    defaultGateway = {
      #address = "10.1.1.1";
      address = "192.168.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    # address = "fe80::/64";
    # interface = eth_interface;
    # };
  };

  environment = {
    # Pinned SSH host keys for the CI runner, so it never has to accept an
    # unknown key on first connection (TOFU). All four names map to the same
    # ed25519 key — presumably the git.* names front this same host; confirm
    # that when rotating the key, and update every line together.
    etc."ci-known-hosts".text = ''
      server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
      192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
      git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
      git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
    '';

    # Root-facing admin tools only. User-facing CLI (fish, helix, htop, bottom,
    # tmux, ripgrep, lsof, wget, pfetch-rs, …) comes from home-manager in
    # home/profiles/terminal.nix and is shared with mreow and yarn.
    systemPackages = with pkgs; [
      lm_sensors
      borgbackup
      smartmontools
      intel-gpu-tools
      iotop
      iftop
      powertop
      reflac
      sbctl
      # add `skdump`
      libatasmart
    ];
  };

  users = {
    groups = {
      # Shared group for services that read/write the media library.
      ${service_configs.media_group} = { };
      gitea-runner = { };
    };

    users = {
      # Dedicated unprivileged account for the Gitea Actions runner.
      gitea-runner = {
        isSystemUser = true;
        group = "gitea-runner";
        home = "/var/lib/gitea-runner";
        description = "Gitea Actions CI runner";
      };

      # Primary interactive account. The password hash is read from an agenix
      # secret at activation time, so it never lands in the Nix store.
      ${username} = {
        isNormalUser = true;
        extraGroups = [
          "wheel"
          "video"
          "render"
          service_configs.media_group
        ];
        hashedPasswordFile = config.age.secrets.hashedPass.path;
      };
    };
  };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  # Raise the soft open-file limit for all PAM sessions (no hard limit is
  # set here, so processes may raise it further up to the kernel default).
  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "4096";
    }
  ];

  # muffin keeps fewer generations than the 30d default in common-nix.nix.
  nix.gc.options = lib.mkForce "--delete-older-than 7d";

  # srvos turns vim on; this host does not want it. `enable` only exists on
  # newer nixpkgs, so it is set conditionally to stay evaluable on older ones.
  programs.vim =
    {
      defaultEditor = false;
    }
    // lib.optionalAttrs (options.programs.vim ? enable) {
      enable = false;
    };

  services = {
    deployGuard.enable = true;

    # Mumble server. openFirewall exposes the port on every interface, so the
    # service password is the only gate; it is substituted from an agenix
    # environment file rather than written into the config literally.
    murmur = {
      enable = true;
      openFirewall = true;
      welcometext = "meow meow meow meow meow :3 xd";
      password = "$MURMURD_PASSWORD";
      environmentFile = config.age.secrets.murmur-password-env.path;
      port = service_configs.ports.public.murmur.port;
    };
  };
  # services.botamusique = {
  # enable = true;
  # settings = {
  # server = {port = config.services.murmur.port;
  # password = config.services.murmur.password;
  # };
  # };
  # };

  # Silence dmesg warnings from a serial console nothing is attached to.
  systemd.services."serial-getty@ttyS0".enable = false;

  # systemd.tmpfiles.rules = [
  # "Z /tank/music 775 ${username} users"
  # ];
}