nixos-configuration/modules/default.nix

{ lib, ... }:

{
  options.jalr = {
    gui.enable = lib.mkEnableOption "GUI";
    workstation.enable = lib.mkEnableOption "Workstation";
  };

  imports = [
    ../pkgs/modules.nix
    ./autologin.nix
    ./aws.nix
    ./bluetooth.nix
    ./bootloader
    ./dji-goggles.nix
    ./dnsmasq.nix
    ./fish.nix
    ./fonts.nix
    ./journald.nix
    ./kdeconnect.nix
    ./kvm-switch-enable-screen.nix
    ./libvirt.nix
    ./localization.nix
    ./mailserver
    ./mute-indicator.nix
    ./nix.nix
    ./obs.nix
    ./pipewire.nix
    ./podman.nix
    ./printers
    ./qbittorrent
    ./sdr.nix
    ./sshd.nix
    ./sudo.nix
    ./sway.nix
    ./tor.nix
    ./tradebyte
    ./udmx.nix
    ./uefi.nix
    ./unfree.nix
    ./wireshark.nix
    ./yubikey-gpg.nix
  ];

  config = {
    boot = {
      tmp.cleanOnBoot = true;
      kernel.sysctl = {
        "kernel.kptr_restrict" = 1;
        "kernel.yama.ptrace_scope" = 1;
        "kernel.kexec_load_disabled" = 1;
      };
      kernelParams = [
        "lockdown=integrity"
      ];
    };

    security.polkit.enable = true;

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "security@jalr.de";
      };
    };
  };
}