nixos-config/modules/base.nix

{ config, lib, pkgs, ... }:

{
  # Essential system tools
  environment.systemPackages = with pkgs; [
    git
    git-crypt # used to store secrets in configuration
    git-lfs # not so essential, but required to clone config
    htop
    tmux
    vim
  ];

  # Clean temporary files on boot
  boot.cleanTmpDir = true;

  # Disable firewall
  networking.firewall.enable = lib.mkDefault false;

  # Set zsh as default shell
  programs.zsh.enable = true;
  users.defaultUserShell = pkgs.zsh;

  # Sane swapping
  boot.kernel.sysctl."vm.swapiness" = 10;

  # Store logs persistently
  services.journald.extraConfig = "Storage = persistent";

  # Hard drive monitoring
  services.smartd.enable = true;
  # Network monitoring
  services.vnstat.enable = true;

  # Authentication/Encryption agents
  programs.gnupg.agent.enable = true;
  programs.ssh.startAgent = true;

  # NixOS state version (see https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion)
  system.stateVersion = "20.03";

  # Make sudoers trusted nix users
  nix.trustedUsers = [ "@wheel" ];

  nixpkgs.config = {
    # Explicitly allow unfree packages (rule of thumb: assets ok, code not ok)
    allowUnfreePredicate = (
      pkg: builtins.elem (lib.getName pkg) [
        "corefonts"
        "vista-fonts"
      ]
    );
    # Add unstable channel
    packageOverrides = pkgs: {
      unstable = import (builtins.fetchTarball "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz") {
        config = config.nixpkgs.config;
      };
    };
  };
}