nix/systems/x86_64-linux/penguin/default.nix

{
  pkgs,
  inputs,
  lib,
  config,
  ...
}:
let
  inherit (inputs) disko home-manager;
in
{
  imports = [
    disko.nixosModules.disko
    home-manager.nixosModules.home-manager
    ./disko-config.nix
    ./hardware-configuration.nix
  ];
  config = {

    my_users.enable = true;
    my_nix.enable = true;

    age.secrets.k3s.file = ../../../secrets/k3s.age;

    my_k3s = {
      enable = true;
      tokenFile = config.age.secrets.k3s.path;
      serverAddr = "https://10.222.0.13:6443";
      extraFlags = [
        "--disable=servicelb"
        "--disable=traefik"
        "--node-ip 10.222.0.249"
        "--flannel-iface ztxh6lvd6t"
        "--flannel-backend=host-gw"
        "--tls-san 10.222.0.249"
      ];
      nvidia = true;
    };
    networking.hostName = "penguin";

    boot = {
      tmp.cleanOnBoot = true;
      loader = {
        systemd-boot.enable = true;
        efi.canTouchEfiVariables = true;
      };

      initrd.network = {
        enable = true;
        ssh = {
          enable = true;
          hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
          authorizedKeys = lib.concatLists (
            lib.mapAttrsToList (
              name: user: if lib.elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else [ ]
            ) config.users.users
          );
        };
      };
    };

    time.timeZone = "Asia/Singapore";

    networking = {
      networkmanager.enable = true;
      nftables.enable = true;
      firewall = {
        enable = true;
        allowedTCPPorts = [
          22
          3000
          3001
        ];
        trustedInterfaces = [
          "tailscale0"
          "ztxh6lvd6t"
        ];
      };
    };

    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
    };

    users.users.cs3223 = lib.snowfall.mkUser {
      shell = pkgs.nushell;
      isNormalUser = true;
      extraGroups = [ "wheel" ];
    };

    services.tailscale.enable = true;
    nixpkgs.config = {
      cudaSupport = true;
    };

    programs._1password.enable = true;

    environment.systemPackages = with pkgs; [
      git
      neovim
      btop
    ];

    virtualisation.podman = {
      enable = true;
      dockerCompat = false;
      defaultNetwork.settings.dns_enabled = true;
    };

    hardware.graphics.enable = true;
    services.xserver.videoDrivers = [ "nvidia" ];
    hardware.nvidia.open = true;

    services.zerotierone = {
      enable = true;
      joinNetworks = [ "23992b9a659115b6" ];
    };
    system.stateVersion = "25.11";
  };
}