nixos-config/machines/Hypervisor-VM/default.nix

{ modulesPath, inputs, lib, pkgs, config, options, ... }: {
  imports = with inputs.self; [
    # "${toString modulesPath}/profiles/qemu-guest.nix"
    "${toString modulesPath}/profiles/hardened.nix"
    # ./imports/qemu-vm.nix

    ./hardware-configuration.nix
    nixosRoles.hypervisor
    nixosProfiles.direnv
  ];

  # build hell
  environment.noXlibs = lib.mkForce false;
  # minimal profile
  documentation.nixos.enable = lib.mkForce false;
  programs.command-not-found.enable = lib.mkForce false;
  xdg.autostart.enable = lib.mkForce false;
  xdg.icons.enable = lib.mkForce false;
  xdg.mime.enable = lib.mkForce false;
  xdg.sounds.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;

  # boot
  boot = {
    zfs.forceImportAll = lib.mkForce false;
    # loader.grub.enable = true;
    loader.systemd-boot = {
      enable = true;
      editor = false;
      configurationLimit = 8;
    };
    # loader.efi.canTouchEfiVariables = true;
    kernelPackages = pkgs.linuxPackages_hardened;
    kernelModules = [ "tcp_bbr" ];
    kernelParams = [
      "zswap.enabled=0"
      "quiet"
      "scsi_mod.use_blk_mq=1"
      "modeset"
      "nofb"
      "pti=off"
      "spectre_v2=off"
      "kvm.ignore_msrs=1"
      "rd.systemd.show_status=auto"
      "rd.udev.log_priority=3"
    ];
    kernel.sysctl = {
      "kernel.sysrq" = false;
      "net.core.default_qdisc" = "sch_fq_codel";
      "net.ipv4.conf.all.accept_source_route" = false;
      "net.ipv4.icmp_ignore_bogus_error_responses" = true;
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_rfc1337" = true;
      "net.ipv4.tcp_syncookies" = true;
      "net.ipv6.conf.all.accept_source_route" = false;
      # disable ipv6
      "net.ipv6.conf.all.disable_ipv6" = true;
      "net.ipv6.conf.default.disable_ipv6" = true;
    };
    kernel.sysctl = {
      "vm.swappiness" = 1;
    };
    cleanTmpDir = true;
    initrd = {
      availableKernelModules = [ "tg3" ];
      postDeviceCommands = lib.mkAfter ''
        zfs rollback -r rpool/enc/nixos/empty@start
      '';
      # network = {
      #   enable = true;
      #   ssh = {
      #     enable = true;
      #     port = 2222;
      #     # hostKeys = [ /root/ssh_host_key ];
      #     hostKeys = [ /home/alukard/ssh_host_key ];
      #     authorizedKeys = config.users.users.alukard.openssh.authorizedKeys.keys;
      #   };
      #   postCommands = ''
      #     echo "zfs load-key -a; killall zfs" >> /root/.profile
      #   '';
      # };
    };
  };

  # security.polkit.enable = true;
  # system.nssModules = lib.mkForce [ ];

  # services.nscd.enable = false;

  deviceSpecific.devInfo = {
    cpu = {
      vendor = "intel";
      clock = 2300;
      cores = 4;
    };
    drive = {
      type = "sdd";
      speed = 500;
      size = 500;
    };
    gpu = {
      vendor = "other";
    };
    bigScreen = false;
    ram = 12;
  };
  deviceSpecific.enableVirtualisation = true;
  deviceSpecific.wireguard.enable = false;
  deviceSpecific.isServer = true;

  services.zfs.autoScrub.enable = true;
  services.zfs.autoScrub.interval = "daily";

  # hardened
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [];
  networking.firewall.allowedUDPPorts = [];
  systemd.coredump.enable = false;
  programs.firejail.enable = true;
  # scudo memalloc is unstable
  # environment.memoryAllocator.provider = "libc";
  # environment.memoryAllocator.provider = "graphene-hardened";

  networking.wireless.enable = false;
  networking.networkmanager.enable = false;
  networking.hostName = config.device;

  services.timesyncd.enable = false;
  services.openntpd.enable = true;
  networking.timeServers = [
    "0.ru.pool.ntp.org"
    "1.ru.pool.ntp.org"
    "2.ru.pool.ntp.org"
    "3.ru.pool.ntp.org"
    "0.europe.pool.ntp.org"
    "1.europe.pool.ntp.org"
    "2.europe.pool.ntp.org"
    "3.europe.pool.ntp.org"
  ] ++ options.networking.timeServers.default;

  # virtualisation
  virtualisation.oci-containers.backend = lib.mkForce "podman";
  virtualisation.docker.enable = lib.mkForce false;
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    dockerSocket.enable = true;
  };

  fonts.enableDefaultFonts = lib.mkForce false;
  fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];

  home-manager.users.alukard.home.packages = with pkgs; [ bat podman-compose ];

  home-manager.users.alukard.xdg.mime.enable = false;
  home-manager.users.alukard.home.stateVersion = "22.11";
  system.stateVersion = "22.11";
}