First commit

2026-02-22 17:28:02 +01:00
parent 7a70268785
commit 6bacf1878e
9011 changed files with 114470 additions and 0 deletions
@@ -0,0 +1,81 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # Adjust this path if your module lives elsewhere in the repo
+  flatpakConfPath = ../../../files/conf/apps/flatpak.conf;
+
+  # Parse flatpak.conf: ignore empty lines and comments
+  flatpakApps =
+    let
+      lines = lib.splitString "\n" (builtins.readFile flatpakConfPath);
+      cleaned = map (l: lib.strings.trim l) lines;
+    in
+      builtins.filter (l: l != "" && !(lib.hasPrefix "#" l)) cleaned;
+
+  # Shell script that:
+  # - adds Flathub if missing
+  # - installs missing apps
+  # - (optional) removes apps not in the list
+  syncFlatpaks = pkgs.writeShellScript "sync-flatpaks" ''
+    set -euo pipefail
+
+    # Ensure Flathub remote exists (system-wide)
+    if ! flatpak remotes --system --columns=name | grep -qx flathub; then
+      flatpak remote-add --system --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
+    fi
+
+    desired_apps=(
+      ${lib.concatStringsSep "\n" (map (a: ''"${a}"'') flatpakApps)}
+    )
+
+    # Install desired apps if missing
+    for app in "''${desired_apps[@]}"; do
+      if ! flatpak info --system "$app" >/dev/null 2>&1; then
+        flatpak install --system -y --noninteractive flathub "$app"
+      fi
+    done
+
+    # OPTIONAL: remove system apps not listed (uncomment to enforce strictly)
+    # installed="$(flatpak list --system --app --columns=application | sed '/^$/d')"
+    # for app in $installed; do
+    #   keep=0
+    #   for want in "''${desired_apps[@]}"; do
+    #     if [ "$app" = "$want" ]; then keep=1; break; fi
+    #   done
+    #   if [ "$keep" -eq 0 ]; then
+    #     flatpak uninstall --system -y --noninteractive "$app" || true
+    #   fi
+    # done
+  '';
+in
+{
+  # Native NixOS Flatpak support
+  services.flatpak.enable = true; # enables Flatpak on NixOS :contentReference[oaicite:1]{index=1}
+
+  # Strongly recommended for Flatpak desktop integration
+  # (Adjust portals to your DE/WM if you want, this is a safe default.)
+  xdg.portal = {
+    enable = true;
+    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+  };
+
+  # Ensure the config file is present on the system (optional but convenient)
+  environment.etc."flatpak/flatpak.conf".source = flatpakConfPath;
+
+  # Run sync after boot and after rebuilds, once networking is up
+  systemd.services.flatpak-sync = {
+    description = "Install Flatpak apps listed in flatpak.conf";
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = syncFlatpaks;
+    };
+
+    # Re-run when the config changes (best-effort)
+    restartTriggers = [ flatpakConfPath ];
+    path = [ pkgs.flatpak pkgs.coreutils pkgs.gnugrep pkgs.gnused ];
+  };
+}
@@ -0,0 +1,41 @@
+{ lib, pkgs, ... }:
+
+let
+  # Adjust this path if you place apps.nix elsewhere in the repo.
+  # Best practice: keep it relative to the flake repo so flakes can read it.
+  packagesConfPath = ../../../files/conf/apps/packages.conf;
+
+  raw = builtins.readFile packagesConfPath;
+
+  # Split into lines, trim whitespace, drop empty lines and comment lines.
+  lines =
+    let
+      all = lib.splitString "\n" raw;
+      trimmed = map lib.strings.trim all;
+    in
+      builtins.filter (l: l != "" && !(lib.hasPrefix "#" l)) trimmed;
+
+  # Resolve a name like:
+  #   "wget" -> pkgs.wget
+  #   "kdePackages.okular" -> pkgs.kdePackages.okular
+  #   "_1password-gui" -> pkgs."_1password-gui"
+  resolvePkg = name:
+    let
+      parts = lib.splitString "." name;
+      found = lib.attrByPath parts null pkgs;
+    in
+      if found == null then
+        throw ''
+          apps.nix: Package "${name}" from ${toString packagesConfPath} not found in pkgs.
+          Only packages available on https://search.nixos.org/packages can be installed.
+          Fix the name (or attribute path) and rebuild.
+        ''
+      else
+        found;
+
+  packages = map resolvePkg lines;
+
+in
+{
+  environment.systemPackages = packages;
+}
@@ -0,0 +1,56 @@
+# ~/nixos/modules/nixos/base.nix
+#
+# Shared baseline for ALL hosts.
+# Keep this predictable: explicit imports (no auto-import).
+# Host-specific exceptions belong in hosts/<host>/*.nix
+#
+{ config, pkgs, lib, ... }:
+
+let
+  moduleName = "nixos-base";
+in
+{
+  imports = [
+    # Core system baseline
+    ./core/nix.nix
+    ./core/locale.nix
+    ./core/users.nix
+    ./core/security.nix
+    ./core/fonts.nix
+
+    # Networking baseline
+    ./networking/networkmanager.nix
+    ./networking/firewall.nix
+
+    # Desktop baseline (Wayland/Hyprland)
+    ./desktop/audio.nix
+    ./desktop/portals.nix
+    ./desktop/wm-hyprland.nix
+    ./desktop/greeter.nix
+
+    # Apps baseline
+    ./apps/flatpak.nix
+    ./apps/packages.nix
+
+    # Services baseline
+    ./services/sshd.nix
+    ./services/printing.nix
+    #./services/syncthing.nix
+  ];
+
+    desktop.greeter.enable = true;
+    #make sure existing files can be overwritten
+    home-manager.backupFileExtension = "hm-bak";
+
+    environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
+
+
+
+
+
+
+
+
+
+
@@ -0,0 +1,33 @@
+# Baseline fonts for the system (NixOS 25.05+ / 26.05 compatible)
+#
+# Note:
+# - `noto-fonts-cjk` was deprecated/split into:
+#   - noto-fonts-cjk-sans
+#   - noto-fonts-cjk-serif
+
+{ config, lib, pkgs, ... }:
+
+let
+  moduleName = "nixos-fonts";
+
+  has = name: builtins.hasAttr name pkgs;
+in
+{
+  fonts = {
+    # Keep your existing setup idea: install baseline font packages system-wide
+    packages =
+      (with pkgs; [
+        noto-fonts
+        noto-fonts-color-emoji
+      ])
+      # CJK split (new)
+      ++ lib.optionals (has "noto-fonts-cjk-sans") [ pkgs.noto-fonts-cjk-sans ]
+      ++ lib.optionals (has "noto-fonts-cjk-serif") [ pkgs.noto-fonts-cjk-serif ];
+
+    # Optional: common baseline toggle (leave as-is if you already set it elsewhere)
+    # enableDefaultPackages = lib.mkDefault true;
+  };
+
+  # Breadcrumb for debugging
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+let
+  moduleName = "nixos-locale";
+in
+{
+  time.timeZone = "Europe/Amsterdam";
+  i18n.defaultLocale = "en_US.UTF-8";
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,54 @@
+# ~/nixos/modules/nixos/core/nix.nix
+#
+# Purpose:
+# - Shared baseline Nix configuration for ALL hosts
+# - Flakes enabled
+# - Reasonable garbage collection defaults
+# - Allow unfree packages (needed for Brave/Vivaldi/Opera etc.)
+
+{ config, lib, pkgs, ... }:
+
+let
+  moduleName = "nixos-core-nix";
+in
+{
+  # Required for Brave/Vivaldi/Opera and other proprietary software.
+  nixpkgs.config.allowUnfree = true;
+
+  nix = {
+    # Enable flakes + nix-command everywhere (baseline)
+    settings.experimental-features = [ "nix-command" "flakes" ];
+
+    # Why:
+    # - Keeps the store from growing forever
+    # - Still allows rollbacks for a while
+    settings.auto-optimise-store = true;
+
+    # Reasonable default: allow Nix to use all CPU cores
+    settings.max-jobs = lib.mkDefault "auto";
+  };
+
+  # Automatic cleanup of old generations and store garbage
+  #
+  # Why:
+  # - On multi-machine setups, store growth is one of the main annoyances.
+  # - This is safe and keeps machines tidy.
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 14d";
+  };
+
+  # Keep a limited number of boot entries / system generations
+  #
+  # Why:
+  # - Still safe for rollbacks
+  # - Prevents /boot from filling up on some setups
+  boot.loader.systemd-boot.configurationLimit = lib.mkDefault 10;
+
+  nix.settings.download-buffer-size = 67108864;
+
+
+  # Optional: breadcrumb for debugging module load order
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,39 @@
+# ~/nixos/modules/nixos/core/security.nix
+#
+# Purpose:
+# - Security primitives that are shared across all hosts:
+#   - polkit (desktop authorization framework)
+#   - sudo baseline (privilege escalation)
+#
+# Keep this file conservative: it should not introduce host-specific behavior.
+
+{ config, lib, pkgs, ... }:
+
+{
+  # Polkit is commonly needed on desktop systems (including Wayland compositors)
+  # for privileged actions (network, power, mounting, etc.).
+  security.polkit.enable = true;
+
+  # Sudo baseline.
+  security.sudo = {
+    enable = true;
+
+    # Hardening: only wheel members can *execute* sudo at all.
+    # This reduces exposure if a non-wheel user exists.
+    execWheelOnly = true;
+
+    # Keep password requirement (safer baseline).
+    # If you want passwordless sudo for wheel, override elsewhere.
+    wheelNeedsPassword = true;
+
+    # Optional: sane defaults; adjust as you like.
+    extraConfig = ''
+      Defaults timestamp_timeout=5
+      Defaults pwfeedback
+    '';
+  };
+
+  # If you want to fully manage users declaratively (stronger security posture),
+  # you can enable this — but it can surprise you if you expect to use `passwd`.
+  # users.mutableUsers = false;
+}
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+
+let
+  username = "henrov";
+  initialpwd= "Welkom01!";
+  moduleName = "nixos-users";
+in
+{
+  users.users.${username} = {
+    #initialPassword = initialpwd;
+    isNormalUser = true;
+
+    # Add your user to groups needed for admin + network + typical desktop input/video access
+    extraGroups = [
+      "wheel"
+      "networkmanager"
+      "video"
+      "input"
+      "audio"
+    ];
+
+    # If you want zsh explicitly per-user (instead of defaultUserShell):
+    # shell = pkgs.zsh;
+  };
+
+  # If you want a simple "proof this module was applied" marker at the *system* level:
+  # (This creates /etc/nixos-users.loaded)
+  environment.etc."nixos-users.loaded".text = "loaded\n";
+}
@@ -0,0 +1,60 @@
+# ~/nixos/modules/nixos/desktop/audio.nix
+#
+# Baseline audio stack:
+# - PipeWire as the audio server
+# - PulseAudio compatibility via pipewire-pulse
+# - ALSA compatibility (+ 32-bit ALSA for games/legacy)
+# - WirePlumber session manager
+# - RTKit for better realtime scheduling (often reduces crackling under load)
+#
+# IMPORTANT (NixOS option churn):
+# - On some nixpkgs revisions the old `hardware.pulseaudio` option was renamed to
+#   `services.pulseaudio`. We set the *services* one explicitly.
+# - Avoid `lib.mkForce` on pulseaudio enable/disable here because certain revisions
+#   have had type/override weirdness; use plain booleans instead.
+
+{ config, lib, pkgs, ... }:
+
+let
+  moduleName = "nixos-audio";
+in
+{
+  # ---- Disable the standalone PulseAudio daemon ----
+  #
+  # We want PipeWire to provide PulseAudio compatibility (pipewire-pulse),
+  # not a separate pulseaudio service.
+  services.pulseaudio.enable = false;
+
+  # ---- PipeWire ----
+  services.pipewire = {
+    enable = true;
+
+    # PulseAudio compatibility server (pipewire-pulse)
+    pulse.enable = true;
+
+    # ALSA compatibility (+ 32-bit for Steam/older apps)
+    alsa = {
+      enable = true;
+      support32Bit = true;
+    };
+
+    # Recommended policy/session manager
+    wireplumber.enable = true;
+
+    # Optional JACK compatibility (leave off unless you need it)
+    jack.enable = false;
+  };
+
+  # Realtime scheduling broker commonly used by PipeWire
+  security.rtkit.enable = true;
+
+  # Useful tooling
+  environment.systemPackages = with pkgs; [
+    pavucontrol
+    helvum
+    alsa-utils
+  ];
+
+  # Breadcrumb for debugging module load order
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.desktop.greeter;
+in
+{
+  options.desktop.greeter = {
+    enable = lib.mkEnableOption "greetd + tuigreet greeter (starts Hyprland)";
+
+    greeterConfSource = lib.mkOption {
+      type = lib.types.path;
+      default = ../../../files/conf/greeter/greeter.conf;
+      description = "Path to greeter.conf in your repo; will be installed to /etc/xdg/greeter/greeter.conf";
+    };
+
+    vt = lib.mkOption {
+      type = lib.types.int;
+      default = 1;
+      description = "Virtual terminal (VT) greetd runs on (typically 1).";
+    };
+
+    extraArgs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ "--time" "--remember" "--remember-session" "--asterisks" ];
+      description = "Extra command-line arguments passed to tuigreet.";
+    };
+
+    useDbusRunSession = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Wrap Hyprland with dbus-run-session (often helps session env).";
+    };
+
+    installGreeterPackages = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Add tuigreet (and optional qtgreet) to systemPackages.";
+    };
+
+    enableTty1Fix = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Ensure greetd owns tty1 (avoids boot console overriding greetd).";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # greetd + tuigreet configuration
+    services.greetd = {
+      enable = true;
+      settings = {
+        terminal.vt = cfg.vt;
+
+        default_session = {
+          # greetd service runs the greeter as this user
+          user = "greetd";
+
+          # Build: tuigreet ... --cmd <Hyprland>
+          command =
+            let
+              hyprCmd =
+                if cfg.useDbusRunSession
+                then "${pkgs.dbus}/bin/dbus-run-session ${pkgs.hyprland}/bin/Hyprland"
+                else "${pkgs.hyprland}/bin/Hyprland";
+
+              tuigreetArgs = lib.concatStringsSep " " cfg.extraArgs;
+            in
+              "${pkgs.tuigreet}/bin/tuigreet ${tuigreetArgs} --cmd ${hyprCmd}";
+        };
+      };
+    };
+
+    # Install your custom greeter config into /etc/xdg/greeter/greeter.conf
+    environment.etc."xdg/greeter/greeter.conf".source = cfg.greeterConfSource;
+
+    # Supporting bits (Wayland sessions almost always want these)
+    services.dbus.enable = lib.mkDefault true;
+    security.polkit.enable = lib.mkDefault true;
+
+    # Optional: keep greeter tools available system-wide
+    environment.systemPackages = lib.mkIf cfg.installGreeterPackages (with pkgs; [
+      tuigreet
+      qtgreet
+    ]);
+
+    # Fix "Graphical System started" but no greeter: ensure tty1 isn’t stolen by console/getty
+    boot.kernelParams = lib.mkIf cfg.enableTty1Fix [ "console=tty1" ];
+    systemd.services."getty@tty1".enable = lib.mkIf cfg.enableTty1Fix false;
+    systemd.services."autovt@tty1".enable = lib.mkIf cfg.enableTty1Fix false;
+  };
+}
@@ -0,0 +1,67 @@
+# Atomic responsibility:
+# - System-wide XDG basics
+# - System-wide xdg-desktop-portal + chosen backends
+# - A sane portals.conf selection (prevents “wrong backend” surprises)
+#
+# Notes:
+# - Keep ALL portal-related config here (do not also configure xdg.portal in wm-hyprland.nix).
+# - xdg.portal.config.common sets defaults via portals.conf(5) and is supported by NixOS. :contentReference[oaicite:0]{index=0}
+# - If you enable xdg.portal.wlr.enable elsewhere, it auto-adds xdg-desktop-portal-wlr to extraPortals. :contentReference[oaicite:1]{index=1}
+#   (We do NOT do that here because Hyprland typically uses xdg-desktop-portal-hyprland instead.)
+# - xdg-desktop-portal-gtk is commonly needed for OpenURI/FileChooser support. :contentReference[oaicite:2]{index=2}
+
+{ config, lib, pkgs, ... }:
+{
+  ##########################################################################
+  # XDG basics (system)
+  ##########################################################################
+  xdg = {
+    menus.enable = true;
+    mime.enable  = true;
+  };
+
+  ##########################################################################
+  # Portals (system)
+  ##########################################################################
+  xdg.portal = {
+    enable = true;
+
+    # Prefer Hyprland portal for compositor-integrated features (screensharing, etc),
+    # and GTK for things like OpenURI/FileChooser compatibility.
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-hyprland
+      xdg-desktop-portal-gtk
+    ];
+
+    # Explicit portal routing via portals.conf (prevents “random backend chosen” issues).
+    # This writes /etc/xdg/xdg-desktop-portal/portals.conf. :contentReference[oaicite:3]{index=3}
+    config.common = {
+      # Default backend order for interfaces where multiple backends exist.
+      default = [ "hyprland" "gtk" ];
+
+      # (Optional, but often helpful) Ensure GTK handles common UX portals reliably.
+      "org.freedesktop.impl.portal.FileChooser" = [ "gtk" ];
+      "org.freedesktop.impl.portal.OpenURI"     = [ "gtk" ];
+    };
+  };
+
+  ##########################################################################
+  # Environment defaults (system)
+  ##########################################################################
+  environment.sessionVariables = {
+    # Encourage GTK apps to use portals for file picker / open-uri on Wayland.
+    GTK_USE_PORTAL = "1";
+
+    # Desktop identity hints used by some apps / portal logic.
+    # (Set once here; don’t duplicate in HM and NixOS.)
+    XDG_CURRENT_DESKTOP = "Hyprland";
+    XDG_SESSION_DESKTOP = "Hyprland";
+  };
+
+  ##########################################################################
+  # Optional: small, non-invasive tooling for troubleshooting
+  ##########################################################################
+  environment.systemPackages = with pkgs; lib.mkAfter [
+    xdg-utils
+  ];
+}
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+
+let
+  repoHyprDir = ../../../files/conf/hypr;
+in
+{
+  programs.hyprland.enable = true;
+
+  services.dbus.enable = lib.mkDefault true;
+  security.polkit.enable = lib.mkDefault true;
+
+  # Publish to XDG config dir so Hyprland finds it
+  environment.etc."xdg/hypr".source = repoHyprDir;
+
+  # Optional breadcrumb
+  environment.etc."nixlog/loaded.nixos-desktop-wm-hyprland".text = "loaded\n";
+}
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+let
+  moduleName = "nixos-firewall";
+
+  # Why:
+  # - You had LAN-specific allow rules. Keeping the CIDR as a single variable
+  #   makes it easy to override per-host or per-network later.
+  #
+  # If your LAN changes, override this value in hosts/<host>/networking.nix.
+  homeLanCidr = "192.168.2.0/24";
+in
+{
+  # Why:
+  # - Use nftables backend (modern default direction).
+  # - Matches your existing config and plays nicely with custom rules.
+  networking.nftables.enable = true;
+
+  networking.firewall = {
+    enable = true;
+
+    # Why:
+    # - Strong baseline: nothing inbound is open unless explicitly allowed.
+    # - You then selectively allow what you need (SSH ports live in sshd.nix).
+    allowedTCPPorts = [ ];
+    allowedUDPPorts = [ ];
+
+    # Why:
+    # - These are “quality of life” LAN services you had already:
+    #   - KDE Connect: TCP/UDP 1714-1764
+    #   - mDNS: UDP 5353 (printer discovery / Avahi-style discovery)
+    #
+    # Notes:
+    # - These rules ONLY allow traffic originating from homeLanCidr.
+    # - On other networks they effectively do nothing.
+    # - If you don’t use KDE Connect or mDNS, delete these blocks.
+    extraInputRules = ''
+      # KDE Connect (TCP/UDP 1714-1764) from home LAN
+      ip saddr ${homeLanCidr} tcp dport 1714-1764 accept
+      ip saddr ${homeLanCidr} udp dport 1714-1764 accept
+
+      # mDNS / discovery (UDP 5353) from home LAN
+      ip saddr ${homeLanCidr} udp dport 5353 accept
+    '';
+
+    # Optional baseline knobs (kept conservative):
+    #
+    # Why:
+    # - Logging refused packets can be noisy on laptops that roam networks.
+    # - Leave disabled by default; enable temporarily for debugging.
+    logRefusedConnections = lib.mkDefault false;
+  };
+
+  # Optional: leave a breadcrumb in /etc for debugging module load order
+  # (handy while refactoring; remove once stable).
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+
+{
+  # Keep NetworkManager off (avoids nm-applet + keyring + agent ecosystem)
+  networking.networkmanager.enable = false;
+
+  # iwd provides Wi-Fi auth/roaming; configurable via networking.wireless.iwd.settings
+  networking.wireless.iwd = {
+    enable = true;
+
+    # Optional but useful defaults
+    settings = {
+      Settings = {
+        AutoConnect = true;
+      };
+      Network = {
+        EnableIPv6 = true;
+      };
+    };
+  };
+
+  # GUI (with tray indicator via `iwgtk -i`)
+  environment.systemPackages = with pkgs; [
+    iwd
+    iwgtk
+  ];
+
+  # Allow non-root Wi-Fi control (common pattern for iwd tooling)
+  users.users.henrov.extraGroups = [ "netdev" ];
+
+  # Ensure you still get IP addresses (default on NixOS is usually OK,
+  # but this makes it explicit)
+  networking.useDHCP = lib.mkDefault true;
+}
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let
+  moduleName = "nixos-printers";
+in
+{
+  # ---- Printing (CUPS) ----
+  services.printing = {
+    enable = true;
+    # Good general compatibility. Many modern printers work driverless (IPP Everywhere),
+    # but these help with older models and various formats.
+    drivers = with pkgs; [
+      cups-filters
+      gutenprint
+    ];
+  };
+
+  # ---- Network printer discovery (mDNS / DNS-SD) ----
+  services.avahi = {
+    enable = true;
+    # Resolve .local names + discover services on IPv4
+    nssmdns4 = true;
+    # You're controlling firewall rules in firewall.nix
+    openFirewall = false;
+  };
+
+  # ---- Optional GUI tool to add/manage printers ----
+  environment.systemPackages = with pkgs; [
+    system-config-printer
+  ];
+
+  # allow admin actions in printer GUI (usually already present on desktop systems)
+  security.polkit.enable = true;
+  environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
+}
@@ -0,0 +1,18 @@
+# SSH client only (no server).
+# - Installs OpenSSH client tools (ssh, scp, sftp, ssh-keygen, etc.)
+# - Enables ssh-agent for user sessions
+
+{ config, lib, pkgs, ... }:
+
+{
+  # Install the OpenSSH client tools
+  environment.systemPackages = with pkgs; [
+    #openssh
+  ];
+
+  # Start ssh-agent automatically for users (handy baseline)
+  programs.ssh.startAgent = true;
+
+  # Explicitly ensure the SSH server is NOT enabled
+  services.openssh.enable = false;
+}