# NixOS module: workstation packages, desktop/dev tooling, virtualisation
# (podman + libvirtd/QEMU), Steam, and firejail-wrapped network-facing apps.
{ pkgs, lib, ... }:
let
  # Shared firejail arguments for programs that must only talk to the network
  # through the `wg0ns` network namespace (created outside this file) and use
  # the resolver pinned here instead of the host's /etc/resolv.conf.
  # firejail fails to launch the program if the namespace does not exist, so a
  # missing namespace fails closed rather than falling back to the host network
  # (verify on this host).
  vpnNetArgs = [
    "--netns=wg0ns"
    "--dns=1.1.1.1"
  ];

  # Path of a stock profile shipped with the firejail package.
  firejailProfile = name: "${pkgs.firejail}/etc/firejail/${name}";
in
{
  # One flat list; order is irrelevant to NixOS (it is merged into a set).
  environment.systemPackages = with pkgs; [
    bat
    black
    blade-formatter
    cmake
    cifs-utils
    coreutils
    bluetuith
    bluez
    bluez-tools
    cargo
    claude-code
    clevis
    cliphist
    dunst
    eza
    fd
    ffmpeg
    fira-code-symbols
    fish
    freetube
    fuzzel
    fzf
    git
    gh
    ghostty
    gopass
    gopass-jsonapi
    gopls
    hyprpicker
    htmx-lsp
    imagemagick
    inkscape
    pavucontrol
    pciutils
    poppler
    jetbrains.datagrip
    jq
    lazygit
    lf
    libreoffice
    libvirt
    linux-firmware
    lua-language-server
    luarocks
    lutris
    mpv
    nerd-fonts.monaspace
    neovim
    niri
    nixd
    nixfmt-rfc-style
    # OBS with the Wayland capture and PipeWire audio plugins bundled in.
    (wrapOBS {
      plugins = with obs-studio-plugins; [
        wlrobs
        obs-pipewire-audio-capture
      ];
    })
    php
    php84Packages.composer
    php84Packages.php-cs-fixer
    phpactor
    podman-compose
    podman-tui
    prettierd
    playerctl
    qemu_full
    qmk
    resvg
    ripgrep
    rust-analyzer
    sshfs
    starship
    stow
    stylua
    sops
    superhtml
    swayimg
    texlab
    texlive.combined.scheme-full
    tmux
    thunderbird
    tor-browser
    unzip
    virt-manager
    virt-viewer
    vscode-langservers-extracted
    wineWow64Packages.waylandFull
    winetricks
    wl-clipboard
    xdg-user-dirs
    xwayland-satellite
    yazi
    zathura
    zig_0_15
    zls_0_15
    zoxide
  ];

  # Installs the udev rules needed to flash QMK keyboards as a normal user.
  hardware.keyboard.qmk.enable = true;

  programs = {
    fish.enable = true;
    virt-manager.enable = true;
    direnv.enable = true;
    gnupg.agent = {
      enable = true;
      # gpg-agent also serves as the SSH agent (SSH keys live on the GPG keyring).
      enableSSHSupport = true;
    };
    # Lets dynamically linked binaries built outside nixpkgs run unpatched.
    nix-ld.enable = true;
    niri.enable = true;
    dconf.enable = true;

    steam = {
      enable = true;
      # Each of these punches holes in the host firewall; drop the ones not used.
      remotePlay.openFirewall = true;
      dedicatedServer.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
    };

    # Sandboxed launchers. Each entry produces a wrapper that execs
    # /run/wrappers/bin/firejail with the given profile/args around the binary.
    firejail = {
      enable = true;
      wrappedBinaries = {
        # chromium is not in systemPackages; the wrapper alone pulls it in.
        chromium = {
          executable = "${pkgs.chromium}/bin/chromium";
          profile = firejailProfile "chromium.profile";
          extraArgs = [ "--env=GTK_THEME=Adwaita:dark" ] ++ vpnNetArgs;
        };

        mpv = {
          executable = "${lib.getBin pkgs.mpv}/bin/mpv";
          profile = firejailProfile "mpv.profile";
        };

        # No stock profile is applied here (see the commented line), so the
        # flags below are the entire sandbox policy for this program.
        claude = {
          executable = "${pkgs.claude-code}/bin/claude";
          # profile = "${pkgs.firejail}/etc/firejail/nodejs-common.profile";
          extraArgs = vpnNetArgs ++ [
            # Filesystem view: only these paths are visible/writable inside the
            # sandbox. `$${HOME}` is Nix's escape for a literal `${HOME}`, which
            # firejail expands itself; `~/.cargo` is the equivalent tilde form.
            # NOTE(review): `--whitelist=/tmp` shares the host's /tmp with the
            # sandbox; `--private-tmp` would isolate it — confirm something
            # actually needs the shared directory.
            "--whitelist=~/.cargo"
            "--whitelist=$${HOME}/.claude"
            "--whitelist=$${HOME}/.config/claude-code"
            "--whitelist=$${HOME}/dev"
            "--whitelist=$${HOME}/work"
            "--whitelist=/tmp"
            "--read-only=/nix"
            # Privilege / syscall surface: no capabilities, native-arch-only
            # seccomp filter, private IPC namespace, no supplementary groups.
            "--caps.drop=all"
            "--ipc-namespace"
            "--seccomp"
            "--seccomp.block-secondary"
            "--nodvd"
            "--nogroups"
            "--notv"
            "--nou2f"
            # Socket families allowed through socket(2); everything else is denied.
            "--protocol=unix,inet,inet6,netlink"
          ];
        };

        tor-browser = {
          executable = "${pkgs.tor-browser}/bin/tor-browser";
          profile = firejailProfile "tor-browser-en-us.profile";
          extraArgs = vpnNetArgs;
        };

        freetube = {
          executable = "${pkgs.freetube}/bin/freetube";
          profile = firejailProfile "freetube.profile";
          extraArgs = vpnNetArgs;
        };
      };
    };
  };

  virtualisation = {
    containers.enable = true;

    podman = {
      enable = true;
      # Provides a `docker` command/socket alias backed by podman.
      dockerCompat = true;
      # Containers on the default network resolve each other by name.
      defaultNetwork.settings.dns_enabled = true;
    };

    # Installs the privileged helper that lets unprivileged SPICE clients
    # redirect host USB devices into guests.
    spiceUSBRedirection.enable = true;

    libvirtd = {
      enable = true;
      # NOTE(review): `extraConfig` is appended to libvirtd.conf, but `user=`
      # is a qemu.conf setting; it presumably has no effect here. If the intent
      # is to run guests as this login user, it belongs in qemu.verbatimConfig
      # below — weigh that against running VMs with the user's file access.
      extraConfig = ''
        user="user"
      '';
      # Do not autostart guests at boot; cleanly power them off at shutdown.
      onBoot = "ignore";
      onShutdown = "shutdown";
      qemu = {
        package = pkgs.qemu_full;
        # Replaces libvirt's default device ACL. /dev/kvmfr0 (shared-memory
        # framebuffer device) is exposed to guests; the stock default also
        # lists /dev/rtc and /dev/hpet, which are absent here — presumably
        # intentional, confirm.
        verbatimConfig = ''
          cgroup_device_acl = [
            "/dev/null", "/dev/full", "/dev/zero",
            "/dev/random", "/dev/urandom",
            "/dev/ptmx", "/dev/kvm", "/dev/kvmfr0"
          ]
        '';
        # QEMU processes run as the unprivileged libvirt user, not root.
        runAsRoot = false;
      };
    };
  };
}