ndsakjdsalkj

base.nix

@@ -26,6 +26,9 @@
     smartmontools
     testdisk
     usbutils
+  ] ++ lib.optionals (builtins.elem config.nixpkgs.system [ "x86_64-linux" "aarch64_linux"]) [
+    cage
+    weston
   ];
 
   # TODO: selectively whitelist?
@@ -33,7 +36,6 @@
   nixpkgs.config.allowUnfreePredicate = (pkg: true);
   nixpkgs.config.nonfreeLicensing = true; # used by ffmpeg
 
-  # TODO: per host?
   hardware.enableRedistributableFirmware = true;
 
   nix.settings.experimental-features = [
@@ -49,10 +51,8 @@
   nix.gc.automatic = true;
   nix.gc.dates     = "weekly";
   nix.gc.options   = "--delete-older-than 30d";
-  nix.extraOptions = ''
-    min-free = ${toString (1 * 1024 * 1024 * 1024)}
-    max-free = ${toString (5 * 1024 * 1024 * 1024)}
-  '';
+  nix.settings.min-free = 1 * 1024 * 1024 * 1024;
+  nix.settings.max-free = 5 * 1024 * 1024 * 1024;
 
   services.thermald.enable = lib.mkIf (config.nixpkgs.system == "x86_64-linux") true;
 
@@ -67,7 +67,5 @@
     noto-fonts-extra
   ];
 
-  # firewall
-  services.fail2ban.enable = config.services.openssh.enable;
   networking.firewall.enable = true; # default
 }