vmix.nix/lib/images/windows/templates/registry/default.nix

# Offline registry customization templates.
# Each file returns raw registry entries (no header).
# Templates are composed into bundles via mkReg which adds the .reg header.
{ ... }:
let
  regHeader = "Windows Registry Editor Version 5.00";
  mkReg = entries: ''
    ${regHeader}
    ${entries}
  '';

  rdpEntries = import ./rdp.nix;
  telemetryEntries = import ./telemetry.nix;
  errorReportingEntries = import ./error-reporting.nix;
  defenderEntries = import ./defender.nix;
  updatesEntries = import ./updates.nix;
  smartScreenEntries = import ./smart-screen.nix;
  hibernationEntries = import ./hibernation.nix;
  systemRestoreEntries = import ./system-restore.nix;
  networkEntries = import ./insecure-samba.nix;
  privacyEntries = import ./privacy.nix;
  aiEntries = import ./ai.nix;
  consumerEntries = import ./consumer.nix;
  performanceEntries = import ./performance.nix;
  disableUcpdEntries = import ./disable-ucpd.nix;

in rec {
  # === Individual templates ===
  disableTelemetry = { name = "no-telemetry"; windowsRegistry = mkReg telemetryEntries; };
  disableErrorReporting = { name = "no-wer"; windowsRegistry = mkReg errorReportingEntries; };
  disableDefender = { name = "no-defender"; windowsRegistry = mkReg defenderEntries; };
  disableUpdates = { name = "no-updates"; windowsRegistry = mkReg updatesEntries; };
  disableSmartScreen = { name = "no-smartscreen"; windowsRegistry = mkReg smartScreenEntries; };
  disableHibernation = { name = "no-hibernate"; windowsRegistry = mkReg hibernationEntries; };
  disableSystemRestore = { name = "no-restore"; windowsRegistry = mkReg systemRestoreEntries; };
  networkTweaks = { name = "network"; windowsRegistry = mkReg networkEntries; };
  disablePrivacyTracking = { name = "no-tracking"; windowsRegistry = mkReg privacyEntries; };
  disableAI = { name = "no-ai"; windowsRegistry = mkReg aiEntries; };
  disableConsumerFeatures = { name = "no-consumer"; windowsRegistry = mkReg consumerEntries; };
  performanceTweaks = { name = "performance"; windowsRegistry = mkReg performanceEntries; };
  disableUCPD = { name = "no-ucpd"; windowsRegistry = mkReg disableUcpdEntries; };

  # === Convenience bundles ==

  # Hardened: comprehensive debloat for lab VMs
  hardened = {
    name = "hardened";
    windowsRegistry = mkReg (
      telemetryEntries
      + errorReportingEntries
      + defenderEntries
      + updatesEntries
      + smartScreenEntries
      + hibernationEntries
      + systemRestoreEntries
      + networkEntries
      + privacyEntries
      + aiEntries
      + consumerEntries
      + performanceEntries
    );
  };
}