initial commit

2025-10-01 13:40:05 -06:00
commit d0fb48d1b0
165 changed files with 10586 additions and 0 deletions
--- a/modules/services/msmtp.nix
+++ b/modules/services/msmtp.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.my.servers;
+in
+{
+  config = lib.mkIf (config.my.secureHost && (cfg.nextcloud.enable or cfg.gitea.enable)) {
+    sops.secrets.smtp-password = { };
+    programs.msmtp = {
+      enable = true;
+      accounts.default = {
+        auth = true;
+        host = "smtp.gmail.com";
+        port = 587;
+        tls = true;
+        from = config.my.smtpemail;
+        user = config.my.smtpemail;
+        passwordeval = "cat ${config.sops.secrets.smtp-password.path}";
+      };
+    };
+  };
+}
--- a/modules/services/network.nix
+++ b/modules/services/network.nix
@@ -0,0 +1,50 @@
+{ config, lib, ... }:
+{
+  options.my.services.network.enable = lib.mkEnableOption "network configuration and services";
+  config = lib.mkIf config.my.services.network.enable {
+    networking = {
+      enableIPv6 = true;
+      firewall.enable = true;
+      dhcpcd.extraConfig = "nohook resolv.conf";
+      networkmanager = {
+        enable = true;
+        dns = "none";
+      };
+      hosts = config.my.ips |> lib.mapAttrs' (hostname: ip: lib.nameValuePair ip [ hostname ]);
+      interfaces."${config.my.interfaces.${config.networking.hostName}}".wakeOnLan.enable = true;
+    };
+    services.dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        ipv6_servers = true;
+        require_dnssec = true;
+        sources.public-resolvers = {
+          urls = [
+            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+          ];
+          cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+        };
+        server_names = [
+          "adfilter-adl"
+          "adfilter-adl-ipv6"
+          "adfilter-per"
+          "adfilter-per-ipv6"
+          "adfilter-syd"
+          "adfilter-syd-ipv6"
+          "mullvad-adblock-doh"
+          "mullvad-doh"
+          "nextdns"
+          "nextdns-ipv6"
+          "quad9-dnscrypt-ip4-filter-pri"
+          "quad9-dnscrypt-ip6-filter-pri"
+          "ibksturm"
+        ];
+      };
+    };
+    systemd.services.dnscrypt-proxy2.serviceConfig = {
+      StateDirectory = "dnscrypt-proxy";
+    };
+  };
+}
--- a/modules/services/nvidia.nix
+++ b/modules/services/nvidia.nix
@@ -0,0 +1,36 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.my.services.nvidia.enable = lib.mkEnableOption "NVIDIA GPU drivers and CUDA";
+  config = lib.mkIf config.my.services.nvidia.enable {
+    environment.variables.CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv";
+    boot.kernelParams = lib.mkIf (config.networking.hostName == "workstation") [ "nvidia-drm.fbdev=1" ];
+    services.xserver.videoDrivers = [ "nvidia" ];
+    hardware = {
+      graphics = {
+        enable = true;
+        enable32Bit = true;
+        extraPackages = builtins.attrValues {
+          inherit (pkgs)
+            nvidia-vaapi-driver
+            vaapiVdpau
+            libvdpau-va-gl
+            vulkan-loader
+            mesa
+            ;
+        };
+      };
+      nvidia = {
+        open = config.networking.hostName == "workstation";
+        package = config.boot.kernelPackages.nvidiaPackages.stable;
+        modesetting.enable = true;
+        powerManagement.enable = true;
+        powerManagement.finegrained = false;
+      };
+    };
+  };
+}
--- a/modules/services/printing.nix
+++ b/modules/services/printing.nix
@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  printingDrivers = [
+    pkgs.hplip
+    pkgs.hplipWithPlugin
+  ];
+in
+{
+  options.my.services.printing.enable = lib.mkEnableOption "printing services and drivers";
+  config = lib.mkIf config.my.services.printing.enable {
+    users.users.jawz.packages = [ pkgs.simple-scan ];
+    services.printing = {
+      enable = true;
+      drivers = printingDrivers;
+    };
+    hardware.sane = {
+      enable = true;
+      extraBackends = printingDrivers;
+    };
+  };
+}
--- a/modules/services/sound.nix
+++ b/modules/services/sound.nix
@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+{
+  imports = [ inputs.nix-gaming.nixosModules.pipewireLowLatency ];
+  options.my.services.sound.enable = lib.mkEnableOption "audio system and PipeWire";
+  config = lib.mkIf config.my.services.sound.enable {
+    services.pulseaudio.enable = false;
+    security.rtkit.enable = true; # make pipewire realtime-capable
+    services.pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      lowLatency = {
+        enable = true;
+        quantum = 64;
+        rate = 48000;
+      };
+    };
+  };
+}
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  port = 51820;
+  interface = config.my.interfaces.${config.networking.hostName};
+in
+{
+  options.my.services.wireguard.enable = lib.mkEnableOption "WireGuard VPN configuration";
+  config = lib.mkIf (config.my.services.wireguard.enable && config.my.secureHost) {
+    sops.secrets."wireguard/private".sopsFile = ../../secrets/wireguard.yaml;
+    networking = {
+      firewall.allowedUDPPorts = [ port ];
+      nat = {
+        enable = true;
+        externalInterface = interface;
+        internalInterfaces = [ "wg0" ];
+      };
+      wireguard.interfaces.wg0 = {
+        ips = [ "10.100.0.1/24" ];
+        listenPort = port;
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ${interface} -j MASQUERADE
+        '';
+        privateKeyFile = config.sops.secrets."wireguard/private".path;
+        peers = [
+          {
+            publicKey = "ciupBjCcIpd3K5vlzNMJC8iiyNqB9xXwkSC6UXPKP3g=";
+            allowedIPs = [ "10.100.0.2/32" ];
+          } # phone
+          {
+            publicKey = "JgeA1ElDwR7oLmyGn8RzvxiscMBhR8+L+mEjY1Cq7gk=";
+            allowedIPs = [ "10.100.0.3/32" ];
+          } # tablet
+          {
+            publicKey = "giPVRUTLtqPGb57R4foGZMNS0tjIp2ry6lMKYtqHjn4=";
+            allowedIPs = [ "10.100.0.15/32" ];
+          } # jeancarlos
+          {
+            publicKey = "92JdW/NExg1tUE4cEyl6Yn+0Eex+iFVA37ahPRhRnRM=";
+            allowedIPs = [ "10.100.0.16/32" ];
+          } # gorilia
+        ];
+      };
+    };
+  };
+}