top @ { inputs, moduleWithSystem, ... }: {
flake.nixosModules = {
# GRUB on EFI with the "sleek" theme. `enable` is only a mkDefault so a host
# can opt into another loader without having to mkForce this module.
grub = moduleWithSystem ({ ... }: { pkgs, ... }:
  let
    sleekTheme = pkgs.sleek-grub-theme.override {
      withBanner = "Hello Ivan";
      withStyle = "bigSur";
    };
  in
  {
    boot.loader.efi.canTouchEfiVariables = true;
    boot.loader.grub = {
      enable = pkgs.lib.mkDefault true;
      # os-prober entries for other installed systems.
      useOSProber = true;
      efiSupport = true;
      # "nodev": EFI install, no MBR target.
      device = "nodev";
      theme = sleekTheme;
      splashImage = "${sleekTheme}/background.png";
    };
  });
# Baseline shared by every host: flakes-enabled nix, locales/timezone, a core
# CLI toolset, zsh as the login shell, nix-ld, logind power handling and the
# StevenBlack hosts blocklist (from inputs.hosts).
base = moduleWithSystem ({ ... }: { pkgs, ... }: {
  imports = [ inputs.hosts.nixosModule ];
  system.stateVersion = top.config.flake.stateVersion;
  nix.extraOptions = ''experimental-features = nix-command flakes'';
  i18n.supportedLocales = [ "all" ];
  time.timeZone = "Europe/Prague";

  environment.systemPackages = with pkgs; [
    cmatrix
    uutils-coreutils-noprefix
    cryptsetup
    fd
    file
    git
    glibc
    gnumake
    mlocate
    openssh
    openssl
    procs
    ripgrep
    srm
    unzip
    vim
    zip
    just
    nixos-install-tools
    tshark
  ];
  environment.sessionVariables.MAKEFLAGS = "-j 4";
  environment.shells = with pkgs; [ bash zsh nushell ];
  environment.enableAllTerminfo = true;

  users.defaultUserShell = pkgs.zsh;
  programs.zsh.enable = true;
  # nix-ld: dynamic-loader shim so unpatched foreign binaries can run.
  programs.nix-ld.enable = true;

  services.dbus.enable = true;
  # Whole user session is killed on logout (no surviving tmux/nohup jobs).
  services.logind.killUserProcesses = true;
  services.logind.powerKeyLongPress = "reboot";

  # Hosts-file blocklist; the three extension lists are opted in on top of
  # the default ad/malware set.
  networking.stevenBlackHosts = {
    enable = true;
    blockFakenews = true;
    blockGambling = true;
    blockSocial = true;
  };
});
# Interactive shell setup: starship prompt, zsh plugins and the alias set.
shell = moduleWithSystem ({ ... }: { pkgs, ... }:
  let
    ezaBin = "${pkgs.eza}/bin/eza";
    fastfetchBin = "${pkgs.fastfetch}/bin/fastfetch";
  in
  {
    programs.starship.enable = true;
    programs.zsh = {
      enableBashCompletion = true;
      syntaxHighlighting.enable = true;
      autosuggestions = {
        enable = true;
        # Suggest from completions only, not from history.
        strategy = [ "completion" ];
      };
      shellAliases = {
        # Calendar of the whole current year.
        cal = "cal $(date +%Y)";
        # One-shot "stage everything, commit as GG, push" — note the fixed message.
        GG = "git add . && git commit -m 'GG' && git push --set-upstream origin HEAD";
        gad = "git add . && git diff --cached";
        gac = "ga && gc";
        ga = "git add .";
        gc = "git commit";
        dev = "nix develop --command $SHELL";
        # ls family is routed through eza with a fixed long-format flag set.
        eza = "${ezaBin} '--long' '--header' '--icons' '--smart-group' '--mounts' '--octal-permissions' '--git'";
        ls = "eza";
        la = "eza --all";
        lt = "eza --git-ignore --all --tree --level=10";
        sc = "systemctl";
        neofetch = "${fastfetchBin} -c all.jsonc";
      };
    };
  });
# PipeWire with ALSA and PulseAudio compatibility, plus a mixer GUI.
sound = moduleWithSystem ({ ... }: { pkgs, ... }: {
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    pulse.enable = true;
  };
  environment.systemPackages = [ pkgs.pwvucontrol ];
});
# Low-latency audio workstation: musnix realtime kernel tuning, JACK via
# PipeWire and guitarix.
music = moduleWithSystem ({ ... }: { pkgs, ... }: {
  imports = [ inputs.musnix.nixosModules.musnix ];
  environment.systemPackages = [ pkgs.guitarix ];
  services.pipewire = {
    jack.enable = true;
    # 64 frames at 48 kHz for JACK clients (about 1.3 ms per period).
    extraConfig.jack."69-low-latency" = {
      "jack.properties"."node.latency" = "64/48000";
    };
  };
  musnix = {
    enable = true;
    rtcqs.enable = true;
    # Host-specific: PCI id of the audio device musnix should prioritise.
    soundcardPciId = "00:1f.3";
    kernel.realtime = true;
    kernel.packages = pkgs.linuxPackages-rt;
  };
});
# Wayland session plumbing: GPU drivers, a PAM service for swaylock and
# xdg-desktop-portal backed by the wlroots implementation.
wayland = moduleWithSystem ({ ... }: { ... }: {
  hardware.graphics.enable = true;
  # swaylock authenticates through PAM; the empty definition gives it the
  # default stack (without it the lock screen cannot verify the password).
  security.pam.services.swaylock = { };
  xdg.portal = {
    enable = true;
    xdgOpenUsePortal = true;
    wlr = {
      enable = true;
      settings = {
        screencast = {
          # Screen sharing is pinned to this output; nothing else is offered.
          output_name = "HDMI-A-1";
          max_fps = 60;
        };
      };
    };
    # "*" lets any installed portal backend serve any interface. If only the
    # wlr backend should handle screencast/file pickers, name it here instead.
    config.common.default = "*";
  };
});
# Privilege-escalation policy: sudo disabled, doas enabled for the wheel group.
security = moduleWithSystem ({ ... }: { ... }: {
  security = {
    sudo = {
      enable = false;
      # NOTE(review): with enable = false the two settings below are inert;
      # they only take effect if sudo is switched back on.
      execWheelOnly = true;
      extraRules = [{ groups = [ "wheel" ]; }];
    };
    doas = {
      enable = true;
      extraRules = [
        {
          groups = [ "wheel" ];
          # NOTE(review): noPass grants every wheel member root with no
          # password prompt, and keepEnv forwards the caller's environment
          # into the root process — together they mean any code running in a
          # wheel user's session can become root silently. `persist` (prompt
          # once, then cache) is the usual middle ground.
          noPass = true;
          keepEnv = true;
        }
      ];
    };
    polkit.enable = true;
    # rtkit hands realtime scheduling to audio threads (see the sound module).
    rtkit.enable = true;
  };
});
# WireGuard client side of the private network: this host is 10.0.0.2 and
# sends all of its traffic through the server defined in wireguard-output.
# (Plain module, not moduleWithSystem, since it needs no pkgs.)
intranet = {
  networking.wg-quick.interfaces = {
    wg0 = {
      address = [ "10.0.0.2/32" ];
      # Key is read from the host at runtime, never from the Nix store.
      privateKeyFile = "/etc/wireguard/privatekey";
      peers = [
        {
          publicKey = "5FiTLnzbgcbgQLlyVyYeESEd+2DtwM1JHCGz/32UcEU=";
          # Full tunnel: both default routes go through wg0 once it is up.
          # NOTE(review): the server side (wireguard-output) gives wg0 no IPv6
          # address, so "::/0" traffic likely has nowhere to go — confirm.
          allowedIPs = [ "0.0.0.0/0" "::/0" ];
          endpoint = "37.205.13.29:51820";
          # Keeps the NAT mapping alive so the server can reach this peer.
          persistentKeepalive = 25;
        }
      ];
    };
  };
  services.openssh = {
    enable = true;
    settings = {
      # root may authenticate with a key only, never with a password.
      PermitRootLogin = "prohibit-password";
    };
  };
};
# wpa_supplicant profiles for the networks this laptop has used.
# NOTE(review): every psk below is a plaintext Wi-Fi password. They end up in
# the generated wpa_supplicant configuration on the host and they are
# committed to this repository. Keep them out of the store by putting them in
# the file referenced by networking.wireless.secretsFile (or the older
# environmentFile) and using placeholders here instead of literals.
wireless = {
  networking = {
    wireless = {
      enable = true;
      networks = {
        "Smart-Hostel-2.4" = {
          psk = "smarttrans.bg";
        };
        "Yohohostel2.4G" = {
          psk = "kaskamaska";
        };
        "Nomado_Guest" = {
          psk = "welcomehome";
        };
        "HostelMusala Uni" = {
          psk = "mhostelm";
        };
        "BOUTIQUE APARTMENTS" = {
          psk = "boutique26";
        };
        "Safestay" = {
          psk = "AlldayrooftopBAR";
        };
        "HOSTEL JASMIN 2" = {
          psk = "Jasmin2024";
        };
        "HOME" = {
          psk = "iloveprague";
        };
        "Vodafone-B925" = {
          psk = "7aGh3FE6pN4p4cu6";
        };
        "O2WIFIZ_EXT" = {
          psk = "iloveprague";
        };
        "KOTEKLAN_GUEST" = {
          psk = "koteklankotek";
        };
        # No psk: an open network with a hidden SSID.
        "3G" = {
          hidden = true;
        };
      };
    };
  };
};
# The workstation account "ivand", managed by home-manager with the modules
# exported from this flake's homeManagerModules.
ivand = moduleWithSystem ({ ... }: { pkgs, ... }:
  let
    hm = top.config.flake.homeManagerModules;
  in
  {
    imports = [ inputs.home-manager.nixosModules.default ];
    home-manager = {
      # Pre-existing dotfiles are renamed *.bak rather than overwritten.
      backupFileExtension = "bak";
      useUserPackages = true;
      useGlobalPkgs = true;
      users.ivand = { ... }: {
        imports = [ hm.base hm.ivand hm.shell hm.util hm.swayland hm.web ];
      };
    };
    fonts.packages = [
      (pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; })
      pkgs.noto-fonts
      pkgs.noto-fonts-emoji
      pkgs.noto-fonts-lgc-plus
    ];
    users.users.ivand = {
      isNormalUser = true;
      createHome = true;
      # NOTE(review): wheel (root via doas), kvm, dialout and adm together give
      # this single login VM, raw serial-device and system-log access.
      extraGroups = [
        "adbusers"
        "adm"
        "audio"
        "bluetooth"
        "dialout"
        "flatpak"
        "kvm"
        "mlocate"
        "realtime"
        "render"
        "video"
        "wheel"
      ];
    };
    # Groups that no package declares, so they must exist before use above.
    users.extraGroups = {
      mlocate = { };
      realtime = { };
    };
    programs.dconf.enable = true;
  });
# Flatpak with the wlr portal backend (same "*" default as the wayland module).
flatpak = {
  xdg.portal = {
    enable = true;
    wlr.enable = true;
    config.common.default = "*";
  };
  services.flatpak.enable = true;
};
# Ollama as a system service.
ai = moduleWithSystem ({ ... }: { ... }: {
  services.ollama.enable = true;
});
# Tor Browser only; no system tor daemon is configured here.
anon = moduleWithSystem ({ ... }: { pkgs, ... }: {
  environment.systemPackages = [ pkgs.tor-browser ];
});
# Monero CLI plus the node daemon as a service.
cryptocurrency = moduleWithSystem ({ ... }: { pkgs, ... }: {
  environment.systemPackages = [ pkgs.monero-cli ];
  services.monero.enable = true;
});
# CPU-only xmrig miner pointed at supportxmr over TLS. It starts at boot on
# every host that imports this module; `user` is the payout wallet address
# (public, not a secret).
monero-miner = moduleWithSystem ({ ... }: { ... }: {
  services = {
    xmrig = {
      enable = true;
      settings = {
        autosave = true;
        cpu = true;
        opencl = false;
        cuda = false;
        pools = [
          {
            url = "pool.supportxmr.com:443";
            user = "48e9t9xvq4M4HBWomz6whiY624YRCPwgJ7LPXngcc8pUHk6hCuR3k6ENpLGDAhPEHWaju8Z4btxkbENpcwaqWcBvLxyh5cn";
            keepalive = true;
            # Pool connection is TLS-wrapped (port 443 above).
            tls = true;
          }
        ];
      };
    };
  };
});
# Hosts that run as a vpsAdminOS container pull in its stock container profile.
vps = moduleWithSystem ({ ... }: { ... }: {
  imports = [ inputs.vpsadminos.nixosConfigurations.container ];
});
# Mail for idimitrov.dev via simple-nixos-mailserver, with Roundcube webmail
# that nginx only exposes to the three WireGuard peers.
mailserver = moduleWithSystem ({ ... }: { config
, pkgs
, ...
}: {
  imports = [
    inputs.simple-nixos-mailserver.nixosModule
  ];
  mailserver = {
    enable = true;
    # The module's bundled resolver is off; presumably the host resolver
    # (see anonymous-dns) serves rspamd's DNSBL lookups — verify on the host.
    localDnsResolver = false;
    fqdn = "mail.idimitrov.dev";
    domains = [ "idimitrov.dev" "mail.idimitrov.dev" ];
    loginAccounts = {
      "ivan@idimitrov.dev" = {
        # NOTE(review): $2b$05$ is bcrypt at cost 5, which is cheap to attack
        # offline and this hash is committed to the repo. Regenerate at a
        # cost of 10 or more.
        hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
        aliases = [ "admin@idimitrov.dev" ];
      };
      "security@idimitrov.dev" = {
        # NOTE(review): byte-identical to ivan@'s hash, i.e. the same
        # password — one leaked credential opens both mailboxes.
        hashedPassword = "$2b$05$rTVIQD98ogXeCBKdk/YufulWHqpMCAlb7SHDPlh5y8Xbukoa/uQLm";
      };
    };
    # Certificate is obtained by nginx/ACME and reused by the mail services.
    certificateScheme = "acme-nginx";
    hierarchySeparator = "/";
  };
  services = {
    # sieve "fileinto" enables server-side filing rules into folders.
    dovecot2.sieve.extensions = [ "fileinto" ];
    roundcube = {
      enable = true;
      package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
      plugins = [
        "persistent_login"
      ];
      hostName = "${config.mailserver.fqdn}";
      # Webmail submits mail over TLS to this same host, authenticating with
      # the logged-in user's own credentials (%u / %p).
      extraConfig = ''
        $config['smtp_host'] = "tls://${config.mailserver.fqdn}";
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";
      '';
    };
    nginx.virtualHosts =
      let
        # Webmail vhost is reachable from the VPN peers only; everyone else
        # gets an nginx 403.
        restrictToVpn = ''
          allow 10.0.0.2/32;
          allow 10.0.0.3/32;
          allow 10.0.0.4/32;
          deny all;
        '';
      in
      {
        "${config.mailserver.fqdn}" = {
          extraConfig = restrictToVpn;
        };
      };
    postgresql.enable = true;
  };
  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "security@idimitrov.dev";
    };
  };
});
# Public web front: the static site (idimitrov.dev and www), Gitea behind a
# reverse proxy (src) and a picture directory (pic), all with ACME certs.
nginx = moduleWithSystem ({ ... }: { pkgs, ... }:
  let
    # Headers added to the static-site hosts. (No HSTS/CSP/X-Frame-Options
    # are set here; forceSSL alone does not add them.)
    securityHeaders = ''
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      add_header X-Content-Type-Options nosniff;
    '';
    staticExtensions = [ "html" "txt" "png" "jpg" "jpeg" ];
    # try_files rule: /foo resolves to /foo, /foo/, /foo.<ext>... then 404.
    serveStatic = exts: ''
      try_files $uri $uri/ ${pkgs.lib.concatMapStringsSep " " (ext: "$uri." + ext) exts} =404;
    '';
    # One definition shared by the apex and www hosts.
    staticSite = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        root = "${pkgs.webshite}";
        extraConfig = serveStatic staticExtensions;
      };
      extraConfig = securityHeaders;
    };
  in
  {
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Replaces the cipher list recommendedTlsSettings installs with an
      # AES-256-only set (no ChaCha20, no AES-128). Affects TLS <= 1.2 only;
      # TLS 1.3 suites are not governed by ssl_ciphers.
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
      virtualHosts = {
        "idimitrov.dev" = staticSite;
        "www.idimitrov.dev" = staticSite;
        "src.idimitrov.dev" = {
          enableACME = true;
          forceSSL = true;
          # Gitea listens on loopback only (HTTP_PORT below).
          locations."/".proxyPass = "http://127.0.0.1:3001";
        };
        "pic.idimitrov.dev" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            root = "/var/pic";
            # autoindex publishes a listing of everything under /var/pic.
            extraConfig = ''
              autoindex on;
              ${serveStatic ["png"]}
            '';
          };
        };
      };
    };

    services.gitea = {
      enable = true;
      appName = "src";
      database.type = "postgres";
      settings = {
        server = {
          DOMAIN = "src.idimitrov.dev";
          ROOT_URL = "https://src.idimitrov.dev/";
          HTTP_PORT = 3001;
        };
        repository.DEFAULT_BRANCH = "master";
        # No self-service sign-up; accounts are created by the admin.
        service.DISABLE_REGISTRATION = true;
      };
    };

    services.postgresql = {
      enable = true;
      # A "root" database role with full privileges, for local admin use.
      ensureUsers = [
        {
          name = "root";
          ensureClauses = {
            superuser = true;
            createrole = true;
            createdb = true;
          };
        }
      ];
    };
  });
# WireGuard server (10.0.0.1) that NATs its three peers out through venet0.
# The peers' allowedIPs here are the addresses the firewall and mailserver
# modules whitelist for SSH and webmail.
wireguard-output = moduleWithSystem ({ ... }: { pkgs, ... }: {
  networking = {
    # NOTE(review): networking.nat with internalInterfaces = [ "wg0" ] already
    # installs a MASQUERADE rule for wg0 traffic; the manual postUp/preDown
    # rules below most likely duplicate it. Harmless, but one of the two is
    # redundant — confirm on the host with `iptables -t nat -S`.
    nat = {
      enable = true;
      enableIPv6 = true;
      externalInterface = "venet0";
      internalInterfaces = [ "wg0" ];
    };
    wg-quick.interfaces = {
      wg0 =
        let
          iptables = "${pkgs.iptables}/bin/iptables";
          ip6tables = "${pkgs.iptables}/bin/ip6tables";
        in
        {
          # IPv4 only: no v6 address is assigned and no peer has a v6 allowedIP,
          # so the ip6tables rules below match nothing until that changes.
          address = [ "10.0.0.1/32" ];
          listenPort = 51820;
          # Key is read from the host at runtime, never from the Nix store.
          privateKeyFile = "/etc/wireguard/privatekey";
          # "-s 10.0.0.1/24" is the whole 10.0.0.0/24, i.e. every peer.
          postUp = ''
            ${iptables} -A FORWARD -i wg0 -j ACCEPT
            ${iptables} -t nat -A POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
            ${ip6tables} -A FORWARD -i wg0 -j ACCEPT
            ${ip6tables} -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
          '';
          preDown = ''
            ${iptables} -D FORWARD -i wg0 -j ACCEPT
            ${iptables} -t nat -D POSTROUTING -s 10.0.0.1/24 -o venet0 -j MASQUERADE
            ${ip6tables} -D FORWARD -i wg0 -j ACCEPT
            ${ip6tables} -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o venet0 -j MASQUERADE
          '';
          # One /32 per peer; a peer cannot claim another peer's address.
          peers = [
            {
              publicKey = "kI93V0dVKSqX8hxMJHK5C0c1hEDPQTgPQDU8TKocVgo=";
              allowedIPs = [ "10.0.0.2/32" ];
            }
            {
              publicKey = "RqTsFxFCcgYsytcDr+jfEoOA5UNxa1ZzGlpx6iuTpXY=";
              allowedIPs = [ "10.0.0.3/32" ];
            }
            {
              publicKey = "1e0mjluqXdLbzv681HlC9B8BfGN8sIXIw3huLyQqwXI=";
              allowedIPs = [ "10.0.0.4/32" ];
            }
          ];
        };
    };
  };
});
# Local dnscrypt-proxy as the only resolver, with Anonymized DNSCrypt so the
# upstream resolver never sees this host's address.
anonymous-dns = moduleWithSystem ({ ... }: { ... }: {
  networking = {
    # Everything resolves through the local proxy.
    nameservers = [ "127.0.0.1" "::1" ];
    # Stop dhcpcd from overwriting resolv.conf with the DHCP-supplied servers.
    dhcpcd.extraConfig = "nohook resolv.conf";
  };
  services = {
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        # No local cache: every lookup goes out through the relay.
        cache = false;
        ipv4_servers = true;
        ipv6_servers = true;
        # DNSCrypt resolvers only; DoH/ODoH are excluded.
        dnscrypt_servers = true;
        doh_servers = false;
        odoh_servers = false;
        # Resolver selection: must validate DNSSEC, claim no logging, no filtering.
        require_dnssec = true;
        require_nolog = true;
        require_nofilter = true;
        anonymized_dns = {
          # All resolvers ("*") are reached through this single relay: the relay
          # sees this host but not the query's target resolver's answer, the
          # resolver sees the query but not this host. A single fixed relay is
          # a single point of failure and of correlation — consider listing more.
          routes = [
            {
              server_name = "*";
              via = [ "sdns://gQ8yMTcuMTM4LjIyMC4yNDM" ];
            }
          ];
        };
        # Signed public resolver list; minisign_key verifies the download.
        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "/var/lib/dnscrypt-proxy/public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
      };
    };
  };
});
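# VPS host firewall: mail and web in, WireGuard in, SSH only from the VPN peers.
firewall = moduleWithSystem ({ ... }: { lib, ... }: {
  # NOTE(review): mkForce on the whole set overrides every attribute listed
  # here, so allowedTCPPorts contributed by other modules (for example the
  # mailserver's IMAP/submission ports) are replaced rather than merged —
  # confirm that is intended.
  networking.firewall = lib.mkForce {
    enable = true;
    allowedTCPPorts = [
      25 # smtp
      465 # smtps
      80 # http
      443 # https
    ];
    # WireGuard is the only UDP listener in this flake. UDP 25/465/80/443 used
    # to be opened too, but nothing binds them (nginx has no HTTP/3), so they
    # only widened the exposed surface.
    allowedUDPPorts = [
      51820 # wireguard
    ];
    # Port 22 is deliberately absent from allowedTCPPorts: the `vpn` chain
    # admits SSH from the three WireGuard peers and drops everyone else.
    # These are iptables (IPv4) rules only; ip6tables is not touched.
    extraCommands = ''
      iptables -N vpn # create a new chain named vpn
      iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
      iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
      iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
      iptables -A vpn -j DROP # drop everyone else
      iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
    '';
    # Undo the above on stop/reload so the chain can be recreated cleanly.
    extraStopCommands = ''
      iptables -F vpn
      iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
      iptables -X vpn
    '';
  };
});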
# Leftover per-host bits for the VPS: NAS mount, the ivand account with its
# SSH key, sshd, and a daily timer that fetches the Bing image of the day.
rest = moduleWithSystem ({ ... }: { pkgs, ... }: {
  fileSystems."/mnt/export1981" = {
    device = "172.16.128.47:/nas/5490";
    fsType = "nfs";
    # nofail: boot proceeds even when the NAS is unreachable.
    options = [ "nofail" ];
  };
  users = {
    # Merges with the `ivand` module's definition if both are imported.
    users.ivand = {
      isNormalUser = true;
      # NOTE(review): $2b$05$ is bcrypt at cost 5 — a very low work factor for
      # a hash that is committed to this repo. Regenerate with mkpasswd at a
      # higher cost (or a yescrypt hash).
      hashedPassword = "$2b$05$hPrPcewxj4qjLCRQpKBAu.FKvKZdIVlnyn4uYsWE8lc21Jhvc9jWG";
      extraGroups = [ "wheel" "adm" "mlocate" ];
      openssh.authorizedKeys.keys = [
        ''
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcLkzuCoBEg+wq/H+hkrv6pLJ8J5BejaNJVNnymlnlo ivan@idimitrov.dev
        ''
      ];
    };
    extraGroups = { mlocate = { }; };
  };
  services = {
    openssh = {
      enable = true;
      settings = {
        # root may authenticate with a key only, never with a password.
        PermitRootLogin = "prohibit-password";
      };
    };
  };
  systemd = {
    timers = {
      # Fires daily at 10:00; Persistent catches up a run missed while down.
      bingwp = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnCalendar = "*-*-* 10:00:00";
          Persistent = true;
        };
      };
    };
    services = {
      # NOTE(review): no User/DynamicUser is set, so this runs as root. It
      # fetches a URL taken from Bing's JSON response and writes it into
      # /var/pic, which the nginx module serves publicly with autoindex. A
      # dedicated user that owns /var/pic would confine a bad download to
      # that directory.
      bingwp = {
        description = "Download bing image of the day";
        # Step 1 saves today's image as /var/pic/YYYY-MM-DD.png; step 2
        # repoints latest.png at the lexicographically last regular file,
        # which with date-named files is the newest one.
        script = ''
          ${pkgs.nushell}/bin/nu -c "http get ('https://bing.com' + ((http get https://www.bing.com/HPImageArchive.aspx?format=js&n=1).images.0.url)) | save ('/var/pic' | path join ( [ (date now | format date '%Y-%m-%d'), '.png' ] | str join ))"
          ${pkgs.nushell}/bin/nu -c "${pkgs.toybox}/bin/ln -sf (ls /var/pic | where type == file | get name | sort | last) /var/pic/latest.png"
        '';
      };
    };
  };
});
};
}