nixos_flake_config/nixy/configuration.nix

{
  config,
  nix-xilinx,
  nvim,
  pkgs,
  system,
  zremap,
  ...
}:
{
  imports = [ ];

  system.stateVersion = "23.05";
  system.autoUpgrade.enable = false;
  system.switch = {
    enable = false;
    enableNg = true;
  };

  sops = {
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      "peerix/private" = {
        sopsFile = ./secrets/peerix.yaml;
        mode = "0400";
        owner = config.users.users.nobody.name;
        group = config.users.users.nobody.group;
      };

      "wg_privkey" = {
        sopsFile = ./secrets/wg_privkey.yaml;
      };

      "wg_preshared/nixy" = {
        sopsFile = ../common/secrets/wg_preshared.yaml;
      };

      "wg_privkey_proton" = {
        sopsFile = ./secrets/wg_privkey_proton.yaml;
      };

      "wg_endpoint_proton" = {
        sopsFile = ./secrets/wg_privkey_proton.yaml;
      };

      "borgbase_enc_key" = {
        sopsFile = ./secrets/borgbase_enc_key.yaml;
        owner = config.users.users.akill.name;
      };

      "borgbase_ssh_key" = {
        sopsFile = ./secrets/borgbase_ssh_key.yaml;
        owner = config.users.users.akill.name;
      };
    };
  };

  nix = {
    optimise.automatic = true;
    gc.automatic = true;
    gc.options = "--delete-older-than 7d";
    package = pkgs.nixVersions.latest;
    settings = {
      sandbox = true;
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
  };

  boot = {
    extraModulePackages = with config.boot.kernelPackages; [
      usbip
      v4l2loopback
    ];
    initrd.compressor = "zstd";
    initrd.kernelModules = [ ];
    initrd.systemd.enable = true;
    binfmt.emulatedSystems = [
      "wasm32-wasi"
      "x86_64-windows"
    ];
    kernelParams = [
      "psmouse.synaptics_intertouch=0"
      "mem_sleep_default=deep"
    ];
    kernel.sysctl = {
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";
    };
    loader.efi.canTouchEfiVariables = true;
    loader.systemd-boot = {
      editor = false;
      enable = true;
      memtest86.enable = true;
    };
    readOnlyNixStore = true;
    supportedFilesystems = [
      "f2fs"
      "xfs"
    ];
    tmp.useTmpfs = true;
  };

  security = {
    rtkit.enable = true;
    allowSimultaneousMultithreading = true;
    sudo.enable = true;
    doas.enable = true;
    doas.extraRules = [
      {
        users = [ "akill" ];
        keepEnv = true;
        persist = true;
      }
    ];
  };

  powerManagement = {
    enable = true;
  };

  networking = {
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [
        80
        443
        51820
        8020
      ];
    };

    hostName = "nixy";
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
    dhcpcd.extraConfig = "nohook resolv.conf";

    extraHosts = ''
      192.168.88.171 jellyfin.mediabox.lan
      192.168.88.171 jellyseerr.mediabox.lan
      192.168.88.171 mediabox.lan
      192.168.88.171 qbittorrent.mediabox.lan
      192.168.88.1   router.lan
      192.168.88.231 workstation.lan
      192.168.88.121 ender.lan
    '';

    networkmanager = {
      enable = true;
      dns = "none";
      wifi.backend = "iwd";
    };

    wireless.iwd = {
      enable = true;
      settings = {
        General = {
          AddressRandomization = "network";
          #EnableNetworkConfiguration = true;
        };
      };
    };

    wireguard.interfaces = {
      wg0 = {
        ips = [ "10.100.0.6/24" ];
        privateKeyFile = config.sops.secrets."wg_privkey".path;
        peers = [
          {
            publicKey = builtins.readFile ../magpie/wg_pubkey;
            presharedKeyFile = config.sops.secrets."wg_preshared/nixy".path;
            allowedIPs = [ "10.100.0.0/24" ];
            endpoint = "5.75.229.224:51820";
            persistentKeepalive = 25;
          }
        ];
      };

      neox_wg = {
        ips = [ "192.168.51.2/32" ];
        privateKeyFile = config.sops.secrets."wg_privkey".path;
        peers = [
          {
            publicKey = builtins.readFile ../nixy/wg_pubkey_nx;
            allowedIPs = [ "192.168.2.0/24" ];
            endpoint = "185.194.64.26:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
  };

  time.timeZone = "Europe/Sarajevo";

  nixpkgs.config.allowUnfree = true;
  nixpkgs.overlays = [
    nix-xilinx.overlay
    nvim.overlays.${system}.overlay
  ];
  environment = {
    etc = {
      "firejail/qutebrowser.local".text = ''
        whitelist ''${RUNUSER}/qutebrowser
      '';
    };
    extraInit = ''
      unset -v SSH_ASKPASS
    '';
    homeBinInPath = true;
    variables = {
      PATH = "$HOME/.cargo/bin";
    };
  };

  programs = {
    steam = {
      enable = true;
      remotePlay.openFirewall = true;
      dedicatedServer.openFirewall = false;
      localNetworkGameTransfers.openFirewall = true;
    };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    appimage = {
      enable = true;
      binfmt = true;
    };
    zsh.enable = true;
    firejail.enable = true;
    adb.enable = true;
    wireshark.enable = true;
    sway.enable = true;
  };

  documentation.dev.enable = true;

  # List services that you want to enable:
  systemd = {
    services = {
      "zremap@" = {
        enable = true;
        restartIfChanged = true;
        serviceConfig.Nice = -20;
        unitConfig = {
          Description = "zremap on %I";
          ConditionPathExists = "%I";
        };
        serviceConfig = {
          Type = "simple";
          ExecStart = "${zremap.defaultPackage.${system}}/bin/zremap %I";
        };
      };

      "netns@" = {
        description = "%I network namespace";
        before = [ "network.target" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStart = "${pkgs.iproute2}/bin/ip netns add %I";
          ExecStop = "${pkgs.iproute2}/bin/ip netns del %I";
        };
      };

      "wg_proton" = {
        description = "wg network interface";
        bindsTo = [ "netns@wg.service" ];
        requires = [ "network-online.target" ];
        wants = [ "dnscrypt-proxy2_proton.service" ];
        after = [ "netns@wg.service" ];
        before = [ "dnscrypt-proxy2_proton.service" ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStart = pkgs.writers.writeBash "wg-up" ''
            set -e
            ENDPOINT_IP=$(${pkgs.coreutils-full}/bin/cat "${config.sops.secrets."wg_endpoint_proton".path}")
            ${pkgs.iproute2}/bin/ip link add proton_wg type wireguard
            ${pkgs.iproute2}/bin/ip link set proton_wg netns wg
            ${pkgs.iproute2}/bin/ip -n wg address add 10.2.0.2/32 dev proton_wg
            ${pkgs.iproute2}/bin/ip netns exec wg \
              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" private-key "${
                config.sops.secrets."wg_privkey_proton".path
              }"
            ${pkgs.iproute2}/bin/ip netns exec wg \
              ${pkgs.wireguard-tools}/bin/wg set "proton_wg" peer "g6DkXWKI/68RsLjROIwCEcyB/ZhyK5Q7OWcz1TtqER0=" \
                endpoint "$ENDPOINT_IP:51820" \
                persistent-keepalive "25" \
                allowed-ips "0.0.0.0/0"
            ${pkgs.iproute2}/bin/ip -n wg link set lo up
            ${pkgs.iproute2}/bin/ip -n wg link set proton_wg up
            ${pkgs.iproute2}/bin/ip -n wg route add default dev proton_wg
          '';
          ExecStop = pkgs.writers.writeBash "wg-down" ''
            ${pkgs.iproute2}/bin/ip -n wg route del default dev proton_wg
            ${pkgs.iproute2}/bin/ip -n wg link del proton_wg
          '';
        };
      };

      "dnscrypt-proxy2_proton" = {
        description = "DNSCrypt-proxy client proton";
        wants = [
          "network-online.target"
          "nss-lookup.target"
        ];
        before = [ "nss-lookup.target" ];
        after = [ "wg_proton.service" ];
        partOf = [ "wg_proton.service" ];
        serviceConfig = {
          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
          CacheDirectory = "dnscrypt-proxy";
          DynamicUser = true;
          ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${config.services.dnscrypt-proxy2.configFile}";
          LockPersonality = true;
          LogsDirectory = "dnscrypt-proxy";
          MemoryDenyWriteExecute = true;
          NetworkNamespacePath = "/var/run/netns/wg";
          NonBlocking = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectSystem = "strict";
          Restart = "always";
          RestrictAddressFamilies = [
            "AF_INET"
            "AF_INET6"
          ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RuntimeDirectory = "dnscrypt-proxy";
          StateDirectory = "dnscrypt-proxy";
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "@chown"
            "~@aio"
            "~@keyring"
            "~@memlock"
            "~@setuid"
            "~@timer"
          ];
        };
      };
    };

    coredump.enable = false;
    extraConfig = ''
      DefaultTimeoutStartSec=30s
      DefaultTimeoutStopSec=30s
    '';
  };

  services = {
    acpid.enable = true;
    dbus.enable = true;
    dbus.implementation = "broker";
    fstrim.enable = true;
    fwupd.enable = true;
    ntp.enable = true;
    openssh.enable = true;
    printing.enable = true;

    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
    };

    avahi = {
      enable = true;
      nssmdns4 = true;
      openFirewall = true;
    };

    libinput.enable = true;
    xserver = {
      enable = true;
      dpi = 144;
      desktopManager.xterm.enable = false;
      displayManager = {
        lightdm.enable = false;
        startx.enable = true;
      };
      windowManager.i3.enable = false;
    };

    udev = {
      packages = [
        pkgs.openhantek6022
        pkgs.openocd
      ];
      extraRules = ''
        #Xilinx FTDI
        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Xilinx", MODE:="666"

        #Xilinx Digilent
        ATTR{idVendor}=="1443", MODE:="666"
        ACTION=="add", ATTR{idVendor}=="0403", ATTR{manufacturer}=="Digilent", MODE:="666"

        #Arduino UNO r4
        SUBSYSTEMS=="usb", ATTRS{idVendor}=="2341", MODE:="0666"

        #zremap on new keyboard
        ACTION=="add", SUBSYSTEM=="input", ATTRS{phys}!="", KERNEL=="event[0-9]*", ENV{ID_INPUT_KEY}=="1", ENV{ID_INPUT_KEYBOARD}=="1", TAG+="systemd", ENV{SYSTEMD_WANTS}+="zremap@$env{DEVNAME}.service"
      '';
    };

    tlp = {
      enable = true;
    };

    batteryNotifier = {
      enable = true;
      notifyCapacity = 20;
      suspendCapacity = 10;
    };

    actkbd = {
      enable = true;
      bindings = [
        {
          keys = [ 113 ];
          events = [ "key" ];
          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master toggle'";
        }

        {
          keys = [ 114 ];
          events = [
            "key"
            "rep"
          ];
          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%- unmute'";
        }

        {
          keys = [ 115 ];
          events = [
            "key"
            "rep"
          ];
          command = "/run/current-system/sw/bin/runuser -l akill -c 'amixer -q set Master 5%+ unmute'";
        }

        {
          keys = [ 224 ];
          events = [ "key" ];
          command = "${pkgs.light}/bin/light -U 5";
        }

        {
          keys = [ 225 ];
          events = [ "key" ];
          command = "${pkgs.light}/bin/light -A 5";
        }
      ];
    };

    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        ipv6_servers = true;
        require_dnssec = true;
        require_nolog = true;
        require_nofilter = true;
        http3 = true;

        sources.public-resolvers = {
          urls = [
            "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
            "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
          ];
          cache_file = "public-resolvers.md";
          minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
        };
      };
    };

    borgbackup.jobs."borgbase" =
      let
        user = config.users.users.akill;
        home = user.home;
      in
      {
        user = user.name;
        paths = [
          (home + "/pic/priv")
          (home + "/pproj")
          (home + "/videos/priv")
        ];
        exclude = [
          "**/.ccls_cache"
          "**/*.d"
          "**/*.map"
          "**/*.o"
          "**/zig-cache"
          "**/zig-out"
        ];
        repo = "ssh://oda929rv@oda929rv.repo.borgbase.com/./repo";
        encryption = {
          mode = "repokey-blake2";
          passCommand = "${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgbase_enc_key".path}";
        };
        environment.BORG_RSH = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgbase_ssh_key".path}";
        compression = "auto,zstd";
        startAt = "daily";
      };

    nix-serve = {
      enable = false;
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    journald.extraConfig = ''
      SystemMaxUse=50M
    '';

    logind.extraConfig = ''
      KillUserProcesses=yes
    '';

    seafile = {
      enable = false;
      initialAdminPassword = "admin";
      adminEmail = "asmir.abdulahovic@gmail.com";
      ccnetSettings = {
        General = {
          SERVICE_URL = "http://127.0.0.1:8020";
        };
      };
      seafileSettings = {
        fileserver = {
          host = "0.0.0.0";
          port = 8082;
        };
      };
    };
  };

  fonts = {
    fontconfig = {
      cache32Bit = true;
      allowBitmaps = true;
      useEmbeddedBitmaps = true;
      defaultFonts = {
        monospace = [ "JetBrainsMono" ];
      };
    };

    packages = with pkgs; [
      dejavu_fonts
      dina-font
      fira-code
      fira-code-symbols
      font-awesome_6
      inconsolata
      iosevka
      jetbrains-mono
      liberation_ttf
      libertine
      noto-fonts
      noto-fonts-cjk-sans
      noto-fonts-color-emoji
      noto-fonts-emoji
      proggyfonts
      siji
      terminus_font
      terminus_font_ttf
      ubuntu_font_family
      vistafonts
    ];
  };

  virtualisation = {
    libvirtd = {
      enable = true;
      allowedBridges = [
        "virbr0"
        "br0"
      ];
    };
    spiceUSBRedirection.enable = true;
    containers.storage.settings = {
      storage = {
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
      };
    };
    podman = {
      enable = true;
      autoPrune.enable = true;
      dockerCompat = true;
    };
  };

  hardware = {
    bluetooth = {
      enable = true;
      settings = {
        General = {
          Enable = "Source,Sink,Media,Socket";
        };
      };
    };

    graphics = {
      enable = true;
      extraPackages = [ ];
    };
    rtl-sdr.enable = true;
  };

  zramSwap = {
    enable = false;
    algorithm = "zstd";
  };

  users.users.akill = {
    isNormalUser = true;
    shell = pkgs.zsh;
    extraGroups = [
      "wireshark"
      "kvm"
      "tty"
      "audio"
      "sound"
      "adbusers"
      "dialout"
      "wheel"
    ];
  };
}