From c4eed0e32ff25859428d8f25426bfeaa452085e4 Mon Sep 17 00:00:00 2001
From: Lilith
Date: Thu, 27 Feb 2025 01:27:54 +0100
Subject: [PATCH] system
---
system/audio.nix | 9 +++++++
system/networking.nix | 19 +++++++++++++
system/nfs.nix | 13 +++++++++
system/nix.nix | 15 +++++++++++
system/persistence.nix | 60 ++++++++++++++++++++++++++++++++++++++++++
system/ssh.nix | 11 ++++++++
system/steam.nix | 5 ++++
system/syncthing.nix | 49 ++++++++++++++++++++++++++++++++++
system/wayland.nix | 24 +++++++++++++++++
9 files changed, 205 insertions(+)
create mode 100644 system/audio.nix
create mode 100644 system/networking.nix
create mode 100644 system/nfs.nix
create mode 100644 system/nix.nix
create mode 100644 system/persistence.nix
create mode 100644 system/ssh.nix
create mode 100644 system/steam.nix
create mode 100644 system/syncthing.nix
create mode 100644 system/wayland.nix
diff --git a/system/audio.nix b/system/audio.nix
new file mode 100644
index 00000000..888fa8d7
--- /dev/null
+++ b/system/audio.nix
@@ -0,0 +1,9 @@
+{...}: {
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+}
diff --git a/system/networking.nix b/system/networking.nix
new file mode 100644
index 00000000..7c25b5e2
--- /dev/null
+++ b/system/networking.nix
@@ -0,0 +1,19 @@
+{...}: {
+ networking.networkmanager = {
+ enable = true;
+ wifi.macAddress = "random";
+ ethernet.macAddress = "random";
+ };
+
+ networking.nftables = {
+ enable = true;
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # ssh
+ 22000 # syncthing
+ ];
+ };
+}
diff --git a/system/nfs.nix b/system/nfs.nix
new file mode 100644
index 00000000..03f7b533
--- /dev/null
+++ b/system/nfs.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+ fileSystems."/mnt/nas" = {
+ device = "nixserver:/share";
+ fsType = "nfs";
+ options = [
+ "nfsvers=4.2"
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=600"
+ "_netdev"
+ ];
+ };
+}
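Review bot: The `allowedTCPPorts` list opens 22 and 22000 on every interface, and on a machine that randomises its MAC per network — i.e. one expected to roam onto untrusted Wi-Fi — that exposes sshd and Syncthing there as well as on the home LAN. Port 22 is moreover already opened by ssh.nix in this same patch (and, as far as I recall, by the openssh module's `openFirewall` default), so this entry is redundant. If LAN-only reachability is the intent, scope the rule to the trusted interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 22 22000 ];` and drop the global entry. Syncthing's QUIC transport also listens on UDP 22000; whether the peers rely on it is not visible here, so note it rather than assume.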
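Review bot: The mount options pin `nfsvers=4.2` but set no `sec=`, so the share is presumably mounted with AUTH_SYS: the server trusts the client's claimed UID and nothing on the wire is authenticated or encrypted. Because `x-systemd.automount` mounts on first access to `/mnt/nas` and `nixserver` is a bare hostname, a spoofed name resolution on an untrusted network could satisfy that automount with an attacker-controlled export, and any program touching the path would read it. If the server supports Kerberos, add `"sec=krb5p"` to `options`; otherwise consider binding the mount to a VPN interface or a name that only resolves on the trusted LAN, and say so in a comment. An `"x-systemd.mount-timeout=30"` entry would also keep an unreachable server from hanging processes that touch the path.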
diff --git a/system/nix.nix b/system/nix.nix
new file mode 100644
index 00000000..870b737e
--- /dev/null
+++ b/system/nix.nix
@@ -0,0 +1,15 @@
+{...}: {
+ nix = {
+ gc = {
+ automatic = true;
+ dates = "05:30";
+ options = "--delete-older-than 7d";
+ };
+ settings = {
+ keep-outputs = true;
+ auto-optimise-store = true;
+ experimental-features = ["nix-command" "flakes"];
+ trusted-users = ["root" "@wheel"];
+ };
+ };
+}
diff --git a/system/persistence.nix b/system/persistence.nix
new file mode 100644
index 00000000..359b9c80
--- /dev/null
+++ b/system/persistence.nix
@@ -0,0 +1,60 @@
+{impermanence, conf, lib, config, ...}: {
+ imports = [impermanence.nixosModule];
+
+ environment.persistence."/persist/data" = {
+ hideMounts = true;
+ directories = [
+ "/etc/NetworkManager/system-connections"
+ "/var/lib/bluetooth"
+ ];
+ files = [];
+
+ users.lilith = {
+ directories = [
+ ".config/syncthing"
+ ".config/sops"
+ ".config/keepassxc"
+ ".config/obsidian"
+ ".config/vesktop"
+ ".gnupg"
+ ".ssh"
+
+ ".thunderbird"
+ ".mozilla"
+
+ "nixos"
+ "sync"
+ "obsidian"
+ "code"
+ ".keepass"
+ ];
+ files = [];
+ }
+ };
+
+ environment.persistence."/persist/cache" = {
+ hideMounts = true;
+ directories = [
+ "/root/.cache/nix"
+ "/var/lib/btrfs"
+ "/var/lib/nixos"
+ "/var/lib/systemd/backlight"
+ "/var/lib/systemd/timers"
+ "/var/log"
+ ];
+ files = [
+ "/etc/machine-id"
+ ];
+
+ users.lilith = {
+ directories = [
+ ".cache/nix"
+ ".cache/keepassxc"
+ ".cargo"
+ ".local/state/wireplumber"
+ "tmp"
+ ];
+ files = [];
+ };
+ };
+}
diff --git a/system/ssh.nix b/system/ssh.nix
new file mode 100644
index 00000000..3aeb7287
--- /dev/null
+++ b/system/ssh.nix
@@ -0,0 +1,11 @@
+{...}: {
+ networking.firewall.allowedTCPPorts = [22];
+ services.openssh = {
+ enable = true;
+ ports = [22];
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+}
diff --git a/system/steam.nix b/system/steam.nix
new file mode 100644
index 00000000..d2df690f
--- /dev/null
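Review bot: `trusted-users = ["root" "@wheel"]` makes every wheel member root-equivalent towards nix-daemon without a sudo prompt: a trusted user can set arbitrary `substituters` and `trusted-public-keys`, turn off the build sandbox and import unsigned store paths, so a compromised wheel user's shell can plant what the system later activates. On a single-user laptop that may be an accepted trade-off, but it deserves an explicit choice of user rather than the whole group and a comment saying why, e.g. `trusted-users = ["root" "lilith"]; # root-equivalent: can add substituters and unsigned store paths`. This is independent of `experimental-features`; enabling flakes does not require being a trusted user.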
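Review bot: The `users.lilith` binding in the `/persist/data` block is not terminated: its closing `}` is followed directly by the outer `};`, and Nix requires a `;` after every attribute binding, so this file fails to parse and the whole configuration cannot be evaluated — change that `}` to `};` as the `/persist/cache` block already does. Separately, the data set persists `.ssh`, `.gnupg`, `.config/sops` and `.keepass`, i.e. the machine's long-lived key material; whether `/persist/data` is encrypted at rest is not visible in this patch, and a comment on the block stating that assumption (`# holds long-lived key material; assumes /persist/data is encrypted at rest`) would make the requirement explicit. The `conf` and `lib` arguments are unused and can be dropped.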
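Review bot: `PasswordAuthentication = false` alone does not rule out password logins on NixOS: sshd runs with `UsePAM yes` and the module's `KbdInteractiveAuthentication` setting defaults to true, so a client can still be prompted for the account password through PAM's keyboard-interactive path. Add `KbdInteractiveAuthentication = false;` next to it so that only public-key authentication remains. The `networking.firewall.allowedTCPPorts = [22];` line duplicates networking.nix in this same patch and, as far as I recall, the openssh module's `openFirewall` default; and since nothing here declares `authorizedKeys`, access presumably relies on the persisted `~/.ssh/authorized_keys`, which is worth a one-line comment.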
+++ b/system/steam.nix
@@ -0,0 +1,5 @@
+{...}: {
+ programs.steam.enable = true;
+
+ programs.steam.remotePlay.openFirewall = true;
+}
diff --git a/system/syncthing.nix b/system/syncthing.nix
new file mode 100644
index 00000000..27cb61bc
--- /dev/null
+++ b/system/syncthing.nix
@@ -0,0 +1,49 @@
+{ config, ...}: let
+ host = networking.hostName;
+ in {
+
+ sops.secrets."syncthing/key.pem" = {
+ sopsFile = ../hosts/${host}/secrets/default.yaml;
+ };
+ sops.secrets."syncthing/cert.pem" = {
+ sopsFile = ../hosts/${host}/secrets/default.yaml;
+ };
+
+ services.syncthing = {
+ enable = true;
+
+ user = lilith;
+ dataDir = "/home/lilith";
+ configDir = "/home/lilith/.config/syncthing";
+
+ overrideDevices = true;
+ overrideFolders = true;
+
+ settings = {
+ key = config.sops.secrets."syncthing/key.pem".path;
+ cert = config.sops.secrets."syncthing/cert.pem".path;
+
+ devices = {
+ "phone" = {id = "C2CKYRP-72UNJRX-MUPZIUY-CCHQYGF-6T4NA6B-MO7AEZB-RSN5EAG-CN2JCAF";};
+ "nixserver" = {id = "DW6GTZ3-3JPAHLO-UEB3LBL-AWOX3BT-QPI7ODT-OZ6Q4YR-K3KK22C-5RY3XQZ";};
+ "lilith-pc" = {id = "37HHP4Q-NNQRQPQ-MVSIHAX-BK2A3GL-O6K4WXA-Y7ZQ5GZ-BY4UTFH-LG4HYAY";};
+ "lilith-pad" = {id = "GQJA6WA-G5YZZSN-4OOQMVE-JPIR22N-VFHPY4O-XMRG37D-DALH4R2-7DCTMQK";};
+ "lilith-old" = {id = "MSUZJ6K-4CIFE5D-ILO6FE4-SPRPTZI-VEWZQ7F-ECARCCF-2VLVMDQ-2HQUAAS";};
+ };
+ folders = {
+ "rdcj2-mfyb4" = {
+ path = "/home/lilith/sync";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ "sdpfs-2beqd" = {
+ path = "/home/lilith/.keepass";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ "7qim7-yzqpn" = {
+ path = "/home/lilith/obsidian";
+ devices = ["phone" "nixserver" "lilith-pad" "lilith-pc" "lilith-old"];
+ };
+ };
+ };
+ };
+}
diff --git a/system/wayland.nix b/system/wayland.nix
new file mode 100644
index 00000000..57faec4d
--- /dev/null
+++ b/system/wayland.nix
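Review bot: `remotePlay.openFirewall = true` opens the Steam Remote Play port set (TCP 27036 and UDP 27031–27036 in the NixOS module as I recall) on every interface, with no way to scope it, on a machine whose networking.nix otherwise keeps the firewall to two ports. If Remote Play is only used at home, leave this option off and open those ports under `networking.firewall.interfaces.<lan-iface>` instead; at minimum add a comment that the exposure is intentional, e.g. `# Remote Play: opens its ports on all interfaces, including untrusted Wi-Fi`.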
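Review bot: Two names in this hunk are unbound: `networking.hostName` in the `let` should be `config.networking.hostName` (only `config` is taken from the module arguments), and `user = lilith;` references an undefined identifier where the string `"lilith"` is meant — either one aborts evaluation. The two sops secrets are declared without an `owner`, so they are presumably created root-owned with mode 0400 and unreadable by the `lilith` user the service runs as; and `key`/`cert` look like they belong to the top-level `services.syncthing.key`/`cert` options rather than inside `settings`, where they would be pushed into Syncthing's REST config as unknown keys — confirm against the module before moving them. The device IDs are public identities and fine to commit; sharing the `.keepass` folder with every device, including `lilith-old`, is a deliberate choice that deserves a comment.
```nix
{ config, ...}: let
  host = config.networking.hostName;
in {
  sops.secrets."syncthing/key.pem" = {
    sopsFile = ../hosts/${host}/secrets/default.yaml;
    owner = "lilith"; # the service runs as this user and must read the key
  };
  sops.secrets."syncthing/cert.pem" = {
    sopsFile = ../hosts/${host}/secrets/default.yaml;
    owner = "lilith";
  };

  services.syncthing = {
    enable = true;
    user = "lilith";
    # … unchanged: dataDir, configDir, overrideDevices, overrideFolders …
    key = config.sops.secrets."syncthing/key.pem".path;
    cert = config.sops.secrets."syncthing/cert.pem".path;
    settings = {
      # … unchanged: devices, folders …
    };
  };
}
```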
@@ -0,0 +1,24 @@
+{...}: {
+ hardware.graphics.enable = true;
+
+ security.polkit.enable = true;
+ security.pam.services.hyprlock = {};
+
+ services.dbus.enable = true;
+
+ programs.hyprland.enable = true;
+
+ services.greetd = {
+ enable = true;
+ settings = {
+ default_session = {
+ user = "lilith";
+ command = "Hyprland";
+ };
+ initial_session = {
+ user = "lilith";
+ command = "Hyprland";
+ };
+ };
+ };
+}
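Review bot: `default_session` is configured identically to `initial_session`, so greetd never shows a greeter: `initial_session` is the one-shot autologin at boot, but `default_session` is what greetd runs once that session exits, and as written that is again an unauthenticated `Hyprland` as `lilith` — logging out therefore drops straight into a fresh session with no password, and `hyprlock` only protects a session that is already running. Point `default_session` at a greeter, e.g. `user = "greeter"; command = "${pkgs.greetd.greetd}/bin/agreety --cmd Hyprland";` (which means taking `pkgs` in the module arguments), and keep `initial_session` for the boot-time autologin. Whether boot-time autologin is acceptable at all depends on the disk only being unlockable with a passphrase, which this patch does not show; a comment stating that assumption next to `initial_session` would help.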