authorschererleander <leander@schererleander.de>2026-01-09 16:57:15 +0100
committerschererleander <leander@schererleander.de>2026-01-09 23:13:49 +0100
commit3b5a73c436eb22e0cda59469263490705e149cb9 (patch)
treeae3f20ca6008b11f71247dfc6e2df8218de9b95c /modules/nixos
parentec45aae780da92e12cf82c5a32e336b14b7540ba (diff)
refactor: use flake-parts, change modules structure
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/desktop/cinnamon/default.nix19
-rw-r--r--modules/nixos/desktop/gnome/default.nix22
-rw-r--r--modules/nixos/desktop/kde/default.nix18
-rw-r--r--modules/nixos/dns/default.nix44
-rw-r--r--modules/nixos/hardware/audio/default.nix19
-rw-r--r--modules/nixos/hardware/bluetooth/default.nix24
-rw-r--r--modules/nixos/hardware/printer/default.nix20
-rw-r--r--modules/nixos/hardware/wooting/default.nix13
-rw-r--r--modules/nixos/mullvad-vpn/default.nix13
-rw-r--r--modules/nixos/openssh/default.nix21
-rw-r--r--modules/nixos/plymouth/default.nix36
-rw-r--r--modules/nixos/server/fail2ban/default.nix25
-rw-r--r--modules/nixos/server/nextcloud/default.nix159
-rw-r--r--modules/nixos/server/nginx/default.nix54
-rw-r--r--modules/nixos/server/openssh/default.nix54
-rw-r--r--modules/nixos/server/site/default.nix28
-rw-r--r--modules/nixos/steam/default.nix28
17 files changed, 597 insertions, 0 deletions
diff --git a/modules/nixos/desktop/cinnamon/default.nix b/modules/nixos/desktop/cinnamon/default.nix
new file mode 100644
index 0000000..2561bdb
--- /dev/null
+++ b/modules/nixos/desktop/cinnamon/default.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf mkForce;
+ cfg = config.nx.desktop.cinnamon;
+in
+{
+ options.nx.desktop.cinnamon.enable = mkEnableOption "Cinnamon desktop";
+
+ config = mkIf cfg.enable {
+ services.xserver = {
+ enable = true;
+ displayManager.lightdm.enable = true;
+ desktopManager.cinnamon.enable = true;
+ };
+ services.speechd.enable = mkForce false;
+ services.orca.enable = mkForce false;
+ environment.systemPackages = [ pkgs.nemo-preview ];
+ };
+}
diff --git a/modules/nixos/desktop/gnome/default.nix b/modules/nixos/desktop/gnome/default.nix
new file mode 100644
index 0000000..9ffd353
--- /dev/null
+++ b/modules/nixos/desktop/gnome/default.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.desktop.gnome;
+in
+{
+ options.nx.desktop.gnome.enable = mkEnableOption "GNOME desktop";
+
+ config = mkIf cfg.enable {
+ services.displayManager.gdm.enable = true;
+ services.desktopManager.gnome.enable = true;
+ services.gnome.core-developer-tools.enable = false;
+ services.gnome.games.enable = false;
+
+ environment.gnome.excludePackages = with pkgs; [
+ gnome-tour gnome-user-docs epiphany
+ ];
+ environment.systemPackages = with pkgs; [
+ gnomeExtensions.pop-shell gnomeExtensions.blur-my-shell gnome-tweaks
+ ];
+ };
+}
diff --git a/modules/nixos/desktop/kde/default.nix b/modules/nixos/desktop/kde/default.nix
new file mode 100644
index 0000000..5a24f0d
--- /dev/null
+++ b/modules/nixos/desktop/kde/default.nix
@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.desktop.kde;
+in
+{
+ options.nx.desktop.kde.enable = mkEnableOption "KDE Plasma 6 desktop";
+
+ config = mkIf cfg.enable {
+ services.displayManager.sddm = {
+ enable = true;
+ wayland.enable = true;
+ };
+ services.desktopManager.plasma6.enable = true;
+ security.pam.services.sddm.enableKwallet = true;
+ environment.plasma6.excludePackages = with pkgs.kdePackages; [ elisa kate ];
+ };
+}
diff --git a/modules/nixos/dns/default.nix b/modules/nixos/dns/default.nix
new file mode 100644
index 0000000..0b8cf90
--- /dev/null
+++ b/modules/nixos/dns/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+let
+ inherit (lib) mkEnableOption mkOption types mkIf concatStringsSep;
+ cfg = config.nx.dns;
+in
+{
+ options.nx.dns = {
+ enable = mkEnableOption "DNS-over-TLS via systemd-resolved";
+ servers = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "1.1.1.1#cloudflare-dns.com"
+ "1.0.0.1#cloudflare-dns.com"
+ "9.9.9.9#dns.quad9.net"
+ "149.112.112.112#dns.quad9.net"
+ ];
+ };
+ fallbackServers = mkOption {
+ type = types.listOf types.str;
+ default = [ "8.8.8.8#dns.google" "8.8.4.4#dns.google" ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ dnsovertls = "true";
+ domains = [ "~." ];
+ extraConfig = ''
+ DNSStubListener=yes
+ Cache=yes
+ '';
+ };
+ networking = {
+ nameservers = cfg.servers;
+ networkmanager.dns = lib.mkDefault "systemd-resolved";
+ };
+ systemd.services.systemd-resolved.environment = {
+ DNS = concatStringsSep " " cfg.servers;
+ FallbackDNS = concatStringsSep " " cfg.fallbackServers;
+ };
+ };
+}
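Review bot: The `DNS`/`FallbackDNS` keys set on `systemd.services.systemd-resolved.environment` in the last block of this hunk most likely do nothing, because as far as I know resolved takes those settings from resolved.conf rather than from its process environment; NixOS already writes `DNS=` from `networking.nameservers`, which this module sets a few lines above. For the fallback list the module option is `services.resolved.fallbackDns = cfg.fallbackServers;`, which also makes the hard-coded Google fallback visible in the generated config instead of in an environment nothing reads. Both `mkOption`s lack a `description`, so generated docs show them undocumented; e.g. `description = "Upstream DoT resolvers in resolved's ip#hostname form";` on `servers`.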
diff --git a/modules/nixos/hardware/audio/default.nix b/modules/nixos/hardware/audio/default.nix
new file mode 100644
index 0000000..66c9606
--- /dev/null
+++ b/modules/nixos/hardware/audio/default.nix
@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.hardware.audio;
+in
+{
+ options.nx.hardware.audio.enable = mkEnableOption "PipeWire audio";
+
+ config = mkIf cfg.enable {
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ wireplumber.enable = true;
+ };
+ };
+}
diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix
new file mode 100644
index 0000000..1bb9014
--- /dev/null
+++ b/modules/nixos/hardware/bluetooth/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.hardware.bluetooth;
+in
+{
+ options.nx.hardware.bluetooth.enable = mkEnableOption "Bluetooth support";
+
+ config = mkIf cfg.enable {
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ settings = {
+ General = {
+ Experimental = true;
+ FastConnectable = true;
+ };
+ Policy = {
+ AutoEnable = true;
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/hardware/printer/default.nix b/modules/nixos/hardware/printer/default.nix
new file mode 100644
index 0000000..749c766
--- /dev/null
+++ b/modules/nixos/hardware/printer/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.hardware.printer;
+in
+{
+ options.nx.hardware.printer.enable = mkEnableOption "printer support";
+
+ config = mkIf cfg.enable {
+ services.printing = {
+ enable = true;
+ drivers = [ pkgs.brlaser ];
+ };
+ services.avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
+ };
+}
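Review bot: `services.avahi.openFirewall = true` opens mDNS (UDP 5353) on every interface, which on a roaming laptop includes untrusted networks, and it is the only network-facing effect of this module, so it deserves a comment stating the tradeoff, e.g. `# opens UDP 5353 on all interfaces for printer discovery; scope with networking.firewall.interfaces on roaming hosts`. `nssmdns4 = true` is only useful together with that rule, so the comment could mention both.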
diff --git a/modules/nixos/hardware/wooting/default.nix b/modules/nixos/hardware/wooting/default.nix
new file mode 100644
index 0000000..62a4b78
--- /dev/null
+++ b/modules/nixos/hardware/wooting/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.hardware.wooting;
+in
+{
+ options.nx.hardware.wooting.enable = mkEnableOption "Wooting keyboard support";
+
+ config = mkIf cfg.enable {
+ services.udev.packages = [ pkgs.wooting-udev-rules ];
+ environment.systemPackages = [ pkgs.wootility ];
+ };
+}
diff --git a/modules/nixos/mullvad-vpn/default.nix b/modules/nixos/mullvad-vpn/default.nix
new file mode 100644
index 0000000..d2c18b1
--- /dev/null
+++ b/modules/nixos/mullvad-vpn/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.mullvad-vpn;
+in
+{
+ options.nx.mullvad-vpn.enable = mkEnableOption "Mullvad VPN";
+
+ config = mkIf cfg.enable {
+ services.mullvad-vpn.enable = true;
+ environment.systemPackages = [ pkgs.mullvad-vpn ];
+ };
+}
diff --git a/modules/nixos/openssh/default.nix b/modules/nixos/openssh/default.nix
new file mode 100644
index 0000000..22f7df5
--- /dev/null
+++ b/modules/nixos/openssh/default.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.nx.services.openssh;
+in
+{
+ options.nx.services.openssh = {
+ enable = mkEnableOption "OpenSSH server";
+ allowedUsers = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ settings.AllowUsers = cfg.allowedUsers;
+ };
+ };
+}
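Review bot: `settings.AllowUsers = cfg.allowedUsers` with the `[ ]` default renders an `AllowUsers` directive with an empty argument list on every host that does not set the option, which depending on the sshd version is a no-op, a config-parse error or a lock-out; guard it with `settings.AllowUsers = mkIf (cfg.allowedUsers != [ ]) cfg.allowedUsers;`. This module also diverges from `modules/nixos/server/openssh/default.nix` in the same commit, which sets `PasswordAuthentication = false`; if this variant is intentionally looser for desktops, a comment should say so, otherwise the two should share the same settings. The `allowedUsers` option has no `description`.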
diff --git a/modules/nixos/plymouth/default.nix b/modules/nixos/plymouth/default.nix
new file mode 100644
index 0000000..f89777e
--- /dev/null
+++ b/modules/nixos/plymouth/default.nix
@@ -0,0 +1,36 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.plymouth;
+in
+{
+ options.nx.plymouth.enable = mkEnableOption "Plymouth";
+
+ config = mkIf cfg.enable {
+ boot = {
+ kernelParams = [
+ "quiet"
+ "splash"
+ "boot.shell_on_fail"
+ "udev.log_priority=3"
+ "rd.systemd.show_status=auto"
+ ];
+ consoleLogLevel = 3;
+ loader.systemd-boot.consoleMode = "max";
+ plymouth = {
+ enable = true;
+ theme = "lone";
+ themePackages = with pkgs; [
+ (adi1090x-plymouth-themes.override {
+ selected_themes = [ "lone" ];
+ })
+ ];
+ };
+ };
+ };
+}
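Review bot: `"boot.shell_on_fail"` in `kernelParams` makes stage 1 drop to an unauthenticated root shell in the initrd whenever boot fails; it is a recovery convenience, but it is also exactly the parameter a locked-down bootloader is meant to keep out, so it should carry a comment such as `# root shell in the initrd on stage-1 failure; drop on hosts with a locked bootloader`. The remaining parameters only quiet console output and need no note.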
diff --git a/modules/nixos/server/fail2ban/default.nix b/modules/nixos/server/fail2ban/default.nix
new file mode 100644
index 0000000..21020b5
--- /dev/null
+++ b/modules/nixos/server/fail2ban/default.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.nx.server.fail2ban;
+in
+{
+ options.nx.server.fail2ban = {
+ enable = mkEnableOption "fail2ban service";
+ bantime = mkOption {
+ description = "default bantime";
+ type = types.str;
+ default = "1h";
+ };
+ };
+ config = mkIf cfg.enable {
+ services.fail2ban = {
+ enable = true;
+ bantime = cfg.bantime;
+ };
+ };
+}
diff --git a/modules/nixos/server/nextcloud/default.nix b/modules/nixos/server/nextcloud/default.nix
new file mode 100644
index 0000000..7325c92
--- /dev/null
+++ b/modules/nixos/server/nextcloud/default.nix
@@ -0,0 +1,159 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.nx.server.nextcloud;
+in
+{
+ options.nx.server.nextcloud = {
+ enable = mkEnableOption "Nextcloud server";
+ user = mkOption {
+ description = "System user for paths like SSH keys";
+ type = types.str;
+ };
+ adminUser = mkOption {
+ description = "Admin user";
+ type = types.str;
+ default = "schererleander";
+ };
+ adminPassFile = mkOption {
+ description = "Admin user key file";
+ type = types.str;
+ default = "/etc/nextcloud-admin-pass";
+ };
+ hostName = mkOption {
+ description = "Nextcloud hostname";
+ type = types.str;
+ default = "cloud.schererleander.de";
+ };
+ backup = mkOption {
+ description = "enable borgbase backups";
+ type = types.bool;
+ default = true;
+ };
+ backupSshKeyPath = mkOption {
+ description = "SSH key path for borgbase backup";
+ type = types.str;
+ default = "/home/${cfg.user}/.ssh/borgbase-nextcloud";
+ };
+ jail = mkOption {
+ description = "setup fail2ban jail";
+ type = types.bool;
+ default = config.nx.server.fail2ban.enable;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud32;
+ hostName = cfg.hostName;
+ https = true;
+ database.createLocally = true;
+ maxUploadSize = "16G";
+ config = {
+ dbtype = "mysql";
+ adminuser = cfg.adminUser;
+ adminpassFile = cfg.adminPassFile;
+ };
+ settings = {
+ maintenance_window_start = 2; # 02:00
+ default_phone_region = "de";
+ overwriteProtocol = "https";
+ trusted_domains = [ cfg.hostName ];
+ logtimezone = config.time.timeZone;
+ log_type = "file";
+ };
+ phpOptions."opcache.interned_strings_buffer" = "64";
+ };
+
+ services.nginx.virtualHosts = mkIf ((config.nx.server.nginx or { }).enable or false) {
+ "${cfg.hostName}" = {
+ forceSSL = true;
+ sslCertificate = config.nx.server.nginx.sslCertificate;
+ sslCertificateKey = config.nx.server.nginx.sslCertificateKey;
+ };
+ };
+
+ services.borgbackup.jobs.nextcloud = mkIf cfg.backup {
+ paths = [
+ "/var/lib/nextcloud"
+ "/var/lib/backup/nextcloud/db"
+ ];
+ repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo";
+ encryption.mode = "none";
+ environment = {
+ BORG_RSH = "ssh -i ${cfg.backupSshKeyPath} -o StrictHostKeyChecking=accept-new";
+ TMPDIR = "/var/tmp";
+ };
+ compression = "auto,lzma";
+ startAt = "daily";
+ readWritePaths = [
+ "/var/lib/backup"
+ "/var/lib/nextcloud"
+ ];
+ preHook = ''
+ set -euo pipefail
+ INSTALL="${pkgs.coreutils}/bin/install"
+ FIND="${pkgs.findutils}/bin/find"
+ MYSQLDUMP="${pkgs.mariadb.client}/bin/mariadb-dump"
+ GZIP="${pkgs.gzip}/bin/gzip"
+ OCC="${lib.getExe config.services.nextcloud.occ}"
+
+ # This command requires write access to /var/lib/backup.
+ $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db
+
+ trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT
+
+ $OCC maintenance:mode --on
+
+ # Make a consistent database dump without locking the site.
+ $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \
+ | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz
+
+ # Delete local dump files older than 14 days.
+ $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true
+ '';
+ postHook = ''
+ set -euo pipefail
+ ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true
+ '';
+ };
+
+ services.fail2ban = mkIf cfg.jail {
+ jails = {
+ nextcloud = {
+ enabled = true;
+ settings = {
+ backend = "systemd";
+ journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
+ # END modification to work with syslog instead of logile
+ port = 443;
+ protocol = "tcp";
+ filter = "nextcloud";
+ maxretry = 3;
+ bantime = 86400;
+ findtime = 43200;
+ };
+ };
+ };
+ };
+
+ environment.etc = mkIf cfg.jail {
+ # Adapted failregex for syslogs
+ "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault (
+ pkgs.lib.mkAfter ''
+ [Definition]
+ _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+ failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+ datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+ ''
+ );
+ };
+ };
+}
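Review bot: `encryption.mode = "none"` on the borgbackup job ships the whole Nextcloud data directory and the database dumps to the remote repository in the clear, so the provider and anyone holding the key at `backupSshKeyPath` can read every file; `encryption.mode = "repokey-blake2";` together with `encryption.passCommand = "cat /path/to/borg-passphrase";` (placeholder path, kept out of the Nix store) closes that. `StrictHostKeyChecking=accept-new` in `BORG_RSH` trusts whatever host key answers on the first run; pinning the repository host's key through `programs.ssh.knownHosts` removes that window. Minor: the `trap` in `preHook` and the `postHook` both turn maintenance mode off, and the `# END modification to work with syslog instead of logile` comment in the jail settings refers to a beginning that does not exist in this file.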
diff --git a/modules/nixos/server/nginx/default.nix b/modules/nixos/server/nginx/default.nix
new file mode 100644
index 0000000..2bdaba1
--- /dev/null
+++ b/modules/nixos/server/nginx/default.nix
@@ -0,0 +1,54 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.nx.server.nginx;
+in
+{
+ options.nx.server.nginx = {
+ enable = mkEnableOption "nginx reverse proxy" // {
+ default = true;
+ };
+ hostName = mkOption {
+ description = "url of server";
+ type = types.str;
+ default = "schererleander.de";
+ };
+ sslCertificate = mkOption {
+ description = "ssl certificate to use";
+ type = types.nullOr types.str;
+ default = "/etc/ssl/${cfg.hostName}/fullchain.pem";
+ };
+ sslCertificateKey = mkOption {
+ description = "ssl certificate key to use";
+ type = types.nullOr types.str;
+ default = "/etc/ssl/${cfg.hostName}/privkey.key";
+ };
+ };
+ config = mkIf cfg.enable {
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
+ add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ };
+}
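Review bot: `enable = mkEnableOption "nginx reverse proxy" // { default = true; }` starts a public listener and opens TCP 80/443 in the firewall (the `allowedTCPPorts` block at the end of the hunk) on every host that imports this module, desktops included; an enable option should default to off, so drop the `// { default = true; }` override and switch it on in the server hosts. The `add_header` lines in `appendHttpConfig` are also not inherited into any `server` or `location` block that declares its own `add_header` (nginx replaces the set rather than merging it), so a vhost that sets its own headers, which I believe the NixOS Nextcloud vhost does, silently loses HSTS and the others; a comment noting that limit, or per-vhost headers in `services.nginx.virtualHosts.<name>.extraConfig`, would avoid the surprise. The two certificate options have no description of what happens when they are `null`.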
diff --git a/modules/nixos/server/openssh/default.nix b/modules/nixos/server/openssh/default.nix
new file mode 100644
index 0000000..675ceaf
--- /dev/null
+++ b/modules/nixos/server/openssh/default.nix
@@ -0,0 +1,54 @@
+{
+ config,
+ lib,
+ ...
+}:
+
+let
+ inherit (lib) mkEnableOption mkOption types mkIf;
+ cfg = config.nx.server.openssh;
+in
+{
+ options.nx.server.openssh = {
+ enable = mkEnableOption "OpenSSH server";
+ port = mkOption {
+ description = "Port for openssh";
+ type = types.port;
+ default = 8693;
+ };
+ allowedUsers = mkOption {
+ description = "Users allowed to SSH";
+ type = types.listOf types.str;
+ default = [ ];
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.openssh = {
+ enable = true;
+ ports = [ cfg.port ];
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = cfg.allowedUsers;
+ X11Forwarding = false;
+ PermitRootLogin = "yes";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ services.fail2ban = {
+ jails = {
+ sshd = {
+ enabled = true;
+ settings = {
+ port = 8693;
+ backend = "systemd";
+ maxretry = 4;
+ findtime = "10m";
+ bantime = "1h";
+ };
+ };
+ };
+ };
+ };
+}
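Review bot: The fail2ban `sshd` jail hard-codes `port = 8693;` while sshd listens on `cfg.port`, so a host that overrides `nx.server.openssh.port` gets bans applied to the wrong port; use `port = cfg.port;`. `PermitRootLogin = "yes"` permits direct root logins; with `PasswordAuthentication = false` that is key-only in practice, but keyboard-interactive authentication is not disabled in this hunk, so `PermitRootLogin = "prohibit-password";` states the intent and closes that gap. The `allowedUsers` default of `[ ]` yields an empty `AllowUsers` line when unset, which sshd may reject or misread; `mkIf (cfg.allowedUsers != [ ]) cfg.allowedUsers` avoids it, the same fix applies to `modules/nixos/openssh/default.nix`.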
diff --git a/modules/nixos/server/site/default.nix b/modules/nixos/server/site/default.nix
new file mode 100644
index 0000000..be603c6
--- /dev/null
+++ b/modules/nixos/server/site/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ inputs,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.server.site;
+in
+{
+ imports = [
+ inputs.site.nixosModules.default
+ ];
+
+ options.nx.server.site = {
+ enable = mkEnableOption "personal website";
+ };
+
+ config = mkIf cfg.enable {
+ services.site = {
+ enable = true;
+ domain = "schererleander.de";
+ sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
+ sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
+ };
+ };
+}
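Review bot: The domain and certificate paths are hard-coded here even though `modules/nixos/server/nginx/default.nix` in the same commit exposes them as `nx.server.nginx.hostName`, `sslCertificate` and `sslCertificateKey` with identical defaults; `domain = config.nx.server.nginx.hostName;`, `sslCertificate = config.nx.server.nginx.sslCertificate;` and `sslCertificateKey = config.nx.server.nginx.sslCertificateKey;` keep the two modules in step when the host name changes. The `enable` option could state in its description that the site is served through the nginx module.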
diff --git a/modules/nixos/steam/default.nix b/modules/nixos/steam/default.nix
new file mode 100644
index 0000000..d708139
--- /dev/null
+++ b/modules/nixos/steam/default.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf;
+ cfg = config.nx.steam;
+in
+{
+ options.nx.steam = {
+ enable = mkEnableOption "Steam gaming platform";
+ protontricks = mkEnableOption "protontricks" // {
+ default = true;
+ };
+ gamescope = mkEnableOption "gamescope session compositor";
+ };
+
+ config = mkIf cfg.enable {
+ programs.steam = {
+ enable = true;
+ protontricks.enable = cfg.protontricks;
+ gamescopeSession.enable = cfg.gamescope;
+ extraCompatPackages = [ pkgs.proton-ge-bin ];
+ };
+ };
+}