refactor: flake dir -> outputs/sys -> nixos

nixos/modules/base/boot/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./loader
+    ./plymouth.nix
+  ];
+}

nixos/modules/base/boot/loader/default.nix

@@ -0,0 +1,17 @@
+{ lib, ... }:
+
+let
+  inherit (lib) types mkOption;
+in
+
+{
+  imports = [
+    ./systemd.nix
+    # ./grub
+  ];
+
+  options.ooknet.boot.loader = mkOption {
+    type = types.enum ["systemd" "grub"];
+    default = "systemd";
+  };
+}

nixos/modules/base/boot/loader/grub.nix

@@ -0,0 +1 @@
+## to be implemented

nixos/modules/base/boot/loader/systemd.nix

@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  bootloader = config.ooknet.boot.loader;
+in
+
+{
+  config = mkIf (bootloader == "systemd") {
+    boot.loader = {
+      systemd-boot = {
+        enable = true;
+        consoleMode = "max";
+      };
+      efi.canTouchEfiVariables = true;
+    };
+  };
+}

nixos/modules/base/boot/plymouth.nix

@@ -0,0 +1,18 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.sys.boot.plymouth;
+in
+
+{
+  options.sys.boot.plymouth.enable = mkEnableOption "";
+
+  config = mkIf cfg.enable {
+    boot.plymouth = {
+      enable = true;
+      themePackages = [(pkgs.catppuccin-plymouth.override {variant = "mocha";})];
+      theme = "catppuccin-mocha";
+    };
+  };
+}

nixos/modules/base/default.nix

@@ -0,0 +1,23 @@
+{ lib, ... }:
+
+{
+  imports = [
+    ./shell
+    ./boot
+    ./nix
+    ./displayManager
+    ./networking
+    ./locale.nix
+    ./virtualization
+    ./security
+    ./services
+    ./host
+  ];
+
+
+  options.ooknet = {
+    virtualisation = {
+      enable = lib.mkEnableOption "Enable virtualisation module";
+    };
+  };
+}

nixos/modules/base/displayManager/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./tuigreet.nix
+  ];
+}

nixos/modules/base/displayManager/tuigreet.nix

@@ -0,0 +1,30 @@
+{ pkgs, lib, config, ... }:
+let
+  inherit (lib) mkIf;
+  tuigreet = "${pkgs.greetd.tuigreet}/bin/tuigreet";
+  host = config.ooknet.host;
+in
+{
+  config = mkIf (host.type != "phone") {
+    services.greetd = {
+      enable = true;
+      settings = {
+        default_session = {
+          command = "${tuigreet} --time --remember --cmd Hyprland"; # TODO: dont hardcode this
+          user = "greeter";
+        };
+      };
+    };
+
+    systemd.services.greetd.serviceConfig = {
+      Type = "idle";
+      StandardInput = "tty";
+      StandardOutput = "tty";
+      StandardError = "journal"; # Without this errors will spam on screen
+      # Without these bootlogs will spam on screen
+      TTYReset = true;
+      TTYVHangup = true;
+      TTYVTDisallocate = true;
+    };
+  };
+}

nixos/modules/base/host/admin.nix

@@ -0,0 +1,74 @@
+{ lib, config, pkgs, inputs, outputs, self, ... }:
+
+let
+  cfg = config.ooknet.host.admin;
+  ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
+  inherit (lib) mkIf types mkOption;
+in
+
+{
+  options.ooknet.host.admin = {
+    name = mkOption {
+      type = types.str;
+      default = "ooks";
+      description = "Name of the primary user";
+    };
+    shell = mkOption {
+      type = types.enum ["fish" "bash" "zsh"];
+      default = "zsh";
+      description = "The login shell of the primary user";
+    };
+    gitName = mkOption {
+      type = types.str;
+      default = "ooks-io";
+      description = "Github username of admin";
+    };
+    gitEmail = mkOption {
+      type = types.str;
+      default = "ooks@protonmail.com";
+      description = "Github email of admin";
+    };
+    sshKey = mkOption {
+      type = types.str;
+      default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
+      description = "The ssh key for the admin user";
+    };
+    homeManager = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enables home manager module for the admin user";
+    };
+  };
+
+  config = {
+    users.users.${cfg.name} = {
+      isNormalUser = true;
+      shell = pkgs.${cfg.shell};
+      initialPassword = "password";
+      openssh.authorizedKeys.keys = [ "${cfg.sshKey}" ];
+      extraGroups = [
+        "wheel"
+        "video"
+        "audio"
+        ] ++ ifTheyExist [
+        "git"
+        "media"
+        "network"
+        "libvirtd"
+        "deluge"
+        "streamer"
+        "torrenter"
+      ];
+    };
+    home-manager = mkIf cfg.homeManager {
+      useGlobalPkgs = true;
+      useUserPackages = true;
+      backupFileExtension = "hm.old";
+      verbose = true;
+      extraSpecialArgs = { inherit inputs outputs self; };
+      users.${cfg.name} = {
+        imports = [ "${self}/home" ];
+      };
+    };
+  };
+}

nixos/modules/base/host/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./admin.nix
+    ./name.nix
+    ./type.nix
+    ./role.nix
+    ./hardware
+  ];
+}

nixos/modules/base/host/hardware/common.nix

@@ -0,0 +1,15 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    hardware = {
+      enableRedistributableFirmware = true;
+      enableAllFirmware = true;
+    };
+  };
+}

nixos/modules/base/host/hardware/cpu/amd.nix

@@ -0,0 +1,42 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkMerge mkEnableOption mkIf versionAtLeast versionOlder;
+  inherit (builtins) elem;
+  cpu = config.ooknet.host.hardware.cpu; 
+  cfg = cpu.amd;
+  kernelVersion = config.boot.kernelPackages.kernel.version;
+  kernelVersionAtLeast = versionAtLeast kernelVersion;
+  kernelVersionOlder= versionOlder kernelVersion;
+in
+
+{
+  options.ooknet.host.hardware.cpu.amd.pstate.enable = mkEnableOption "Enable amd pstate module";
+
+  config = mkIf (elem cpu.type ["amd"]) {
+    environment.systemPackages = [pkgs.amdctl];
+    hardware.cpu.amd.updateMicrocode = true;
+    boot = mkMerge [
+      {
+        kernelModules = [
+          "amd-pstate"
+          "amd-kvm" # virtulization
+          "msr" # required for amdctl
+        ];
+      }
+      
+      (mkIf (cfg.pstate.enable && (kernelVersionAtLeast "5.27") && (kernelVersionOlder "6.1")) {
+        kernelParams = ["initcall_blacklist-acpi_cpufreq_init"];
+        kernelModules = ["amd-pstate"];
+      })
+
+      (mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.1") && (kernelVersionOlder "6.3")) {
+        kernelParams = ["amd_pstate=passive"];
+      })
+
+      (mkIf (cfg.pstate.enable && (kernelVersionAtLeast "6.3")) {
+        kernelParams = ["amd_pstate=active"];
+      })
+    ];
+  };
+}

nixos/modules/base/host/hardware/cpu/default.nix

@@ -0,0 +1,18 @@
+{ lib, ... }:
+
+let
+  inherit (lib) types mkOption;
+in
+
+{
+  imports = [
+    ./amd.nix
+    ./intel.nix
+  ];
+
+  options.ooknet.host.hardware.cpu.type = mkOption {
+    type = with types; nullOr (enum ["intel" "amd"]);
+    default = null;
+    description = "Type of cpu system module to use";
+  };
+}

nixos/modules/base/host/hardware/cpu/intel.nix

@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+  cpu = config.ooknet.host.hardware.cpu;
+in
+
+{
+  # TODO: put kvm/gvt behind virtualization module flag
+
+  config = mkIf (elem cpu.type ["intel"]) {
+    boot = {
+      kernelModules = ["kvm-intel"];
+      kernelParams = ["i915.fastboot=1" "enable_gvt=1"];
+    };
+    hardware.cpu.intel.updateMicrocode = true;
+    environment.systemPackages = [pkgs.intel-gpu-tools];
+  };
+}

nixos/modules/base/host/hardware/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./cpu
+    ./gpu
+    ./features
+    ./common.nix
+    ./monitors.nix
+  ];
+}

nixos/modules/base/host/hardware/features/audio.nix

@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (lib.generators) toLua;
+  inherit (lib.lists) elem optionals;
+  # inherit (builtins) elem;
+  features = config.ooknet.host.hardware.features;
+  hasBT = (elem "bluetooth" features);
+in
+
+{
+  config = mkIf (elem "audio" features) {
+    hardware.pulseaudio.enable = !config.services.pipewire.enable;
+    security.rtkit.enable = config.services.pipewire.enable;
+    services.pipewire = 
+    let
+      quantum = 64;
+      rate = 48000;
+      qr = "${toString quantum}/${toString rate}";
+    in
+    {
+      enable = true;
+
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+
+      # Low latency module provided by notashelf/nyx
+      extraConfig.pipewire."99-lowlatency" = {
+        context = {
+          properties.default.clock.min-quantum = quantum;
+          modules = [
+            {
+              name = "libpipewire-module-rtkit";
+              flags = ["ifexists" "nofail"];
+              args = {
+                nice.level = -15;
+                rt = {
+                  prio = 88;
+                  time.soft = 200000;
+                  time.hard = 200000;
+                };
+              };
+            }
+            {
+              name = "libpipewire-module-protocol-pulse";
+              args = {
+                server.address = ["unix:native"];
+                pulse.min = {
+                  req = qr;
+                  quantum = qr;
+                  frag = qr;
+                };
+              };
+            }
+          ];
+
+          stream.properties = {
+            node.latency = qr;
+            resample.quality = 1;
+          };
+        };
+      };
+
+      wireplumber = {
+        enable = true;
+        configPackages = let
+          matches = toLua {
+            multiline = false;
+            indent = false;
+          } [[["node.name" "matches" "alsa_output.*"]]];
+
+          apply_properties = toLua {} {
+            "audio.format" = "S32LE";
+            "audio.rate" = rate * 2;
+            "api.alsa.period-size" = 2;
+          };
+        in
+          [
+            (pkgs.writeTextDir "share/lowlatency.lua.d/99-alsa-lowlatency.lua" ''
+              alsa_monitor.rules = {
+                {
+                  matches = ${matches};
+                  apply_properties = ${apply_properties};
+                }
+              }
+            '')
+          ]
+          ++ optionals hasBT [
+            (pkgs.writeTextDir "share/bluetooth.lua.d/51-bluez-config.lua" /* lua */ ''
+              bluez_monitor.properties = {
+                ["bluez5.enable-sbc-xq"] = true,
+                ["bluez5.enable-msbc"] = true,
+                ["bluez5.enable-hw-volume"] = true,
+                ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+              }
+            '')
+          ];
+      };
+    };
+
+    systemd.user.services = {
+      pipewire.wantedBy = ["default.target"];
+      pipewire-pulse.wantedBy = ["default.target"];
+    };
+  };
+} 
+
+

nixos/modules/base/host/hardware/features/backlight.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+
+let
+  features = config.ooknet.host.hardware.features;
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+in
+
+{
+  config = mkIf (elem "backlight" features) {
+    hardware.brillo.enable = true;
+  };
+}

nixos/modules/base/host/hardware/features/battery.nix

@@ -0,0 +1,94 @@
+
+{ lib, config, pkgs, ... }:
+
+let
+  features = config.ooknet.host.hardware.features;
+  cfg = config.ooknet.host.hardware.battery;
+  inherit (lib) mkIf mkDefault mkOption types;
+  inherit (builtins) elem;
+  MHz = x: x * 1000;
+in
+  
+{
+  options.ooknet.host.hardware.battery = {
+    powersave = {
+      minFreq = mkOption {
+        type = types.int;
+        default = 800;
+        description = "Minimum frequency for powersave mode in MHz";
+      };
+      maxFreq = mkOption {
+        type = types.int;
+        default = 1100;
+        description = "Maximum frequency for powersave mode in MHz";
+      };
+    };
+    performance = {
+      minFreq = mkOption {
+        type = types.int;
+        default = 1500;
+        description = "Minimum frequency for performance mode in MHz";
+      };
+      maxFreq = mkOption {
+        type = types.int;
+        default = 2600;
+        description = "Maximum frequency for performance mode in MHz";
+      };
+    };
+  };
+
+  config = mkIf (elem "battery" features) {
+    boot = {
+      kernelModules = ["acpi_call"];
+      extraModulePackages = with config.boot.kernelPackages; [
+        acpi_call
+        cpupower
+      ];
+    };
+
+    services = {
+      auto-cpufreq = {
+        enable = true;
+        settings = {
+          battery = {
+            governor = "powersave";
+            scaling_min_freq = mkDefault (MHz cfg.powersave.minFreq);
+            scaling_max_freq = mkDefault (MHz cfg.powersave.maxFreq);
+            turbo = "never";
+          };
+          charger = {
+            governor = "performance";
+            scaling_min_freq = mkDefault (MHz cfg.performance.minFreq);
+            scaling_max_freq = mkDefault (MHz cfg.performance.maxFreq);
+            turbo = "auto";
+          };
+        };
+      };
+
+      upower = {
+        enable = true;
+        percentageLow = 25;
+        percentageCritical = 5;
+        percentageAction = 3;
+        criticalPowerAction = "Hibernate";
+      };
+
+      undervolt = {
+        enable = true;
+        tempBat = 65;
+      };
+
+      thermald.enable = true;
+
+      power-profiles-daemon.enable = true;
+
+      logind = {
+        lidSwitch = "suspend";
+      };
+    };
+    environment.systemPackages = with pkgs; [
+      acpi
+      powertop
+    ];
+  };
+}

nixos/modules/base/host/hardware/features/bluetooth.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, self, ... }:
+
+let
+  features = config.ooknet.host.hardware.features;
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+in
+
+{
+  config = mkIf (elem "bluetooth" features) {
+    hardware.bluetooth = {
+      enable = true;
+      package = pkgs.bluez5-experimental;
+    };
+  
+    environment.systemPackages = with pkgs; [
+      self.packages.${pkgs.system}.live-buds-cli
+  	  bluetuith
+  	];
+
+    # https://github.com/NixOS/nixpkgs/issues/114222
+    systemd.user.services.telephony_client.enable = false;
+  };
+}

nixos/modules/base/host/hardware/features/default.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) types mkOption;
+in
+
+{
+  imports = [
+    ./bluetooth.nix
+    ./backlight.nix
+    ./battery.nix
+    ./ssd.nix
+    ./audio.nix
+    ./video.nix
+  ];
+
+  options.ooknet.host.hardware.features = mkOption {
+    type = with types; listOf (enum ["audio" "video" "bluetooth" "backlight" "battery" "ssd"]);
+    default = [];
+    description = "What extra hardware feature system modules to use";
+  };
+}

nixos/modules/base/host/hardware/features/ssd.nix

@@ -0,0 +1,23 @@
+{ lib, config, ... }:
+
+let
+  features = config.ooknet.host.hardware.features;
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+in
+
+{
+  config = mkIf (elem "ssd" features) {
+    services.fstrim = {
+      enable = true;
+    };
+    # only run fstrim while connected on AC
+    systemd.services.fstrim = {
+      unitConfig.ConditionACPower = true;
+      serviceConfig = {
+        Nice = 19;
+        IOSchedulingClass = "idle";
+      };
+    }; 
+  };
+}

nixos/modules/base/host/hardware/features/video.nix

@@ -0,0 +1,32 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+  isx86Linux = pkgs: with pkgs.stdenv; hostPlatform.isLinux && hostPlatform.isx86;
+  features = config.ooknet.host.hardware.features;
+in
+
+{
+  config = mkIf (elem "video" features) {
+    hardware = {
+      opengl = {
+        enable = true;
+        driSupport = true;
+        driSupport32Bit = isx86Linux pkgs;
+      };
+    };
+    xdg.portal = {
+      enable = true;
+      xdgOpenUsePortal = true;
+      extraPortals = with pkgs; [
+        xdg-desktop-portal-hyprland
+        xdg-desktop-portal-gtk
+      ];
+      config = {
+        common.default = ["gtk"];
+        hyprland.default = ["gtk" "hyprland"];
+      };
+    };
+  };
+}

nixos/modules/base/host/hardware/gpu/amd.nix

@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+
+let
+  gpu = config.ooknet.host.hardware.gpu;
+  inherit (lib) mkIf mkDefault;
+  inherit (builtins) elem;
+in
+
+{
+  config = mkIf (elem gpu.type ["amd"]) {
+    hardware.opengl = {
+      extraPackages = with pkgs; [
+        vulkan-tools
+        vulkan-loader
+        vulkan-extension-layer
+        vulkan-validation-layers
+        # amdvlk
+        mesa
+      ];
+      extraPackages32 = [ pkgs.driversi686Linux.amdvlk ];
+    };
+    boot = {
+      initrd.kernelModules = ["amdgpu"];
+      kernelModules = ["amdgpu"];
+    };
+    environment.systemPackages = [ pkgs.nvtopPackages.amd ];
+    services.xserver.videoDrivers = mkDefault ["modesetting" "amdgpu"];
+  };
+}

nixos/modules/base/host/hardware/gpu/default.nix

@@ -0,0 +1,19 @@
+{ lib, ... }:
+
+let
+  inherit (lib) types mkOption;
+in
+
+{
+  imports = [
+    ./amd.nix
+    ./intel.nix
+    ./nvidia.nix
+  ];
+
+  options.ooknet.host.hardware.gpu.type = mkOption {
+    type = with types; nullOr (enum ["intel" "amd" "nvidia"]);
+    default = null;
+    description = "Type of gpu system module to use";
+  };
+}

nixos/modules/base/host/hardware/gpu/intel.nix

@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+let
+  gpu = config.ooknet.host.hardware.gpu;
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+
+  # vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
+in
+
+{
+  config = mkIf (elem gpu.type ["intel"]) {
+    
+    services.xserver.videoDrivers = ["modesetting"];
+    hardware.opengl = {
+      extraPackages = with pkgs; [
+        vaapiIntel
+        vaapiVdpau
+        libvdpau-va-gl
+
+        intel-compute-runtime
+        intel-media-driver
+      ];
+      extraPackages32 = with pkgs.pkgsi686Linux; [
+        vaapiIntel
+        vaapiVdpau
+        libvdpau-va-gl
+
+        intel-media-driver
+      ];
+    };
+    boot.initrd.kernelModules = ["i915"];    
+    environment.variables = mkIf config.hardware.opengl.enable {
+      VDPAU_DRIVER = "va_gl";
+    };
+  };
+}

nixos/modules/base/host/hardware/gpu/nvidia.nix

@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+
+let
+  gpu = config.ooknet.host.hardware.gpu;
+  inherit (lib) mkIf mkDefault;
+  inherit (builtins) elem;
+  production = config.boot.kernelPackages.nvidiaPackages.production;
+  # beta = config.boot.kernelPackages.nvidiaPackages.beta;
+in
+
+{
+# TODO: make option to choose nvidia package
+  config = mkIf (elem gpu.type ["nvidia"]) {
+    hardware = {
+      nvidia = {
+        open = mkDefault true;
+        package = production;
+        forceFullCompositionPipeline = true;
+        nvidiaSettings = false;
+        nvidiaPersistenced = true;
+        modesetting.enable = true;
+        powerManagement = {
+          enable = mkDefault true;
+          finegrained = mkDefault false;
+        };
+      };
+      opengl = {
+        extraPackages = with pkgs; [ nvidia-vaapi-driver ];
+        extraPackages32 = with pkgs.pkgsi686Linux; [ nvidia-vaapi-driver ];
+      };
+    };
+    environment.systemPackages = with pkgs; [
+
+      libva
+      libva-utils
+
+      vulkan-loader
+      vulkan-validation-layers
+      vulkan-tools
+      vulkan-extension-layer
+
+      mesa
+
+      nvtopPackages.nvidia
+    ];
+    environment.sessionVariables = {
+      LIBVA_DRIVER_NAME = "nvidia";
+      NVD_BACKEND = "direct";
+    };
+  };
+}

nixos/modules/base/host/hardware/monitors.nix

@@ -0,0 +1,62 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkOption types;
+  cfg = config.ooknet.host.hardware.monitors;
+in
+{
+  options.ooknet.host.hardware.monitors = mkOption {
+    type = types.listOf (types.submodule {
+      options = {
+        name = mkOption {
+          type = types.str;
+          example = "DP-1";
+        };
+        primary = mkOption {
+          type = types.bool;
+          default = false;
+        };
+        width = mkOption {
+          type = types.int;
+          example = 1920;
+        };
+        height = mkOption {
+          type = types.int;
+          example = 1080;
+        };
+        refreshRate = mkOption {
+          type = types.int;
+          default = 60;
+        };
+        x = mkOption {
+          type = types.int;
+          default = 0;
+        };
+        y = mkOption {
+          type = types.int;
+          default = 0;
+        };
+        transform = mkOption {
+          type = types.int;
+          default = 0;
+        };
+        enabled = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        workspace = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+        };
+      };
+    });
+    default = [ ];
+  };
+  config = {
+    assertions = [{
+      assertion = ((lib.length cfg) != 0) ->
+        ((lib.length (lib.filter (m: m.primary) cfg)) == 1);
+      message = "Exactly one monitor must be set to primary.";
+    }];
+  };
+}

nixos/modules/base/host/name.nix

@@ -0,0 +1,21 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) types mkOption;
+  cfg = config.ooknet.host;
+in
+
+{
+  options.ooknet.host = {
+    name = mkOption {
+      type = types.str;
+      default = "ooksgeneric";
+      description = "Name of host machine";
+    };
+  };
+
+  config = {
+    networking.hostName = cfg.name;
+    environment.sessionVariables.HN = cfg.name;
+  };
+}

nixos/modules/base/host/role.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+let
+  inherit (lib) types mkOption;
+in
+
+{
+  options.ooknet.host.function = mkOption {
+    type = with types; listOf (enum ["gaming" "workstation" "media-server"]);
+    default = [];
+    description = "Host's primary function/s";
+  };
+}

nixos/modules/base/host/type.nix

@@ -0,0 +1,13 @@
+{ lib, ... }:
+
+let
+  inherit (lib) mkOption types;
+in
+
+{
+  options.ooknet.host.type = mkOption {
+    type = types.enum ["desktop" "laptop" "mixed" "server" "phone" "laptop" "micro" "vm"];
+    default = "";
+    description = "Declare what type of device the host is";
+  };  
+}

nixos/modules/base/locale.nix

@@ -0,0 +1,17 @@
+{ lib, ... }: 
+
+let
+  inherit (lib) mkDefault;
+in
+
+{
+  i18n = {
+    defaultLocale = mkDefault "en_US.UTF-8";
+    supportedLocales = mkDefault [
+      "en_US.UTF-8/UTF-8"
+    ];
+  };
+  time.timeZone = mkDefault "Pacific/Auckland";
+  location.provider = "geoclue2";
+  services.geoclue2.enable = true;
+}

nixos/modules/base/networking/default.nix

@@ -0,0 +1,29 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  imports = [
+    ./firewall.nix
+    ./tools.nix
+    ./ssh.nix
+    ./tcp.nix
+    ./resolved.nix
+    ./tailscale.nix
+  ];
+
+  config = mkIf (host.type != "phone") {
+    networking.networkmanager = {
+      enable = true;
+      dns = "systemd-resolved";
+    };
+
+    systemd = {
+      network.wait-online.enable = false;
+      services.NetworkManager-wait-online.enable = false;
+    };
+  };
+}

nixos/modules/base/networking/firewall.nix

@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        443 # https
+        57621 # spotify
+      ];
+    };
+  };
+}

nixos/modules/base/networking/resolved.nix

@@ -0,0 +1,19 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    services.resolved = {
+      enable = true;
+      fallbackDns = ["9.9.9.9"];
+      # allow-downgrade is vulnerable to downgrade attacks
+      extraConfig = ''
+         DNSOverTLS=yes # or allow-downgrade
+      '';
+    };
+  };
+}

nixos/modules/base/networking/ssh.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf mkDefault;
+  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBn3ff3HaZHIyH4K13k8Mwqu/o7jIABJ8rANK+r2PfJk";
+  phoneKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINredx07UAk2l1wUPujYnmJci1+XEmcUuSX0DIYg6Vzz";
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    environment.sessionVariables.SSH_AUTH_SOCK = "~/.1password/agent.sock";
+
+    services.openssh = {
+      enable = true;
+      settings = {
+        UseDns = false;
+        PasswordAuthentication = false;
+        AuthenticationMethods = "publickey";
+        UsePAM = false;
+        PermitRootLogin = "no";
+        StreamLocalBindUnlink = "yes";
+        KbdInteractiveAuthentication = mkDefault false;
+      };
+    };
+
+    programs = {
+      ssh = {
+        knownHosts = {
+          "192.168.1.36".publicKey = phoneKey;
+        };
+      };
+      gnupg.agent = {
+        enable = true;
+        enableSSHSupport = true;
+      };
+    };
+  };
+}

nixos/modules/base/networking/tailscale.nix

@@ -0,0 +1,62 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.ooknet.networking.tailscale;
+  inherit (config.services) tailscale;
+  inherit (lib.lists) optionals;
+  inherit (lib.types) bool listOf str; 
+  inherit (lib.strings) concatStringsSep;
+  inherit (lib) mkIf mkEnableOption mkOption mkDefault;
+in
+
+{
+  options.ooknet.networking.tailscale = {
+    enable = mkEnableOption "Enable tailscale system module";
+    server = mkOption {
+      type = bool;
+      default = false;
+      description = "Define if the host is a server";
+    };
+    client = mkOption {
+      type = bool;
+      default = cfg.enable;
+      description = "Define if the host is a client";
+    };
+    tag = mkOption {
+      type = listOf str;
+      default = 
+        if cfg.client then ["tag:client"]
+        else if cfg.server then ["tag:server"]
+        else [];
+      description = "Sets host tag depending on if server/client";
+    };
+    operator = mkOption {
+      type = str;
+      default = "ooks";
+      description = "Name of the tailscale operator";
+    };
+  };
+  
+  config = mkIf cfg.enable {
+
+    services.tailscale = {
+      enable = true;
+      useRoutingFeatures = mkDefault "both";
+      # permitCertUid = "root";
+      extraUpFlags = 
+        [ "--ssh" "--operator=$USER" ]
+        ++ optionals cfg.server [ "--advertise-exit-node" ]
+        ++ optionals (cfg.tags != []) ["--advertise-tags" (concatStringsSep "," cfg.tags)]; 
+    };
+
+    networking.firewall = {
+      allowedUDPPorts = [tailscale.port];
+      trustedInterfaces = ["${tailscale.interfaceName}"];
+      checkReversePath = "loose";
+    };
+
+    systemd.network.wait-online.ignoredInterfaces = ["${tailscale.interfaceName}"];
+
+    environment.systemPackages = [ pkgs.tailscale ];
+  };
+}

nixos/modules/base/networking/tcp.nix

@@ -0,0 +1,79 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  # nyx module
+  config = mkIf (host.type != "phone") {
+    boot = {
+      kernelModules = ["tls" "tcp_bbr"];
+      kernel.sysctl = {
+        # TCP hardening
+        # Prevent bogus ICMP errors from filling up logs.
+        "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
+        # Reverse path filtering causes the kernel to do source validation of
+        # packets received from all interfaces. This can mitigate IP spoofing.
+        "net.ipv4.conf.default.rp_filter" = 1;
+        "net.ipv4.conf.all.rp_filter" = 1;
+        # Do not accept IP source route packets (we're not a router)
+        "net.ipv4.conf.all.accept_source_route" = 0;
+        "net.ipv6.conf.all.accept_source_route" = 0;
+        # Don't send ICMP redirects (again, we're on a router)
+        "net.ipv4.conf.all.send_redirects" = 0;
+        "net.ipv4.conf.default.send_redirects" = 0;
+        # Refuse ICMP redirects (MITM mitigations)
+        "net.ipv4.conf.all.accept_redirects" = 0;
+        "net.ipv4.conf.default.accept_redirects" = 0;
+        "net.ipv4.conf.all.secure_redirects" = 0;
+        "net.ipv4.conf.default.secure_redirects" = 0;
+        "net.ipv6.conf.all.accept_redirects" = 0;
+        "net.ipv6.conf.default.accept_redirects" = 0;
+        # Protects against SYN flood attacks
+        "net.ipv4.tcp_syncookies" = 1;
+        # Incomplete protection again TIME-WAIT assassination
+        "net.ipv4.tcp_rfc1337" = 1;
+        # And other stuff
+        "net.ipv4.conf.all.log_martians" = true;
+        "net.ipv4.conf.default.log_martians" = true;
+        "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+        "net.ipv6.conf.default.accept_ra" = 0;
+        "net.ipv6.conf.all.accept_ra" = 0;
+        "net.ipv4.tcp_timestamps" = 0;
+
+        # TCP optimization
+        # TCP Fast Open is a TCP extension that reduces network latency by packing
+        # data in the sender’s initial TCP SYN. Setting 3 = enable TCP Fast Open for
+        # both incoming and outgoing connections:
+        "net.ipv4.tcp_fastopen" = 3;
+        # Bufferbloat mitigations + slight improvement in throughput & latency
+        "net.ipv4.tcp_congestion_control" = "bbr";
+        "net.core.default_qdisc" = "cake";
+
+        # Other stuff that I am too lazy to document
+        "net.core.optmem_max" = 65536;
+        "net.core.rmem_default" = 1048576;
+        "net.core.rmem_max" = 16777216;
+        "net.core.somaxconn" = 8192;
+        "net.core.wmem_default" = 1048576;
+        "net.core.wmem_max" = 16777216;
+        "net.ipv4.ip_local_port_range" = "16384 65535";
+        "net.ipv4.tcp_max_syn_backlog" = 8192;
+        "net.ipv4.tcp_max_tw_buckets" = 2000000;
+        "net.ipv4.tcp_mtu_probing" = 1;
+        "net.ipv4.tcp_rmem" = "4096 1048576 2097152";
+        "net.ipv4.tcp_slow_start_after_idle" = 0;
+        "net.ipv4.tcp_tw_reuse" = 1;
+        "net.ipv4.tcp_wmem" = "4096 65536 16777216";
+        "net.ipv4.udp_rmem_min" = 8192;
+        "net.ipv4.udp_wmem_min" = 8192;
+        "net.netfilter.nf_conntrack_generic_timeout" = 60;
+        "net.netfilter.nf_conntrack_max" = 1048576;
+        "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
+        "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
+      };
+    };
+  };
+}

nixos/modules/base/networking/tools.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    traceroute
+    mtr
+    tcpdump
+  ];
+
+  programs = {
+    wireshark.enable = true;
+    bandwhich.enable = true;
+  };
+}

nixos/modules/base/nix/default.nix

@@ -0,0 +1,49 @@
+{ lib, config, pkgs, inputs, ... }:
+
+let
+  inherit (lib) mkIf mapAttrs mapAttrsToList;
+  host = config.ooknet.host;
+in
+
+{
+  imports = [
+    ./nh.nix
+    ./nixpkgs.nix
+    ./subs.nix
+  ];
+
+  config = mkIf (host.type != "phone") {
+    environment = {
+      systemPackages = with pkgs; [
+        git
+        deadnix
+        statix
+      ];
+      defaultPackages = [];
+      etc = {
+        "nix/flake-channels/nixpkgs".source = inputs.nixpkgs;
+        "nix/flake-channels/home-manager".source = inputs.nixpkgs;
+      };
+    };
+    nix = {
+      registry = mapAttrs (_: v: {flake = v;}) inputs;
+      nixPath = mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;
+      optimise = {
+        automatic = true;
+        dates = [ "18:00" ];
+      };
+      gc = {
+        automatic = true;
+        dates = "Sun *-*-* 17:00";
+        options = "--delete-older-than 30d";
+      };
+      settings = {
+        flake-registry = "/etc/nix/registry.json";
+        allowed-users = [ "root" "@wheel" ];
+        trusted-users = [ "root" "@wheel" ];
+        experimental-features = [ "nix-command" "flakes" ];
+        builders-use-substitutes = true;
+      };
+    };
+  };
+}

nixos/modules/base/nix/nh.nix

@@ -0,0 +1,18 @@
+{ pkgs, lib, config, ... }: 
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+  # TODO: i dont't want to hardcode this.
+    environment.variables.FLAKE = "/home/ooks/.config/ooknet/";
+
+    programs.nh = {
+      enable = true;
+      package = pkgs.nh;
+    };
+  };
+}

nixos/modules/base/nix/nixpkgs.nix

@@ -0,0 +1,25 @@
+{ lib, config, inputs, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    nixpkgs = {
+      config = {
+        allowUnfree = true;
+        permittedInsecurePackages = [
+          "openssl-1.1.1u"
+          "electron-25.9.0"
+        ];
+      };
+      overlays = [
+        (final: prev: {
+          zjstatus = inputs.zjstatus.packages.${prev.system}.default;
+        })
+      ];
+    };
+  };
+}

nixos/modules/base/nix/subs.nix

@@ -0,0 +1,33 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    nix.settings = {
+      substituters = [
+        "https://cache.nixos.org?priority=10"
+        "https://fufexan.cachix.org"
+        "https://helix.cachix.org"
+        "https://hyprland.cachix.org"
+        "https://nix-community.cachix.org"
+        "https://nix-gaming.cachix.org"
+        "https://anyrun.cachix.org"
+        "https://nixpkgs-wayland.cachix.org"
+      ];
+
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
+        "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
+        "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
+        "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+      ];
+    };
+  };
+}

nixos/modules/base/security/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./kernel.nix
+    ./pam.nix
+    ./polkit.nix
+    ./sudo.nix
+  ];
+}

nixos/modules/base/security/kernel.nix

@@ -0,0 +1,195 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) optionals mkForce concatLists;
+  inherit (builtins) elem;
+  features = config.ooknet.host.hardware.features;
+in
+
+{
+  security = {
+    # Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
+    protectKernelImage = true; 
+
+    # page table isolation (PTI) is a kernel option designed to protect against
+    # side-channel attacks, including Meltdown & Spectre vunerabilities.  
+    forcePageTableIsolation = true;
+
+    # locking kernel modules during runtime breaks certain services by stopping them from being
+    # loaded at runtime. we use some of these services, so we disable this kernel option.
+    lockKernelModules = false;
+
+    # we enable simultaneous multithreading (SMT) because while it increases our attack surface
+    # disabling it comes at a large perfomance loss.
+    allowSimultaneousMultithreading = true;
+
+    # slight increase in attack surface, but allows for sandboxing
+    allowUserNamespaces = true;
+
+    # we don't need unpivileged user namespaces unless we are messing with containers so we disable
+    unprivilegedUsernsClone = false;
+  };
+
+  boot = {
+    kernel = {
+      sysctl = {
+        # obfuscate kernel pointers to protect against attacks that rely on memory layout of the kernel
+        "kernel.kptr_restrict" = 2;
+
+        # we don't make use of sysrq so we disable it to protect ourselves against potential physical attacks
+        "kernel.sysrq" = mkForce 0;
+
+        # limits the exposer of the kernel memory address via dmesg
+        "kernel.dmesg_restrict" = 1;
+        
+        # we are not a kernel developer so we disable this to prevent potential information leaks & attacks
+        "kernel.ftrace_enabled" = false;
+
+        # disables performance events for all non-root users, root can only acess events that are explicitly
+        # enabled.
+        "kernel.perf_event_paranoid" = 3;
+
+        # disables the use of berkeley packet filter (BPF) to unpriviliged users.
+        "kernel.unprivileged_bpf_disabled" = 1;
+
+        # prevents potentially leaking sensitive information from the boot console kernel log.
+        "kernel.printk" = "3 3 3 3";
+
+        # just-in-time (JIT) compiler for the berkeley packet filter (BPF). disable this as we dont make use
+        # of it and reduces potential security risks.
+        "net.core.bpf_jit_enable" = false;
+
+        # disables core dumps for SUID and SGID this reduces the risk of exposing sensitive information
+        # that might reside in the memory at the time of a crash
+        "fs.suid_dumpable" = 0;
+
+        # enforces strict access to files only allows the user or root to write regular files
+        "fs.protected_regular" = 2;
+        "fs.protected_fifos" = 2;
+
+        # disables the automatic loading of TTY line disciplines
+        "dev.tty.ldisc_autoload" = "0";
+      };
+    };
+
+    # https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+    kernelParams = [
+      # kernel errors can trigger something known as an "oops", by settings oops=panic we add a fail-safe
+      # mechanism to ensure that in the advent of an oops the system reboots, preventing the system from running
+      # in a potentially compromised state.
+      "oops=panic"
+
+      # enforces signature checking on all kernel modules before they are loaded.
+      "module.sig_enforce=1"
+
+      # enables memory page poisoning, increasing the difficulty for attackers to exploit
+      # use-after-free vulnerabillities.
+      "page_poison=on"
+
+      # enables kernel adress space layout randomization (KASLR) which mitigates memory exploits
+      # & increases system entropy.
+      "page_alloc.shuffle=1"
+
+      # randomizes the kernel stack offset, mitigating stack-based attacks.
+      "randomize_kstack_offset=on"
+
+      # lockdown aims to restrict certain kernel functionality that could be exploited by an attacker with
+      # user space code.
+      "lockdown=confidentiality"
+
+      # disables a common interface that contains sensitive info on the kernel
+      "debugfs=off"
+
+      # prevent kernel from blanking plymouth out of the frame buffer console 
+      "fbcon=nodefer"
+
+      # enables auditing of integrity measurement events
+      "integrity_audit=1"
+
+      # increases memory safety by modifying the state of the memory objects more closely & helps detecting
+      # & identifying bugs
+      "slub_debug=FZP"
+
+      # disables the legacy vyscall mechanism, reducing attack surface.
+      "vsyscall=none"
+      
+      # reduce exposure to heap attacks by preventing different slab caches from being merged.
+      "slab_nomerge"
+
+      
+      "rootflags=noatime"
+      "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+    ];
+    blacklistedKernelModules = concatLists [
+      # Obscure network protocols
+      [
+        "dccp" # Datagram Congestion Control Protocol
+        "sctp" # Stream Control Transmission Protocol
+        "rds" # Reliable Datagram Sockets
+        "tipc" # Transparent Inter-Process Communication
+        "n-hdlc" # High-level Data Link Control
+        "netrom" # NetRom
+        "x25" # X.25
+        "ax25" # Amatuer X.25
+        "rose" # ROSE
+        "decnet" # DECnet
+        "econet" # Econet
+        "af_802154" # IEEE 802.15.4
+        "ipx" # Internetwork Packet Exchange
+        "appletalk" # Appletalk
+        "psnap" # SubnetworkAccess Protocol
+        "p8022" # IEEE 802.3
+        "p8023" # Novell raw IEEE 802.3
+        "can" # Controller Area Network
+        "atm" # ATM
+      ]
+
+      # Old or rare or insufficiently audited filesystems
+      [
+        "adfs" # Active Directory Federation Services
+        "affs" # Amiga Fast File System
+        "befs" # "Be File System"
+        "bfs" # BFS, used by SCO UnixWare OS for the /stand slice
+        "cifs" # Common Internet File System
+        "cramfs" # compressed ROM/RAM file system
+        "efs" # Extent File System
+        "erofs" # Enhanced Read-Only File System
+        "exofs" # EXtended Object File System
+        "freevxfs" # Veritas filesystem driver
+        "f2fs" # Flash-Friendly File System
+        "vivid" # Virtual Video Test Driver (unnecessary, and a historical cause of escalation issues)
+        "gfs2" # Global File System 2
+        "hpfs" # High Performance File System (used by OS/2)
+        "hfs" # Hierarchical File System (Macintosh)
+        "hfsplus" # " same as above, but with extended attributes
+        "jffs2" # Journalling Flash File System (v2)
+        "jfs" # Journaled File System - only useful for VMWare sessions
+        "ksmbd" # SMB3 Kernel Server
+        "minix" # minix fs - used by the minix OS
+        "nfsv3" # " (v3)
+        "nfsv4" # Network File System (v4)
+        "nfs" # Network File System
+        "nilfs2" # New Implementation of a Log-structured File System
+        "omfs" # Optimized MPEG Filesystem
+        "qnx4" # extent-based file system used by the QNX4 and QNX6 OSes
+        "qnx6" # "
+        "squashfs" # compressed read-only file system (used by live CDs)
+        "sysv" # implements all of Xenix FS, SystemV/386 FS and Coherent FS.
+        "udf" # https://docs.kernel.org/5.15/filesystems/udf.html
+      ]
+
+      # Disable Thunderbolt and FireWire to prevent DMA attacks
+      [
+        "thunderbolt"
+        "firewire-core"
+      ]
+
+      # if bluetooth is enabled, whitelist the module
+      # necessary for bluetooth dongles to work
+      (optionals (! (elem "bluetooth" features)) [
+        "bluetooth" # let bluetooth work
+        "btusb" # let bluetooth dongles work
+      ])
+    ];
+  };
+}

nixos/modules/base/security/pam.nix

@@ -0,0 +1,23 @@
+{
+  security = {
+    pam = {
+      loginLimits = [
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "soft";
+          value = "524288";
+        }
+        {
+          domain = "@wheel";
+          item = "nofile";
+          type = "hard";
+          value = "1048576";
+        }
+      ];
+      services = {
+        hyprlock = {};
+      };
+    };
+  };
+}

nixos/modules/base/security/polkit.nix

@@ -0,0 +1,19 @@
+
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkDefault mkIf;
+in
+
+{
+  security.polkit = {
+    enable = true;
+    debug = mkDefault true;
+    extraConfig = mkIf config.security.polkit.debug ''
+      /* Log authorization checks. */
+      polkit.addRule(function(action, subject) {
+        polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+      });
+    '';
+  };
+}

nixos/modules/base/security/sudo.nix

@@ -0,0 +1,60 @@
+{ lib, ... }: 
+
+let
+  inherit (lib) mkDefault mkForce;
+in
+
+{
+  # nyx module
+  security = {
+    sudo-rs.enable = mkForce false; # we don't want the rust sudo fork
+    sudo = {
+      enable = true;
+      wheelNeedsPassword = mkDefault false; # only use false here if the extraRules below are enabled
+      execWheelOnly = mkForce true; # only allow wheel to execute sudo
+      extraConfig = /* shell */ ''
+        Defaults lecture = never # disable sudo lecture
+        Defaults pwfeedback # password feedback
+        Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
+        Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
+      '';
+      extraRules = [
+        {
+          # allow wheel group to run nixos-rebuild without password
+          groups = ["wheel"];
+          commands = let
+            currentSystem = "/run/current-system/";
+            storePath = "/nix/store/";
+          in [
+            {
+              command = "${storePath}/*/bin/switch-to-configuration";
+              options = ["SETENV" "NOPASSWD"];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nix-store";
+              options = ["SETENV" "NOPASSWD"];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nix-env";
+              options = ["SETENV" "NOPASSWD"];
+            }
+            {
+              command = "${currentSystem}/sw/bin/nixos-rebuild";
+              options = ["NOPASSWD"];
+            }
+            {
+              # let wheel group collect garbage without password
+              command = "${currentSystem}/sw/bin/nix-collect-garbage";
+              options = ["SETENV" "NOPASSWD"];
+            }
+            {
+              # let wheel group interact with systemd without password
+              command = "${currentSystem}/sw/bin/systemctl";
+              options = ["NOPASSWD"];
+            }
+          ];
+        }
+      ];
+    };
+  };
+}

nixos/modules/base/services/dbus.nix

@@ -0,0 +1,17 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (lib.lists) any elem;
+  hasFunction = f: elem f config.ooknet.host.function;
+in
+
+{
+  config = mkIf (any hasFunction ["workstation" "gaming"]) {
+    services.dbus = {
+      enable = true;
+      packages = with pkgs; [ dconf gcr udisks2 ];
+      implementation = "broker";
+    };
+  };
+}

nixos/modules/base/services/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [ 
+  ./system76Scheduler.nix
+  ./dbus.nix
+  ./gnome.nix
+  ./gvfs.nix
+  ];
+}

nixos/modules/base/services/gnome.nix

@@ -0,0 +1,18 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host; 
+in
+
+{
+  config = mkIf (host.type != "phone" && host.type != "server") {
+    services = {
+      gnome = {
+        glib-networking.enable = true;
+        gnome-keyring.enable = true;
+      };
+      udev.packages = [ pkgs.gnome.gnome-settings-daemon ];
+    };
+  };
+}

nixos/modules/base/services/gvfs.nix

@@ -0,0 +1,12 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf ( host.type != "phone") {
+    services.gvfs.enable = true;
+  };
+}

nixos/modules/base/services/system76Scheduler.nix

@@ -0,0 +1,20 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+
+    services.system76-scheduler = {
+      enable = true;
+    };
+    # fix suspend issues
+    powerManagement = {
+      powerDownCommands = "systemctl stop system76-scheduler";
+      resumeCommands = "systemctl start system76-scheduler";
+    };
+  };
+}

nixos/modules/base/shell/bash/default.nix

@@ -0,0 +1,17 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  adminShell = config.ooknet.host.admin.shell;
+  cfg = config.ooknet.shell.zsh;
+in
+
+{
+  config = mkIf (adminShell == "bash" || cfg.enable) {
+    programs.bash = {
+      enable = true;
+    };
+    environment.pathsToLink = ["/share/bash-completion"];
+  };
+}
+

nixos/modules/base/shell/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./fish
+    ./bash
+    ./zsh
+  ];
+}

nixos/modules/base/shell/fish/default.nix

@@ -0,0 +1,22 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption;
+  adminShell = config.ooknet.host.admin.shell;
+  cfg = config.ooknet.shell.fish;
+in
+
+{
+  options.ooknet.shell.fish.enable = mkEnableOption "Enable fish module";
+
+  config = mkIf (adminShell == "fish" || cfg.enable) {
+    programs.fish = {
+      enable = true;
+      vendor = {
+        completions.enable = true;
+        config.enable = true;
+        functions.enable = true;
+      };
+    };
+  };
+}

nixos/modules/base/shell/zsh/default.nix

@@ -0,0 +1,25 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption;
+  adminShell = config.ooknet.host.admin.shell;
+  cfg = config.ooknet.shell.zsh;
+in
+
+{
+
+  options.ooknet.shell.zsh.enable = mkEnableOption "Enable zsh module";
+
+  config = mkIf (adminShell == "zsh" || cfg.enable) {
+    programs.zsh = {
+      enable = true;
+      enableCompletion = true;
+      syntaxHighlighting.enable = true;
+      autosuggestions = {
+        enable = true;
+        async = true;
+      };
+    };
+    environment.pathsToLink = ["/share/zsh"];
+  };
+}

nixos/modules/base/virtualization/default.nix

@@ -0,0 +1,33 @@
+{ lib, config, pkgs, ... }:
+
+let
+  cfg = config.ooknet.virtualisation;
+in
+
+{
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      virt-manager
+      virt-viewer
+      spice 
+      spice-gtk
+      spice-protocol
+      win-virtio
+      win-spice
+      gnome.adwaita-icon-theme
+    ];
+  
+    virtualisation = {
+      libvirtd = {
+        enable = true;
+        qemu = {
+          swtpm.enable = true;
+          ovmf.enable = true;
+          ovmf.packages = [ pkgs.OVMFFull.fd ];
+        };
+      };
+      spiceUSBRedirection.enable = true;
+    };
+    services.spice-vdagentd.enable = true;
+  };
+}

nixos/modules/roles/gaming/default.nix

@@ -0,0 +1,69 @@
+{ lib, config, pkgs, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+  steamFix = pkgs.steam.override {
+    extraPkgs = pkgs: with pkgs; [
+      xorg.libXcursor
+      xorg.libXi
+      xorg.libXinerama
+      xorg.libXScrnSaver
+      libpng
+      libpulseaudio
+      libvorbis
+      stdenv.cc.cc.lib
+      libkrb5
+      keyutils
+      mangohud
+      winetricks
+      protontricks
+      gtk3
+      gtk3-x11
+    ];
+  };
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (elem "gaming" host.function) {
+    hardware.opengl.extraPackages = [ pkgs.gamescope ];
+    services.flatpak.enable = true;
+    programs = {
+      steam = {
+        enable = true;
+        package = steamFix;
+        extraCompatPackages = [ pkgs.proton-ge-bin.steamcompattool ];
+      };
+      gamescope = {
+        enable = true;
+        capSysNice = true;
+      };
+      gamemode = {
+        enable = true;
+        settings = {
+          general = {
+            renice = 15;
+            softrealtime = "auto";
+          };
+           custom = {
+            start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
+            end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
+          };
+        };
+      };
+    };
+    networking.firewall = {
+      allowedTCPPorts = [ 3074 ];
+      allowedUDPPorts = [
+        88
+        500
+        3074
+        2075
+        3544
+        4500
+      ];
+    };
+  };
+}
+

nixos/modules/roles/media-server/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./services
+  ];
+}

nixos/modules/roles/media-server/services/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./nixarr.nix
+  ];
+}

nixos/modules/roles/media-server/services/nixarr.nix

@@ -0,0 +1,25 @@
+{ config, inputs, ... }:
+
+let
+  admin = config.ooknet.host.admin;
+in
+  
+{
+  imports = [ inputs.nixarr.nixosModules.default ];
+  nixarr = {
+    enable = true;
+    mediaDir = "/jellyfin";
+    stateDir = "/var/lib/nixarr";
+    mediaUsers = ["${admin.name}"];
+
+    jellyfin.enable = true;
+    sonarr.enable = true;
+    radarr.enable = true;
+    prowlarr.enable = true;
+    transmission.enable = true;
+  };
+  fileSystems."/jellyfin" = {
+    device = "/dev/disk/by-label/jellyfin";
+    fsType = "btrfs";
+  };
+}

nixos/modules/roles/workstation/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./programs
+  ];
+}

nixos/modules/roles/workstation/programs/1password.nix

@@ -0,0 +1,18 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (host.type != "phone") {
+    programs = {
+      _1password.enable = true;
+      _1password-gui = {
+        enable = true;
+        polkitPolicyOwners = [ "${host.admin.name}" ];
+      };
+    };
+  };
+}

nixos/modules/roles/workstation/programs/dconf.nix

@@ -0,0 +1,13 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkIf;
+  inherit (builtins) elem;
+  host = config.ooknet.host;
+in
+
+{
+  config = mkIf (elem "workstation" host.function){
+    programs.dconf.enable = true;
+  };
+}

nixos/modules/roles/workstation/programs/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./dconf.nix
+    ./kdeconnect.nix
+    ./1password.nix
+  ];
+}

nixos/modules/roles/workstation/programs/kdeconnect.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  programs.kdeconnect = {
+    enable = true;
+  };
+}