What a clusterfuck

modules/system/accounts/default.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./users
+    ./groups
+  ];
+}

modules/system/accounts/groups/default.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  imports = [
+    ./nfsShare
+  ];
+}

modules/system/accounts/groups/nfsShare/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  users.groups.nfsShare = {};
+}

modules/system/accounts/users/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./jimbo
+    ./liquidsoap
+    ./nextcloud
+    ./nginx
+  ];
+}

modules/system/accounts/users/jimbo/default.nix

@@ -0,0 +1,29 @@
+{ pkgs, outputs, ... }:
+{
+  users.users = {
+    jimbo = {
+      description = "Jimbo";
+      hashedPassword = outputs.secrets.jimboAccPass;
+      isNormalUser = true;
+      openssh.authorizedKeys.keys = outputs.secrets.jimKeys;
+      extraGroups = [
+        "wheel"
+        "audio"
+        "video"
+        "input"
+        "disk"
+        "dialout"
+        "networkmanager"
+        "rtkit"
+        "kvm"
+        "libvirtd"
+        "qemu-libvirtd"
+        "nginx"
+        "minecraft"
+        "nfsShare"
+      ];
+      uid = 1000;
+      shell = pkgs.zsh;
+    };
+  };
+}

modules/system/accounts/users/liquidsoap/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  users.users = {
+    nextcloud = {
+      extraGroups = [ "nginx" ];
+      isSystemUser = true;
+    };
+  };
+}

modules/system/accounts/users/nextcloud/default.nix

@@ -0,0 +1,8 @@
+{ ... }: {
+  users.users = { 
+    nextcloud = {
+      extraGroups = [ "nfsShare" ];
+      isSystemUser = true;
+    };
+  };
+}

modules/system/accounts/users/nginx/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  users.users = { 
+    nginx = {
+      extraGroups = [ "turnserver" "virtualMail" ];
+      isSystemUser = true;
+    };
+  };
+}

modules/system/default.nix

@@ -0,0 +1,35 @@
+{ outputs, config, pkgs, ... }: {
+  imports = [
+    ./accounts
+    ./modules/networking
+    ./modules/overlays
+    ./programs/git
+    ./services/garbage-collection
+  ];
+
+  nix = {
+    settings = {
+      experimental-features = "nix-command flakes";
+      auto-optimise-store = true;
+    };
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 1w";
+    };
+  };
+
+  time.timeZone = outputs.secrets.timeZone;
+
+  programs = {
+    zsh.enable = true;
+    nano.enable = false;
+  };
+
+  documentation = {
+    nixos.enable = false;
+    info.enable = false;
+  };
+
+  hardware.enableRedistributableFirmware = true;
+}

modules/system/desktop/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./qt
+    ./wayland
+    ./sway
+  ];
+}

modules/system/desktop/qt/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  qt = {
+    enable = true;
+    style = "gtk2";
+    platformTheme = "gtk2";
+  };
+}

modules/system/desktop/sway/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./greetd
+  ];
+
+  programs.sway = {
+    enable = true;
+    xwayland.enable = true;
+    extraPackages = with pkgs; [
+      swaylock
+      swaybg
+    ];
+  };
+
+  # Allow swaylock to function
+  security.pam.services.swaylock = {};
+
+  xdg.portal = {
+    wlr = {
+      enable = true;
+      settings.screencast = {
+        max_fps = 60;
+        chooser_type = "simple";
+        chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or -B 00000066 -b 00000099";
+      };
+    };
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gtk
+    ];
+  };
+}

modules/system/desktop/sway/greetd/default.nix

@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+  services = {
+    # Configure greetd for "auto" login (single user only)
+    greetd = let
+      startSway = pkgs.writeScript "startsway" ''
+        # Use NVIDIA variables if drivers are in use
+        if lspci -k | grep "Kernel driver in use: nvidia" &> /dev/null; then
+          export LIBVA_DRIVER_NAME=nvidia
+          export GBM_BACKEND=nvidia-drm
+          export __GLX_VENDOR_LIBRARY_NAME=nvidia
+          export WLR_NO_HARDWARE_CURSORS=1
+        else
+          :
+        fi
+
+        export XDG_CURRENT_DESKTOP=sway
+        export QT_QPA_PLATFORM="wayland;xcb"
+
+        sway --unsupported-gpu
+      '';
+    in {
+      enable = true;
+      restart = true;
+      settings = {
+        terminal = {
+          vt = 2;
+          switch = true;
+        };
+        default_session = {
+          command = "${startSway}";
+          user = "jimbo";
+        };
+      };
+    };
+  };
+}

modules/system/desktop/wayland/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+  programs = {
+    dconf.enable = true;
+    light.enable = true;
+    xwayland.enable = true;
+  };
+
+  services = {
+    dbus.enable = true;
+    tlp.enable = true;
+  };
+}

modules/system/devices/bluetooth/default.nix

@@ -0,0 +1,15 @@
+{ ... }:
+{
+  hardware.bluetooth = {
+    enable = true;
+    settings = {
+      General.Experimental = "true";
+      Policy.AutoEnable = "true";
+    };
+  };
+
+  # Lingering helps keep headphones connected
+  systemd.tmpfiles.rules = [
+    "f /var/lib/systemd/linger/jimbo"
+  ];
+}

modules/system/devices/boot/extlinux/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  boot.loader = {
+    generic-extlinux-compatible.enable = true;
+    grub.enable = false;
+  };
+}

modules/system/devices/boot/lanzaboote/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+  };
+}

modules/system/devices/boot/systemd/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    netbootxyz.enable = true;
+  };
+}

modules/system/devices/default.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  imports = [
+    ./bluetooth
+    ./filesystems
+    ./networking
+    ./pipewire
+    ./printing
+    ./security
+    ./udev
+    ./video
+  ];
+}

modules/system/devices/filesystems/default.nix

@@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+  boot.supportedFilesystems = {                             
+    ntfs = true;
+    zfs = lib.mkForce false;
+  };
+}

modules/system/devices/networking/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  networking = {
+    wireless.enable = false;
+    dhcpcd.enable = true;
+    nftables.enable = true;
+  };
+}

modules/system/devices/networking/firewall/pc/default.nix

@@ -0,0 +1,9 @@
+{ outputs, ... }:
+{
+  networking.firewall = {
+    allowPing = false;
+    extraInputRules = ''
+      ip saddr { ${outputs.ips.server}, ${outputs.ips.wgSpan}.1 } accept comment "Accept Server"
+    '';
+  };
+}

modules/system/devices/networking/firewall/server/default.nix

@@ -0,0 +1,56 @@
+{ outputs, ... }:
+{
+  # Allow forwarding
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  # Configure firewall
+  networking = let
+    mailPorts = "{ 25, 143, 465, 587, 993, 4190 }";
+  in {
+    firewall = {
+      allowPing = false;
+  
+      # Add extra input rules using nftables
+      extraInputRules = ''
+        ip saddr { ${outputs.ips.localSpan}.0/24, ${outputs.ips.wgSpan}.0/24 } tcp dport 2049 accept comment "Accept NFS"
+        ip saddr { ${outputs.ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+        ip saddr ${outputs.ips.wgSpan}.3 tcp dport ${mailPorts} accept comment "Accept mail"
+      '';
+    };
+  
+    # Enable nftables and forwarding
+    nftables = {
+      tables = {
+        forwarding = {
+          family = "ip";
+          content = ''
+            chain PREROUTING {
+              type nat hook prerouting priority dstnat; policy accept;
+              tcp dport 2211 dnat to ${outputs.ips.pc}:22 comment "SSH to PC"
+              tcp dport 2233 dnat to ${outputs.ips.wgSpan}.3:22 comment "SSH to Oracle VM"
+              
+              udp dport { 27005, 27015, 7777 } dnat to ${outputs.ips.pc} comment "PC Hosted Games"
+              
+              tcp dport { 58010, 57989, 57984 } dnat to ${outputs.ips.pc} comment "PC Sunshine TCP"
+              udp dport { 57998, 57999, 58000 } dnat to ${outputs.ips.pc} comment "PC Sunshine UDP"
+              
+              tcp dport { 38010, 37989, 37984 } dnat to ${outputs.ips.vm} comment "VM Sunshine TCP"
+              udp dport { 37998, 37999, 38000 } dnat to ${outputs.ips.vm} comment "VM Sunshine UDP"
+              
+              udp dport { 7790, 7791, 7792 } dnat to ${outputs.ips.hx} comment "Deus Ex"
+              
+              ip saddr ${outputs.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${outputs.ips.vm} comment "VM ALVR TCP"
+              ip saddr ${outputs.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${outputs.ips.vm} comment "VM ALVR UDP"
+            }
+            chain POSTROUTING {
+              type nat hook postrouting priority 100; policy accept;
+              oifname "${outputs.ips.netInt}" masquerade
+	      iifname "${outputs.ips.netInt}" oifname "${outputs.ips.wgInt}" masquerade comment "Traffic from public to WireGuard"
+	      tcp dport ${mailPorts} oifname != "${outputs.ips.wgInt}" drop comment "Send mail"
+            }
+          '';
+        };
+      };
+    };
+  };
+}

modules/system/devices/networking/wireguard/client/default.nix

@@ -0,0 +1,22 @@
+{ outputs, ... }:
+{
+  networking.firewall = {
+    allowedUDPPorts = [ 51820 ];
+  };
+
+  networking.wireguard.interfaces = {
+    "${outputs.ips.wgInt}" = {
+      # Define IP of client in per device config
+      listenPort = 51820;
+      privateKey = outputs.secrets.wgClientPriv;
+      peers = [
+        { # 0.0.0.0 makes wg act like a traditional VPN
+          publicKey = outputs.secrets.wgServerPub;
+          allowedIPs = [ "0.0.0.0/0" ];
+          endpoint = "sv.${outputs.secrets.jimDomain}:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}

modules/system/devices/networking/wireguard/host/default.nix

@@ -0,0 +1,36 @@
+{ outputs, ... }:
+{
+  networking = {
+    nat = {
+      enable = true;
+      externalInterface = "${outputs.ips.netInt}";
+      internalInterfaces = [ "${outputs.ips.wgInt}" ];
+    };
+    firewall.allowedUDPPorts = [ 51820 ];
+  };
+
+  networking.wireguard = {
+    enable = true;
+    interfaces = {
+      "${outputs.ips.wgInt}" = {
+        ips = [ "${outputs.ips.wgSpan}.1/24" ];
+        listenPort = 51820;
+        privateKey = outputs.secrets.wgServerPriv;
+        peers = [
+          { # Jimbo Pixel 9
+            publicKey = outputs.secrets.wgPixel9Pub;
+            allowedIPs = [ "${outputs.ips.wgSpan}.2/32" ];
+          }
+          { # Oracle VM
+            publicKey = outputs.secrets.wgOraclePub;
+            allowedIPs = [ "${outputs.ips.wgSpan}.3/32" ];
+          }
+          { # General Nix
+            publicKey = outputs.secrets.wgClientPub;
+            allowedIPs = [ "${outputs.ips.wgSpan}.16/28" ];
+          }
+        ];
+      };
+    };
+  };
+}

modules/system/devices/networking/wireless/default.nix

@@ -0,0 +1,7 @@
+{ lib, config, ... }:
+{
+  networking = {
+    wireless.iwd.enable = true;
+    enableB43Firmware = true;
+  };
+}

modules/system/devices/pipewire/default.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  services = {
+    pipewire = {
+      enable = true;
+      audio.enable = true;
+      wireplumber = {
+        enable = true;
+        configPackages = [
+          (pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/11-bluetooth-policy.conf" ''
+            wireplumber.settings = { bluetooth.autoswitch-to-headset-profile = false }
+          '')
+        ];
+      };
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
+      #jack.enable = true;
+    };
+  };
+}

modules/system/devices/printing/default.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  services = {
+    printing = {
+      enable = true;
+      drivers = with pkgs; [hplip];
+      webInterface = false;
+    };
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      openFirewall = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    system-config-printer
+  ];
+}

modules/system/devices/udev/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./pdp
+    ./oculus
+  ];
+}

modules/system/devices/udev/oculus/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  services.udev = let
+    oculusRules = pkgs.writeTextFile {
+      name = "10-oculus.rules";
+      text = ''KERNEL=="hidraw*", ATTRS{idVendor}=="0e6f", ATTRS{idProduct}=="0184", MODE="0660", TAG+="uaccess"'';
+      destination = "/etc/udev/rules.d/10-oculus.rules";
+    };
+  in {
+    packages = [
+      oculusRules
+    ];
+  };
+}

modules/system/devices/udev/pdp/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  services.udev = let
+    pdpRules = pkgs.writeTextFile {
+      name = "10-pdp.rules";
+      text = ''SUBSYSTEM=="usb", ATTR{idVendor}=="2833", MODE="0666"'';
+      destination = "/etc/udev/rules.d/10-pdp.rules";
+    };
+  in {
+    packages = [
+      pdpRules
+    ];
+  };
+}

modules/system/devices/video/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+  hardware.opengl = {
+    enable = true;
+    driSupport32Bit = true;
+    extraPackages = with pkgs; [
+      vulkan-loader
+      vulkan-validation-layers
+      vulkan-extension-layer
+    ];
+  };
+}

modules/system/devices/video/nouveau/default.nix

@@ -0,0 +1,4 @@
+{ config, lib, ... }:
+{
+  services.xserver.videoDrivers = [ "nouveau" ];
+}

modules/system/devices/video/nvidia/default.nix

@@ -0,0 +1,10 @@
+{ pkgs, config, lib, ... }:
+{
+  services.xserver.videoDrivers = [ "nvidia" ];
+  hardware.nvidia = {
+    modesetting.enable = true;
+    nvidiaSettings = false;
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+    open = false;
+  };
+}

modules/system/fonts/default.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }: {
+  fonts = {
+    packages = with pkgs; [
+      liberation_ttf
+      twitter-color-emoji
+      noto-fonts
+      sarasa-gothic
+      ubuntu_font_family
+      (nerdfonts.override {
+        fonts = [
+          "UbuntuMono"
+        ];
+      })
+    ];
+    fontconfig.defaultFonts.emoji = [
+      "Twitter Color Emoji"
+    ];
+  };
+
+  console = {
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-u22n.psf.gz";
+    packages = with pkgs; [ terminus_font ];
+  };
+}

modules/system/hardware/cyberspark/default.nix

@@ -0,0 +1,110 @@
+{ config, outputs, lib, pkgs, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    blacklistedKernelModules = [
+      "pcspkr"
+    ];               
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+	"ehci_pci"
+	"ahci"
+	"nvme"
+	"usbhid"
+	"sd_mod"
+	"sr_mod"
+      ];
+      kernelModules = [
+        "kvm-intel"
+      ];
+    };
+    swraid = {
+      enable = true;
+      mdadmConf = ''
+        MAILADDR jimbo@${outputs.secrets.jimDomain}
+      '';
+    };
+  };
+
+  # Mounting options
+  fileSystems = {
+    "/" = { 
+      device = "/dev/disk/by-uuid/8f81cab7-9381-4950-b77f-b85c5fdbad16";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/2034-754A";
+      fsType = "vfat";
+    };
+    "/export/JimboNFS" = {
+      device = "/dev/disk/by-uuid/713fcd92-534c-4153-8e04-e0c6fe5f6a51";
+      fsType = "ext4";
+      noCheck = true;
+    };
+
+    # Atrocity of bindmounts
+    "/home/jimbo/JimboNFS" = {
+      device = "/export/JimboNFS";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/mnt/nextcloud/data/JimboNFS" = {
+      device = "/export/JimboNFS";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/bitwarden_rs" = {
+      device = "/export/JimboNFS/System/var/lib/bitwarden_rs";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/gitea" = {
+      device = "/export/JimboNFS/System/var/lib/gitea";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/matrix-synapse" = {
+      device = "/export/JimboNFS/System/var/lib/matrix-synapse";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/nextcloud" = {
+      device = "/export/JimboNFS/System/var/lib/nextcloud";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/owncast" = {
+      device = "/export/JimboNFS/System/var/lib/owncast";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/mastodon" = {
+      device = "/export/JimboNFS/System/var/lib/mastodon";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/srv/minecraft" = {
+      device = "/export/JimboNFS/System/srv/minecraft";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+    "/var/lib/private/photoprism/originals" = {
+      device = "/export/JimboNFS/Photos/Galleries";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/ec422cad-bf93-4b15-b989-2c807f1073a4"; }
+  ];
+
+  # Hardware settings
+  networking.useDHCP = lib.mkDefault true;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

modules/system/hardware/firefly/default.nix

@@ -0,0 +1,113 @@
+{ config, lib, pkgs, outputs, modulesPath, ... }:
+let
+  # Set common boot paramaters
+  commonKernelParams = [
+    # Nvidia settings
+    "nvidia_drm.fbdev=1"
+    "nouveau.config=NvGspRm=1"
+
+    # VM/GPU passthrough
+    "amd_iommu=on"
+    "iommu=pt"
+    "nested=1"
+
+    # Virtualization nonsense
+    "transparent_hugepage=never"
+
+    # Isolate devices into IOMMU groups
+    "pcie_acs_override=downstream,multifunction"
+    "pci=routeirq"
+  ];              
+in {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  # Set all boot options
+  boot = {
+    kernelPackages = pkgs.unstable.linuxPackages_zen;    
+    blacklistedKernelModules = [
+      "pcspkr"
+    ];               
+    kernel.sysctl."vm.max_map_count" = 2147483642;       
+    kernelParams = commonKernelParams ++ [
+      "vfio-pci.ids=10de:1f82,10de:10fa"
+    ];
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+	"xhci_pci"
+	"ahci"
+	"usbhid"
+	"usb_storage"
+	"sd_mod"
+      ];
+      kernelModules = [
+        "vfio"
+	"vfio_pci"
+	"vfio_iommu_type1"
+	"kvm-amd"
+      ];
+    };
+  };
+
+  # Additional entry to boot from the second GPU
+  specialisation = {
+    gputwo.configuration = {
+      boot.kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:2504,10de:228e"];
+    };
+  };
+
+  # Mount everything as necessary
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/f0786b07-8303-416f-87ff-276bfd696387";
+      fsType = "bcachefs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/EF6D-9009";
+      fsType = "vfat";
+    };
+    "/etc/libvirt" = {
+      device = "/dev/disk/by-label/Qemu";
+      options = ["nosuid" "nodev" "nofail"];
+    };
+    "/var/lib/libvirt" = {
+      depends = ["/etc/libvirt"];
+      device = "/etc/libvirt/varlibvirt";
+      options = ["bind" "rw"];
+    };
+    "/mnt/Linux1" = {
+      device = "/dev/disk/by-label/Linux1";
+      options = ["nosuid" "nodev" "nofail" "x-gvfs-show"];
+    };
+    "/mnt/Linux2" = {
+      device = "/dev/disk/by-label/Linux2";
+      options = ["nosuid" "nodev" "nofail" "x-gvfs-show"];
+    };
+    "/mnt/Windows1" = {
+      device = "/dev/disk/by-label/Windows1";
+      options = ["nosuid" "nodev" "noauto"];
+    };
+    "/mnt/Windows2" = {
+      device = "/dev/disk/by-label/Windows2";
+      options = ["nosuid" "nodev" "noauto"];
+    };
+    "/home/jimbo/JimboNFS" = {
+      device = "${outputs.ips.server}:/export/JimboNFS";
+      fsType = "nfs4";
+      options = ["x-systemd.automount" "_netdev" "nofail" "noauto"];
+    };
+  };
+
+  # Set the swap partition
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/2e4c5120-716d-4cdc-84a0-c9e6391760db";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface.
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

modules/system/hardware/shuttleworth/default.nix

@@ -0,0 +1,42 @@
+{ config, outputs, lib, pkgs, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ ];
+      kernelModules = [ ];
+    };
+    blacklistedKernelModules = [
+      "pcspkr"
+    ];               
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/25738e24-385e-4bcf-bff5-d0e6274003b6";
+      fsType = "btrfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/01D2-E962";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+    "/home/jimbo/Downloads" = {
+      device = "/dev/disk/by-uuid/f0b6cf4e-9576-4ab5-96ae-2a7e57599a35";
+      fsType = "btrfs";
+    };
+    "/home/jimbo/JimboNFS" = {
+      device = "${outputs.ips.wgSpan}.1:/export/JimboNFS";
+      fsType = "nfs4";
+      options = ["x-systemd.automount" "_netdev" "nofail" "noauto"];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/95c43e5a-b53d-41fd-99a3-54181510070e"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

modules/system/programs/appimage/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  programs.appimage = {
+    enable = true;
+    binfmt = true;
+  };
+}

modules/system/programs/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./appimage
+    ./gaming
+    ./git
+    ./security
+  ];
+}

modules/system/programs/gaming/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  programs.gamemode = {
+    enable = true;
+    settings.general.renice = 10;
+  };
+
+  hardware.steam-hardware.enable = true;
+}

modules/system/programs/git/default.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  imports = [
+    ./gpg
+  ];
+
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+  };
+}

modules/system/programs/git/gpg/default.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    git-crypt
+  ];
+}

modules/system/programs/security/apparmor/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  security.apparmor.enable = true;
+}

modules/system/programs/security/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./apparmor
+    ./doas
+    ./gnome-keyring
+    ./polkit
+  ];
+}

modules/system/programs/security/doas/default.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  security = {
+    sudo.enable = false;
+    doas = {
+      enable = true;
+      extraRules = [
+        { # Give wheel root access
+          groups = ["wheel"];
+          keepEnv = true;
+          persist = true;
+        }
+      ];
+    };
+  };
+}

modules/system/programs/security/gnome-keyring/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.gnome.gnome-keyring.enable = true;
+}

modules/system/programs/security/polkit/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  security = {
+    polkit.enable = true;
+    rtkit.enable = true;
+  };
+}

modules/system/services/acme/default.nix

@@ -0,0 +1,13 @@
+{ outputs, ... }:
+{
+  security.acme = { 
+    acceptTerms = true;
+    defaults.email = outputs.secrets.jimEmail;
+    certs = {       
+      "turn.${outputs.secrets.jimDomain}" = {
+        group = "turnserver";
+        postRun = "systemctl restart coturn.service";
+      };
+    };
+  };
+}

modules/system/services/ddclient/default.nix

@@ -0,0 +1,23 @@
+{ pkgs, outputs, ... }:
+{
+  services.ddclient = {
+    enable = true;
+    protocol = "cloudflare";
+    use = "web, web=https://ipinfo.io/ip";
+    zone = "${outputs.secrets.jimDomain}";
+    username = "token";
+    passwordFile = "${pkgs.writeText "cloudflareapikey" outputs.secrets.flareApiKey}";
+    domains = [
+      "${outputs.secrets.jimDomain}"
+      "*.${outputs.secrets.jimDomain}"
+      "sv.${outputs.secrets.jimDomain}"
+      "git.${outputs.secrets.jimDomain}"
+      "rtmp.${outputs.secrets.jimDomain}"
+      "turn.${outputs.secrets.jimDomain}"
+      "dew.${outputs.secrets.jimDomain}"
+      "john.${outputs.secrets.jimDomain}"
+      "beta.${outputs.secrets.jimDomain}"
+      "rogue.${outputs.secrets.jimDomain}"
+    ];
+  };
+}

modules/system/services/fileserver/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./local
+    ./public
+  ];
+}

modules/system/services/fileserver/local/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./nfs
+    ./samba
+  ];
+}

modules/system/services/fileserver/local/nfs/default.nix

@@ -0,0 +1,9 @@
+{ ... }:
+{
+  services.nfs.server = {
+    enable = true;
+    exports = ''
+      /export/JimboNFS *(rw,no_subtree_check)
+    '';
+  };
+}

modules/system/services/fileserver/local/samba/default.nix

@@ -0,0 +1,36 @@
+{ outputs, ... }:
+{
+  services = {
+    samba = {
+      enable = true;
+      securityType = "user";
+      openFirewall = true;
+      extraConfig = ''
+        workgroup = WORKGROUP
+        server string = JimSMB
+        security = user 
+        hosts allow = ${outputs.ips.localSpan}. 127.0.0.1 localhost
+        hosts deny = 0.0.0.0/0
+        guest account = nobody
+        map to guest = bad user
+      '';
+      shares = {
+        roms = {
+          comment = "Samba share with my ROMs";
+          path = "/export/JimboNFS/Downloads/GameFiles/ROMS";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+        };
+      };
+    };
+
+    # Advertise to Windows
+    samba-wsdd = {
+      enable = true;
+      openFirewall = true;
+    };
+  };
+}

modules/system/services/fileserver/public/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./nextcloud
+    ./photoprism
+  ];
+}

modules/system/services/fileserver/public/nextcloud/default.nix

@@ -0,0 +1,45 @@
+{ pkgs, outputs, ... }:
+{
+  services = {
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud29;
+      hostName = "cloud.${outputs.secrets.jimDomain}";
+      datadir = "/mnt/nextcloud";
+      https = true;
+      config = {
+        adminuser = "jimbo";
+        adminpassFile = "/mnt/nextcloud/password.txt";
+      };
+      settings = {
+        trusted_proxies = [ "127.0.0.1" ];
+        trusted_domains = [ "cloud.${outputs.secrets.jimDomain}" ];
+        overwriteprotocol = "https";
+        mail_smtphost = "mx.${outputs.secrets.jimDomain}";
+        mail_domain = "${outputs.secrets.jimDomain}";
+        mail_from_address = "noreply";
+        mail_smtpauth = "true";
+        mail_smtpname = "noreply@${outputs.secrets.jimDomain}";
+        mail_smtppassword = outputs.secrets.noreplyPassword;
+        mail_smtpmode = "smtp";
+        mail_smtpport = 587;
+      };
+    };
+
+    nginx.virtualHosts."cloud.${outputs.secrets.jimDomain}" =  {
+      enableACME = true;
+      addSSL = true;
+      locations."/" = {
+        proxyWebsockets = true;
+        extraConfig = "
+         location /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+       ";
+      };
+    };
+  };
+}

modules/system/services/fileserver/public/photoprism/default.nix

@@ -0,0 +1,30 @@
+{ outputs, ... }:
+{
+  services = {
+    photoprism = {
+      enable = true;
+      port = 2342;
+      originalsPath = "/var/lib/private/photoprism/originals";
+      address = "0.0.0.0";
+      settings = {
+        PHOTOPRISM_ADMIN_USER = "jimbo";
+        PHOTOPRISM_ADMIN_PASSWORD = "${outputs.secrets.prismAdminPass}";
+        PHOTOPRISM_DEFAULT_LOCALE = "en";
+        PHOTOPRISM_DATABASE_DRIVER = "mysql";
+        PHOTOPRISM_DATABASE_NAME = "photoprism";
+        PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
+        PHOTOPRISM_DATABASE_USER = "photoprism";
+        PHOTOPRISM_SITE_URL = "https://gallery.${outputs.secrets.jimDomain}";
+        PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism";
+      };
+    };
+    nginx.virtualHosts."gallery.${outputs.secrets.jimDomain}" =  {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:2342";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

modules/system/services/forgejo/default.nix

@@ -0,0 +1,39 @@
+{ outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  services = {
+    forgejo = {
+      enable = true;
+      settings = {
+        server = {
+          DOMAIN = "git.${outputs.secrets.jimDomain}";
+          ROOT_URL = "https://git.${outputs.secrets.jimDomain}:443";
+          HTTP_PORT = 3110;
+          SSH_PORT = 2299;
+          START_SSH_SERVER = true;
+        };
+        ui = {
+          DEFAULT_THEME = "forgejo-dark";
+        };
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "mx.${outputs.secrets.jimDomain}";
+          FROM = "Jimbo's Git <noreply@${outputs.secrets.jimDomain}>";
+          USER = "noreply@${outputs.secrets.jimDomain}";
+          PASSWD = outputs.secrets.noreplyPassword;
+          PROTOCOL = "smtps";
+        };
+        service = {
+          REGISTER_EMAIL_CONFIRM = true;
+          DISABLE_REGISTRATION = true;
+        };
+      };
+    };
+  };
+
+  # Allow Forgejo's SSH to work
+  networking.firewall.allowedTCPPorts = [ 2299 ];
+}

modules/system/services/forgejo/nginx/default.nix

@@ -0,0 +1,11 @@
+{ outputs, ... }:
+{
+  services.nginx.virtualHosts."git.${outputs.secrets.jimDomain}" =  {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:3110";
+      proxyWebsockets = true;
+    };
+  };
+}

modules/system/services/icecast/default.nix

@@ -0,0 +1,65 @@
+{ pkgs, outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  services = {
+    icecast = {
+      enable = true;
+      listen.port = 265;
+      hostname = "icecast.${outputs.secrets.jimDomain}";
+      admin = {
+        user = "jimbo";
+        password = "${outputs.secrets.castAdminPass}";
+      };
+      extraConf = ''
+        <authentication>
+          <source-password>${outputs.secrets.castSourcePass}</source-password>
+        </authentication>
+        
+        <location>Canada</location>
+        <admin>jimbo@jimbosfiles.com</admin>
+        
+        <mount type="normal">
+          <mount-name>/jimbops.opus</mount-name>
+          <stream-name>JimBops Radio</stream-name>
+          <stream-description>Music gathered by me, Jimbo.</stream-description>
+          <stream-url>https://icecast.jimbosfiles.com/jimbops.opus</stream-url>
+          <genre>Anything</genre>
+          <type>application/ogg</type>
+          <subtype>vorbis</subtype>
+        </mount>
+      '';
+    };
+
+    # The audio stream
+    liquidsoap.streams = {
+      jimbops = pkgs.writeText "liquidjim" ''
+        settings.log.stdout.set(true)
+        settings.init.allow_root.set(true)
+        settings.scheduler.fast_queues.set(2)
+        settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
+        
+        # Define the source with random playlist
+        jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
+        
+        # Ensure the stream never stops
+        jimbops_fallback = fallback([jimbops, jimbops])
+        
+        # Output configuration to Icecast
+        output.icecast(
+	  %ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
+          host="127.0.0.1",
+          port=265,
+          password="${outputs.secrets.castSourcePass}",
+          public=true,
+          icy_metadata=["artist", "title"],
+          mount="jimbops.opus",
+	  encoding = "UTF-8",
+          jimbops_fallback
+        )
+      '';
+    };
+  };
+}

modules/system/services/icecast/nginx/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, outputs, ... }:
+{
+  services.nginx.virtualHosts."icecast.${outputs.secrets.jimDomain}" =  {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:265";
+      proxyWebsockets = true;
+      extraConfig = ''
+        add_header Ice-Public "1";
+      '';
+    };
+  };
+}

modules/system/services/mailserver/default.nix

@@ -0,0 +1,49 @@
+{ pkgs, outputs, ... }: 
+{
+  imports = [
+    ./nginx
+    ./roundcube
+  ];
+
+  mailserver = rec {
+    enable = true;
+    openFirewall = false;
+    domains = [ "${outputs.secrets.jimDomain}" ];
+    fqdn = "mx.${outputs.secrets.jimDomain}";
+    certificateScheme = "acme-nginx";
+    localDnsResolver = false;
+    redis.port = 1515;
+
+    # Dmarc info
+    dmarcReporting = {
+      enable = true;
+      domain = "${outputs.secrets.jimDomain}";
+      localpart = "noreply";
+      organizationName = "Jimbo's Files";
+    };
+        
+    # A list of accounts, passwords generated with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "noreply@${outputs.secrets.jimDomain}" = {
+        hashedPasswordFile = pkgs.writeText "noreply" outputs.secrets.noreplyMailHash;
+        sendOnly = true;
+      };    
+      "jimbo@${outputs.secrets.jimDomain}" = {
+        hashedPasswordFile = pkgs.writeText "jimbo" outputs.secrets.jimboMailHash;
+        aliases = [ "james@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
+      };
+      "lunamoonlight@${outputs.secrets.jimDomain}" = {
+        hashedPasswordFile = pkgs.writeText "luna" outputs.secrets.lunaMailHash;
+      };
+      "freecorn1854@${outputs.secrets.jimDomain}" = {
+        hashedPasswordFile = pkgs.writeText "freecorn" outputs.secrets.freecornMailHash;
+      };
+      "tinyattack09@${outputs.secrets.jimDomain}" = {
+        hashedPasswordFile = pkgs.writeText "tiny" outputs.secrets.tinyMailHash;
+      };
+    };
+  };
+
+  # Assign the correct port
+  services.redis.servers.rspamd.port = 1515;
+}

modules/system/services/mailserver/nginx/default.nix

@@ -0,0 +1,11 @@
+{ pkgs, outputs, ... }: 
+{
+  services.nginx.virtualHosts."mx.${outputs.secrets.jimDomain}" =  {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:1390";
+      proxyWebsockets = true;
+    };
+  };
+}

modules/system/services/mailserver/roundcube/default.nix

@@ -0,0 +1,12 @@
+{ pkgs, outputs, ... }: 
+{
+  services.roundcube = {
+   enable = true;
+   hostName = "mail.${outputs.secrets.jimDomain}";
+   extraConfig = ''
+     $config['smtp_server'] = "tls://mx.${outputs.secrets.jimDomain}";
+     $config['smtp_user'] = "%u";
+     $config['smtp_pass'] = "%p";
+   '';
+  };
+}

modules/system/services/minecraft/common/default.nix

@@ -0,0 +1,69 @@
+{ pkgs, ... }:
+{
+  # Common properties
+  serverProperties = {
+    enforce-secure-profile = false;
+    max-players = 20;
+    online-mode = false;
+    spawn-protection = 0;
+    view-distance = 10;
+    simulation-distance = 10;
+    white-list = true;
+  };
+
+  # Common whitelist
+  whitelist = {
+    K5G = "8656dc10-6050-4a17-b29e-88c4babbc54c";
+    JimmJam = "2f7affee-e10b-450f-a5e2-44c79a14a109";
+    Foxzilla04 = "f583f591-ad9b-4a30-8d91-514881b31394";
+    DewDemolisher = "9205524f-3886-483d-b471-82bb9905671a";
+    Freecorn1854 = "8299cd8d-3cd4-4779-8180-0d9db6dc12a9";
+    Tinyattack09 = "aaa8e9e2-4e51-4925-b9df-8a9504aec5d5";
+    Ankha3000 = "dd65a277-f618-411e-812c-900c9c7e82d9";
+    catoiico = "01f10cdf-c146-437e-99b1-2278b5dbe420";
+    Sp0ok7 = "016c3daa-3dd5-4631-ae79-3a6f48d7cbe6";
+    PooxterMooxter = "c973f4b5-ab50-45e3-b3eb-36286a6f66aa";
+  };
+
+  # Common plugins
+  paperSymlinks = {
+    "plugins/Backuper.jar" = builtins.fetchurl {
+      url = "https://cdn.modrinth.com/data/7cMAqMND/versions/DqtME18V/Backuper-3.1.0.jar";
+      sha256 = "0lml9mz8ky2g9iy5xb61s15biwlbxfi5w4mfamxfin2kl4w6ggq9";
+    };
+    "plugins/BungeeGuard.jar" = builtins.fetchurl {
+      url = "https://github.com/lucko/BungeeGuard/releases/download/v1.3.3/BungeeGuard.jar";
+      sha256 = "0cackavwk7kl71hn1i78hcvkdp7q81srq35nranpvysbmm8v34vk";
+    };
+    "plugins/EssentialsX.jar" = builtins.fetchurl {
+      url = "https://github.com/EssentialsX/Essentials/releases/download/2.20.1/EssentialsX-2.20.1.jar";
+      sha256 = "0hpm3fk073f2z8aah9l1inq27h9kd60jb2c1grcs8326v85s6bl0";
+    };
+    "plugins/EssentialsXChat.jar" = builtins.fetchurl {
+      url = "https://github.com/EssentialsX/Essentials/releases/download/2.20.1/EssentialsXChat-2.20.1.jar";
+      sha256 = "19jwfymqgvjk0vkm1blhq2q6gi7jkgqznp6bxc3k1sqw4hh5raj0";
+    };
+    "plugins/LuckPerms.jar" = builtins.fetchurl {
+      url = "https://download.luckperms.net/1556/bukkit/loader/LuckPerms-Bukkit-5.4.141.jar";
+      sha256 = "02ad0dl34vdk6b1wyflqa6wq440xrh5w7yf3z3w1x1g089myddw4";
+    };
+    "plugins/ProtocolLib.jar" = builtins.fetchurl {
+      url = "https://ci.dmulloy2.net/job/ProtocolLib/lastSuccessfulBuild/artifact/build/libs/ProtocolLib.jar";
+      sha256 = "16krc7pyav4khnaxkyg27i5yxsgcdkildrn4nm5bhzh1f0ngqv2s";
+    };
+    "plugins/Vault.jar" = builtins.fetchurl {
+      url = "https://github.com/MilkBowl/Vault/releases/download/1.7.3/Vault.jar";
+      sha256 = "07fhfz7ycdlbmxsri11z02ywkby54g6wi9q0myxzap1syjbyvdd6";
+    };
+    "plugins/VoiceChat.jar" = builtins.fetchurl {
+      url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/nS19YToN/voicechat-bukkit-2.5.20.jar";
+      sha256 = "023wjx0zxf9rc2x9vsqg398wapz0nlwfs5g6c8pci3qx75i5s4jx";
+    };
+  };
+
+  # Config files
+  configFiles = {
+    "plugins/Essentials/config.yml" = ./essentialsconfig.yml;
+    "plugins/voicechat/voicechat-server.properties" = ./vcserver.properties;
+  };
+}

modules/system/services/minecraft/common/vcserver.properties

@@ -0,0 +1,36 @@
+# Simple Voice Chat server config v2.5.16
+
+# The port of the voice chat server, "-1" sets the port to the Minecraft servers port
+port=-1
+# The distance to where the voice can be heard
+max_voice_distance=48.0
+# The multiplier the voice distance will be reduced by when sneaking
+crouch_distance_multiplier=1.0
+# The multiplier the voice distance will be reduced by when whispering
+whisper_distance_multiplier=0.5
+# The opus codec
+codec=VOIP
+# The maximum size in bytes in a voice packet
+# Set this to a lower value if your voice packets don't arrive
+mtu_size=1024
+# The frequency in which keep alive packets are sent
+# Setting this to a higher value may result in timeouts
+keep_alive=1000
+# If group chats are allowed
+enable_groups=true
+# If players are allowed to record the voice chat
+allow_recording=true
+# If spectators are allowed to talk to other players
+spectator_interaction=false
+# If spectators can talk to players they are spectating
+spectator_player_possession=false
+# If players without the mod should get kicked from the server
+force_voice_chat=false
+# The amount of milliseconds, the server should wait to check if the player has the mod installed
+# Only active when force_voice_chat is set to true
+login_timeout=10000
+# The range where the voice chat should broadcast audio to
+# A value <0 means 'max_voice_distance'
+broadcast_range=-1.0
+# If the voice chat server should reply to pings
+allow_pings=true

modules/system/services/minecraft/default.nix

@@ -0,0 +1,19 @@
+{ inputs, ... }:
+{
+  imports = [
+    inputs.minecraft.nixosModules.minecraft-servers
+    ./servers/velocity
+    ./servers/dewdemolisher
+    ./servers/johnside
+    ./servers/roguecraft
+    ./servers/blockworld
+    ./servers/uberbeta
+  ];
+
+  nixpkgs.overlays = [ inputs.minecraft.overlay ];
+
+  services.minecraft-servers = {
+    enable = true;
+    eula = true;
+  };
+}

modules/system/services/minecraft/servers/blockworld/default.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+in {
+  services.minecraft-servers.servers.blockworld = {
+    enable = true;
+    autoStart = false;
+    package = pkgs.paperServers.paper-1_21_1;
+    jvmOpts = "-Xmx3072M";
+    serverProperties = common.serverProperties // {
+      difficulty = 2;
+      server-port = 30012;
+      motd = "\\u00A7fArchival \\u00A7l\\u00A7n\\u00A7cBloxelcom \\u00A7r\\u00A7fMinecraft server.";
+    };
+    whitelist = common.whitelist;
+    symlinks = common.paperSymlinks;
+    files = common.configFiles;
+  };
+}

modules/system/services/minecraft/servers/dewdemolisher/default.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+in {
+  services.minecraft-servers.servers.dewdemolisher = {
+    enable = true;
+    package = pkgs.paperServers.paper-1_21_1;
+    jvmOpts = "-Xmx2000M";
+    serverProperties = common.serverProperties // {
+      difficulty = 2;
+      server-port = 30010;
+      motd = "\\u00A7l\\u00A7aDew Demolisher is here.";
+    };
+    whitelist = common.whitelist;
+    symlinks = common.paperSymlinks;
+    files = common.configFiles;
+  };
+}

modules/system/services/minecraft/servers/johnside/default.nix

@@ -0,0 +1,67 @@
+{ pkgs, outputs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+in {
+  services = {
+    minecraft-servers.servers.johnside = {
+      enable = true;
+      package = pkgs.paperServers.paper-1_20_6;
+      jvmOpts = "-Xmx2500M";
+      serverProperties = common.serverProperties // {
+        difficulty = 2;
+        server-port = 30009;
+        motd = "\\u00A7l\\u00A79Johnside SMP\\u00A7r \\u00A7l\\u00A7fworld for \\u00A74John lovers only.";
+      };
+      whitelist = common.whitelist;
+      symlinks = common.paperSymlinks // {
+        "plugins/BlueMap.jar" = builtins.fetchurl {
+          url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
+          sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
+        };
+        "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
+          url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
+          sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
+        };
+        "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
+          url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
+          sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
+        };
+        "plugins/CustomDiscs.jar" = builtins.fetchurl {
+          url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
+          sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
+        };
+        "plugins/NotTooExpensive.jar" = builtins.fetchurl {
+          url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
+          sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
+        };
+        "plugins/SilkTouchHands.jar" = builtins.fetchurl {
+          url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
+          sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
+        };
+      };
+      files = common.configFiles;
+    };
+
+    # BlueMap webhost
+    nginx.virtualHosts."john.${outputs.secrets.jimDomain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:31010";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  # Allow Nginx to read and write to paths
+  systemd.services.nginx.serviceConfig = {
+    ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
+  };
+
+  # Open HTTP and HTTPs ports
+  networking.firewall = {
+    allowedTCPPorts = [
+      80 443 # Nginx
+    ];
+  };
+}

modules/system/services/minecraft/servers/roguecraft/default.nix

@@ -0,0 +1,36 @@
+{ pkgs, outputs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+in {
+  services = {
+    minecraft-servers.servers.roguecraft = {
+      enable = true;
+      package = pkgs.paperServers.paper-1_21_1;
+      jvmOpts = "-Xmx3000M";
+      serverProperties = common.serverProperties // {
+        difficulty = 3;
+        server-port = 30014;
+        motd = "\\u00A7l\\u00A7bJimbo's \\u00A7cRoguecraft \\u00A7bserver.";
+	require-resource-pack = true;
+	resource-pack = "https://${outputs.secrets.jimDomain}/roguecraftresourcepackredir";
+	resource-pack-sha1 = "b540c0562aba90c3ead2356bb9cb74fcf0db36b3";
+      };
+      whitelist = common.whitelist;
+      symlinks = common.paperSymlinks;
+      files = common.configFiles // {
+        "world/datapacks/roguecraft.zip" = builtins.fetchurl {
+          url = "https://${outputs.secrets.jimDomain}/roguecraftdatapackredir";
+          sha256 = "04zrkvzvi1i898al45fh9j3k635sf9qhwca7phbv4ynkfl8bz3q3";
+        };
+      };
+    };
+    nginx.virtualHosts."${outputs.secrets.jimDomain}".locations = {
+      "/roguecraftdatapackredir" = {
+        return = "301 https://cdn.modrinth.com/data/HtKjVijx/versions/Rme4c23R/Roguecraft%201.2.6%20-%20Data%20Pack.zip";
+      };
+      "/roguecraftresourcepackredir" = {
+        return = "301 https://cdn.modrinth.com/data/HtKjVijx/versions/C6bITJnq/Roguecraft%201.2.5.4%20-%20Resource%20Pack.zip";
+      };
+    };
+  };
+}

modules/system/services/minecraft/servers/uberbeta/default.nix

@@ -0,0 +1,22 @@
+{ pkgs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+  uberBukkitZip = pkgs.fetchzip {
+    url = "https://github.com/Moresteck/Project-Poseidon-Uberbukkit/releases/download/2.0.0/uberbukkit-2.0.0-java17.zip";
+    sha256 = "m4hgcqXJ43SnBGn6qNBGeEcXFv5Q8f/VFYJmx3aJ9PE=";
+    stripRoot = false;
+  };
+  uberBukkit = pkgs.vanillaServers.vanilla.overrideAttrs (oldAttrs: {
+    src = "${uberBukkitZip}/uberbukkit-2.0.0.jar";
+  });
+in {
+  services.minecraft-servers.servers.uberbeta = {
+    enable = true;
+    package = uberBukkit;
+    jvmOpts = "-Xmx512M";
+    serverProperties = common.serverProperties // {
+      difficulty = 3;
+      server-port = 30005;
+    };
+  };
+}

modules/system/services/minecraft/servers/velocity/default.nix

@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+let
+  common = import ../common.nix { inherit pkgs; };
+in {
+  services.minecraft-servers.servers.velocity = {
+    enable = true;
+    package = pkgs.velocityServers.velocity;
+    jvmOpts = "-Xmx512M";
+    symlinks = {
+      "plugins/Geyser.jar" = builtins.fetchurl {
+        url = "https://download.geysermc.org/v2/projects/geyser/versions/2.4.2/builds/660/downloads/velocity";
+        sha256 = "09z938v6xrgbiba8rxgi7cdh3xxkv9fdampy15k6fmwddmj9y4a2";
+      };
+      "plugins/Floodgate.jar" = builtins.fetchurl {
+        url = "https://download.geysermc.org/v2/projects/floodgate/versions/2.2.3/builds/109/downloads/velocity";
+        sha256 = "1hxdf38qzpzdnyn2gn1152fyd54bi37i0ayc82dgcjf0qrcbmv0c";
+      };
+      "plugins/LuckPerms.jar" = builtins.fetchurl {
+        url = "https://download.luckperms.net/1556/velocity/LuckPerms-Velocity-5.4.141.jar";
+        sha256 = "0j5f7r3g8h4f8z8ppakwfk96hijp3slr0vxyj9v8x4h8w5rcl9d1";
+      };
+      "plugins/SkinsRestorer.jar" = builtins.fetchurl {
+        url = "https://github.com/SkinsRestorer/SkinsRestorer/releases/download/15.4.2/SkinsRestorer.jar";
+        sha256 = "14nl9mi958bfqwqz9182cxj7m6l15kalq3wjmjqzy50s52si35wf";
+      };
+      "plugins/ViaVersion.jar" = builtins.fetchurl {
+        url = "https://github.com/ViaVersion/ViaVersion/releases/download/5.0.3/ViaVersion-5.0.3.jar";
+        sha256 = "02gf91ysialgvbl0w8awa0dsi1yb33ac7clmz0wika1xigk9z10r";
+      };
+      "plugins/ViaBackwards.jar" = builtins.fetchurl {
+        url = "https://github.com/ViaVersion/ViaBackwards/releases/download/5.0.3/ViaBackwards-5.0.3.jar";
+        sha256 = "1wqk68pjrzl1zhajb9lxa1s6wzj85rb0c2riycv9yysr5bcxssqi";
+      };
+      "plugins/Voicechat.jar" = builtins.fetchurl {
+        url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/svvcJhgC/voicechat-velocity-2.5.20.jar";
+        sha256 = "0nw85x24qa9skbhfgbhsjl2r7d9xshr9f04nnq490zbgz7716lqq";
+      };
+    };
+  };
+
+  # Open ports for proxy
+  networking.firewall = {
+    allowedTCPPorts = [
+      25565 19132 30013 5657 # Minecraft server info
+    ];
+    allowedUDPPorts = [
+      25565 19132 30013 # Minecraft server, VC, and Bedrock
+    ];
+  };
+}

modules/system/services/misc/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services = {
+    snowflake-proxy.enable = true;
+    logrotate.checkConfig = false;
+  };
+}

modules/system/services/mpd/default.nix

@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+  services.mpd = {
+    enable = true;
+    user = "jimbo";
+    group = "users";
+    musicDirectory = "/home/jimbo/JimboNFS/Music";
+    playlistDirectory = "/home/jimbo/JimboNFS/Music/Playlists";
+    extraConfig = ''
+      audio_output {
+        type "pipewire"
+        name "Local Pipewire"
+      }
+    '';
+  };
+
+  systemd.services.mpd.environment = {
+    XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.jimbo.uid}";
+  };
+}

modules/system/services/mysql/default.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    dataDir = "/var/lib/mysql";
+    ensureDatabases = [
+      "minecraft"
+      "photoprism"
+    ];
+    ensureUsers = [
+      {
+        name = "minecraft";
+        ensurePermissions = {
+          "minecraft.*" = "ALL PRIVILEGES";
+        };
+      }
+      {
+        name = "photoprism";
+        ensurePermissions = {
+          "photoprism.*" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+}

modules/system/services/networkfs/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services = {
+    gvfs.enable = true;
+    udisks2.enable = true;
+  };
+}

modules/system/services/nginx/default.nix

@@ -0,0 +1,75 @@
+{ pkgs, outputs, ... }:
+{
+  services.nginx = {
+    enable = true;
+    package = (pkgs.nginx.override {
+      modules = with pkgs.nginxModules; [ rtmp ];
+    });
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      # Landing page
+      "${outputs.secrets.jimDomain}" =  {
+        enableACME = true;
+        addSSL = true;
+        root = "/var/www/Jimbo-Landing-Page";
+        locations = {
+          "/.well-known/matrix/client" = {
+            extraConfig = ''
+              default_type application/json;
+              return 200 '
+              {
+                "m.homeserver": {
+                  "base_url": "https://matrix.${outputs.secrets.jimDomain}"
+                },
+                "m.identity_server": {
+                  "base_url": "https://matrix.org"
+                },
+                "org.matrix.msc3575.proxy": {
+                  "url": "https://matrix.${outputs.secrets.jimDomain}"
+                }
+              }';
+            '';
+          };
+          "/.well-known/matrix/server" = {
+            extraConfig = ''
+              default_type application/json;
+              return 200 '{"m.server": "matrix.${outputs.secrets.jimDomain}:443"}';
+            '';
+          };
+        };
+      };
+    };
+    appendConfig = ''
+      rtmp {
+        server {
+          listen 1935;
+          chunk_size 4096;
+          allow publish all;
+          application stream {
+            record off;
+            live on;
+            allow play all;
+            hls on;
+            hls_path /var/www/Jimbo-Landing-Page/streams/hls/;
+            hls_fragment_naming system;
+            hls_fragment 3;
+            hls_playlist_length 40;
+          }
+        }
+      }
+    '';
+  };
+
+  # Allow Nginx to read and write to paths
+  systemd.services.nginx.serviceConfig = {
+    ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
+  };
+
+  # Open HTTP and HTTPs ports
+  networking.firewall.allowedTCPPorts = [
+    80 443
+  ];
+}

modules/system/services/school/default.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.globalprotect.enable = true;
+}

modules/system/services/social/default.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./matrix
+    ./mastodon
+    ./lemmy
+    ./pixelfed
+    ./owncast
+  ];
+}

modules/system/services/social/lemmy/default.nix

@@ -0,0 +1,22 @@
+{ outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  services.lemmy = {
+    enable = true;
+    nginx.enable = true;
+    database.createLocally = true;
+    settings = {
+      hostname = "lemmy.${outputs.secrets.jimDomain}";
+      email = {
+        smtp_server = "mx.${outputs.secrets.jimDomain}:587";
+        smtp_login = "noreply@${outputs.secrets.jimDomain}";
+        smtp_from_address = "Jimbo's Lemmy <noreply@${outputs.secrets.jimDomain}>";
+        smtp_password = outputs.secrets.noreplyPassword;
+        tls_type = "starttls";
+      };
+    };
+  };
+}

modules/system/services/social/lemmy/nginx/default.nix

@@ -0,0 +1,7 @@
+{ outputs, ... }:
+{
+  services.nginx.virtualHosts."lemmy.${outputs.secrets.jimDomain}" =  {
+    enableACME = true;
+    forceSSL = true;
+  };
+}

modules/system/services/social/mastodon/default.nix

@@ -0,0 +1,18 @@
+{ pkgs, outputs, ... }:
+{
+  services.mastodon = {
+    enable = true;
+    localDomain = "social.${outputs.secrets.jimDomain}";
+    streamingProcesses = 4;
+    configureNginx = true;
+    smtp = {
+      createLocally = false;
+      host = "mx.${outputs.secrets.jimDomain}";
+      port = 587;
+      authenticate = true;
+      fromAddress = "Jimbo's Mastodon <noreply@${outputs.secrets.jimDomain}>";
+      user = "noreply@${outputs.secrets.jimDomain}";
+      passwordFile = pkgs.writeText "smtp_pass.txt" outputs.secrets.noreplyPassword;
+    };
+  };
+}

modules/system/services/social/matrix/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./synapse
+    ./element
+  ];
+}

modules/system/services/social/matrix/element/default.nix

@@ -0,0 +1,25 @@
+{ pkgs, outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  nixpkgs.config.element-web.conf = {
+    default_server_config = {
+      "m.homeserver" = {
+        base_url = "https://matrix.${outputs.secrets.jimDomain}";
+        server_name = "matrix.${outputs.secrets.jimDomain}";
+      };
+    };
+    branding = {
+      #welcome_background_url = "https://staging.${outputs.secrets.jimDomain}/images/backgrounds/bloxelcom-sunset.jpg";
+      #auth_header_logo_url = "https://staging.${outputs.secrets.jimDomain}/images/logos/bloxelcom.png";
+    };
+    embedded_pages = {
+      home_url = "https://www.${outputs.secrets.jimDomain}/";
+    };
+    disable_custom_urls = true;
+    disable_guests = true;
+    default_theme = "dark";
+  };
+}

modules/system/services/social/matrix/element/nginx/default.nix

@@ -0,0 +1,8 @@
+{ pkgs, outputs, ... }:
+{
+  services.nginx.virtualHosts."chat.${outputs.secrets.jimDomain}" = {
+    enableACME = true;
+    addSSL = true;
+    root = "${pkgs.element-web}";
+  };
+}

modules/system/services/social/matrix/synapse/coturn/default.nix

@@ -0,0 +1,37 @@
+{ outputs, config, ... }:
+{
+  services = {
+    coturn = {
+      enable = true;
+      no-cli = true;
+      no-tcp-relay = true;
+      min-port = 49000;
+      max-port = 50000;
+      use-auth-secret = true;
+      static-auth-secret = "will be world readable for local users :(";
+      realm = "turn.${outputs.secrets.jimDomain}";
+      cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
+      pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
+    };
+
+    # Enable coturn on Synapse
+    matrix-synapse.settings = {
+      turn_uris = [
+        "turn:turn.${outputs.secrets.jimDomain}:3478?transport=udp"
+        "turn:turn.${outputs.secrets.jimDomain}:3478?transport=tcp"
+      ];
+      turn_shared_secret = config.services.coturn.static-auth-secret;
+      turn_user_lifetime = "1h";
+    };
+  };
+
+  # Open coturn ports
+  networking.firewall = {
+    allowedUDPPorts = [
+      3478 5349
+    ];
+    allowedUDPPortRanges = [
+      { from = 49000; to = 50000; }
+    ];
+  };
+}

modules/system/services/social/matrix/synapse/coturn/nginx/default.nix

@@ -0,0 +1,13 @@
+{ outputs, config, ... }:
+{
+  services.nginx.virtualHosts."turn.${outputs.secrets.jimDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    listen = [{
+      addr = "0.0.0.0";
+      port = 80;
+      ssl = false; 
+    }];
+    locations."/".proxyPass = "http://127.0.0.1:1380";
+  };
+}

modules/system/services/social/matrix/synapse/default.nix

@@ -0,0 +1,57 @@
+{ pkgs, outputs, ... }:
+{
+  imports = [
+    ./coturn
+    ./slidingsync
+    ./nginx
+  ];
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "${outputs.secrets.jimDomain}";
+      public_baseurl = "https://matrix.${outputs.secrets.jimDomain}";
+      suppress_key_server_warning = true;
+
+      listeners = [{
+        port = 8008;
+        bind_addresses = [ "::" "0.0.0.0" ];
+        resources = [ { compress = false;  names = [ "client" "federation" ]; } ];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+      }];
+
+      email = {
+        notif_from = "Jimbo's Matrix <noreply@${outputs.secrets.jimDomain}>";
+        smtp_host = "mx.${outputs.secrets.jimDomain}";
+        smtp_user = "noreply@${outputs.secrets.jimDomain}";
+        smtp_pass = outputs.secrets.noreplyPassword;
+        enable_tls = true;
+        smtp_port = 587;
+        require_transport_security = true;
+      };
+
+      # Disable registration without email
+      registrations_require_3pid = [ "email" ];
+
+      # Allow only this range of emails
+      allowed_local_3pids = [{
+        medium = "email";
+        pattern = "^[^@]+@jimbosfiles\\.com$";
+      }];
+
+      # Set the type of database
+      database.name = "sqlite3";
+
+      # Allow account registration
+      enable_registration = true;
+
+      # General settings
+      url_preview_enabled = true;
+      max_upload_size = "50M";
+      report_stats = false;
+      burst_count = 15;
+    };
+  };
+}

modules/system/services/social/matrix/synapse/nginx/default.nix

@@ -0,0 +1,14 @@
+{ outputs, ... }:
+{
+  services.nginx.virtualHosts."matrix.${outputs.secrets.jimDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations = {
+      "/".extraConfig = ''return 403;'';
+      "/client".proxyPass = "http://127.0.0.1:8009";
+      "/_matrix".proxyPass = "http://127.0.0.1:8008";
+      "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
+      "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+    };
+  };
+}

modules/system/services/social/matrix/synapse/slidingsync/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, outputs, ... }:
+{
+  services.matrix-sliding-sync = {
+    enable = true;
+    settings = {
+      SYNCV3_SERVER = "https://matrix.${outputs.secrets.jimDomain}";
+      SYNCV3_BINDADDR = "0.0.0.0:8009";
+    };
+    environmentFile = pkgs.writeText "matrixsecret" ''
+      SYNCV3_SECRET=${outputs.secrets.matrixSecret}
+    '';
+  };
+}

modules/system/services/social/owncast/default.nix

@@ -0,0 +1,13 @@
+{ outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  services.owncast = {
+    enable = true;
+    port = 8060;
+    rtmp-port = 1945;
+    listen = "0.0.0.0";
+  };
+}

modules/system/services/social/owncast/nginx/default.nix

@@ -0,0 +1,11 @@
+{ outputs, ... }:
+{
+  services.nginx.virtualHosts."live.${outputs.secrets.jimDomain}" =  {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8060";
+      proxyWebsockets = true;
+    };
+  };
+}

modules/system/services/social/pixelfed/default.nix

@@ -0,0 +1,32 @@
+{ pkgs, outputs, ... }:
+{
+  services.pixelfed = {
+    enable = true;
+    domain = "pics.${outputs.secrets.jimDomain}";
+    secretFile = pkgs.writeText "appkey" outputs.secrets.pixelfedKey;
+    settings = {
+      APP_NAME = ''"Jimbo's Pixelfed"'';
+      INSTANCE_DESCRIPTION = ''"The Jimbosfiles Pixelfed Instance"'';
+      INSTANCE_CONTACT_EMAIL = "jimbo@${outputs.secrets.jimDomain}";
+      OPEN_REGISTRATION = true;
+      APP_LOCALE = "en";
+      INSTANCE_DISCOVER_PUBLIC = false;
+      STORIES_ENABLED = true;
+
+      # Mail config
+      ENFORCE_EMAIL_VERIFICATION = true;
+      MAIL_FROM_ADDRESS = "noreply@${outputs.secrets.jimDomain}";
+      MAIL_FROM_NAME = ''"Jimbo's Pixelfed <noreply@${outputs.secrets.jimDomain}>"'';
+      MAIL_ENCRYPTION = "tls";
+      MAIL_DRIVER = "smtp";
+      MAIL_HOST = "mx.${outputs.secrets.jimDomain}";
+      MAIL_PORT = 587;
+      MAIL_USERNAME = "noreply@${outputs.secrets.jimDomain}";
+      MAIL_PASSWORD = "${outputs.secrets.noreplyPassword}";
+    };
+    nginx = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}

modules/system/services/ssh/default.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./fail2ban
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PrintLastLog = "no";
+      PasswordAuthentication = false;
+      UsePAM = false;
+    };
+  };
+}

modules/system/services/ssh/fail2ban/default.nix

@@ -0,0 +1,9 @@
+{ outputs, ... }:
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime = "5m";
+    ignoreIP = [ "${outputs.ips.localSpan}.0/24" ];
+  };
+}

modules/system/services/sunshine/default.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  services.sunshine = {
+    enable = true;
+    settings.port = 57989;
+    autoStart = false;
+  };
+}

modules/system/services/transmission/default.nix

@@ -0,0 +1,15 @@
+{ pkgs, outputs, ... }:
+{
+  imports = [
+    ./nginx
+  ];
+
+  services.transmission = {
+    enable = true;
+    credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;
+    openPeerPorts = true;
+    settings = {
+      rpc-authentication-required = true;
+    };
+  };
+}

modules/system/services/transmission/nginx/default.nix

@@ -0,0 +1,11 @@
+{ outputs, ... }:
+{
+  services.nginx.virtualHosts."torrent.${outputs.secrets.jimDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9091";
+      proxyWebsockets = true;
+    };
+  };
+}