c'est le bordel un peu

modules/common/base.nix

@@ -0,0 +1,74 @@
+# Module: Base System Configuration
+# Description: Core NixOS configuration with Nix settings, base packages, fonts,
+#              localization (FR), Fish shell, and security (GPG)
+# Services: gvfs, udisks2, gnupg-agent
+{
+  pkgs,
+  customConfig,
+  self,
+  ...
+}: {
+  nix.settings = {
+    experimental-features = ["nix-command" "flakes"];
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://parsec-cloud.cachix.org"
+    ];
+    trusted-public-keys = [
+      "parsec-cloud.cachix.org-1:MuWfCBKBfuUWqwB6xKFK0armIJ+A+Mi++HohuB6YvTk="
+    ];
+  };
+
+  nix.registry.tex.flake = self;
+
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = toString customConfig.configFlakePath;
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  time.timeZone = customConfig.timezone;
+
+  services.gvfs.enable = true;
+  services.udisks2.enable = true;
+
+  i18n.defaultLocale = customConfig.locale;
+
+  programs.fish.enable = true;
+  users.defaultUserShell = pkgs.fish;
+
+  environment.systemPackages = with pkgs; [
+    wget
+    jq
+    linuxPackages.cpupower
+
+    element-desktop
+    ntfs3g
+    zip
+    unzip
+
+    scream
+    nixd
+    alejandra
+  ];
+
+  fonts.packages = with pkgs; [
+    nerd-fonts.dejavu-sans-mono
+    nerd-fonts.droid-sans-mono
+    noto-fonts
+    noto-fonts-cjk-sans
+    noto-fonts-color-emoji
+  ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # WARNING: DO NOT CHANGE this value after installation!
+  # See: https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion
+  system.stateVersion = "24.05";
+}

modules/common/desktop-i3.nix

@@ -0,0 +1,141 @@
+# Module: i3 Window Manager Configuration
+# Description: Enables X11 with i3 window manager and associated desktop tools
+# Services: xserver with i3
+# Packages: alacritty (terminal), tint2 (panel), rofi (launcher), i3lock, dunst
+{pkgs, ...}: let
+  updatescreen = pkgs.writeShellScript "updatescreens.sh" ''
+    #!/bin/sh
+    i3-msg restart
+    feh --bg-fill --no-xinerama Downloads/fire1.png
+  '';
+in {
+  services.xserver = {
+    enable = true;
+    windowManager.i3.enable = true;
+    autorun = true;
+  };
+
+  services.displayManager.defaultSession = "none+i3";
+
+  programs.i3lock.enable = true;
+  programs.xss-lock = {
+    enable = true;
+    lockerCommand = "${pkgs.i3lock}/bin/i3lock --nofork -c 000000";
+    extraOptions = ["--transfer-sleep-lock"];
+  };
+
+  services.logind.settings.Login = {
+    IdleAction = "suspend";
+    IdleActionSec = "15min";
+
+    HandleLidSwitch = "suspend";
+  };
+
+  services.picom = {
+    enable = true;
+
+    backend = "glx";
+    vSync = true;
+
+    shadow = true;
+    shadowOpacity = 0.8;
+    shadowOffsets = [(-5) (-5)];
+
+    fade = true;
+    fadeDelta = 10;
+    fadeSteps = [0.03 0.03];
+
+    opacityRules = [
+      "80:class_g = 'Alacritty'"
+    ];
+
+    settings = {
+      use-damage = true;
+
+      shadow-radius = 10;
+
+      frame-opacity = 1.0;
+      corner-radius = 20;
+
+      rounded-corners-exclude = [
+        "class_g = 'i3-frame'"
+        "class_g = 'Polybar'"
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    alacritty
+    maim
+    xclip
+    dunst
+    dex
+    rofi
+    polybarFull
+    oh-my-posh
+    playerctl
+    zscroll
+    feh
+    glances
+    arandr
+    nautilus
+    brightnessctl
+    busybox
+  ];
+
+  services.autorandr = {
+    enable = true;
+
+    hooks.postswitch = {
+      "desktop-refresh" = builtins.readFile updatescreen;
+    };
+
+    profiles = {
+      listriple = {
+        fingerprint = {
+          eDP-1 = "00ffffffffffff0006af9cd400000000141f0104a522167803f225915758952a1f505400000001010101010101010101010101010101863d80c870b026406c30aa0058d7100000180000000f0000000000000000000000000020000000fd00283c4b4b10010a202020202020000000fe004231363055414e30332e32200a0091";
+          HDMI-1 = "00ffffffffffff0010ac16f04c574e300615010380342078ea1ec5ae4f34b1260e5054a54b008180a940d100714f0101010101010101283c80a070b023403020360006442100001a000000ff00463532354d313231304e574c0a000000fc0044454c4c2055323431300a2020000000fd00384c1e5111000a2020202020200150020329f15090050403020716011f121314201511062309070767030c001000382d83010000e3050301023a801871382d40582c450006442100001e011d8018711c1620582c250006442100009e011d007251d01e206e28550006442100001e8c0ad08a20e02d10103e960006442100001800000000000000000000000000003e";
+          DP-1 = "00ffffffffffff0010ac16f04c3952331314010380342078ea1ec5ae4f34b1260e5054a54b008180a940d100714f0101010101010101283c80a070b023403020360006442100001a000000ff00463532354d3035363352394c0a000000fc0044454c4c2055323431300a2020000000fd00384c1e5111000a202020202020016b020329f15090100403020404011f1f1313131313132309070767030c001000002d83010000e3050000023a801871382d40582c450006442100001e011d007251d01e206e28550006442100001e011d007251d01e206e28550006442100001e011d007251d01e206e285500064421000018000000000000000000000000000077";
+        };
+
+        config = {
+          eDP-1 = {
+            enable = true;
+            primary = true;
+            position = "1200x1020";
+            mode = "1920x1200";
+            rotate = "normal";
+          };
+          DP-1 = {
+            enable = true;
+            position = "3120x563";
+            mode = "1920x1200";
+            rotate = "normal";
+          };
+          HDMI-1 = {
+            enable = true;
+            position = "0x0";
+            mode = "1920x1200";
+            rotate = "left";
+          };
+        };
+      };
+
+      default = {
+        fingerprint = {
+          eDP-1 = "00ffffffffffff0006af9cd400000000141f0104a522167803f225915758952a1f505400000001010101010101010101010101010101863d80c870b026406c30aa0058d7100000180000000f0000000000000000000000000020000000fd00283c4b4b10010a202020202020000000fe004231363055414e30332e32200a0091";
+        };
+
+        config = {
+          eDP-1 = {
+            enable = true;
+            primary = true;
+            position = "0x0";
+            mode = "1920x1200";
+            rotate = "normal";
+          };
+        };
+      };
+    };
+  };
+}

modules/common/net.nix

@@ -0,0 +1,103 @@
+# Module: Network Configuration
+# Description: Network setup with dnscrypt-proxy for encrypted DNS, WiFi networks
+#              configuration via wpa_supplicant, and hostname settings
+# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
+# Security: WiFi credentials stored via sops-nix secrets
+{
+  config,
+  lib,
+  pkgs,
+  customConfig,
+  ...
+}: let
+  backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
+    listen_addresses = ["127.0.0.2:53"]
+    server_names = ["dns0-eu"]
+
+    [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
+    cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+  '';
+in {
+  networking.nftables.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowPing = true;
+    # allowedTCPPorts = [ ... ]; # keep closed by default
+    interfaces.docker0 = {
+      allowedUDPPorts = [53];
+      allowedTCPPorts = [53];
+    };
+  };
+
+  networking.hostName = customConfig.hostname;
+  # Pick only one of the below networking options.
+  networking.wireless.enable = true;
+  # networking.wireless.userControlled = true;
+  # networking.wireless.secretsFile = config.sops.secrets.wifi.path;
+
+  # Load encrypted WiFi networks configuration via wpa_supplicant include files.
+  # This is supported by the NixOS module and keeps SSIDs out of the Nix store.
+  networking.wireless.extraConfigFiles = lib.mkIf (config.sops.secrets ? wifi-networks) [
+    config.sops.secrets.wifi-networks.path
+  ];
+
+  networking.wireless.enableHardening = false;
+
+  # systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
+  # systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];
+
+  # You can also define networks in Nix if you prefer (less secure - names visible):
+  # networking.wireless.networks = { ... };
+
+  networking.interfaces.lo.ipv4.addresses = [
+    {
+      address = "127.0.0.1";
+      prefixLength = 8;
+    }
+    {
+      address = "127.0.0.2";
+      prefixLength = 8;
+    }
+  ];
+
+  networking.nameservers = ["127.0.0.1" "127.0.0.2"];
+
+  # networking.networkmanager.dns = "none";
+  services.resolved.enable = false;
+
+  services.dnscrypt-proxy = {
+    enable = true;
+    settings = {
+      listen_addresses = ["127.0.0.1:53" "172.17.0.1:53"];
+      server_names = ["amaury"];
+      bootstrap_resolvers = [];
+      sources = {};
+      static = {
+        "amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
+      };
+      cache = true;
+      ignore_system_dns = true;
+      timeout = 5000;
+    };
+  };
+
+  systemd.services."dnscrypt-proxy-backup" = {
+    description = "dnscrypt-proxy backup (dns0-eu)";
+    after = ["network.target"];
+    wantedBy = ["multi-user.target"];
+    serviceConfig = {
+      ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
+      Restart = "on-failure";
+      NoNewPrivileges = true;
+      DynamicUser = true;
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    };
+  };
+
+  systemd.services.dnscrypt-proxy.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+}

modules/common/obs.nix

@@ -0,0 +1,11 @@
+{pkgs, ...}: {
+  programs.obs-studio = {
+    enable = true;
+
+    enableVirtualCamera = true;
+
+    plugins = with pkgs.obs-studio-plugins; [
+      obs-pipewire-audio-capture
+    ];
+  };
+}

modules/common/parsec.nix

@@ -0,0 +1,28 @@
+# Module: Parsec Cloud Client
+# Description: Installs Parsec Cloud client (v3) with CLI and GUI
+# Dependencies: parsec-cloud-nix flake input
+# Note: Requires increased Node.js heap size during build (workaround)
+{
+  pkgs,
+  parsec-cloud-nix,
+  ...
+}: let
+  pc = parsec-cloud-nix.packages.${pkgs.stdenv.hostPlatform.system};
+
+  # WORKAROUND: Parsec build runs out of memory without increased heap size
+  # This increases Node.js memory limit from default 512MB to 8GB
+  nativeBuildPatched = pc.parsec-cloud.v3.native-client-build.overrideAttrs (old: {
+    NODE_OPTIONS = "--max-old-space-size=8192";
+  });
+
+  parsecClientPatched = pc.parsec-cloud.v3.client.override {
+    native-client-build = nativeBuildPatched;
+  };
+
+  parsecCli = pc.parsec-cloud.v3.cli;
+in {
+  environment.systemPackages = [
+    parsecClientPatched
+    parsecCli
+  ];
+}

modules/common/users.nix

@@ -0,0 +1,66 @@
+# Module: User Configuration
+# Description: Defines the main user 'alice' with groups, permissions, and user packages
+# Packages: Browsers (Firefox), Office (LibreOffice), Development (VSCode, Git),
+#           Media (VLC, Spotify), Communication (Slack, Thunderbird), and more
+{
+  pkgs,
+  customConfig,
+  ...
+}: {
+  users.users."${customConfig.username}" = {
+    isNormalUser = true;
+    home = "/home/${customConfig.username}";
+    # Base groups - docker/vboxusers are added by virtualization.nix if enabled
+    extraGroups = ["wheel" "audio" "dialout" "plugdev"];
+    packages = with pkgs; [
+      # Browsers & Web
+      firefox
+
+      # Office & Productivity
+      libreoffice
+      onlyoffice-desktopeditors
+      obsidian
+      ticktick
+      nextcloud-client
+
+      # Development
+      neovim
+      git
+      vscode
+      zotero
+      tcpdump
+      pandoc
+      libsecret
+
+      # Communication
+      slack
+      thunderbird
+      discord
+
+      # Media & Creative
+      vlc
+      spotify
+      mixxx
+      pympress
+
+      # Gaming & Entertainment
+      prismlauncher # Minecraft launcher
+      # widelands           # Strategy game
+      wasistlos # Game
+      signal-desktop
+      moonlight-qt # Game streaming
+
+      # System & Cloud
+      rclone
+      fuse3
+      pavucontrol
+      tree
+      sops
+      age
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCMzLza+1iFSUgZaPzEwpRNW/CvcsbXh8vJ9RevwFntNZdZIVc/j5OLRy+GOojlZdar070PkKDO+Pmtqu1uQ4XE+onqmsxom5JGyYaSScB3l33CLL2jBT7mBqBOVDuTBj3ACLT8fS1eUolI7erShvIH9VUvrg83bZ2CvgA/DjJLHfVCpvx9EsG0Q00k27LNU7yXga8sjK1YikA+o1bKTWavCGOWkZMFXOVeEDR+arOQ440s6f6eg7C+30V02ijRLA6pWFAkj2/fMaD+44IPMVjOj96vvPUJrlL1N7BDPxBlj1rrB35+pUkpVIN4B0etqnkrJIV+IxtmSpkNHr52Y7nkTu3mOWn1P0DcOdR5OA8JZRbSkbL/QW4GzFWs3eN7CMOMwKQdO+1J/wL4U7qrmKEYwcNaprqlDF0SIPp0+l/VWNMe6uK0r5iZwp355PUSR+Zc5skf74wMsZ1LokUlihdI+E6TNGvmDgjqKx6OrI3dyP/eW7xtR7KvbdoaUjy8AE8= alice@nixos"
+    ];
+  };
+}

modules/common/yubikey.nix

@@ -0,0 +1,11 @@
+# Module: YubiKey Authentication
+# Description: Enables YubiKey-based PAM auth for login and sudo across systems
+# TODO
+{pkgs, ...}: {
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
+  services.udev.packages = [pkgs.yubikey-personalization];
+}