init

modules/nixos/base.nix

@@ -0,0 +1,63 @@
+# Module: Base System Configuration
+# Description: Core NixOS configuration with Nix settings, base packages, fonts,
+#              localization (FR), Fish shell, and security (GPG)
+# Services: gvfs, udisks2, gnupg-agent
+
+{ pkgs, customConfig, ... }:
+
+{
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+    substituters = [
+      "https://cache.nixos.org/"
+      "https://parsec-cloud.cachix.org"
+    ];
+    trusted-public-keys = [
+      "parsec-cloud.cachix.org-1:MuWfCBKBfuUWqwB6xKFK0armIJ+A+Mi++HohuB6YvTk="
+    ];
+  };
+
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = builtins.toString customConfig.configFlakePath;
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  time.timeZone = customConfig.timezone;
+
+  services.gvfs.enable = true;
+  services.udisks2.enable = true;
+
+  i18n.defaultLocale = customConfig.locale;
+
+  programs.fish.enable = true;
+  users.defaultUserShell = pkgs.fish;
+
+  environment.systemPackages = with pkgs; [
+    wget
+    jq
+    linuxPackages.cpupower
+
+    element-desktop
+    ntfs3g
+    zip
+    unzip
+  ];
+
+  fonts.packages = with pkgs; [
+     nerd-fonts.dejavu-sans-mono
+     nerd-fonts.droid-sans-mono
+  ];
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # WARNING: DO NOT CHANGE this value after installation!
+  # See: https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion
+  system.stateVersion = "24.05";
+}

modules/nixos/desktop-i3.nix

@@ -0,0 +1,31 @@
+# Module: i3 Window Manager Configuration
+# Description: Enables X11 with i3 window manager and associated desktop tools
+# Services: xserver with i3
+# Packages: alacritty (terminal), tint2 (panel), rofi (launcher), i3lock, dunst
+
+{ pkgs, ... }:
+
+{
+  services.xserver.enable = true;
+  services.xserver.windowManager.i3.enable = true;
+  services.xserver.autorun = true;
+
+  environment.systemPackages = with pkgs; [
+    alacritty
+    tint2
+    awesome
+    maim
+    xclip
+    dunst
+    xss-lock
+    dex
+    rofi
+    i3status
+    i3blocks
+    oh-my-posh
+    glances
+    arandr
+    nautilus
+    brightnessctl
+  ];
+}

modules/nixos/net.nix

@@ -0,0 +1,98 @@
+# Module: Network Configuration
+# Description: Network setup with dnscrypt-proxy for encrypted DNS, WiFi networks
+#              configuration via wpa_supplicant, and hostname settings
+# Services: dnscrypt-proxy (primary + backup), wpa_supplicant
+# Security: WiFi credentials stored via sops-nix secrets
+
+{ config, lib, pkgs, customConfig, ... }:
+
+let
+  backupToml = pkgs.writeText "dnscrypt-proxy-backup.toml" ''
+    listen_addresses = ["127.0.0.2:53"]
+    server_names = ["dns0-eu"]
+    
+    [sources.public-resolvers]
+    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
+    cache_file = '/var/lib/dnscrypt-proxy-backup/public-resolvers.md'
+    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
+    refresh_delay = 72
+  '';
+
+  userHome = "/home/${customConfig.username}";
+in
+
+{
+  networking.nftables.enable = true;
+  networking.firewall = {
+    enable = true;
+    allowPing = true;
+    # allowedTCPPorts = [ ... ]; # keep closed by default
+    interfaces.docker0 = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+    };
+  };
+
+  networking.hostName = customConfig.hostname;
+  # Pick only one of the below networking options.
+  networking.wireless.enable = true;
+  # networking.wireless.userControlled = true;
+  # networking.wireless.secretsFile = config.sops.secrets.wifi.path;
+
+  # Load encrypted WiFi networks configuration via wpa_supplicant include files.
+  # This is supported by the NixOS module and keeps SSIDs out of the Nix store.
+  networking.wireless.extraConfigFiles = lib.mkIf (config.sops.secrets ? wifi-networks) [
+    config.sops.secrets.wifi-networks.path
+  ];
+
+  networking.wireless.enableHardening = false;
+
+  # systemd.services.wpa_supplicant.after = [ "sops-install-secrets.service" ];
+  # systemd.services.wpa_supplicant.requires = [ "sops-install-secrets.service" ];
+  
+  # You can also define networks in Nix if you prefer (less secure - names visible):
+  # networking.wireless.networks = { ... };
+
+  networking.interfaces.lo.ipv4.addresses = [
+    { address = "127.0.0.1"; prefixLength = 8; }
+    { address = "127.0.0.2"; prefixLength = 8; }
+  ];
+
+  networking.nameservers = [ "127.0.0.1" "127.0.0.2" ];
+
+  # networking.networkmanager.dns = "none";
+  services.resolved.enable = false;
+
+  services.dnscrypt-proxy = {
+    enable = true;
+    settings = {
+      listen_addresses = [ "127.0.0.1:53" "172.17.0.1:53" ];
+      server_names = [ "amaury" ];
+      bootstrap_resolvers = [];
+      sources = {};
+      static = {
+    	  "amaury".stamp = "sdns://AgcAAAAAAAAADTgyLjY0LjIzNy4yNDYADWFtYXVyeWpvbHkuZnIUL2Rucy1xdWVyeS9pZC1hbWF1cnk";
+      };
+      cache = true;
+      ignore_system_dns = true;
+      timeout = 5000;
+    };
+  };
+
+  systemd.services."dnscrypt-proxy-backup" = {
+    description = "dnscrypt-proxy backup (dns0-eu)";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy -config ${backupToml}";
+      Restart = "on-failure";
+      NoNewPrivileges = true;
+      DynamicUser = true;
+      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+    };
+  };
+
+  systemd.services.dnscrypt-proxy.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+}

modules/nixos/parsec.nix

@@ -0,0 +1,28 @@
+# Module: Parsec Cloud Client
+# Description: Installs Parsec Cloud client (v3) with CLI and GUI
+# Dependencies: parsec-cloud-nix flake input
+# Note: Requires increased Node.js heap size during build (workaround)
+
+{ pkgs, parsec-cloud-nix, ... }:
+
+let
+  pc = parsec-cloud-nix.packages.${pkgs.stdenv.hostPlatform.system};
+
+  # WORKAROUND: Parsec build runs out of memory without increased heap size
+  # This increases Node.js memory limit from default 512MB to 8GB
+  nativeBuildPatched = pc.parsec-cloud.v3.native-client-build.overrideAttrs (old: {
+    NODE_OPTIONS = "--max-old-space-size=8192";
+  });
+
+  parsecClientPatched = pc.parsec-cloud.v3.client.override {
+    native-client-build = nativeBuildPatched;
+  };
+
+  parsecCli = pc.parsec-cloud.v3.cli;
+in
+{
+  environment.systemPackages = [
+    parsecClientPatched
+    parsecCli
+  ];
+}

modules/nixos/wireless-networks.nix

@@ -0,0 +1,16 @@
+# Module: Wireless Networks Configuration (Encrypted)
+# Description: WiFi networks configuration fully encrypted with sops-nix
+# Security: Network names, SSIDs, and all configuration stored in encrypted secrets
+# Files: ~/.config/secrets/wifi-networks.yaml (encrypted with sops)
+# Note: The actual networks are loaded at runtime from the encrypted file
+
+{ config, lib, pkgs, ... }:
+
+{
+  # WiFi networks are loaded from encrypted file at runtime
+  # The file is in wpa_supplicant.conf format and gets included by wpa_supplicant
+  # This approach keeps network names and configuration completely private
+  
+  # Note: If wifi-networks secret doesn't exist yet, this won't cause errors
+  # You can still use the old method (networking.wireless.networks in Nix) if needed
+}

modules/nixos/yubikey.nix

@@ -0,0 +1,13 @@
+# Module: YubiKey Authentication
+# Description: Enables YubiKey-based PAM auth for login and sudo across systems
+
+{ pkgs, ... }:
+
+{
+  security.pam.services = {
+    login.u2fAuth = true;
+    sudo.u2fAuth = true;
+  };
+
+  services.udev.packages = [ pkgs.yubikey-personalization ];
+}