Diffstat (limited to 'modules/nixosModules')
-rw-r--r--modules/nixosModules/desktop/default.nix23
-rw-r--r--modules/nixosModules/desktop/mullvad.nix22
-rw-r--r--modules/nixosModules/desktop/pipewire.nix2
-rw-r--r--modules/nixosModules/desktop/tailscale.nix75
-rw-r--r--modules/nixosModules/server/default.nix3
-rw-r--r--modules/nixosModules/server/navidrome.nix31
-rw-r--r--modules/nixosModules/server/tailscale.nix55
7 files changed, 211 insertions, 0 deletions
diff --git a/modules/nixosModules/desktop/default.nix b/modules/nixosModules/desktop/default.nix
index 4aa338c..411c361 100644
--- a/modules/nixosModules/desktop/default.nix
+++ b/modules/nixosModules/desktop/default.nix
@@ -2,14 +2,37 @@
flake.nixosModules.desktop = {pkgs, ...}: {
imports = [
self.nixosModules.gaming
+ self.nixosModules.mullvad
self.nixosModules.pipewire
self.nixosModules.printing
+ self.nixosModules.tailscaleDesktop
self.nixosModules.thunar
];
hardware.bluetooth.enable = true;
environment.systemPackages = [
self.packages.${pkgs.stdenv.hostPlatform.system}.zen-browser
+
+ pkgs.bitwarden-desktop
+ pkgs.brave
+ pkgs.discord
+ pkgs.feishin
+ pkgs.ffmpeg-full
+ pkgs.gimp3
+ pkgs.libreoffice
+ pkgs.mpv
+ pkgs.obsidian
+ pkgs.qbittorrent
+ pkgs.thunderbird
+ pkgs.ungoogled-chromium
+ pkgs.vlc
+ pkgs.winetricks
+ pkgs.wineWow64Packages.stable
];
+
+ programs.nix-ld.enable = true;
+
+ services.upower.enable = true;
+ services.playerctld.enable = true;
};
}
diff --git a/modules/nixosModules/desktop/mullvad.nix b/modules/nixosModules/desktop/mullvad.nix
new file mode 100644
index 0000000..9f2892c
--- /dev/null
+++ b/modules/nixosModules/desktop/mullvad.nix
@@ -0,0 +1,22 @@
+{lib, ...}: {
+ flake.nixosModules.mullvad = { pkgs, ... }: {
+ services.mullvad-vpn = {
+ enable = true;
+ package = pkgs.mullvad-vpn;
+ enableExcludeWrapper = true;
+ };
+
+ # allow tailscale traffic through
+ networking.nftables.tables.mullvad_tailscale = {
+ content = ''
+ chain output {
+ type route hook output priority 0; policy accept;
+ ip daddr 100.64.0.0/10 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;
+ }
+ '';
+ family = "inet";
+ };
+
+ systemd.services.tailscaled.serviceConfig.Environment = [ "TS_DEBUG_FIREWALL_MODE=nftables" ];
+ };
+}
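Review bot: The output chain marks only IPv4 destinations in `100.64.0.0/10`, while the headscale settings added in server/tailscale.nix also hand out `fd7a:115c:a1e0::/48`, so tailnet IPv6 traffic gets no exclusion marks. If IPv6 between nodes is meant to work alongside Mullvad, add a matching line such as `ip6 daddr fd7a:115c:a1e0::/48 ct mark set 0x00000f41 meta mark set 0x6d6f6c65;`. The table is only loaded when `networking.nftables.enable` is true, which this module does not set, so that presumably has to come from elsewhere. The IPv4 match covers the whole CGNAT range, so anything addressed there bypasses the VPN tunnel; a comment saying what the two mark values mean and why the range is this wide would help. The outer `lib` argument is unused.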
diff --git a/modules/nixosModules/desktop/pipewire.nix b/modules/nixosModules/desktop/pipewire.nix
index 46e3926..bf05dbd 100644
--- a/modules/nixosModules/desktop/pipewire.nix
+++ b/modules/nixosModules/desktop/pipewire.nix
@@ -8,5 +8,7 @@
pulse.enable = true;
socketActivation = true;
};
+
+ environment.systemPackages = [ pkgs.pwvucontrol ];
};
}
diff --git a/modules/nixosModules/desktop/tailscale.nix b/modules/nixosModules/desktop/tailscale.nix
new file mode 100644
index 0000000..f2ab9fc
--- /dev/null
+++ b/modules/nixosModules/desktop/tailscale.nix
@@ -0,0 +1,75 @@
+{ lib, ... }: {
+ flake.nixosModules.tailscaleDesktop = { config, ... }: {
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "client";
+ openFirewall = true;
+ };
+
+ networking.firewall = {
+ enable = lib.mkDefault true;
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+ };
+
+ flake.nixosModules.nasClient = { pkgs, ... }: {
+ boot.supportedFilesystems = [ "nfs" ];
+
+ environment.systemPackages = with pkgs; [ nfs-utils ];
+
+ fileSystems."/mnt/data" = {
+ device = "100.64.0.2:/tank/data";
+ fsType = "nfs4";
+
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "nofail"
+ "_netdev"
+
+ "hard"
+ "noatime"
+
+ "x-systemd.mount-timeout=10"
+ "x-systemd.idle-timeout=600"
+ ];
+ };
+
+ fileSystems."/mnt/backups" = {
+ device = "100.64.0.2:/tank/backups";
+ fsType = "nfs4";
+
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "nofail"
+ "_netdev"
+
+ "hard"
+ "noatime"
+
+ "x-systemd.mount-timeout=10"
+ "x-systemd.idle-timeout=600"
+ ];
+ };
+
+ fileSystems."/mnt/media" = {
+ device = "100.64.0.2:/tank/media";
+ fsType = "nfs4";
+
+ options = [
+ "x-systemd.automount"
+ "noauto"
+ "nofail"
+ "_netdev"
+
+ "hard"
+ "noatime"
+
+ "x-systemd.mount-timeout=10"
+ "x-systemd.idle-timeout=600"
+ ];
+ };
+ };
+}
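Review bot: `trustedInterfaces = [ "tailscale0" ]` makes the host firewall accept every port from every tailnet peer, so any service listening on this desktop is reachable by all nodes the headscale server admits, and no ACL policy is visible in this commit to narrow that. Consider dropping the trusted interface and opening only what is needed, e.g. `networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ ... ];`. `allowedUDPPorts = [ config.services.tailscale.port ]` repeats what `openFirewall = true` already does. In nasClient the three NFS mounts carry the same options list verbatim and could share one `let` binding, which would keep later changes to the mount options consistent across them.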
diff --git a/modules/nixosModules/server/default.nix b/modules/nixosModules/server/default.nix
index c9bbfa9..a32f049 100644
--- a/modules/nixosModules/server/default.nix
+++ b/modules/nixosModules/server/default.nix
@@ -4,9 +4,12 @@
imports = [
self.nixosModules.arr
self.nixosModules.cgit
+ self.nixosModules.headscale
self.nixosModules.jellyfin
+ self.nixosModules.navidrome
self.nixosModules.nginx
self.nixosModules.radicale
+ self.nixosModules.tailscaleServer
];
};
}
diff --git a/modules/nixosModules/server/navidrome.nix b/modules/nixosModules/server/navidrome.nix
new file mode 100644
index 0000000..5e319ca
--- /dev/null
+++ b/modules/nixosModules/server/navidrome.nix
@@ -0,0 +1,31 @@
+{ self, ... }: {
+ flake.nixosModules.navidrome = { config, ... }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ self.nixosModules.nginx
+ ];
+
+ services.navidrome = {
+ enable = true;
+ settings = {
+ MusicFolder = "${cfg.mediaPath}/audio";
+ DataFolder = "${cfg.dataPath}/navidrome";
+ Address = "127.0.0.1";
+ Port = 4533;
+ EnableTranscoding = true;
+ EnableMediaDeletion = true;
+ Scanner.PurgeMissing = "always";
+ EnableSharing = true;
+ DefaultShareExpiration = "24h";
+ };
+ };
+
+ services.nginx.virtualHosts."music.${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:4553";
+ };
+ };
+}
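Review bot: The nginx `proxyPass` targets port 4553 while Navidrome is configured with `Port = 4533`, so the vhost would proxy to a port nothing is shown listening on. Derive the upstream from the setting so the two cannot drift: `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.navidrome.settings.Port}";`. Separately, `EnableSharing` and `EnableMediaDeletion` are both switched on behind a publicly served vhost; a short comment on why deletion from the web UI is wanted would help the next reader.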
diff --git a/modules/nixosModules/server/tailscale.nix b/modules/nixosModules/server/tailscale.nix
new file mode 100644
index 0000000..41d4b5d
--- /dev/null
+++ b/modules/nixosModules/server/tailscale.nix
@@ -0,0 +1,55 @@
+{ self, ... }: {
+
+ flake.nixosModules.tailscaleServer = { config, ... }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "server";
+ extraUpFlags = [
+ "--login-server=https://headscale.${cfg.domain}"
+ "--advertise-exit-node"
+ ];
+ };
+ };
+
+ flake.nixosModules.headscale = { config, ... }: let
+ cfg = config.hostOptions.server;
+ in {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.headscale = {
+ enable = true;
+ port = 8085;
+ settings = {
+ server_url = "https://headscale.${cfg.domain}";
+ dns = {
+ magic_dns = false;
+ nameservers.global = [ "1.1.1.1" "9.9.9.9" ];
+ };
+ prefixes = {
+ v4 = "100.64.0.0/10";
+ v6 = "fd7a:115c:a1e0::/48";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."headscale.${cfg.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8085";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+ };
+}
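Review bot: `extraUpFlags` in tailscaleServer is, per the NixOS option documentation, only applied when `services.tailscale.authKeyFile` is set, and this module sets none, so `--login-server` and `--advertise-exit-node` will likely never be passed and the node has to be brought up by hand. Set `authKeyFile` to a pre-auth key file provisioned outside the Nix store rather than an inline string, so the key does not end up world-readable. The headscale settings also define no ACL policy, so presumably every enrolled node may reach every other one; a comment stating that this is intended would be useful.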