camera network

flake.nix

@@ -29,6 +29,7 @@
       inherit system;
       config = {
         allowUnfree = true;
+	nvidia.acceptLicense = true;
       };
       overlays = [
         nur.overlays.default

src/system/machines/desktop/system.nix

@@ -94,7 +94,24 @@ in
       enable = true;
       allowedTCPPorts = [ 22 80 443 ];
     };
-    nameservers = [ "192.168.0.154" ];
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # Explicit subdomains -> local server
+      address = [
+        "/git.ramos.codes/192.168.0.154"
+        "/ln.ramos.codes/192.168.0.154"
+        "/photos.ramos.codes/192.168.0.154"
+        "/test.ramos.codes/192.168.0.154"
+        "/electrum.ramos.codes/192.168.0.154"
+        "/immich.ramos.codes/192.168.0.154"
+        "/forgejo.ramos.codes/192.168.0.154"
+        "/frigate.ramos.codes/192.168.0.154"
+      ];
+      server = [ "192.168.0.1" ];
+    };
   };
 
   services = {

src/system/machines/server/system.nix

@@ -102,12 +102,19 @@
   networking = {
     hostName = "server";
     useDHCP = false;
-    interfaces.eno1 = {
+    interfaces.enp2s0f0 = {
       ipv4.addresses = [{
         address = "192.168.0.154";
         prefixLength = 24;
       }];
     };
+    # Camera network - isolated, no gateway
+    interfaces.enp2s0f1 = {
+      ipv4.addresses = [{
+        address = "192.168.1.1";
+        prefixLength = 24;
+      }];
+    };
     defaultGateway = "192.168.0.1";
     nameservers = [ "1.1.1.1" "8.8.8.8" ];
     firewall = {
@@ -131,6 +138,12 @@
         "8.8.8.8"
       ];
       cache-size = 1000;
+
+      # Camera network DHCP (isolated - no gateway = no internet)
+      interface = "enp2s0f1";
+      bind-interfaces = true;
+      dhcp-range = "192.168.1.100,192.168.1.200,24h";
+      # No gateway option = cameras can't route to internet
     };
   };
 

src/system/machines/workstation/hardware.nix

@@ -80,13 +80,19 @@
       enable = true;
       enable32Bit = true;
     };
+
     nvidia = {
       open = false;
       powerManagement.enable = false;
       powerManagement.finegrained = false;
       modesetting.enable = true;
       nvidiaSettings = true;
-      package = config.boot.kernelPackages.nvidiaPackages.stable;
+      package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
+	version = "550.120";
+	sha256_64bit = "sha256-gBkoJ0dTzM52JwmOoHjMNwcN2uBN46oIRZHAX8cDVpc=";
+	settingsSha256 = "sha256-fPfIPwpIijoUpNlAUt9C8EeXR5In633qnlelL+btGbU=";
+	persistencedSha256 = lib.fakeSha256;
+      };
     };
   };
 

src/system/modules/bitcoin/config/bitcoin.conf

@@ -16,3 +16,5 @@ listenonion=1
 torcontrol=127.0.0.1:9051
 
 txindex=1
+
+dbcache=1024

src/system/modules/forgejo/default.nix

@@ -52,6 +52,7 @@ in
           APP_SLOGAN = "";
         };
 
+        service.REQUIRE_SIGNIN_VIEW = false;
         server = {
           DOMAIN = "git.${domain}";
           ROOT_URL = "https://git.${domain}/";

src/system/modules/nginx/default.nix

@@ -28,12 +28,25 @@ in
       };
     };
 
+    services.sslh = {
+      enable = true;
+      listenAddresses = [ "0.0.0.0" ];
+      port = 443;
+      settings = {
+        protocols = [
+          { name = "ssh"; host = "127.0.0.1"; port = "22"; }
+          { name = "tls"; host = "127.0.0.1"; port = "4443"; }
+        ];
+      };
+    };
+
     services.nginx = {
       enable = true;
       recommendedTlsSettings = true;
       recommendedOptimisation = true;
       recommendedGzipSettings = true;
       eventsConfig = "worker_connections 4096;";
+      defaultSSLListenPort = 4443;
 
       # Catch-all default - friendly error for unknown subdomains
       virtualHosts."_" = {