monorepo lab stuff, init zen

2025-12-27 22:26:02 -06:00 · 2025-12-27 22:26:02 -06:00 · 645e09f9dd
commit 645e09f9dd
parent cfc15bba89
54 changed files with 67498 additions and 406 deletions
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@ -0,0 +1,105 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-net; in {
+  options.system-net = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    dns = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    openssh = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+      };
+      ports = lib.mkOption {
+        type = lib.types.listOf lib.types.int;
+        default = [22];
+      };
+    };
+    tailscale = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    nfs = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      tailscale.enable = cfg.tailscale;
+      resolved = lib.mkIf cfg.dns {
+        enable = true;
+        fallbackDns = [
+          "1.1.1.1"
+          "9.9.9.9"
+        ];
+      };
+      fail2ban = {
+        enable = true;
+        maxretry = 5;
+        bantime = "1h";
+        ignoreIP = [
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+          "10.0.0.0/8"
+          "tailc353f.ts.net"
+        ];
+        bantime-increment = {
+          enable = true;
+          multipliers = "1 2 4 8 16 32 64 128 256";
+          maxtime = "24h";
+          overalljails = true;
+        };
+      };
+      openssh = {
+        enable = cfg.openssh.enable;
+        ports = cfg.openssh.ports;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "prohibit-password";
+          PermitEmptyPasswords = false;
+          PermitTunnel = false;
+          UseDns = false;
+          KbdInteractiveAuthentication = false;
+          X11Forwarding = false;
+          MaxAuthTries = 3;
+          MaxSessions = 2;
+          ClientAliveInterval = 300;
+          ClientAliveCountMax = 0;
+          TCPKeepAlive = false;
+          AllowTcpForwarding = false;
+          AllowAgentForwarding = false;
+          LogLevel = "VERBOSE";
+        };
+        hostKeys = [
+          {
+            path = "/etc/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+        ];
+      };
+    };
+    systemd = {
+      mounts = [{
+        type = "nfs";
+        mountConfig = {
+          Options = "noatime";
+        };
+        what = "consensus:/rice";
+        where = "/mnt/rice";
+      }];
+      automounts = [{
+        wantedBy = [ "multi-user.target" ];
+        automountConfig = {
+          TimeoutIdleSec = "600";
+        };
+        where = "/mnt/rice";
+      }];
+    };
+  };
+}
--- a/nixos/modules/nix.nix
+++ b/nixos/modules/nix.nix
@ -0,0 +1,46 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-nix; in {
+  options.system-nix = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs = {
+      nix-index = {
+        enableBashIntegration = false;
+        enableZshIntegration = false;
+      };
+      nix-index-database.comma.enable = true;
+    };
+    nix = {
+      package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
+      settings = {
+        auto-optimise-store = true;
+        substituters = [
+          "https://install.determinate.systems"
+          "https://nvim-treesitter-main.cachix.org"
+        ];
+        trusted-public-keys = [
+          "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
+          "nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
+        ];
+        trusted-users = [ host.username ];
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+        # lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
+      };
+      channel.enable = false;
+      nixPath = [ "nixpkgs=flake:nixpkgs" ];
+      gc = {
+        automatic = true;
+        dates = "00:00";
+        options = "--delete-older-than 14d";
+      };
+    };
+  };
+}
--- a/nixos/modules/pkgs.nix
+++ b/nixos/modules/pkgs.nix
@ -0,0 +1,17 @@
+{ pkgs, config, lib, ...}:
+let cfg = config.system-pkgs; in {
+  options.system-pkgs = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      git
+      vim
+      tmux
+    ];
+  };
+}
--- a/nixos/modules/system.nix
+++ b/nixos/modules/system.nix
@ -0,0 +1,78 @@
+{ host, config, lib, ...}:
+let cfg = config.system-sys; in {
+  options.system-sys = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    swapSize = lib.mkOption {
+      type = lib.types.int;
+      default = 4;
+    };
+    zram = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    documentation = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    time.timeZone = "America/Chicago";
+    boot.tmp.cleanOnBoot = true;
+    zramSwap.enable = cfg.zram;
+    security.sudo-rs = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+    swapDevices = [
+      {
+        device = "/swapfile";
+        size = cfg.swapSize * 1024;
+      }
+    ];
+    documentation = lib.mkIf cfg.documentation {
+      enable = lib.mkDefault false;
+      info.enable = lib.mkDefault false;
+      man.enable = lib.mkDefault false;
+      nixos.enable = lib.mkDefault false;
+    };
+    networking = {
+      domain = "";
+      hostName = host.hostName;
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [
+          22
+        ];
+        logRefusedConnections = true;
+      };
+    };
+    users = {
+      groups.plugdev = { };
+      groups.${host.username} = { };
+      users.${host.username} = {
+        isNormalUser = true;
+        group = "${host.username}";
+        home = "/home/e";
+        extraGroups = [
+          "wheel"
+          "plugdev"
+          "video"
+          "adbusers"
+          "network"
+        ];
+        openssh.authorizedKeys.keys = [
+          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
+        ];
+      };
+    };
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+    ];
+  };
+}