monorepo lab stuff, init zen

2025-12-27 22:26:02 -06:00 · 2025-12-27 22:26:02 -06:00 · 645e09f9dd
commit 645e09f9dd
parent cfc15bba89
54 changed files with 67498 additions and 406 deletions
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@ -0,0 +1,105 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-net; in {
+  options.system-net = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    dns = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    openssh = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+      };
+      ports = lib.mkOption {
+        type = lib.types.listOf lib.types.int;
+        default = [22];
+      };
+    };
+    tailscale = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    nfs = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      tailscale.enable = cfg.tailscale;
+      resolved = lib.mkIf cfg.dns {
+        enable = true;
+        fallbackDns = [
+          "1.1.1.1"
+          "9.9.9.9"
+        ];
+      };
+      fail2ban = {
+        enable = true;
+        maxretry = 5;
+        bantime = "1h";
+        ignoreIP = [
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+          "10.0.0.0/8"
+          "tailc353f.ts.net"
+        ];
+        bantime-increment = {
+          enable = true;
+          multipliers = "1 2 4 8 16 32 64 128 256";
+          maxtime = "24h";
+          overalljails = true;
+        };
+      };
+      openssh = {
+        enable = cfg.openssh.enable;
+        ports = cfg.openssh.ports;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "prohibit-password";
+          PermitEmptyPasswords = false;
+          PermitTunnel = false;
+          UseDns = false;
+          KbdInteractiveAuthentication = false;
+          X11Forwarding = false;
+          MaxAuthTries = 3;
+          MaxSessions = 2;
+          ClientAliveInterval = 300;
+          ClientAliveCountMax = 0;
+          TCPKeepAlive = false;
+          AllowTcpForwarding = false;
+          AllowAgentForwarding = false;
+          LogLevel = "VERBOSE";
+        };
+        hostKeys = [
+          {
+            path = "/etc/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+        ];
+      };
+    };
+    systemd = {
+      mounts = [{
+        type = "nfs";
+        mountConfig = {
+          Options = "noatime";
+        };
+        what = "consensus:/rice";
+        where = "/mnt/rice";
+      }];
+      automounts = [{
+        wantedBy = [ "multi-user.target" ];
+        automountConfig = {
+          TimeoutIdleSec = "600";
+        };
+        where = "/mnt/rice";
+      }];
+    };
+  };
+}