july rice

2025-07-27 22:02:16 -05:00 · 2025-07-27 22:02:16 -05:00 · 89ab499605
commit 89ab499605
parent 73f2340ac0
10 changed files with 95 additions and 39 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -17,6 +17,7 @@
        "plugdev"
        "video"
        "adbusers"
+        "network"
      ];
    };
  };
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@ -26,8 +26,8 @@
    tmux
  ];
  services = {
-    zfs.autoScrub.enable = true;
-    zfs.autoSnapshot.enable = true;
+    # zfs.autoScrub.enable = true;
+    # zfs.autoSnapshot.enable = true;
    tailscale.enable = true;
    k3s = {
      enable = true;
@ -36,16 +36,53 @@
        "--disable=traefik"
      ];
    };
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      bantime = "1h";
+      ignoreIP = [
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+        "tailc353f.ts.net"
+      ];
+
+      bantime-increment = {
+        enable = true;
+        multipliers = "1 2 4 8 16 32 64 128 256";
+        maxtime = "24h";
+        overalljails = true;
+      };
+    };
    openssh = {
      enable = true;
      ports = [2022];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "prohibit-password";
+        PermitEmptyPasswords = false;
+        PermitTunnel = false;
+        UseDns = false;
+        KbdInteractiveAuthentication = false;
+        X11Forwarding = false;
+        MaxAuthTries = 3;
+        MaxSessions = 2;
+        ClientAliveInterval = 300;
+        ClientAliveCountMax = 0;
+        TCPKeepAlive = false;
+        AllowTcpForwarding = false;
+        AllowAgentForwarding = false;
+        LogLevel = "VERBOSE";
      };
+      hostKeys = [
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
    };
    immich = {
-      enable = true;
+      # enable = true;
+      enable = false;
      port = 2283;
      host = "localhost";
      openFirewall = true;
@ -73,9 +110,9 @@
  };
  boot = {
    tmp.cleanOnBoot = true;
-    supportedFilesystems = ["zfs"];
-    zfs.forceImportRoot = false;
-    zfs.extraPools = ["rice"];
+    # supportedFilesystems = ["zfs"];
+    # zfs.forceImportRoot = false;
+    # zfs.extraPools = ["rice"];
  };
  networking.hostId = "91238132";
  zramSwap.enable = false;
--- a/nixos/consensus/hardware-configuration.nix
+++ b/nixos/consensus/hardware-configuration.nix
@ -1,10 +1,19 @@
-{ lib, modulesPath, ... }:
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
  boot.loader.grub.device = "/dev/nvme0n1";
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/mapper/vg-root"; fsType = "btrfs"; };
-  fileSystems."/var" = { device = "/dev/mapper/vg-var"; fsType = "btrfs"; };
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+  boot.initrd.kernelModules = ["nvme"];
+  fileSystems."/" = {
+    device = "/dev/mapper/vg-root";
+    fsType = "btrfs";
+  };
+  fileSystems."/var" = {
+    device = "/dev/mapper/vg-var";
+    fsType = "btrfs";
+  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nixos/t14/configuration.nix
+++ b/nixos/t14/configuration.nix
@ -1,7 +1,7 @@
 {
-pkgs,
-attrs,
-...
+  pkgs,
+  attrs,
+  ...
 }: let
  # Horrid workaround for https://github.com/nix-community/home-manager/issues/1011
  homeManagerSessionVars = "/etc/profiles/per-user/${attrs.username}/etc/profile.d/hm-session-vars.sh";
@ -24,6 +24,7 @@ in {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    kernelPackages = pkgs.linuxPackages_latest;
+    blacklistedKernelModules = ["bluetooth"];
  };
  # Networking
  networking = {
@ -84,6 +85,7 @@ in {
      ];
    };
    ledger.enable = true;
+    enableAllFirmware = true;
  };
  services = {
    resolved = {
@ -103,8 +105,8 @@ in {
    tlp = {
      enable = true;
      settings = {
-        START_CHARGE_THRESH_BAT0 = 40;
-        STOP_CHARGE_THRESH_BAT0 = 80;
+        START_CHARGE_THRESH_BAT0 = 60;
+        STOP_CHARGE_THRESH_BAT0 = 90;
        CPU_BOOST_ON_AC = 1;
        CPU_BOOST_ON_BAT = 0;
        CPU_SCALING_GOVERNOR_ON_AC = "performance";
@ -113,11 +115,12 @@ in {
        CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
        PLATFORM_PROFILE_ON_BAT = "low-power";
        PLATFORM_PROFILE_ON_AC = "performance";
+        DEVICES_TO_DISABLE_ON_STARTUP = "bluetooth";

        CPU_MIN_PERF_ON_AC = 0;
        CPU_MAX_PERF_ON_AC = 100;
        CPU_MIN_PERF_ON_BAT = 0;
-        CPU_MAX_PERF_ON_BAT = 20;
+        CPU_MAX_PERF_ON_BAT = 40;
      };
    };
    ratbagd.enable = true; # Logitech
--- a/nixos/t14/hardware-configuration.nix
+++ b/nixos/t14/hardware-configuration.nix
@ -10,15 +10,20 @@
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
-
-  boot.initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
-  boot.initrd.kernelModules = ["amdgpu"];
-  boot.kernelModules = ["kvm-amd"];
-  boot.extraModulePackages = [];
+  boot = {
+    initrd.availableKernelModules = ["nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
+    initrd.kernelModules = ["amdgpu"];
+    kernelModules = ["kvm-amd"];
+    extraModulePackages = [];
+    tmp = {
+      useTmpfs = true;
+    };
+  };

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/f56e8356-3915-4ff8-957c-de7f9a72b326";
    fsType = "btrfs";
+    options = ["compress=lzo"];
  };

  fileSystems."/boot" = {