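# System-level network module: systemd-resolved, a hardened sshd, fail2ban,
# Tailscale and an optional on-demand NFS mount. Everything is gated on
# `system-net.enable`; each service additionally has its own toggle below.
{ host, pkgs, config, lib, ... }:

let
  cfg = config.system-net;
in
{
  options.system-net = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Enable the system-net module as a whole.";
    };

    dns = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Run systemd-resolved with public fallback resolvers.";
    };

    openssh = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = "Run the hardened OpenSSH server.";
      };
      ports = lib.mkOption {
        type = lib.types.listOf lib.types.int;
        default = [ 22 ];
        description = "TCP ports sshd listens on.";
      };
    };

    tailscale = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Enable the Tailscale daemon.";
    };

    nfs = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Automount the consensus:/rice NFS export at /mnt/rice.";
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      tailscale.enable = cfg.tailscale;

      resolved = lib.mkIf cfg.dns {
        enable = true;
        # Consulted only when no link-provided resolver is available.
        fallbackDns = [ "1.1.1.1" "9.9.9.9" ];
      };

      fail2ban = {
        enable = true;
        maxretry = 5;
        bantime = "1h";
        # Private ranges and the tailnet are exempt from banning.
        ignoreIP = [
          "172.16.0.0/12"
          "192.168.0.0/16"
          "10.0.0.0/8"
          "tailc353f.ts.net"
        ];
        # Repeat offenders get geometrically longer bans, capped at 24h,
        # counted across all jails.
        bantime-increment = {
          enable = true;
          multipliers = "1 2 4 8 16 32 64 128 256";
          maxtime = "24h";
          overalljails = true;
        };
      };

      openssh = {
        enable = cfg.openssh.enable;
        ports = cfg.openssh.ports;
        settings = {
          # Public-key authentication only; root may log in with a key but
          # never with a password.
          PasswordAuthentication = false;
          KbdInteractiveAuthentication = false;
          PermitEmptyPasswords = false;
          PermitRootLogin = "prohibit-password";
          # No tunnelling or forwarding of any kind.
          PermitTunnel = false;
          AllowTcpForwarding = false;
          AllowAgentForwarding = false;
          X11Forwarding = false;
          UseDns = false;
          MaxAuthTries = 3;
          MaxSessions = 2;
          # Send a liveness probe every 300 s and drop the client after one
          # unanswered probe. The previous value of 0 does not mean "drop
          # immediately": in OpenSSH 8.2 and later ClientAliveCountMax=0
          # disables connection termination entirely.
          ClientAliveInterval = 300;
          ClientAliveCountMax = 1;
          # Liveness is handled in-protocol above, not by TCP keepalives.
          TCPKeepAlive = false;
          LogLevel = "VERBOSE";
        };
        hostKeys = [
          { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
        ];
      };
    };

    # The mount/automount pair is only created when `system-net.nfs` is set.
    # Previously the option was declared but never consulted, so the NFS
    # units were always generated regardless of its value.
    systemd = lib.mkIf cfg.nfs {
      mounts = [{
        type = "nfs";
        mountConfig = { Options = "noatime"; };
        what = "consensus:/rice";
        where = "/mnt/rice";
      }];
      automounts = [{
        wantedBy = [ "multi-user.target" ];
        # Unmount after 600 s of inactivity.
        automountConfig = { TimeoutIdleSec = "600"; };
        where = "/mnt/rice";
      }];
    };
  };
}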