
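{
  host,
  pkgs,
  config,
  lib,
  ...
}:
# Host networking baseline: systemd-resolved, fail2ban, a hardened sshd and
# tailscale, each switchable through `machine.net.*`.  `host` and `pkgs` are
# part of the module signature but are not used in this file.
let
  cfg = config.machine.net;
in
{
  options.machine.net = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to apply this module's networking configuration at all.";
    };
    dns = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to run systemd-resolved with public fallback DNS servers.";
    };
    openssh = {
      enable = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = "Whether to run sshd with the hardened settings from this module.";
      };
      ports = lib.mkOption {
        type = lib.types.listOf lib.types.int;
        default = [ 22 ];
        description = "TCP ports sshd listens on.";
      };
    };
    tailscale = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether to run the tailscale daemon.";
    };
    nfs = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Reserved for the NFS home mount.  Nothing in this module reads it yet:
        the systemd mount/automount definitions below are still commented out.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services = {
      tailscale.enable = cfg.tailscale;

      resolved = lib.mkIf cfg.dns {
        enable = true;
        # Only consulted when no per-link DNS servers are known (e.g. DHCP
        # supplied none); it is not the primary resolver.
        fallbackDns = [
          "1.1.1.1"
          "9.9.9.9"
        ];
      };

      fail2ban = {
        enable = true;
        maxretry = 5;
        bantime = "1h";
        # Never ban RFC 1918 sources.
        # NOTE(review): the last entry is a bare tailnet domain.  fail2ban
        # matches ignoreip against addresses/CIDRs (a DNS name only counts if
        # fail2ban resolves it), and sshd logs tailnet peers by their tailscale
        # address (the 100.64.0.0/10 CGNAT range), not by name — confirm this
        # entry actually exempts the peers it is meant to.
        ignoreIP = [
          "172.16.0.0/12"
          "192.168.0.0/16"
          "10.0.0.0/8"
          "tailc353f.ts.net"
        ];
        # Repeat offenders get exponentially longer bans, capped at a day; the
        # escalation counts previous bans from every jail, not just sshd.
        bantime-increment = {
          enable = true;
          multipliers = "1 2 4 8 16 32 64 128 256";
          maxtime = "24h";
          overalljails = true;
        };
      };

      openssh = {
        enable = cfg.openssh.enable;
        ports = cfg.openssh.ports;
        settings = {
          # Key-based authentication only; root may log in with a key but
          # never with a password.
          PasswordAuthentication = false;
          PermitRootLogin = "prohibit-password";
          PermitEmptyPasswords = false;
          KbdInteractiveAuthentication = false;
          # This host is an endpoint, not a relay: no tunnels, no TCP/agent
          # forwarding, no X11.
          PermitTunnel = false;
          AllowTcpForwarding = false;
          AllowAgentForwarding = false;
          X11Forwarding = false;
          # Do not reverse-resolve client addresses (slow, and the result is
          # attacker-controlled anyway).
          UseDns = false;
          MaxAuthTries = 3;
          MaxSessions = 2;
          # Probe the client every 5 minutes over the encrypted channel and
          # drop it after the first unanswered probe.  Since OpenSSH 8.2 a
          # ClientAliveCountMax of 0 means "never terminate", so the former
          # `= 0` here silently disabled the disconnect it was meant to force.
          # A connected but idle client answers these probes, so this catches
          # dead connections, not idle sessions.
          ClientAliveInterval = 300;
          ClientAliveCountMax = 1;
          # Application-level probes above replace the spoofable TCP ones.
          TCPKeepAlive = false;
          # VERBOSE additionally logs the key fingerprint used for each login.
          LogLevel = "VERBOSE";
        };
        # Ed25519 only; no RSA/ECDSA host keys are generated.
        hostKeys = [
          {
            path = "/etc/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }
        ];
      };
    };

    # Pending NFS home mount; intended to be gated on `machine.net.nfs` once
    # enabled.  Kept commented out on purpose.
    systemd = {
      # mounts = [
      #   {
      #     type = "nfs";
      #     mountConfig = {
      #       Options = "noatime";
      #     };
      #     what = "zen:/tank/home";
      #     where = "/mnt/home";
      #   }
      # ];
      # automounts = [
      #   {
      #     wantedBy = [ "multi-user.target" ];
      #     automountConfig = {
      #       TimeoutIdleSec = "600";
      #     };
      #     where = "/mnt/home";
      #   }
      # ];
    };
  };
}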