treewide: initial commit

nixos/modules/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./fail2ban.nix
+    ./sysctl.nix
+    ./host.nix
+    ./snapper.nix
+    ./substituters.nix
+  ];
+}

nixos/modules/fail2ban.nix

@@ -0,0 +1,41 @@
+{ config, lib, ... }:
+let
+  cfg = config.fail2ban;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    ;
+in
+{
+  options.fail2ban = {
+    enable = mkEnableOption "" // {
+      default = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.logRefusedConnections = false;
+
+    services.fail2ban = {
+      enable = true;
+
+      maxretry = 6;
+      bantime = "5m";
+      bantime-increment = {
+        enable = true;
+        multipliers = "1 2 6 24 288 864 2016 8640";
+        rndtime = "5m";
+      };
+
+      jails = {
+        DEFAULT.settings.findtime = "15m";
+
+        sshd = lib.mkForce ''
+          enabled = true
+          mode = aggressive
+          port = ${lib.strings.concatMapStringsSep "," toString config.services.openssh.ports}
+        '';
+      };
+    };
+  };
+}

nixos/modules/host.nix

@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+  cfg = config.host;
+  inherit (lib) mkOption types;
+in
+{
+  options.host = {
+    name = mkOption { type = types.str; };
+  };
+
+  config = {
+    environment.variables.HOSTNAME = cfg.name;
+    networking.hostName = cfg.name;
+  };
+}

nixos/modules/snapper.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.snapper;
+  inherit (lib)
+    mkEnableOption
+    mkOption
+    mkIf
+    types
+    ;
+in
+{
+  options.snapper = {
+    enable = mkEnableOption "" // {
+      default = true;
+    };
+
+    interval = mkOption {
+      default = "daily";
+      type = types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.snapper = {
+      snapshotInterval = cfg.interval;
+
+      configs = {
+        home = {
+          SUBVOLUME = "/home";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+
+          TIMELINE_LIMIT_HOURLY = 24;
+          TIMELINE_LIMIT_DAILY = 7;
+          TIMELINE_LIMIT_WEEKLY = 0;
+          TIMELINE_LIMIT_MONTHLY = 3;
+          TIMELINE_LIMIT_YEARLY = 0;
+        };
+
+        persist = {
+          SUBVOLUME = "/persist";
+          TIMELINE_CREATE = true;
+          TIMELINE_CLEANUP = true;
+
+          TIMELINE_LIMIT_HOURLY = 24;
+          TIMELINE_LIMIT_DAILY = 7;
+          TIMELINE_LIMIT_WEEKLY = 0;
+          TIMELINE_LIMIT_MONTHLY = 3;
+          TIMELINE_LIMIT_YEARLY = 0;
+        };
+      };
+    };
+
+    environment.systemPackages = [ pkgs.snapper ];
+  };
+}

nixos/modules/substituters.nix

@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.substituters;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    optionals
+    ;
+in
+{
+  options.substituters = {
+    enable = mkEnableOption "" // {
+      default = true;
+    };
+
+    garnix = mkEnableOption "" // {
+      default = true;
+    };
+
+    nix-community = mkEnableOption "" // {
+      default = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    nix.settings = {
+      substituters =
+        (optionals cfg.garnix [ "https://cache.garnix.io" ])
+        ++ (optionals cfg.nix-community [ "https://nix-community.cachix.org" ]);
+      trusted-public-keys =
+        (optionals cfg.garnix [
+          "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        ])
+        ++ (optionals cfg.nix-community [
+          "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        ]);
+    };
+  };
+}

nixos/modules/sysctl.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.sysctl;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    ;
+in
+{
+  options.sysctl = {
+    enable = mkEnableOption "" // {
+      default = true;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    boot.kernel.sysctl = {
+      "vm.page-cluster" = 0;
+      "vm.swappiness" = 100;
+      "vm.watermark_boost_factor" = 1;
+    };
+  };
+}