moved common out of systems

common/docker_templates/file_server/sites/000-default.conf

@@ -0,0 +1,17 @@
+<VirtualHost *:80>
+  ServerAdmin admin@domain.com
+
+  DocumentRoot /data/
+  <Directory /data/>
+    Options Indexes FollowSymLinks
+    AllowOverride All
+    Require all granted
+  </Directory>
+
+  ErrorLog ${APACHE_LOG_DIR}/error.log
+
+  # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/access.log combined
+</VirtualHost>

common/global/default.nix

@@ -0,0 +1,50 @@
+{
+  inputs,
+  lib,
+  outputs,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./docker.nix
+    ./fail2ban.nix
+    ./libs.nix
+    ./locale.nix
+    ./nh.nix
+    ./nix.nix
+    ./programs.nix
+    ./ssh.nix
+    ./snapshot_manager.nix
+  ];
+
+  boot = {
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_10;
+    tmp.useTmpfs = true;
+  };
+
+  hardware.enableRedistributableFirmware = true;
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {inherit inputs outputs;};
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  programs = {
+    zsh.enable = true;
+    fish.enable = true;
+  };
+
+  security.auditd.enable = lib.mkDefault true;
+
+  users.mutableUsers = lib.mkDefault true;
+
+  zramSwap = {
+    enable = lib.mkDefault true;
+    priority = 1000;
+  };
+}

common/global/docker.nix

@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+  users = {
+    users.docker-service = {
+      isSystemUser = true;
+      group = "docker-service";
+      extraGroups = [ "docker" ];
+      uid = 600;
+    };
+    groups.docker-service = {
+      gid = 600;
+    };
+  };
+
+  virtualisation.docker = {
+    enable = lib.mkDefault true;
+    logDriver = "local";
+    storageDriver = "overlay2";
+    daemon.settings = {
+      experimental = true;
+      exec-opts = [ "native.cgroupdriver=systemd" ];
+      log-opts = {
+        max-size = "10m";
+        max-file = "5";
+      };
+    };
+  };
+}

common/global/fail2ban.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+{
+  services.fail2ban = {
+    enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true);
+    maxretry = 5;
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      maxtime = "168h";
+      overalljails = true;
+    };
+  };
+}

common/global/libs.nix

@@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+{
+  programs.nix-ld = {
+    enable = lib.mkDefault true;
+    libraries = with pkgs; [
+      acl
+      attr
+      bzip2
+      curl
+      glib
+      libglvnd
+      libmysqlclient
+      libsodium
+      libssh
+      libxml2
+      openssl
+      stdenv.cc.cc
+      systemd
+      util-linux
+      xz
+      zlib
+      zlib-ng
+      zstd
+    ];
+  };
+}

common/global/locale.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  time.timeZone = lib.mkDefault "America/New_York";
+  console.keyMap = lib.mkDefault "us";
+
+  i18n = {
+    defaultLocale = lib.mkDefault "en_US.utf8";
+    supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
+    extraLocaleSettings = lib.mkDefault {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+  };
+}

common/global/nh.nix

@@ -0,0 +1,10 @@
+{
+  programs.nh = {
+    enable = true;
+    clean = {
+      enable = true;
+      dates = "weekly";
+      extraArgs = "--keep-since 7d --keep 3";
+    };
+  };
+}

common/global/nix.nix

@@ -0,0 +1,28 @@
+{
+  inputs,
+  lib,
+  ...
+}: let
+  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+  nix = {
+    settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      auto-optimise-store = lib.mkDefault true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "ca-derivations"
+      ];
+      warn-dirty = false;
+      flake-registry = ""; # disable global flake registries
+    };
+
+    # Add each flake input as a registry and nix_path
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

common/global/programs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    git
+    python312
+  ];
+}

common/global/snapshot_config.toml

@@ -0,0 +1,29 @@
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 24
+daily = 14
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
+15_min = 8
+hourly = 24
+daily = 30
+monthly = 6

common/global/snapshot_manager.nix

@@ -0,0 +1,44 @@
+{ inputs, pkgs, lib, config, ... }:
+let
+  cfg = config.services.snapshot_manager;
+in
+{
+  options = {
+    services.snapshot_manager = {
+      enable = lib.mkOption {
+        default = true;
+        example = true;
+        description = "Whether to enable k3s-net.";
+        type = lib.types.bool;
+      };
+      path = lib.mkOption {
+        type = lib.types.path;
+        description = "Path that needs to be updated via git pull";
+        default = ./snapshot_config.toml;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd = {
+      services."snapshot_manager" = {
+        description = "ZFS Snapshot Manager";
+        requires = [ "zfs-import.target" ];
+        after = [ "zfs-import.target" ];
+        path = [ pkgs.zfs ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/snapshot_manager --config-file='${cfg.path}'";
+        };
+      };
+      timers."snapshot_manager" = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "15m";
+          OnUnitActiveSec = "15m";
+          Unit = "snapshot_manager.service";
+        };
+      };
+    };
+  };
+}

common/global/ssh.nix

@@ -0,0 +1,71 @@
+{ lib, ... }:
+{
+  services = {
+    openssh = {
+      enable = lib.mkDefault true;
+      extraConfig = "StreamLocalBindUnlink yes";
+
+      hostKeys = [
+        {
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+        {
+          path = "/etc/ssh/ssh_host_ecdsa_key";
+          type = "ecdsa";
+        }
+      ];
+
+      settings = {
+        AllowAgentForwarding = "no";
+        AllowTcpForwarding = lib.mkDefault "yes";
+        ChallengeResponseAuthentication = "no";
+        ClientAliveCountMax = lib.mkDefault 2;
+        Compression = "NO";
+        IgnoreRhosts = "yes";
+        LogLevel = lib.mkDefault "VERBOSE";
+        MaxAuthTries = 3;
+        MaxSessions = lib.mkDefault 2;
+        PasswordAuthentication = false;
+        PermitEmptyPasswords = "no";
+        PermitRootLogin = lib.mkForce "no";
+        TcpKeepAlive = "no";
+        X11Forwarding = lib.mkDefault false;
+        KexAlgorithms = [
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+
+        Ciphers = [
+          "chacha20-poly1305@openssh.com"
+          "aes256-gcm@openssh.com"
+          "aes128-gcm@openssh.com"
+          "aes256-ctr"
+          "aes192-ctr"
+          "aes128-ctr"
+        ];
+
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
+      };
+    };
+
+    endlessh-go = {
+      enable = lib.mkDefault true;
+      port = 22;
+    };
+  };
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+}

common/optional/desktop.nix

@@ -0,0 +1,12 @@
+{
+  services = {
+    desktopManager.plasma6.enable = true;
+    xserver = {
+      enable = true;
+      xkb = {
+        layout = "us";
+        variant = "";
+      };
+    };
+  };
+}

common/optional/libvirt.nix

@@ -0,0 +1,7 @@
+{
+  virtualisation.libvirtd.enable = true;
+  programs.virt-manager.enable = true;
+  virtualisation.spiceUSBRedirection.enable = true;
+
+  programs.dconf.enable = true;
+}

common/optional/scanner.nix

@@ -0,0 +1,6 @@
+{
+  hardware.sane = {
+    enable = true;
+    drivers.scanSnap.enable = true;
+  };
+}

common/optional/ssh_decrypt.nix

@@ -0,0 +1,15 @@
+{ config, ... }:
+{
+  boot.initrd = {
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 2222;
+        hostKeys = [ "/etc/ssh/initrd_ssh_host_ed25519_key" ];
+        authorizedKeys = config.users.users.richie.openssh.authorizedKeys.keys;
+      };
+    };
+    availableKernelModules = [ "igb" ];
+  };
+}

common/optional/steam.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [mangohud steam-run];
+  hardware.steam-hardware.enable = true;
+
+  programs = {
+    gamemode.enable = true;
+    steam = {
+      enable = true;
+      gamescopeSession.enable = true;
+      remotePlay.openFirewall = true;
+      localNetworkGameTransfers.openFirewall = true;
+      extraCompatPackages = with pkgs; [proton-ge-bin];
+      extest.enable = true;
+    };
+  };
+}

common/optional/syncthing_base.nix

@@ -0,0 +1,19 @@
+{
+  services.syncthing = {
+    enable = true;
+    user = "richie";
+    overrideDevices = true;
+    overrideFolders = true;
+    dataDir = "/home/richie/Syncthing";
+    configDir = "/home/richie/.config/syncthing";
+    settings = {
+      devices = {
+        phone.id = "LTGPLAE-M4ZDJTM-TZ3DJGY-SLLAVWF-CQDVEVS-RGCS75T-GAPZYK3-KUM6LA5"; # cspell:disable-line
+        jeeves.id = "ICRHXZW-ECYJCUZ-I4CZ64R-3XRK7CG-LL2HAAK-FGOHD22-BQA4AI6-5OAL6AG"; # cspell:disable-line
+        ipad.id = "KI76T3X-SFUGV2L-VSNYTKR-TSIUV5L-SHWD3HE-GQRGRCN-GY4UFMD-CW6Z6AX"; # cspell:disable-line
+        bob.id = "CJIAPEJ-VO74RR4-F75VU6M-QNZAMYG-FYUJG7Y-6AT62HJ-355PRPL-PJFETAZ"; # cspell:disable-line
+        rhapsody-in-green.id = "ASL3KC4-3XEN6PA-7BQBRKE-A7JXLI6-DJT43BY-Q4WPOER-7UALUAZ-VTPQ6Q4"; # cspell:disable-line
+      };
+    };
+  };
+}

common/optional/systemd-boot.nix

@@ -0,0 +1,6 @@
+{
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+}

common/optional/update.nix

@@ -0,0 +1,19 @@
+{ lib, ... }:
+{
+  services.autopull = {
+    enable = lib.mkDefault true;
+    repo.dotfiles = {
+      enable = lib.mkDefault true;
+      ssh-key = lib.mkDefault "/root/.ssh/id_ed25519_ghdeploy";
+      path = lib.mkDefault /root/dotfiles;
+    };
+  };
+
+  system.autoUpgrade = {
+    enable = lib.mkDefault true;
+    flags = [ "--accept-flake-config" ];
+    randomizedDelaySec = "1h";
+    persistent = true;
+    flake = "github:RAD-Development/nix-dotfiles";
+  };
+}

common/optional/yubikey.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  services.pcscd.enable = true;
+
+  environment.systemPackages = [ pkgs.yubioath-flutter ];
+}

common/optional/zerotier.nix

@@ -0,0 +1,6 @@
+{
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "e4da7455b2ae64ca" ];
+  };
+}