moved common out of systems

common/global/default.nix

@@ -0,0 +1,50 @@
+{
+  inputs,
+  lib,
+  outputs,
+  pkgs,
+  ...
+}:
+{
+  imports = [
+    inputs.home-manager.nixosModules.home-manager
+    ./docker.nix
+    ./fail2ban.nix
+    ./libs.nix
+    ./locale.nix
+    ./nh.nix
+    ./nix.nix
+    ./programs.nix
+    ./ssh.nix
+    ./snapshot_manager.nix
+  ];
+
+  boot = {
+    kernelPackages = lib.mkDefault pkgs.linuxPackages_6_10;
+    tmp.useTmpfs = true;
+  };
+
+  hardware.enableRedistributableFirmware = true;
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {inherit inputs outputs;};
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  programs = {
+    zsh.enable = true;
+    fish.enable = true;
+  };
+
+  security.auditd.enable = lib.mkDefault true;
+
+  users.mutableUsers = lib.mkDefault true;
+
+  zramSwap = {
+    enable = lib.mkDefault true;
+    priority = 1000;
+  };
+}

common/global/docker.nix

@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+  users = {
+    users.docker-service = {
+      isSystemUser = true;
+      group = "docker-service";
+      extraGroups = [ "docker" ];
+      uid = 600;
+    };
+    groups.docker-service = {
+      gid = 600;
+    };
+  };
+
+  virtualisation.docker = {
+    enable = lib.mkDefault true;
+    logDriver = "local";
+    storageDriver = "overlay2";
+    daemon.settings = {
+      experimental = true;
+      exec-opts = [ "native.cgroupdriver=systemd" ];
+      log-opts = {
+        max-size = "10m";
+        max-file = "5";
+      };
+    };
+  };
+}

common/global/fail2ban.nix

@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+{
+  services.fail2ban = {
+    enable = lib.mkIf config.networking.firewall.enable (lib.mkDefault true);
+    maxretry = 5;
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      maxtime = "168h";
+      overalljails = true;
+    };
+  };
+}

common/global/libs.nix

@@ -0,0 +1,26 @@
+{ lib, pkgs, ... }:
+{
+  programs.nix-ld = {
+    enable = lib.mkDefault true;
+    libraries = with pkgs; [
+      acl
+      attr
+      bzip2
+      curl
+      glib
+      libglvnd
+      libmysqlclient
+      libsodium
+      libssh
+      libxml2
+      openssl
+      stdenv.cc.cc
+      systemd
+      util-linux
+      xz
+      zlib
+      zlib-ng
+      zstd
+    ];
+  };
+}

common/global/locale.nix

@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  time.timeZone = lib.mkDefault "America/New_York";
+  console.keyMap = lib.mkDefault "us";
+
+  i18n = {
+    defaultLocale = lib.mkDefault "en_US.utf8";
+    supportedLocales = lib.mkDefault [ "en_US.UTF-8/UTF-8" ];
+    extraLocaleSettings = lib.mkDefault {
+      LC_ADDRESS = "en_US.UTF-8";
+      LC_IDENTIFICATION = "en_US.UTF-8";
+      LC_MEASUREMENT = "en_US.UTF-8";
+      LC_MONETARY = "en_US.UTF-8";
+      LC_NAME = "en_US.UTF-8";
+      LC_NUMERIC = "en_US.UTF-8";
+      LC_PAPER = "en_US.UTF-8";
+      LC_TELEPHONE = "en_US.UTF-8";
+      LC_TIME = "en_US.UTF-8";
+    };
+  };
+}

common/global/nh.nix

@@ -0,0 +1,10 @@
+{
+  programs.nh = {
+    enable = true;
+    clean = {
+      enable = true;
+      dates = "weekly";
+      extraArgs = "--keep-since 7d --keep 3";
+    };
+  };
+}

common/global/nix.nix

@@ -0,0 +1,28 @@
+{
+  inputs,
+  lib,
+  ...
+}: let
+  flakeInputs = lib.filterAttrs (_: lib.isType "flake") inputs;
+in {
+  nix = {
+    settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
+      auto-optimise-store = lib.mkDefault true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+        "ca-derivations"
+      ];
+      warn-dirty = false;
+      flake-registry = ""; # disable global flake registries
+    };
+
+    # Add each flake input as a registry and nix_path
+    registry = lib.mapAttrs (_: flake: {inherit flake;}) flakeInputs;
+    nixPath = lib.mapAttrsToList (n: _: "${n}=flake:${n}") flakeInputs;
+  };
+}

common/global/programs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    git
+    python312
+  ];
+}

common/global/snapshot_config.toml

@@ -0,0 +1,29 @@
+["default"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/home"]
+15_min = 8
+hourly = 24
+daily = 14
+monthly = 0
+
+["root_pool/root"]
+15_min = 8
+hourly = 24
+daily = 0
+monthly = 0
+
+["root_pool/nix"]
+15_min = 4
+hourly = 0
+daily = 0
+monthly = 0
+
+["root_pool/var"]
+15_min = 8
+hourly = 24
+daily = 30
+monthly = 6

common/global/snapshot_manager.nix

@@ -0,0 +1,44 @@
+{ inputs, pkgs, lib, config, ... }:
+let
+  cfg = config.services.snapshot_manager;
+in
+{
+  options = {
+    services.snapshot_manager = {
+      enable = lib.mkOption {
+        default = true;
+        example = true;
+        description = "Whether to enable k3s-net.";
+        type = lib.types.bool;
+      };
+      path = lib.mkOption {
+        type = lib.types.path;
+        description = "Path that needs to be updated via git pull";
+        default = ./snapshot_config.toml;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd = {
+      services."snapshot_manager" = {
+        description = "ZFS Snapshot Manager";
+        requires = [ "zfs-import.target" ];
+        after = [ "zfs-import.target" ];
+        path = [ pkgs.zfs ];
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/snapshot_manager --config-file='${cfg.path}'";
+        };
+      };
+      timers."snapshot_manager" = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "15m";
+          OnUnitActiveSec = "15m";
+          Unit = "snapshot_manager.service";
+        };
+      };
+    };
+  };
+}

common/global/ssh.nix

@@ -0,0 +1,71 @@
+{ lib, ... }:
+{
+  services = {
+    openssh = {
+      enable = lib.mkDefault true;
+      extraConfig = "StreamLocalBindUnlink yes";
+
+      hostKeys = [
+        {
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        {
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+        {
+          path = "/etc/ssh/ssh_host_ecdsa_key";
+          type = "ecdsa";
+        }
+      ];
+
+      settings = {
+        AllowAgentForwarding = "no";
+        AllowTcpForwarding = lib.mkDefault "yes";
+        ChallengeResponseAuthentication = "no";
+        ClientAliveCountMax = lib.mkDefault 2;
+        Compression = "NO";
+        IgnoreRhosts = "yes";
+        LogLevel = lib.mkDefault "VERBOSE";
+        MaxAuthTries = 3;
+        MaxSessions = lib.mkDefault 2;
+        PasswordAuthentication = false;
+        PermitEmptyPasswords = "no";
+        PermitRootLogin = lib.mkForce "no";
+        TcpKeepAlive = "no";
+        X11Forwarding = lib.mkDefault false;
+        KexAlgorithms = [
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+
+        Ciphers = [
+          "chacha20-poly1305@openssh.com"
+          "aes256-gcm@openssh.com"
+          "aes128-gcm@openssh.com"
+          "aes256-ctr"
+          "aes192-ctr"
+          "aes128-ctr"
+        ];
+
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
+      };
+    };
+
+    endlessh-go = {
+      enable = lib.mkDefault true;
+      port = 22;
+    };
+  };
+
+    networking.firewall.allowedTCPPorts = [ 22 ];
+}