infra/nix/hosts/monoceros/configuration.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  imports = [
    # Hardware scan result and the disko disk layout for this host.
    ./hardware-configuration.nix
    ./disko-config.nix
    # Modules shared by every host.
    ../../modules/base.nix
    ../../modules/dnscrypt.nix
    # Host-specific services.
    ./modules/attic.nix
    ./modules/caddy.nix
    ./modules/promtail/promtail.nix
    # ./modules/borgmatic is currently not imported.
  ];

  # Secrets are decrypted at activation with the host's own SSH ed25519 key;
  # no separate age key is generated or kept on disk.
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age = {
      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      generateKey = false;
    };
    secrets = {
      # Consumed below as users.users.root.hashedPasswordFile.
      rootPassphrase.owner = "root";
      # Consumed below as services.dnscrypt-proxy2.settings.forwarding_rules;
      # the resolver is restarted whenever the decrypted file changes.
      dnscrypt-proxy-forwardingRules.restartUnits = [ "dnscrypt-proxy2.service" ];
    };
  };

  # Trusted users may pass daemon overrides (extra substituters, unsigned
  # paths, ...), which the Nix manual treats as effectively root-equivalent.
  # Every member of wheel gets that, so keep the group small.
  nix.settings.trusted-users = [ "@wheel" "root" ];

  boot = {
    enableContainers = true;
    # Pinned explicitly instead of boot.zfs.package.latestCompatibleLinuxPackages;
    # bump only to a kernel the ZFS module builds against.
    kernelPackages = pkgs.linuxPackages_6_17;
    # ZFS-on-root cannot safely resume from hibernation.
    kernelParams = [ "nohibernate" ];
    # Legacy BIOS GRUB; systemd-boot / EFI is intentionally not used.
    loader.grub.efiSupport = false;
    supportedFilesystems = [ "ext4" "btrfs" "zfs" ];
    zfs.forceImportRoot = false;

    initrd = {
      kernelModules = [ "ext4" "btrfs" "zfs" "e1000e" "dm-snapshot" ];
      network = {
        # Initrd networking is switched off, so the SSH unlock listener
        # configured below appears dormant until this is set back to true.
        enable = false;
        udhcpc.enable = false;
        ssh = {
          enable = true;
          # The initrd uses its own host key, so a port different from the
          # regular sshd avoids host-key mismatch warnings on clients.
          port = 2222;
          # Unquoted path on purpose: the key is copied into the initrd from
          # this location (via boot.initrd.secrets). Generate it with
          # `ssh-keygen -t ed25519 -N "" -f /root/initrd-ssh_host_ed25519_key`.
          hostKeys = [ /root/initrd-ssh_host_ed25519_key ];
          ignoreEmptyHostKeys = true;
          # Key allowed to unlock the root pool over the initrd SSH session.
          authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIODmLwtQj6ylgdTPo1/H5jW7jsLzwaCTGdIsTQAdc896" ];
        };
        # Load the root dataset key on login, then let the boot continue.
        postCommands = ''
          echo "zfs load-key zroot/nixos && killall zfs" >> /root/.profile
        '';
      };
    };

    binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
  };

  networking = {
    hostId = "deadb33f";
    hostName = "monoceros";
    # Addressing is left to NetworkManager; the former static interface
    # definitions were dropped.
    nftables.enable = true;
    networkmanager.enable = true;
    # Hosts-file blocklist in addition to the dnscrypt module's filtering.
    stevenblack = {
      enable = true;
      block = [ "fakenews" "gambling" ];
    };
    firewall.allowPing = true;
  };

  environment.systemPackages = with pkgs; [
    starship
    fastfetch
    vulnix # vulnerability scanner for the Nix store closure
  ];

  users.users.root = {
    # NOTE(review): programs.zsh.enable is not set in this file; presumably
    # the imported base module enables it — confirm, NixOS warns otherwise.
    shell = pkgs.zsh;
    # Keys that may log in as root directly. Whether sshd accepts root
    # logins at all is not decided here (presumably ../../modules/base.nix).
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU t14"
    ];
    # Only the sops-managed path is referenced; the hash itself is not part
    # of this configuration.
    hashedPasswordFile = config.sops.secrets.rootPassphrase.path;
    # Subordinate UID range for user-namespaced containers (docker).
    subUidRanges = [
      {
        count = 65536;
        startUid = 65536 * 28; # 1835008
      }
    ];
  };

  services = {
    avahi.enable = lib.mkForce false;
    atd.enable = true;
    fstrim.enable = true;

    fail2ban = {
      enable = true;
      maxretry = 5; # ban after five failures
      ignoreIP = [
        # RFC 1918 ranges are never banned.
        "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
        # A hostname entry is presumably resolved by fail2ban itself; a DNS
        # change silently moves this exemption.
        "dotya.ml"
        # Whole /17 of AS6830: nothing inside this range is ever banned by
        # fail2ban, so keep it only as wide as genuinely needed.
        "188.167.128.0/17"
      ];
      bantime = "24h"; # first ban lasts one day
      bantime-increment = {
        enable = true; # grow the ban with every repeat offence
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
        maxtime = "168h"; # cap at one week
        overalljails = true; # count violations across all jails
      };
    };

    prometheus = {
      enable = false; # no local Prometheus server
      # NOTE(review): the exporter is its own unit and does not depend on
      # services.prometheus.enable, so node_exporter is expected to listen on
      # 9100; nothing in this file opens that port in the firewall — confirm
      # it is only reachable where intended.
      exporters.node = {
        enable = true;
        enabledCollectors = [ "logind" "systemd" "sysctl" "network_route" ];
        disabledCollectors = [ "arp" "tapestats" ];
        port = 9100;
      };
    };

    SystemdJournal2Gelf = {
      enable = false;
      graylogServer = "loki.tail530c7.ts.net:12201";
    };

    # Forwarding rules come from the sops secret declared above.
    dnscrypt-proxy2.settings.forwarding_rules = config.sops.secrets.dnscrypt-proxy-forwardingRules.path;

    auto-cpufreq.enable = false;
    power-profiles-daemon.enable = false;

    # Tailscale itself is enabled in the imported module; "both" adds the
    # system settings needed to advertise as well as accept routes.
    tailscale.useRoutingFeatures = "both";
  };

  systemd = {
    # NixOS 25.11 option path; systemd.watchdog.{runtimeTime,rebootTime}
    # is deprecated there.
    settings.Manager = {
      RebootWatchdogSec = "2m";
      RuntimeWatchdogSec = "3m";
    };
    services.NetworkManager-wait-online.enable = false;
  };

  # Copying configuration.nix into /run/current-system does not work with
  # flakes — yet™.
  system.copySystemConfiguration = false;
}