initial commit

modules/cli-tools.nix

@@ -0,0 +1,3 @@
+{
+  programs.tmux.enable = true;
+}

modules/default.nix

@@ -0,0 +1,19 @@
+{domain, ...}: {
+  options.weinturm = {
+  };
+
+  imports = [
+    ./cli-tools.nix
+    ./fish.nix
+    ./impermanence.nix
+    ./networking.nix
+    ./nix.nix
+    ./security.nix
+    ./sshd.nix
+    ./zram.nix
+  ];
+
+  config = {
+    networking.domain = domain;
+  };
+}

modules/fish.nix

@@ -0,0 +1,3 @@
+{
+  programs.fish.enable = true;
+}

modules/impermanence.nix

@@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  options.weinturm = with lib; {
+    impermanence = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to enable impermanence";
+      };
+      rootDevice = with types;
+        mkOption {
+          type = nullOr str;
+          default = null;
+          description = ''
+            The device which contains the btrfs root subvolume
+          '';
+        };
+    };
+  };
+  config = let
+    cfg = config.weinturm.impermanence;
+  in
+    lib.mkIf cfg.enable {
+      fileSystems."/persist".neededForBoot = true;
+
+      environment.persistence."/persist".directories = [
+        "/var/lib/nixos"
+      ];
+
+      boot.initrd.postDeviceCommands = let
+        rootDevice =
+          if cfg.rootDevice == null
+          then ""
+          else cfg.rootDevice;
+      in
+        lib.mkAfter ''
+          mkdir /mnt
+          mount -t btrfs "${rootDevice}" /mnt
+          btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume; do
+            btrfs subvolume delete "/mnt/$subvolume"
+          done
+          btrfs subvolume delete /mnt/root
+          btrfs subvolume snapshot /mnt/root-blank /mnt/root
+        '';
+    };
+}

modules/networking.nix

@@ -0,0 +1,3 @@
+{
+  networking.nftables.enable = true;
+}

modules/nix.nix

@@ -0,0 +1,52 @@
+{
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: {
+  nix = {
+    package = pkgs.nixVersions.stable;
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+
+    daemonCPUSchedPolicy = "idle";
+    daemonIOSchedClass = "idle";
+    daemonIOSchedPriority = 7;
+
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+    ];
+
+    settings = {
+      trusted-users = ["@wheel"];
+      auto-optimise-store = true;
+      allowed-users = ["@wheel"];
+
+      log-lines = lib.mkDefault 25;
+
+      # Avoid disk full issues
+      max-free = lib.mkDefault (3000 * 1024 * 1024);
+      min-free = lib.mkDefault (512 * 1024 * 10);
+
+      download-buffer-size = lib.mkDefault (512 * 1024 * 1024);
+    };
+
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+      randomizedDelaySec = "60 min";
+    };
+  };
+
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = 250;
+
+  nixpkgs.overlays = with inputs; [
+    self.overlays.default
+  ];
+
+  environment.systemPackages = with pkgs; [
+    cached-nix-shell
+    git
+  ];
+}

modules/security.nix

@@ -0,0 +1,18 @@
+{
+  boot = {
+    tmp.cleanOnBoot = true;
+    kernel.sysctl = {
+      "kernel.kptr_restrict" = 1;
+      "kernel.yama.ptrace_scope" = 1;
+      "kernel.kexec_load_disabled" = 1;
+    };
+    kernelParams = [
+      "lockdown=integrity"
+    ];
+  };
+
+  security = {
+    polkit.enable = true;
+    sudo.wheelNeedsPassword = false;
+  };
+}

modules/sshd.nix

@@ -0,0 +1,67 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  services.openssh = {
+    enable = true;
+    settings = {
+      KbdInteractiveAuthentication = false;
+      Ciphers = [
+        "aes256-gcm@openssh.com"
+      ];
+      # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+      KexAlgorithms = [
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group16-sha512"
+        "diffie-hellman-group18-sha512"
+        "sntrup761x25519-sha512@openssh.com"
+      ];
+      PasswordAuthentication = false;
+      StreamLocalBindUnlink = true; # unbind gnupg sockets if they exists
+      UseDns = false;
+      X11Forwarding = false;
+    };
+    hostKeys =
+      if config.weinturm.impermanence.enable
+      then [
+        {
+          type = "ed25519";
+          path = "/persist/etc/ssh/ssh_host_ed25519_key";
+        }
+      ]
+      else [
+        {
+          type = "ed25519";
+          path = "/etc/ssh/ssh_host_ed25519_key";
+        }
+      ];
+    authorizedKeysFiles = lib.mkIf (!config.services.gitlab.enable) (lib.mkForce ["/etc/ssh/authorized_keys.d/%u"]);
+  };
+
+  networking.nftables.tables."nixos-fw".content = lib.mkOrder 20 ''
+    set ssh-ratelimit-v4 {
+      type ipv4_addr
+      timeout 60s
+      flags dynamic
+    }
+
+    set ssh-ratelimit-v6 {
+      type ipv6_addr
+      timeout 60s
+      flags dynamic
+    }
+  '';
+
+  # Implement connection rate limit
+  services.openssh.openFirewall = false;
+  networking.firewall.extraInputRules = lib.mkOrder 5 (
+    let
+      ports = builtins.concatStringsSep ", " (map builtins.toString config.services.openssh.ports);
+    in ''
+      tcp dport { ${ports} } update @ssh-ratelimit-v4 { ip saddr limit rate 1/second burst 10 packets } accept
+      tcp dport { ${ports} } update @ssh-ratelimit-v6 { ip6 saddr limit rate 1/second burst 10 packets } accept
+    ''
+  );
+}

modules/zram.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.weinturm.zram;
+in {
+  options.weinturm = with lib; {
+    zram = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to enable zram swap";
+      };
+    };
+  };
+  config = {
+    zramSwap = {
+      inherit (cfg) enable;
+      algorithm = "zstd";
+      memoryPercent = 60;
+      priority = 1;
+    };
+  };
+}