feat: add disko config for redshift

feat: add redshift (vps) host
feat: add rollback service for btrfs
2025-03-10 19:10:28 +03:00 · 2025-03-10 19:08:13 +03:00 · 2025-03-10 19:06:21 +03:00 · 2025-03-10 19:04:49 +03:00 · 2025-03-10 19:01:22 +03:00 · 2025-03-10 18:46:44 +03:00
25 changed files with 1476 additions and 57 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,14 @@
 keys:
  - &ataraxia age1n0prg9vynuwc56gn0xfe5qde8wqcd4uzg5ghhhetu2024ckvjyvqxf49el
  - &redshift age1d4mqql020mpne9r3vtt4l9ywfzfq7zpa3mad33syxln2kldkjsxqgju90f
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *ataraxia
          - *redshift
  - path_regex: secrets/redshift/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *ataraxia
          - *redshift
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,9 +16,9 @@
                "nixos": {
                    "expr": "(builtins.getFlake \"${workspaceFolder}\").nixosConfigurations.NixOS-VM.options",
                },
-                // "home-manager": {
+                "home-manager": {
-                //     "expr": "(builtins.getFlake \"${workspaceFolder}\").homeConfigurations.NixOS-VM.options",
+                    "expr": "(builtins.getFlake \"${workspaceFolder}\").nixosConfigurations.NixOS-VM.options.home-manager",
-                // },
+                },
            },
        },
    }
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,3 @@
 extends: default
 rules:
  document-start: disable
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1740828104,
+        "lastModified": 1741367062,
-        "narHash": "sha256-tsbyfl+hC+p9XrQ+TlwwC7YXh9wHZlOMeGG0HQnMKQY=",
+        "narHash": "sha256-xVKNSa/gzjncWJWEpdAnufTg2lU9vXKk9OjFRAAkmQE=",
        "owner": "AtaraxiaSjel",
        "repo": "nur",
-        "rev": "1aecfeba906e88c0a2f6e76d112eb81d8da12c1d",
+        "rev": "6b8ac8dfa8123f29f7ab68b8c82287e2fed2f49a",
        "type": "github"
      },
      "original": {
@ -120,6 +120,28 @@
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat_3",
        "nixpkgs": [
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
        "lastModified": 1727447169,
        "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
        "owner": "serokell",
        "repo": "deploy-rs",
        "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
        "type": "github"
      },
      "original": {
        "owner": "serokell",
        "repo": "deploy-rs",
        "type": "github"
      }
    },
    "devenv": {
      "inputs": {
        "cachix": "cachix",
@ -231,17 +253,17 @@
    "devenv_4": {
      "inputs": {
        "cachix": "cachix_3",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
        "git-hooks": "git-hooks",
        "nix": "nix_4",
        "nixpkgs": "nixpkgs_7"
      },
      "locked": {
-        "lastModified": 1740678151,
+        "lastModified": 1741348424,
-        "narHash": "sha256-q0tKL+Yny0wkLCHRBHQ97YhjorNLnbnyjc+FnQZyKkM=",
+        "narHash": "sha256-nPwbJpX8AxmzbgRd2m6KHIbyN1xavq1BaBdJzO/lkW0=",
        "owner": "cachix",
        "repo": "devenv",
-        "rev": "af151da5e3d7391fe778050da00d8e7cefa2d087",
+        "rev": "8f8c96bb1e0c6a59a97592328dc61b9fdbe7474b",
        "type": "github"
      },
      "original": {
@ -250,6 +272,26 @@
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1740485968,
        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
        "owner": "nix-community",
        "repo": "disko",
        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "disko",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@ -283,6 +325,22 @@
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1696426674,
        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-compat_4": {
      "flake": false,
      "locked": {
        "lastModified": 1733328505,
@ -366,11 +424,11 @@
        "nixpkgs-lib": "nixpkgs-lib_2"
      },
      "locked": {
-        "lastModified": 1738453229,
+        "lastModified": 1741352980,
-        "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+        "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+        "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
        "type": "github"
      },
      "original": {
@ -430,7 +488,7 @@
    },
    "flake-utils_3": {
      "inputs": {
-        "systems": "systems_2"
+        "systems": "systems_3"
      },
      "locked": {
        "lastModified": 1731533236,
@ -446,6 +504,24 @@
        "type": "github"
      }
    },
    "flake-utils_4": {
      "inputs": {
        "systems": "systems_4"
      },
      "locked": {
        "lastModified": 1710146030,
        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flakey-profile": {
      "locked": {
        "lastModified": 1712898590,
@ -473,11 +549,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1737465171,
+        "lastModified": 1740849354,
-        "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
+        "narHash": "sha256-oy33+t09FraucSZ2rZ6qnD1Y1c8azKKmQuCvF2ytUko=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
+        "rev": "4a709a8ce9f8c08fa7ddb86761fe488ff7858a07",
        "type": "github"
      },
      "original": {
@ -538,11 +614,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1740796616,
+        "lastModified": 1741579508,
-        "narHash": "sha256-JU97wIfRxeFN6rpTsUVCwWAdix+Wka4Or23907YIrFI=",
+        "narHash": "sha256-skRbH+UF2ES+msEa+KWi7AQFX73S+QsGlPsyCU6XyE0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f0b5e7e8a75abdea32bbff09ddd7b6eeb4b9b445",
+        "rev": "744f749dd6fbc1489591ea370b95156858629cb9",
        "type": "github"
      },
      "original": {
@ -600,16 +676,16 @@
    },
    "lite-config": {
      "locked": {
-        "lastModified": 1740833288,
+        "lastModified": 1741449308,
-        "narHash": "sha256-6wHmdkkJ8OpmOSkdYvCoq5vMYILimDM0V1iqOg4GwdY=",
+        "narHash": "sha256-+DKkUwO9RxuBMTy0n8vnGzwBckMRj4KDQl3yLswq3aE=",
        "owner": "ataraxiasjel",
        "repo": "lite-config",
-        "rev": "2ea208e46d2811858c7a7be78a285e69e8b2708c",
+        "rev": "bf042143ef8bd2789f345268253f6f10d4678a78",
        "type": "github"
      },
      "original": {
        "owner": "ataraxiasjel",
-        "ref": "v0.7.0",
+        "ref": "v0.8.0",
        "repo": "lite-config",
        "type": "github"
      }
@ -652,6 +728,21 @@
        "type": "github"
      }
    },
    "mk-shell-bin": {
      "locked": {
        "lastModified": 1677004959,
        "narHash": "sha256-/uEkr1UkJrh11vD02aqufCxtbF5YnhRTIKlx5kyvf+I=",
        "owner": "rrbutani",
        "repo": "nix-mk-shell-bin",
        "rev": "ff5d8bd4d68a347be5042e2f16caee391cd75887",
        "type": "github"
      },
      "original": {
        "owner": "rrbutani",
        "repo": "nix-mk-shell-bin",
        "type": "github"
      }
    },
    "nix": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -708,6 +799,27 @@
        "type": "github"
      }
    },
    "nix2container": {
      "inputs": {
        "flake-utils": "flake-utils_4",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1739638901,
        "narHash": "sha256-w+mIxNbEaOh2JqDwV2BLt71GZTBMzTyHhm3JYG0rkj0=",
        "owner": "nlewo",
        "repo": "nix2container",
        "rev": "50818838feff20902ff9004dcdef1aeb7098e488",
        "type": "github"
      },
      "original": {
        "owner": "nlewo",
        "repo": "nix2container",
        "type": "github"
      }
    },
    "nix_2": {
      "inputs": {
        "flake-compat": [
@ -849,23 +961,26 @@
    },
    "nixpkgs-lib_2": {
      "locked": {
-        "lastModified": 1738452942,
+        "lastModified": 1740877520,
-        "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=",
+        "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "repo": "nixpkgs.lib",
        "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
        "type": "github"
      },
      "original": {
-        "type": "tarball",
+        "owner": "nix-community",
-        "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz"
+        "repo": "nixpkgs.lib",
        "type": "github"
      }
    },
    "nixpkgs-master": {
      "locked": {
-        "lastModified": 1740833265,
+        "lastModified": 1741607783,
-        "narHash": "sha256-2KvMZrAAeY7UkUB1ayK6TwVFL369xIPY6ExPvyuNLcQ=",
+        "narHash": "sha256-qKrom+rflGH23CBtcmumxXCLiRpO6iMhIAv+HXT36uA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2cf427c0455febe93e01d8f2491129698aff6fd4",
+        "rev": "abd72d8e98ab73f114561d986f9c069ddd800935",
        "type": "github"
      },
      "original": {
@ -1037,11 +1152,11 @@
    },
    "nixpkgs_8": {
      "locked": {
-        "lastModified": 1740695751,
+        "lastModified": 1741379970,
-        "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
+        "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
+        "rev": "36fd87baa9083f34f7f5027900b62ee6d09b1f2f",
        "type": "github"
      },
      "original": {
@ -1151,17 +1266,22 @@
    "root": {
      "inputs": {
        "ataraxiasjel-nur": "ataraxiasjel-nur",
        "deploy-rs": "deploy-rs",
        "devenv": "devenv_4",
        "devenv-root": "devenv-root",
        "disko": "disko",
        "flake-parts": "flake-parts_4",
        "flake-registry": "flake-registry",
        "home-manager": "home-manager",
        "impermanence": "impermanence",
        "lite-config": "lite-config",
        "lix-module": "lix-module",
        "mk-shell-bin": "mk-shell-bin",
        "nix2container": "nix2container",
        "nixpkgs": "nixpkgs_8",
        "nixpkgs-master": "nixpkgs-master",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
        "srvos": "srvos"
      }
    },
    "sops-nix": {
@ -1171,11 +1291,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1739262228,
+        "lastModified": 1741043164,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
        "type": "github"
      },
      "original": {
@ -1184,6 +1304,26 @@
        "type": "github"
      }
    },
    "srvos": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1741567682,
        "narHash": "sha256-N2LArmDeNL06fLHvLmbNMG3L2fEi62+Ra4X1NkPKsKQ=",
        "owner": "nix-community",
        "repo": "srvos",
        "rev": "4b726f14b80473a05302cdcd70d3043a183c5276",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "srvos",
        "type": "github"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
@ -1213,6 +1353,54 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_3": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "systems_4": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    },
    "utils": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1701680307,
        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -7,15 +7,21 @@
  };
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
    flake-parts.url = "github:hercules-ci/flake-parts";
    lite-config.url = "github:ataraxiasjel/lite-config/v0.7.0";
    devenv.url = "github:cachix/devenv";
    devenv-root = {
      url = "file+file:///dev/null";
      flake = false;
    };
    mk-shell-bin.url = "github:rrbutani/nix-mk-shell-bin";
    nix2container = {
      url = "github:nlewo/nix2container";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
    flake-parts.url = "github:hercules-ci/flake-parts";
    lite-config.url = "github:ataraxiasjel/lite-config/v0.8.0";
    flake-registry = {
      url = "github:nixos/flake-registry";
      flake = false;
@ -26,6 +32,14 @@
    };
    ataraxiasjel-nur.url = "github:AtaraxiaSjel/nur";
    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    impermanence.url = "github:nix-community/impermanence";
    lix-module = {
      # url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
@ -56,7 +70,7 @@
            config = {
              allowUnfree = true;
            };
-            patches = [ ./patches/onlyoffice.patch ];
+            patches = [ ./patches/erofs-hardened.patch ];
            overlays = [
              inputs.ataraxiasjel-nur.overlays.default
              inputs.ataraxiasjel-nur.overlays.grub2-unstable-argon2
@ -65,6 +79,7 @@
          };
          extraSpecialArgs = {
            flake-self = self;
            secretsDir = ./secrets;
          };
          systemModules = [
            inputs.sops-nix.nixosModules.sops
@ -74,6 +89,11 @@
          hostModuleDir = ./hosts;
          hosts = {
            NixOS-VM.system = "x86_64-linux";
            # VPS
            redshift = {
              system = "x86_64-linux";
              useHomeManager = false;
            };
          };
        };
@ -100,6 +120,10 @@
                deadnix.enable = true;
                flake-checker.enable = true;
                lychee.enable = true;
                lychee.args = [
                  "--exclude"
                  "^https://.+\\.backblazeb2\\.com"
                ];
                markdownlint.enable = true;
                nixfmt-rfc-style.enable = true;
                ripsecrets.enable = true;
@ -107,9 +131,13 @@
                typos.enable = true;
                yamlfmt.enable = true;
                yamllint.enable = true;
                yamllint.args = [
                  "--config-file"
                  ".yamllint"
                  "--format"
                  "parsable"
                ];
              };
              # https://github.com/cachix/devenv/issues/528
              containers = { };
            };
          };
      }
--- a/hosts/redshift/default.nix
+++ b/hosts/redshift/default.nix
@ -0,0 +1,153 @@
 {
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
  ];
  ataraxia.defaults.role = "server";
  # Impermanence
  persist.cache.clean.enable = true;
  ataraxia.filesystems.btrfs.enable = true;
  ataraxia.filesystems.btrfs.eraseOnBoot.enable = true;
  ataraxia.filesystems.btrfs.eraseOnBoot.device = "/dev/sda4";
  ataraxia.filesystems.btrfs.eraseOnBoot.systemdDevice =
    "sys-devices-pci0000:00-0000:00:05.0-0000:01:01.0-virtio3-host0-target0:0:0-0:0:0:0-block-sda.device";
  ataraxia.filesystems.btrfs.eraseOnBoot.eraseVolumes = [
    {
      vol = "rootfs";
      blank = "rootfs-blank";
    }
    {
      vol = "homefs";
      blank = "homefs-blank";
    }
  ];
  ataraxia.defaults.ssh.ports = [ 32323 ];
  ataraxia.network = {
    enable = true;
    enableIPv6 = false;
    domain = "wg.ataraxiadev.com";
    ifname = "enp0s18";
    mac = "bc:24:11:99:d5:2f";
    bridge.enable = true;
    ipv4 = {
      address = "104.164.54.197/24";
      gateway = "104.164.54.1";
      dns = [
        "9.9.9.9"
        "149.112.112.112"
      ];
    };
  };
  services.qemuGuest.enable = lib.mkForce true;
  # I don't want to specify all required kernel modules
  # manually. For now at least
  security.lockKernelModules = lib.mkForce false;
  # scudo memalloc often borks everything
  environment.memoryAllocator.provider = lib.mkForce "libc";
  boot = {
    initrd.availableKernelModules = [
      "ata_piix"
      "uhci_hcd"
      "vfat"
      "virtio_pci"
      "virtio_scsi"
      "sd_mod"
      "sr_mod"
    ];
    kernelModules = [ "kvm-intel" ];
    kernelParams = [
      "scsi_mod.use_blk_mq=1"
      "kvm.ignore_msrs=1"
      "kvm.report_ignored_msrs=0"
      # Allow access to rescue mode with locked root user
      # "rd.systemd.unit=rescue.target"
      "systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
    ];
    kernel.sysctl = {
      "vm.swappiness" = 50;
      "vm.vfs_cache_pressure" = 200;
      "vm.dirty_background_ratio" = 1;
      "vm.dirty_ratio" = 40;
      "vm.page-cluster" = 0;
      # proxy tuning
      "net.ipv4.tcp_congestion_control" = "bbr";
      "net.ipv4.tcp_slow_start_after_idle" = 0;
      "net.core.default_qdisc" = "cake";
      "net.core.rmem_max" = 67108864;
      "net.core.wmem_max" = 67108864;
      "net.core.netdev_max_backlog" = 10000;
      "net.core.somaxconn" = 4096;
      "net.ipv4.tcp_syncookies" = 1;
      "net.ipv4.tcp_tw_reuse" = 1;
      "net.ipv4.tcp_fin_timeout" = 30;
      "net.ipv4.tcp_keepalive_time" = 1200;
      "net.ipv4.tcp_keepalive_probes" = 5;
      "net.ipv4.tcp_keepalive_intvl" = 30;
      "net.ipv4.tcp_max_syn_backlog" = 8192;
      "net.ipv4.tcp_max_tw_buckets" = 5000;
      "net.ipv4.tcp_fastopen" = 3;
      "net.ipv4.tcp_mem" = "25600 51200 102400";
      "net.ipv4.udp_mem" = "25600 51200 102400";
      "net.ipv4.tcp_rmem" = "4096 87380 67108864";
      "net.ipv4.tcp_wmem" = "4096 65536 67108864";
      "net.ipv4.tcp_mtu_probing" = 1;
    };
    loader.grub = {
      enable = true;
      efiSupport = true;
      efiInstallAsRemovable = true;
    };
    supportedFilesystems = [
      "vfat"
      "btrfs"
    ];
  };
  environment.systemPackages = builtins.attrValues {
    inherit (pkgs.kitty) terminfo;
    inherit (pkgs)
      bat
      bottom
      comma
      git
      micro
      nix-index
      pwgen
      rsync
      ;
  };
  services.fail2ban = {
    enable = true;
    maxretry = 3;
    bantime = "2h";
    bantime-increment = {
      enable = true;
      maxtime = "72h";
      overalljails = true;
    };
    ignoreIP = [
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
    ];
    jails = {
      sshd.settings = {
        backend = "systemd";
        mode = "aggressive";
      };
    };
  };
  system.stateVersion = "24.11";
 }
--- a/hosts/redshift/disk-config.nix
+++ b/hosts/redshift/disk-config.nix
@ -0,0 +1,156 @@
 { inputs, ... }:
 {
  imports = [ inputs.disko.nixosModules.disko ];
  disko.devices.disk.disk1 =
    let
      device = "/dev/sda";
    in
    {
      inherit device;
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            name = "boot";
            size = "1M";
            type = "EF02";
          };
          esp = {
            name = "ESP";
            size = "512M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          swap = {
            name = "swap";
            size = "1G";
            content = {
              type = "swap";
              randomEncryption = true;
            };
          };
          root = {
            name = "root";
            size = "100%";
            content = {
              type = "btrfs";
              extraArgs = [ "-f" ];
              postCreateHook = ''
                mount -t btrfs ${device}4 /mnt
                btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
                btrfs subvolume snapshot -r /mnt/homefs /mnt/snapshots/homefs-blank
                btrfs subvolume snapshot -r /mnt/persist/docker /mnt/snapshots/docker-blank
                btrfs subvolume snapshot -r /mnt/persist/podman /mnt/snapshots/podman-blank
                btrfs subvolume snapshot -r /mnt/persist/containers /mnt/snapshots/containers-blank
                btrfs subvolume snapshot -r /mnt/persist/libvirt /mnt/snapshots/libvirt-blank
                btrfs subvolume snapshot -r /mnt/persist/log /mnt/snapshots/log-blank
                btrfs subvolume snapshot -r /mnt/persist/impermanence /mnt/snapshots/impermanence-blank
                btrfs subvolume snapshot -r /mnt/persist/srv /mnt/snapshots/srv-blank
                umount /mnt
              '';
              subvolumes = {
                "/snapshots" = { };
                "/rootfs" = {
                  mountpoint = "/";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/homefs" = {
                  mountpoint = "/home";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist" = { };
                "/persist/nix" = {
                  mountpoint = "/nix";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/srv" = {
                  mountpoint = "/srv";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/docker" = {
                  mountpoint = "/var/lib/docker";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/podman" = {
                  mountpoint = "/var/lib/podman";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/containers" = {
                  mountpoint = "/var/lib/containers";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/libvirt" = {
                  mountpoint = "/var/lib/libvirt";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/log" = {
                  mountpoint = "/var/log";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
                "/persist/impermanence" = {
                  mountpoint = "/persist";
                  mountOptions = [
                    "compress=zstd"
                    "noatime"
                    "autodefrag"
                    "ssd"
                  ];
                };
              };
            };
          };
        };
      };
    };
 }
--- a/modules/home/persist/default.nix
+++ b/modules/home/persist/default.nix
@ -1,10 +1,12 @@
 {
  config,
  lib,
  ...
 }:
 let
-  inherit (lib) mkOption mkEnableOption;
+  inherit (lib) mkOption mkEnableOption mkIf;
  inherit (lib.types) listOf path str;
  cfg = config.persist;
 in
 {
  options =
@ -45,4 +47,12 @@ in
        } // common;
      };
    };
  config = mkIf cfg.enable {
    # Persist by default
    persist.cache.directories = [ ".cache" ];
    persist.state = {
      directories = [ ".local/share/nix" ];
    };
  };
 }
--- a/modules/nixos/backups/default.nix
+++ b/modules/nixos/backups/default.nix
@ -0,0 +1,4 @@
 { ... }:
 {
  imports = [ ./postgresql.nix ];
 }
--- a/modules/nixos/backups/postgresql.nix
+++ b/modules/nixos/backups/postgresql.nix
@ -0,0 +1,108 @@
 {
  config,
  lib,
  pkgs,
  inputs,
  secretsDir,
  ...
 }:
 let
  inherit (lib)
    mapAttrs'
    mkDefault
    mkIf
    mkOption
    nameValuePair
    ;
  inherit (lib.types)
    attrsOf
    nullOr
    str
    submodule
    ;
 in
 {
  options.backups.postgresql = mkOption {
    description = ''
      Periodic backups of postgresql database to create using Rustic.
    '';
    type = attrsOf (
      submodule (
        { name, ... }:
        {
          options = {
            dbName = mkOption {
              type = str;
              default = name;
              description = "Name of database to backup";
            };
            proxyAddress = mkOption {
              type = nullOr str;
              default = null;
              description = "Optional https proxy for connection to backblaze.";
            };
          };
        }
      )
    );
    default = { };
  };
  imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
  config = mkIf (config.backups.postgresql != { }) {
    sops.secrets.rustic-postgresql-s3-env.sopsFile = mkDefault (secretsDir + /rustic.yaml);
    sops.secrets.rustic-postgresql-pass.sopsFile = mkDefault (secretsDir + /rustic.yaml);
    sops.secrets.rustic-postgresql-s3-env.owner = "postgres";
    sops.secrets.rustic-postgresql-pass.owner = "postgres";
    services.rustic.backups = mapAttrs' (
      name: backup:
      nameValuePair "postgresql-${name}" {
        backup = true;
        prune = true;
        initialize = true;
        user = "postgres";
        extraEnvironment.https_proxy = mkIf (backup.proxyAddress != null) backup.proxyAddress;
        environmentFile = config.sops.secrets.rustic-postgresql-s3-env.path;
        pruneOpts = [ "--repack-cacheable-only=false" ];
        timerConfig = {
          OnCalendar = "daily";
          Persistent = true;
        };
        # Backup postgresql db and pass it to rustic through stdin
        # Runs this command:
        # pg_dump ${dbName} | zstd --rsyncable --stdout - | rustic -P postgresql-authentik backup -
        backupCommandPrefix = "${config.services.postgresql.package}/bin/pg_dump --clean ${backup.dbName} | ${pkgs.zstd}/bin/zstd --rsyncable --stdout - |";
        extraBackupArgs = [ "-" ];
        # Rustic profile yaml
        settings = {
          repository = {
            repository = "opendal:s3";
            password-file = config.sops.secrets.rustic-postgresql-pass.path;
            options = {
              root = backup.dbName;
              bucket = "ataraxia-postgresql-backups";
              region = "eu-central-003";
              endpoint = "https://s3.eu-central-003.backblazeb2.com";
            };
          };
          backup = {
            host = config.networking.hostName;
            label = backup.dbName;
            ignore-devid = true;
            group-by = "label";
            skip-identical-parent = true;
            stdin-filename = "${backup.dbName}.dump.zst";
          };
          forget = {
            filter-labels = [ backup.dbName ];
            group-by = "label";
            prune = true;
            keep-daily = 4;
            keep-weekly = 2;
            keep-monthly = 1;
          };
        };
      }
    ) config.backups.postgresql;
  };
 }
--- a/modules/nixos/filesystems/btrfs.nix
+++ b/modules/nixos/filesystems/btrfs.nix
@ -0,0 +1,122 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (builtins) map;
  inherit (lib)
    concatStringsSep
    mkIf
    mkEnableOption
    mkOption
    mkBefore
    ;
  inherit (lib.types)
    bool
    str
    listOf
    submodule
    ;
  cfg = config.ataraxia.filesystems.btrfs;
  eraseVolumesOpts =
    { ... }:
    {
      options = {
        vol = mkOption {
          type = str;
          example = "rootfs";
          description = "Name of submodule to erase";
        };
        blank = mkOption {
          type = str;
          example = "rootfs-blank";
          description = "Name of submodule to clone into `vol`";
        };
      };
    };
 in
 {
  options.ataraxia.filesystems.btrfs = {
    enable = mkEnableOption "Root on btrfs";
    # Btrfs clean root
    eraseOnBoot = {
      enable = mkOption {
        type = bool;
        default = config.persist.enable;
        description = "Clean btrfs subvolumes on boot";
      };
      device = mkOption {
        type = str;
        description = "Device on which is btrfs partititon";
      };
      systemdDevice = mkOption {
        type = str;
        description = "Escaped string with name of .device service";
        example = "dev-disk-by\\x2did-ata\\x2dPhison_SATA_SSD_2165.device";
      };
      eraseVolumes = mkOption {
        type = listOf (submodule eraseVolumesOpts);
        default = [ ];
        example = [
          {
            vol = "rootfs";
            blank = "rootfs-blank";
          }
        ];
        description = ''
          A list of subvolumes to erase on boot.
        '';
      };
    };
  };
  config =
    let
      script = ''
        mkdir -p /mnt
        mount -t btrfs -o subvol=/ ${cfg.eraseOnBoot.device} /mnt
        ${concatStringsSep "\n" (
          map (x: ''
            btrfs subvolume list -o /mnt/${x.vol} |
            cut -f9 -d' ' |
            while read subvolume; do
              echo "deleting /$subvolume subvolume..."
              btrfs subvolume delete "/mnt/$subvolume"
            done &&
            echo "deleting /${x.vol} subvolume..."
            btrfs subvolume delete /mnt/${x.vol}
            echo "restoring blank ${x.blank} subvolume..."
            btrfs subvolume snapshot /mnt/snapshots/${x.blank} /mnt/${x.vol}
          '') cfg.eraseOnBoot.eraseVolumes
        )}
        umount /mnt
      '';
    in
    mkIf cfg.enable {
      boot.initrd = mkIf cfg.eraseOnBoot.enable {
        postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (mkBefore script);
        systemd.services.rollback = mkIf config.boot.initrd.systemd.enable {
          description = "Rollback btrfs root subvolume to a pristine state on boot";
          wantedBy = [ "initrd.target" ];
          requires = [ cfg.eraseOnBoot.systemdDevice ];
          after = [ cfg.eraseOnBoot.systemdDevice ];
          before = [ "sysroot.mount" ];
          path = [
            pkgs.btrfs-progs
            pkgs.coreutils
            pkgs.util-linuxMinimal.mount
          ];
          unitConfig.DefaultDependencies = "no";
          serviceConfig.Type = "oneshot";
          script = script;
        };
      };
    };
 }
--- a/modules/nixos/filesystems/default.nix
+++ b/modules/nixos/filesystems/default.nix
@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./btrfs.nix
    ./zfs.nix
  ];
 }
--- a/modules/nixos/filesystems/zfs.nix
+++ b/modules/nixos/filesystems/zfs.nix
@ -0,0 +1,16 @@
 { config, lib, ... }:
 let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.ataraxia.filesystems.zfs;
 in
 {
  options.ataraxia.filesystems.zfs = {
    enable = mkEnableOption "Root on zfs";
  };
  config = mkIf cfg.enable {
    persist.state.files = [
      "/etc/zfs/zpool.cache"
    ];
  };
 }
--- a/modules/nixos/locale/default.nix
+++ b/modules/nixos/locale/default.nix
@ -0,0 +1,44 @@
 { config, lib, ... }:
 let
  inherit (lib) mkDefault mkEnableOption mkIf;
  cfg = config.ataraxia.defaults.locale;
  c = "C.UTF-8";
  dk = "en_DK.UTF-8";
  gb = "en_GB.UTF-8";
  ie = "en_IE.UTF-8";
  ru = "ru_RU.UTF-8";
  us = "en_US.UTF-8";
  lang = "en_IE:en_US:en:C:ru_RU";
 in
 {
  options.ataraxia.defaults.locale = {
    enable = mkEnableOption "Default locale settings";
  };
  config = mkIf cfg.enable {
    environment.sessionVariables = {
      XKB_DEFAULT_LAYOUT = "us,ru";
      XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
    };
    i18n.defaultLocale = ie;
    i18n.extraLocaleSettings = {
      LANGUAGE = lang;
      LC_TIME = dk;
      LC_ADDRESS = ru;
      LC_MONETARY = ru;
      LC_NUMERIC = ru;
      LC_PAPER = ru;
      LC_TELEPHONE = ru;
    };
    i18n.supportedLocales = map (x: "${x}/UTF-8") [
      c
      dk
      gb
      ie
      ru
      us
    ];
    time.timeZone = mkDefault "Europe/Moscow";
  };
 }
--- a/modules/nixos/network/default.nix
+++ b/modules/nixos/network/default.nix
@ -0,0 +1,148 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkForce
    mkIf
    mkOption
    optionals
    ;
  inherit (lib.types)
    bool
    listOf
    nullOr
    str
    ;
  cfg = config.ataraxia.network;
 in
 {
  options.ataraxia.network = {
    enable = mkEnableOption "Enable systemd-networkd bridged network";
    enableIPv6 = mkEnableOption "Enable IPv6";
    domain = mkOption {
      type = nullOr str;
      default = null;
    };
    ifname = mkOption {
      type = str;
    };
    mac = mkOption {
      type = str;
    };
    bridge = {
      enable = mkOption {
        type = bool;
        default = true;
      };
      name = mkOption {
        type = str;
        default = "br0";
      };
    };
    ipv4 = {
      address = mkOption {
        type = str;
      };
      gateway = mkOption {
        type = str;
      };
      dns = mkOption {
        type = listOf str;
        default = [ ];
      };
      gatewayOnLink = mkEnableOption "Enable GatewayOnLink";
    };
    ipv6 = {
      address = mkOption {
        type = str;
      };
      gateway = mkOption {
        type = str;
      };
      dns = mkOption {
        type = listOf str;
        default = [ ];
      };
      gatewayOnLink = mkEnableOption "Enable GatewayOnLink";
    };
  };
  config = mkIf cfg.enable {
    services.resolved.enable = true;
    networking = {
      dhcpcd.enable = false;
      domain = mkIf (cfg ? domain) cfg.domain;
      enableIPv6 = cfg.enableIPv6;
      nftables.enable = true;
      useDHCP = false;
      useNetworkd = false;
      usePredictableInterfaceNames = mkForce true;
      firewall = {
        enable = true;
        allowedTCPPorts = mkDefault [ ];
        allowedUDPPorts = mkDefault [ ];
      };
    };
    systemd.network = {
      enable = true;
      wait-online.ignoredInterfaces = [ "lo" ];
      netdevs = {
        "20-${cfg.bridge.name}" = {
          netdevConfig = {
            Kind = "bridge";
            Name = cfg.bridge.name;
            MACAddress = cfg.mac;
          };
        };
      };
      networks = {
        "30-${cfg.ifname}" = {
          matchConfig.Name = cfg.ifname;
          linkConfig.RequiredForOnline = "enslaved";
          networkConfig.Bridge = cfg.bridge.name;
          networkConfig.DHCP = "no";
        };
        "40-${cfg.bridge.name}" = {
          matchConfig.Name = cfg.bridge.name;
          address =
            [
              cfg.ipv4.address
            ]
            ++ optionals cfg.enableIPv6 [
              cfg.ipv6.address
              "fc00::1/64"
            ];
          dns = cfg.ipv4.dns ++ optionals cfg.enableIPv6 cfg.ipv6.dns;
          networkConfig.LinkLocalAddressing = "no";
          linkConfig.RequiredForOnline = "routable";
          routes =
            [
              {
                Gateway = cfg.ipv4.gateway;
                GatewayOnLink = mkIf cfg.ipv4.gatewayOnLink true;
              }
            ]
            ++ optionals cfg.enableIPv6 [
              {
                Gateway = cfg.ipv6.gateway;
                GatewayOnLink = mkIf cfg.ipv4.gatewayOnLink true;
              }
            ];
        };
      };
    };
    system.activationScripts.udp-gro-forwarding = mkIf cfg.bridge.enable {
      text = ''
        ${pkgs.ethtool}/bin/ethtool -K ${cfg.bridge.name} rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };
 }
--- a/modules/nixos/persist/default.nix
+++ b/modules/nixos/persist/default.nix
@ -15,6 +15,7 @@ let
    mkMerge
    mkOption
    nameValuePair
    optionalAttrs
    ;
  inherit (lib.types) listOf path str;
  inherit (builtins) concatMap;
@ -78,7 +79,9 @@ in
      allFiles = takeAll "files" persists;
      allDirectories = takeAll "directories" persists;
-      userPersists = mapAttrs (_: cfg: cfg.persist) config.home-manager.users;
+      userPersists = mapAttrs (_: cfg: cfg.persist) (
        { } // optionalAttrs (builtins.hasAttr "home-manager" config) config.home-manager.users
      );
      usersFlatten = mapAttrs (
        name: cfg:
        let
@ -97,9 +100,6 @@ in
      ) userPersists;
    in
    mkIf cfg.enable {
      # Persist users uid by default
      persist.state.directories = [ "/var/lib/nixos" ];
      environment.persistence.${cfg.persistRoot} = {
        hideMounts = true;
        directories = allDirectories;
@ -143,5 +143,32 @@ in
            };
          }
        ];
      fileSystems.${cfg.persistRoot}.neededForBoot = true;
      # TODO: disable some dirs if using zfs
      # Persist by default
      persist.cache.directories = [
        "/var/cache"
      ];
      persist.state = {
        directories =
          [
            "/var/lib/nixos"
            "/var/lib/systemd"
          ]
          ++ lib.optionals config.services.mysql.enable [
            config.services.mysql.dataDir
          ]
          ++ lib.optionals config.services.postgresql.enable [
            "/var/lib/postgresql"
          ];
        files = [
          "/etc/machine-id"
          "/etc/ssh/ssh_host_ed25519_key"
          "/etc/ssh/ssh_host_ed25519_key.pub"
          "/etc/ssh/ssh_host_rsa_key"
          "/etc/ssh/ssh_host_rsa_key.pub"
        ];
      };
    };
 }
--- a/modules/nixos/profiles/default.nix
+++ b/modules/nixos/profiles/default.nix
@ -0,0 +1,7 @@
 { ... }:
 {
  imports = [
    ./hardened.nix
    ./minimal.nix
  ];
 }
--- a/modules/nixos/profiles/hardened.nix
+++ b/modules/nixos/profiles/hardened.nix
@ -0,0 +1,105 @@
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkForce
    mkIf
    mkMerge
    ;
 in
 {
  options.ataraxia.profiles.hardened = mkEnableOption "hardened profile";
  imports = [
    (modulesPath + "/profiles/hardened.nix")
  ];
  config = mkMerge [
    (mkIf (!config.ataraxia.profiles.hardened) {
      profiles.hardened = false;
    })
    (mkIf config.ataraxia.profiles.hardened {
      profiles.hardened = true;
      boot.kernel.sysctl = {
        "dev.tty.ldisc_autoload" = mkDefault false;
        "fs.protected_fifos" = mkDefault "2";
        "fs.protected_regular" = mkDefault "2";
        "fs.suid_dumpable" = mkDefault false;
        "kernel.printk" = mkForce "3 3 3 3";
        "kernel.sysrq" = mkDefault false;
        "kernel.yama.ptrace_scope" = mkDefault "2";
        "net.ipv4.tcp_timestamps" = mkDefault false;
        "syskernel.core_pattern" = mkDefault "|/bin/false";
        "net.ipv4.tcp_congestion_control" = mkDefault "bbr";
        "net.core.default_qdisc" = mkDefault "cake";
        "net.ipv4.conf.all.accept_source_route" = mkDefault false;
        "net.ipv4.icmp_ignore_bogus_error_responses" = mkDefault true;
        "net.ipv4.tcp_dsack" = mkDefault false;
        "net.ipv4.tcp_fastopen" = mkDefault 3;
        "net.ipv4.tcp_rfc1337" = mkDefault true;
        "net.ipv4.tcp_sack" = mkDefault false;
        "net.ipv4.tcp_syncookies" = mkDefault true;
        "net.ipv6.conf.all.accept_ra" = mkDefault false;
        "net.ipv6.conf.all.accept_source_route" = mkDefault false;
        "net.ipv6.default.accept_ra" = mkDefault false;
      };
      boot.kernelParams = [
        "lockdown=confidentiality"
        "module.sig_enforce=1"
        "oops=panic"
        "loglevel=0"
        "vsyscall=none"
      ];
      boot.blacklistedKernelModules = [
        # Obscure networking protocols
        "af_802154"
        "appletalk"
        "atm"
        "can"
        "dccp"
        "decnet"
        "econet"
        "ipx"
        "n-hdlc"
        "p8022"
        "p8023"
        "psnap"
        "rds"
        "sctp"
        "tipc"
        "x25"
        # Various rare filesystems
        "cifs"
        "gfs2"
        "hfsplus"
        "jffs2"
        "nfs"
        "nfsv3"
        "squashfs"
        "udf"
        "vivid"
        # Disable Bluetooth
        "bluetooth"
        "btusb"
        # Disable webcam
        "uvcvideo"
        # Disable Thunderbolt and FireWire to prevent DMA attacks
        "firewire-core"
        "thunderbolt"
      ];
      # "always" may incurs significant performance cost
      security.virtualisation.flushL1DataCache = "cond";
    })
  ];
 }
--- a/modules/nixos/profiles/minimal.nix
+++ b/modules/nixos/profiles/minimal.nix
@ -0,0 +1,57 @@
 {
  config,
  lib,
  ...
 }:
 let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    ;
 in
 {
  options.ataraxia.profiles.minimal = mkEnableOption "minimal profile";
  # Upstream nixpkgs doesn't support disabling profile
  # imports = [
  #   (modulesPath + "/profiles/minimal.nix")
  # ];
  config = mkIf config.ataraxia.profiles.minimal {
    # This pulls in nixos-containers which depends on Perl.
    boot.enableContainers = mkDefault false;
    documentation = {
      enable = mkDefault false;
      doc.enable = mkDefault false;
      info.enable = mkDefault false;
      man.enable = mkDefault false;
      nixos.enable = mkDefault false;
    };
    environment = {
      # Perl is a default package.
      defaultPackages = mkDefault [ ];
      stub-ld.enable = mkDefault false;
    };
    programs = {
      # The lessopen package pulls in Perl.
      less.lessopen = mkDefault null;
      command-not-found.enable = mkDefault false;
    };
    services = {
      logrotate.enable = mkDefault false;
      udisks2.enable = mkDefault false;
    };
    xdg = {
      autostart.enable = mkDefault false;
      icons.enable = mkDefault false;
      mime.enable = mkDefault false;
      sounds.enable = mkDefault false;
    };
  };
 }
--- a/modules/nixos/roles/default.nix
+++ b/modules/nixos/roles/default.nix
@ -5,11 +5,17 @@
 }:
 let
  inherit (lib)
    mkDefault
    mkIf
    mkMerge
    mkOption
    recursiveUpdate
    types
    ;
  defaultUser = config.ataraxia.defaults.users.defaultUser;
  fs = config.ataraxia.filesystems;
  fsCompression = fs.zfs.enable || fs.btrfs.enable;
  role = config.ataraxia.defaults.role;
 in
 {
@ -25,9 +31,51 @@ in
    };
  };
-  config = mkMerge [
+  config =
-    (mkIf (role == "base") {
+    let
-      ataraxia.defaults.nix.enable = true;
+      baseRole = {
-    })
+        ataraxia.defaults.locale.enable = mkDefault true;
-  ];
+        ataraxia.defaults.lix.enable = mkDefault true;
        ataraxia.defaults.nix.enable = mkDefault true;
        ataraxia.defaults.ssh.enable = mkDefault true;
        ataraxia.defaults.users.enable = mkDefault true;
        persist.enable = mkDefault true;
        # Do not compress journal logs if using native fs compression
        services.journald.extraConfig = mkIf fsCompression (mkDefault "Compress=false");
        boot.initrd.systemd.enable = mkDefault true;
        services.userborn.enable = mkDefault true;
        system.rebuild.enableNg = mkDefault true;
        system.switch.enableNg = mkDefault true;
        system.etc.overlay.enable = mkDefault true;
        system.etc.overlay.mutable = mkDefault true;
        zramSwap = {
          enable = true;
          algorithm = "zstd";
          memoryPercent = 100;
        };
      };
      serverRole = recursiveUpdate baseRole {
        ataraxia.profiles.hardened = mkDefault true;
        ataraxia.profiles.minimal = mkDefault true;
        time.timeZone = "Etc/UTC";
      };
      desktopRole = recursiveUpdate baseRole {
        services.getty.autologinUser = defaultUser;
        location = {
          provider = "manual";
          latitude = 48;
          longitude = 44;
        };
      };
    in
    mkMerge [
      (mkIf (role == "base") baseRole)
      (mkIf (role == "server") serverRole)
      (mkIf (role == "desktop") desktopRole)
    ];
 }
--- a/modules/nixos/ssh/default.nix
+++ b/modules/nixos/ssh/default.nix
@ -0,0 +1,27 @@
 { config, lib, ... }:
 let
  inherit (lib) mkIf mkEnableOption mkOption;
  inherit (lib.types) listOf int;
  cfg = config.ataraxia.defaults.ssh;
 in
 {
  options.ataraxia.defaults.ssh = {
    enable = mkEnableOption "Root on zfs";
    ports = mkOption {
      type = listOf int;
      default = [ 22 ];
      description = "OpenSSH ports to listen";
    };
  };
  config = mkIf cfg.enable {
    services.openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
      settings.PermitRootLogin = "no";
      settings.X11Forwarding = false;
      extraConfig = "StreamLocalBindUnlink yes";
      ports = cfg.ports;
    };
  };
 }
--- a/modules/nixos/user/default.nix
+++ b/modules/nixos/user/default.nix
@ -0,0 +1,108 @@
 {
  config,
  lib,
  pkgs,
  ...
 }:
 let
  inherit (lib) mkIf mkEnableOption mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.defaults.users;
 in
 {
  options.ataraxia.defaults.users = {
    enable = mkEnableOption "Setting up default users";
    defaultUser = mkOption {
      type = str;
      default = "ataraxia";
      description = "Name of the default user";
    };
  };
  config = mkIf cfg.enable {
    users.mutableUsers = false;
    users.groups.limits = { };
    users.users.${cfg.defaultUser} = {
      description = "Main user of this host.";
      isNormalUser = true;
      extraGroups = [
        "adbusers"
        "audio"
        "cdrom"
        "corectrl"
        "dialout"
        "disk"
        "docker"
        "input"
        "kvm"
        "libvirtd"
        "limits"
        "lp"
        "lxd"
        "networkmanager"
        "podman"
        "qemu-libvirtd"
        "render"
        "scanner"
        "smbuser"
        "systemd-journal"
        "video"
        "wheel"
      ];
      uid = 1000;
      hashedPassword = "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
      shell = pkgs.bashInteractive;
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
      ];
    };
    users.users.deploy = {
      description = "The administrator account for deploy-rs.";
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = config.users.users.${cfg.defaultUser}.openssh.authorizedKeys.keys;
    };
    security.apparmor.enable = true;
    security.pam.loginLimits = [
      {
        domain = "@limits";
        item = "memlock";
        type = "soft";
        value = "unlimited";
      }
      {
        domain = "@limits";
        item = "memlock";
        type = "hard";
        value = "unlimited";
      }
    ];
    security.polkit.enable = true;
    systemd.services."user@" = {
      serviceConfig = {
        Restart = "always";
      };
    };
    # Disable sudo, use doas
    users.allowNoPasswordLogin = true;
    security.sudo.enable = lib.mkForce false;
    security.doas = {
      enable = true;
      extraRules = [
        {
          users = [ cfg.defaultUser ];
          keepEnv = true;
          persist = true;
        }
        {
          users = [ "deploy" ];
          noPass = true;
          keepEnv = true;
        }
      ];
    };
  };
 }
--- a/modules/nixos/vpn/default.nix
+++ b/modules/nixos/vpn/default.nix
@ -0,0 +1,4 @@
 { ... }:
 {
  imports = [ ./tailscale.nix ];
 }
--- a/modules/nixos/vpn/tailscale.nix
+++ b/modules/nixos/vpn/tailscale.nix
@ -0,0 +1,23 @@
 {
  config,
  lib,
  ...
 }:
 let
  inherit (lib) mkOption mkIf;
  inherit (lib.types) bool;
  cfg = config.ataraxia.vpn.tailscale;
 in
 {
  options.ataraxia.vpn.tailscale = {
    enable = mkOption {
      type = bool;
      default = config.services.tailscale.enable;
      description = "Enable tailsacle";
    };
  };
  config = mkIf cfg.enable {
    persist.state.directories = [ "/var/lib/tailscale" ];
  };
 }
--- a/patches/erofs-hardened.patch
+++ b/patches/erofs-hardened.patch
@ -0,0 +1,12 @@
 diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
 index dc3bf597cd4b..70a7af42358a 100644
 --- a/nixos/modules/profiles/hardened.nix
 +++ b/nixos/modules/profiles/hardened.nix
@@ -84,7 +84,6 @@ in
       "befs"
       "cramfs"
       "efs"
 -      "erofs"
       "exofs"
       "freevxfs"
       "f2fs"
Author	SHA1	Message	Date
Dmitriy Kholkin	0d155fa553	feat: add disko config for redshift	2025-03-10 19:10:28 +03:00
Dmitriy Kholkin	e63296d245	feat: add redshift (vps) host	2025-03-10 19:08:13 +03:00
Dmitriy Kholkin	2c03698a2f	feat: add rollback service for btrfs	2025-03-10 19:06:21 +03:00
Dmitriy Kholkin	6d85bb5bdb	fix: disable `document-start` rule for yamllint	2025-03-10 19:04:49 +03:00
Dmitriy Kholkin	65db257b33	feat: add sops for secrets management	2025-03-10 19:01:22 +03:00
Dmitriy Kholkin	7a910b5567	fix: postgresql backups	2025-03-10 18:46:44 +03:00
Dmitriy Kholkin	a2a0fb4a43	fix: persist some dirs by default for home dirs too	2025-03-10 18:45:57 +03:00
Dmitriy Kholkin	6d12c775c8	feat: network module for configuring networkd with bridge support	2025-03-10 18:44:16 +03:00
Dmitriy Kholkin	12651a52ee	feat: do not compress journald logs if using native fs compression	2025-03-10 18:43:40 +03:00
Dmitriy Kholkin	387086a698	feat: add empty modules for btrfs and zfs filesystems	2025-03-10 18:42:32 +03:00
Dmitriy Kholkin	bd8fa8a9ae	feat: add some files and dirs to persist by default	2025-03-10 18:39:05 +03:00
Dmitriy Kholkin	9a9abac938	fix: support persist module without home-manager on host	2025-03-10 18:38:30 +03:00
Dmitriy Kholkin	9d808421af	fix: remove `erofs` from kernel module blacklist for hardened profile system.etc.overlay requires erofs kernel module, but hardened profile from nixpkgs disables it. Patch nixpkgs and remove erofs module from blacklist.	2025-03-10 18:37:22 +03:00
Dmitriy Kholkin	57ab28592e	feat: locale module	2025-03-10 18:35:29 +03:00
Dmitriy Kholkin	0f43c2e01d	fix: import profiles to modules	2025-03-10 18:34:51 +03:00
Dmitriy Kholkin	0bf6498de3	feat: hardened profile from nixpkgs with some additions	2025-03-10 18:34:03 +03:00
Dmitriy Kholkin	1e47f00539	feat: minimal profile from nixpkgs	2025-03-10 18:32:18 +03:00
Dmitriy Kholkin	6ed8b746cb	feat: auto-login for desktop	2025-03-10 18:31:46 +03:00
Dmitriy Kholkin	d0563f6028	feat: user module with some security	2025-03-10 18:31:24 +03:00
Dmitriy Kholkin	73c86aa500	feat: sane ssh defaults	2025-03-10 18:30:20 +03:00
Dmitriy Kholkin	05db810079	feat: module for role system	2025-03-10 18:29:45 +03:00
Dmitriy Kholkin	03df1ae699	feat: simple tailscale module to persist its directory	2025-03-10 18:23:55 +03:00
Dmitriy Kholkin	7c346eb6a8	feat: add some new inputs, update them all	2025-03-10 18:22:22 +03:00
Dmitriy Kholkin	f8dd3a3ce6	fix: exclude backblaze link for lychee	2025-03-08 15:59:43 +03:00
Dmitriy Kholkin	2ad7f5aab4	feat: add module to backup postgresql db using rustic	2025-03-08 15:58:14 +03:00
Dmitriy Kholkin	f6edb7f80d	fix: enable home-manager options eval for nixd	2025-03-08 15:36:12 +03:00
Dmitriy Kholkin	bd5f61d3c0	feat: pass secretsDir to specialArgs	2025-03-08 15:35:34 +03:00