nix-config/hosts/server.nix
Jordan Holt ae4a0ebf84
hosts/server: always add root SSH key
2025-03-30 17:02:36 +01:00


{ lib, ... }:

let
  inherit (lib) mkForce;
in
{
  imports = [ ./common.nix ];

  # Headless host: no manpages/docs, no fontconfig.
  documentation.enable = false;
  fonts.fontconfig.enable = false;

  # ACME defaults shared by every certificate issued on this host; the
  # webroot is group-readable by nginx so it can serve the HTTP-01 challenge.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "hostmaster@vimium.com";
      group = "nginx";
      webroot = "/var/lib/acme/acme-challenge";
    };
  };

  # Kernel audit logging is currently left disabled. If it is turned on, the
  # rule below records every execve() on 64-bit processes.
  # security.auditd.enable = true;
  # security.audit = {
  #   enable = true;
  #   rules = [
  #     "-a exit,always -F arch=b64 -S execve"
  #   ];
  # };

  # Root's only SSH credential; password login for root is refused further
  # down via PermitRootLogin.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
  ];

  systemd = {
    # No emergency shell on a headless server.
    enableEmergencyMode = false;
    # Never suspend or hibernate.
    sleep.extraConfig = ''
      AllowSuspend=no
      AllowHibernation=no
    '';
    # systemd watchdog settings (RuntimeWatchdogSec / RebootWatchdogSec).
    watchdog = {
      runtimeTime = "20s";
      rebootTime = "30s";
    };
  };

  services.fail2ban = {
    enable = true;
    bantime = "1h";
    # Repeat offenders get progressively longer bans, capped at 24h, with 7m of jitter.
    bantime-increment = {
      enable = true;
      maxtime = "24h";
      rndtime = "7m";
    };
    # 100.64.0.0/10 (CGNAT range) is never banned — presumably the tailnet; confirm.
    ignoreIP = [ "100.64.0.0/10" ];
  };

  # Key-only root login. mkForce overrides any other definition of this option
  # (e.g. from common.nix).
  services.openssh.settings.PermitRootLogin = mkForce "prohibit-password";

  modules.services.tailscale = {
    enable = true;
    # SSH is not limited to the tailscale interface on this host.
    restrictSSH = false;
  };
}