Initial commit

configuration.nix

@@ -0,0 +1,95 @@
+{ config, pkgs, ... }:
+
+{
+  # Minimal system packages
+  environment.systemPackages = with pkgs; [
+    vim
+    nano
+    git
+    curl
+    htop
+    tmux
+    rsync
+    ncdu
+    iotop
+    nethogs
+    lsof
+    strace
+    jq
+    tree
+    unzip
+    zip
+    pciutils
+    usbutils
+    smartmontools
+    lm_sensors
+    nmap
+    tcpdump
+    nettools
+    bind.dnsutils
+    openssl
+    ethtool
+    sysstat
+    logrotate
+    cron
+  ];
+
+  # Nix optimization and garbage collection
+  nix.settings = {
+    auto-optimise-store = true;
+    allowed-users = [ "@users" ];
+  };
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 90d";
+  };
+
+  # Docker configuration
+  virtualisation.docker.enable = true;
+
+  # Bootloader configuration
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
+
+  # SSH Server configuration
+  services.openssh = {
+    enable = true;
+    ports = [ 222 ];
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+    };
+  };
+
+  # SSHGuard — monitors logs for brute-force attempts and blocks offending IPs
+  services.sshguard.enable = true;
+
+  # Security
+  security.sudo.wheelNeedsPassword = true;
+
+  # User configuration
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMniNzAzuI527bfk/EipqFILFayUCwYXDoZ3R7+QgYq6 kawaiipunk@ZeroCool"
+    ];
+  };
+
+  # Firewall configuration — only expose HTTP, HTTPS, and SSH
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 222 ];
+  };
+
+  # VM configuration (used when building with nixos-rebuild build-vm)
+  virtualisation.vmVariant = {
+    virtualisation = {
+      memorySize = 2048;
+      cores = 2;
+    };
+  };
+
+  system.stateVersion = "25.05";
+}