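# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running `nixos-help`).
#
# Host "biski": a Tailscale exit node that also receives the router's
# syslog over UDP and runs a fail2ban jail which bans offenders on the
# RouterOS device itself (over SSH) rather than on this host.

{ config, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disko.nix
    ../../modules/nixos/nix-common.nix
    ../../modules/nixos/environment.nix
    ../../modules/nixos/tailscale.nix
    ../../modules/nixos/system-packages.nix
    ../../modules/users/defin.nix
    ../../modules/users/git.nix
    ../../modules/users/root.nix
  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = "biski"; # Define your hostname.

  # Advertise this machine as an exit node. "both" turns on the routing
  # features needed for exit-node and subnet-router use (IP forwarding).
  services.tailscale = {
    extraSetFlags = [ "--advertise-exit-node" ];
    useRoutingFeatures = "both";
  };

  # Let a forwarded SSH agent satisfy PAM (e.g. sudo without a password).
  # NOTE(review): whoever can use a forwarded agent socket on this host can
  # then authenticate to PAM as that user — only forward agents here from
  # trusted clients.
  security.pam.sshAgentAuth.enable = true;

  # Remote syslog receiver for the router: everything that arrives on
  # UDP/10514 is appended to one file, which the fail2ban jail below polls.
  # NOTE(review): imudp performs no sender authentication and the firewall
  # rule further down opens 10514 on every interface, so any peer that can
  # reach this host can forge a "login failure for user ... from X via ssh"
  # line and have fail2ban ban an address of its choosing on the router
  # (addresses in ignoreIP excepted). Scope the port to the router-facing
  # interface (networking.firewall.interfaces.<iface>.allowedUDPPorts) and/or
  # restrict senders in rsyslog once the router's source address is
  # confirmed. No rotation is configured for the file; a log flood fills /var.
  services.rsyslogd = {
    enable = true;
    extraConfig = ''
      $ModLoad imudp
      $UDPServerRun 10514
      *.* /var/log/rsyslog-remote.log
    '';
  };

  # fail2ban action and filter for the RouterOS router. The <name> tokens are
  # fail2ban's substitution placeholders: the ones in [Definition] refer to
  # the [Init] keys of the same file, <ip> is the banned address and <HOST>
  # is the capture group fail2ban requires in every failregex. They had been
  # stripped from this copy of the file (empty quotes, bare "-i -p @host")
  # and were restored from the [Init] keys — confirm against the deployed
  # file. mkDefault keeps both overridable by another module; mkAfter orders
  # the text after other contributions to the same path.
  environment.etc = {
    "fail2ban/action.d/routeros.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Init]
      # SSH credentials to use to log into the router.
      # "pubkey" is, despite its name, the private key handed to `ssh -i`;
      # it lives outside the Nix store and should stay root-owned, mode 0600,
      # since fail2ban runs the action with the daemon's privileges.
      user = FCWadmin
      port = 2200
      pubkey = /etc/fail2ban/.id_routeros
      # SSH connection command
      ssh = /run/current-system/sw/bin/ssh
      cmd = <ssh> -i <pubkey> -p <port> <user>@64.77.244.138
      # What to do on ban.
      action = tarpit
      chain = fail2ban
      # Command-shortening aliases
      iff = /ip/firewall/filter
      what = src-address="<ip>" chain="<chain>"
      addwhat = dst-port="<port>" proto="tcp" action="<action>"

      [Definition]
      # Ban: insert a rule at the top of the router's filter chain.
      # Unban: delete every rule whose src-address/chain match <what>.
      actionban = <cmd> '<iff> add <what> <addwhat> place-before=0'
      actionunban = <cmd> '<iff> remove numbers=[find <what>]'
    '');

    # Filter for RouterOS SSH login failures as they appear in the rsyslog
    # file above; <_router> matches the router's hostname/IP prefix and
    # <HOST> captures the offending address.
    "fail2ban/filter.d/routeros-rsyslog-sshd.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      _router = ([a-zA-Z0-9.-]+)
      failregex = ^\s?<_router> .* login failure for user .* from <HOST> via ssh
    '');
  };

  services.fail2ban = {
    enable = true;
    ignoreIP = [
      # Whitelist some subnets
      "205.192.218.182/29"
      "10.0.0.0/8"
    ];
    jails = {
      routeros-rsyslog-sshd.settings = {
        enabled = true;
        filter = "routeros-rsyslog-sshd";
        action = "routeros";
        # The file rsyslogd writes above; "polling" avoids depending on
        # inotify/gamin for a file that only rsyslog appends to.
        logpath = "/var/log/rsyslog-remote.log";
        backend = "polling";
        # Never ban this host's own addresses.
        ignoreself = true;
        # Three failures within 10 minutes trigger a ban.
        maxretry = 3;
        findtime = 600;
      };
    };
  };

  # Set your time zone.
  time.timeZone = "US/Mountain";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkbOptions in tty.
  # };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    # NOTE(review): X11 forwarding is not needed for a headless exit node
    # and gives a compromised account on this host a channel to the
    # connecting client's X server; set it to false unless a GUI workflow
    # over SSH is actually used here.
    settings.X11Forwarding = true;
  };

  # Open ports in the firewall. These apply to every interface, Tailscale
  # included. 25565 is the game port DNAT'd below (presumably Minecraft, its
  # default port); 10514 is the router syslog listener (see rsyslogd above).
  networking.firewall.allowedTCPPorts = [ 25565 ];
  networking.firewall.allowedUDPPorts = [ 10514 ];

  # Hand-written DNAT for TCP/25565 arriving on eno1 → the tailnet peer
  # 100.64.0.2. This is not a duplicate of networking.nat.forwardPorts below:
  # that rule is installed on the external interface (tailscale0), this one
  # on eno1.
  networking.nftables = {
    enable = true;
    ruleset = ''
      table ip nat {
        chain PREROUTING {
          type nat hook prerouting priority dstnat; policy accept;
          iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
        }
      }
    '';
  };

  networking.nat = {
    enable = true;
    internalInterfaces = [ "eno1" ];
    externalInterface = "tailscale0";
    forwardPorts = [{
      sourcePort = 25565;
      proto = "tcp";
      destination = "100.64.0.2:25565";
    }];
  };

  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.11"; # Did you read the comment?
}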