Initial commit

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

common.nix

@@ -0,0 +1,81 @@
+{ lib, ... }:
+
+{
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+
+  time.timeZone = "America/Vancouver";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  nix.settings.experimental-features = "nix-command flakes";
+  nix.settings.trusted-public-keys = lib.mkAfter [
+    "local.yesod.ellie:3cAK/At9uVQq5kNrZco1cuthpgoPy7JfEvd+sBs80fk="
+  ];
+
+  networking.useDHCP = true;
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      AllowUsers = [ "ellie" ];
+    };
+  };
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    bantime = "1h";
+    bantime-increment.enable = true;
+    jails = {
+      sshd.settings = {
+        enabled = true;
+        maxretry = 3;
+      };
+      nginx-botsearch.settings = {
+        enabled = true;
+        filter = "nginx-botsearch";
+        backend = "systemd";
+        maxretry = 2;
+      };
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        backend = "systemd";
+      };
+      nginx-bad-request.settings = {
+        enabled = true;
+        filter = "nginx-bad-request";
+        backend = "systemd";
+      };
+    };
+  };
+
+  users.mutableUsers = true;
+  security.sudo.wheelNeedsPassword = true;
+
+  users.users.ellie = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOv7i4ChPUm+DmELG6uRx0co4quhQ+h7QB4fgcxcC3qx contact@elliehigh.com"
+    ];
+
+    isNormalUser = true;
+    description = "Ellie";
+    extraGroups = [ "wheel" ];
+    initialPassword = "install";
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = true;
+    dates = "04:00";
+  };
+
+  system.stateVersion = "25.05";
+}