lavitz/modules/services.nix
2026-01-05 14:42:59 -07:00


{ config, pkgs, ... }:
let
  # Only `username` is consumed from the shared settings file in this module.
  inherit (import ../settings.nix) username;
in
{
  services = {
    # --- OpenSSH -----------------------------------------------------------
    # Key-only, non-root SSH on the standard port.
    # NOTE(review): services.openssh.openFirewall defaults to true in NixOS,
    # so unless it is overridden elsewhere port 22 is reachable on every
    # interface. Since Tailscale is enabled below, consider setting
    # openFirewall = false and allowing 22 only on the tailnet interface.
    # NOTE(review): no AllowUsers/AllowGroups restriction is set here, so any
    # account with an authorized key can log in.
    openssh = {
      enable = true;
      ports = [ 22 ];
      settings = {
        # Authentication: no root login and no password-based methods
        # (password, keyboard-interactive, empty passwords).
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitEmptyPasswords = false;

        # Forwarding: X11, TCP, agent and Unix-socket forwarding all off.
        # sshd_config(5) notes that disabling forwarding does not by itself
        # stop a user with shell access from running their own forwarder;
        # treat this as surface reduction, not isolation.
        X11Forwarding = false;
        AllowTcpForwarding = false;
        AllowAgentForwarding = false;
        AllowStreamLocalForwarding = false;

        # Session limits: an unresponsive client is dropped after
        # 2 missed keep-alives sent 300 s apart; unauthenticated connections
        # get 30 s and 3 attempts; at most 2 sessions per connection.
        ClientAliveInterval = 300;
        ClientAliveCountMax = 2;
        MaxAuthTries = 3;
        MaxSessions = 2;
        LoginGraceTime = 30;
      };
    };

    # --- Tailscale ---------------------------------------------------------
    tailscale.enable = true;

    # --- Firmware updates (fwupd) -------------------------------------------
    fwupd.enable = true;

    # --- Sunshine (game/desktop streaming host) -----------------------------
    # NOTE(review): this is the most exposed service in the file.
    #  * openFirewall = true opens Sunshine's ports in the host firewall on
    #    all interfaces, not only the tailnet.
    #  * capSysAdmin = true grants the Sunshine binary CAP_SYS_ADMIN (used
    #    for DRM/KMS capture), a very broad capability for a network-facing
    #    process that launches commands on behalf of remote clients.
    # If streaming is only needed over Tailscale, consider openFirewall =
    # false plus an interface-scoped firewall rule, and confirm capSysAdmin
    # is actually required for the capture method in use.
    sunshine = {
      enable = true;
      autoStart = true;
      openFirewall = true;
      capSysAdmin = true;
      applications.apps = [
        {
          name = "Steam Big Picture";
          cmd = "${pkgs.steam}/bin/steam -bigpicture";
        }
        {
          # `true` exits immediately; presumably this entry just streams the
          # existing desktop without launching anything.
          name = "Desktop";
          cmd = "${pkgs.coreutils}/bin/true";
        }
      ];
    };

    # --- Syncthing ----------------------------------------------------------
    # Runs as the primary user with data and config under that user's home.
    # NOTE(review): group = "wheel" makes the daemon run with the group that
    # is normally tied to sudo rights, and files it creates will be
    # group-owned by wheel. A dedicated or unprivileged group (e.g. "users")
    # looks safer; confirm nothing depends on wheel here.
    syncthing = {
      enable = true;
      group = "wheel";
      user = "${username}";
      dataDir = "/home/${username}/syncthing/data";
      configDir = "/home/${username}/syncthing/conf";
    };

    # --- Avahi (mDNS) -------------------------------------------------------
    # Publishes host and user services on the local network.
    # NOTE(review): avahi itself is not enabled in this file; presumably
    # another module (possibly Sunshine's) turns it on. Publishing advertises
    # this machine's services to every host on the LAN segment.
    avahi.publish = {
      enable = true;
      userServices = true;
    };

    # --- System76 scheduler -------------------------------------------------
    system76-scheduler.enable = true;
  };
}