nixos-hypervisor/systems/minimalLXCConfig.nix

{pkgs, ...}: {
  nix = {
    settings.experimental-features = ["nix-command" "flakes"];
    settings.trusted-users = ["root" "@wheel"];
  };

  nixpkgs.overlays = [
    (final: prev: {
      crowdsec = prev.crowdsec.overrideAttrs (prev: rec {
        pname = "crowdsec";
        version = "1.6.4";
        src = pkgs.fetchFromGitHub {
          owner = "crowdsecurity";
          repo = "${pname}";
          tag = "v${version}";
          hash = "sha256-/NTlj0kYCOMxShfoKdmouJTiookDjccUj5HFHLPn5HI=";
        };
      });
    })
  ];

  networking = {
    firewall = {
      enable = true;
      allowedTCPPorts = [22 6060 9002];
    };
    nameservers = ["192.168.1.90"];
  };

  boot.isContainer = true;
  proxmoxLXC = {
    enable = true;
    privileged = false;
    manageNetwork = false;
    manageHostName = false;
  };
  systemd.suppressedSystemUnits = [
    "dev-mqueue.mount"
    "sys-kernel-debug.mount"
    "sys-fs-fuse-connections.mount"
  ];

  time.timeZone = "Europe/Paris";
  console.keyMap = "fr";
  i18n.defaultLocale = "fr_FR.UTF-8";
  environment.sessionVariables = {
    TERM = "xterm-256color";
  };

  nix.gc = {
    automatic = true;
    dates = "daily";
    options = "--delete-old";
  };

  security.sudo.wheelNeedsPassword = false;
  users = {
    users.tbarnouin = {
      isNormalUser = true;
      extraGroups = ["wheel"];
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf1B0nxNMvPWSR9pStdtx2x6Iw+JUeCCt1CKWoD8dsr"
      ];
    };
    users.root = {
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"
      ];
    };
  };

  programs = {
    zsh = {
      enable = true;
      shellAliases = {
        ll = "ls -l";
        lla = "ls -lah";
      };
      ohMyZsh = {
        enable = true;
        plugins = ["git"];
        theme = "bira";
      };
    };
    tmux = {
      enable = true;
    };
  };

  nixpkgs.config.allowUnfree = true;
  environment = {
    localBinInPath = true;
    systemPackages = with pkgs; [
      vim
      bash
      wget
      curl
      git
      htop
      tree
      dig
      ncdu
      nmap
      iperf3
      netcat-openbsd
      gnugrep
    ];
  };

  services = {
    journald = {
      audit = false;
      extraConfig = ''
        MaxRetentionSec=1day
      '';
    };
    openssh = {
      enable = true;
      settings.PasswordAuthentication = false;
      settings.KbdInteractiveAuthentication = false;
      settings.PermitRootLogin = "prohibit-password";
      hostKeys = [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
    };
    crowdsec = {
      enable = true;
      package = pkgs.crowdsec;
      autoUpdateService = false;
      openFirewall = true;
      settings = {
        general = {
          prometheus.listen_addr = "0.0.0.0";
        };
      };
      hub.collections = [
        "crowdsecurity/linux"
      ];
    };
    rsyslogd = {
      enable = true;
      extraConfig = ''
        *.* action(type="omfwd" target="192.168.1.27" port="1514" protocol="tcp" Template="RSYSLOG_SyslogProtocol23Format")
      '';
    };
    prometheus = {
      exporters = {
        node = {
          enable = true;
          enabledCollectors = ["systemd"];
          port = 9002;
        };
      };
    };
  };

  system = {
    stateVersion = "24.11";
    activationScripts.ensure-ssh-key-dir.text = "mkdir -p /etc/ssh";
  };
}