refactor: move auth settings inside machine configuration to modules

2024-07-30 16:01:17 +08:00 · 2024-07-30 16:01:17 +08:00 · c98d2fe289
commit c98d2fe289
parent 4985b80589
2 changed files with 11 additions and 55 deletions
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@ -14,6 +14,12 @@ in
  config = {
    isBandwagon = builtins.elem config.networking.hostName bwgHosts;
    isLightsail = builtins.elem config.networking.hostName awsHosts;
+
+    commonSettings = {
+      auth.enable = true;
+      nix.enable = true;
+    };
+
    sops = {
      secrets = {
        wg_private_key = {
@ -52,33 +58,6 @@ in
      };
    };

-    custom.kanidm-client = {
-      enable = true;
-      uri = "https://auth.xinyang.life/";
-      asSSHAuth = {
-        enable = true;
-        allowedGroups = [ "linux_users" ];
-      };
-      sudoers = [ "xin@auth.xinyang.life" ];
-    };
-
-    services.openssh = {
-      settings = {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-        GSSAPIAuthentication = "no";
-        KerberosAuthentication = "no";
-      };
-    };
-    services.fail2ban.enable = true;
-    programs.mosh.enable = true;
-
-    security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-    };
-
    services.sing-box = let
      singTls = {
        enabled = true;
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -7,6 +7,11 @@
    ./networking.nix
    ./services.nix
  ];
+
+  customSettings = {
+    auth.enable = true;
+    nix.enable = true;
+  };
  
  sops = {
    defaultSopsFile = ./secrets.yaml;
@ -52,34 +57,6 @@
  networking = {
    hostName = "massicot";
  };
-
-  custom.kanidm-client = {
-    enable = true;
-    uri = "https://auth.xinyang.life/";
-    asSSHAuth = {
-      enable = true;
-      allowedGroups = [ "linux_users" ];
-    };
-    sudoers = [ "xin@auth.xinyang.life" ];
-  };
-
-  security.sudo = {
-      execWheelOnly = true;
-      wheelNeedsPassword = false;
-    };
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = "no";
-      GSSAPIAuthentication = "no";
-      KerberosAuthentication = "no";
-    };
-  };
-  services.fail2ban.enable = true;
-  programs.mosh.enable = true;
  
  systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
 }