xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

refactor: move auth settings inside machine configuration to modules

Browse source
This commit is contained in:
xinyangli 2024-07-30 16:01:17 +08:00
parent 4985b80589
commit c98d2fe289
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
2 changed files with 11 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
machines/dolomite/default.nix
View file

@ -14,6 +14,12 @@ in
config = { config = {
isBandwagon = builtins.elem config.networking.hostName bwgHosts; isBandwagon = builtins.elem config.networking.hostName bwgHosts;
isLightsail = builtins.elem config.networking.hostName awsHosts; isLightsail = builtins.elem config.networking.hostName awsHosts;
commonSettings = {
auth.enable = true;
nix.enable = true;
};
sops = { sops = {
secrets = { secrets = {
wg_private_key = { wg_private_key = {
@ -52,33 +58,6 @@ in
}; };
}; };
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.sing-box = let services.sing-box = let
singTls = { singTls = {
enabled = true; enabled = true;

33
machines/massicot/default.nix
View file

@ -7,6 +7,11 @@
./networking.nix ./networking.nix
./services.nix ./services.nix
]; ];
customSettings = {
auth.enable = true;
nix.enable = true;
};
sops = { sops = {
defaultSopsFile = ./secrets.yaml; defaultSopsFile = ./secrets.yaml;
@ -52,34 +57,6 @@
networking = { networking = {
hostName = "massicot"; hostName = "massicot";
}; };
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life/";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
programs.mosh.enable = true;
systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
} }