diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
new file mode 100644
index 0000000..f70d350
--- /dev/null
+++ b/modules/nixos/common-settings/auth.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkEnableOption mkOption types;
+
+ cfg = config.commonSettings.auth;
+in
+{
+ options.commonSettings.auth = {
+ enable = mkEnableOption "Common auth settings for servers";
+ };
+
+ config = mkIf cfg.enable {
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ services.openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
+ };
+ services.fail2ban.enable = true;
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ };
+}
+
diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix
similarity index 100%
rename from modules/nixos/common-nix-conf.nix
rename to modules/nixos/common-settings/nix-conf.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0d64656..7908b49 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 {
 imports = [
- ./common-nix-conf.nix
+ ./common-settings/auth.nix
+ ./common-settings/nix-conf.nix
 ./restic.nix
 ./vaultwarden.nix
 ./prometheus.nix
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 6c0af66..b4c7d04 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -22,8 +22,8 @@ in
 # TODO: mailserver support
 };
 };
- config = {
- services.vaultwarden = mkIf cfg.enable {
+ config = mkIf cfg.enable {
+ services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
 config = {
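Review bot: `wheelNeedsPassword = false` in the new `security.sudo` block of auth.nix gives every wheel member root without any re-authentication, so with password and keyboard-interactive SSH auth disabled in the same file a single compromised SSH key for a wheel user is a direct, unchecked root compromise. If unattended administration is the intent, record it next to the option, e.g. `# passwordless sudo: hosts are administered non-interactively; SSH key auth is the only gate`; otherwise leave it at the default (`true`) so sudo still asks for a credential. How the project-defined `custom.kanidm-client.sudoers` list relates to the wheel group is not visible from this hunk, so the exposure may be wider or narrower than the wheel membership alone. Separately, `mkOption` and `types` in the `inherit (lib)` line are never used in this file and can be dropped.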