From ffb223d03fd059e867d121ea0f1289c3127420a2 Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Mon, 29 Jul 2024 14:56:01 +0800
Subject: [PATCH] feat(modules): add modules for some common settings
---
 modules/nixos/common-settings/auth.nix | 41 +++++++++++++++++++
 .../nix-conf.nix} | 0
 modules/nixos/default.nix | 3 +-
 modules/nixos/vaultwarden.nix | 4 +-
 4 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 modules/nixos/common-settings/auth.nix
 rename modules/nixos/{common-nix-conf.nix => common-settings/nix-conf.nix} (100%)
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
new file mode 100644
index 0000000..f70d350
--- /dev/null
+++ b/modules/nixos/common-settings/auth.nix
@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkIf mkEnableOption mkOption types;
+
+ cfg = config.commonSettings.auth;
+in
+{
+ options.commonSettings.auth = {
+ enable = mkEnableOption "Common auth settings for servers";
+ };
+
+ config = mkIf cfg.enable {
+ custom.kanidm-client = {
+ enable = true;
+ uri = "https://auth.xinyang.life";
+ asSSHAuth = {
+ enable = true;
+ allowedGroups = [ "linux_users" ];
+ };
+ sudoers = [ "xin@auth.xinyang.life" ];
+ };
+
+ services.openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ GSSAPIAuthentication = "no";
+ KerberosAuthentication = "no";
+ };
+ };
+ services.fail2ban.enable = true;
+
+ security.sudo = {
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ };
+}
+
diff --git a/modules/nixos/common-nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix
similarity index 100%
rename from modules/nixos/common-nix-conf.nix
rename to modules/nixos/common-settings/nix-conf.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 0d64656..7908b49 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
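Review bot: `security.sudo.wheelNeedsPassword = false;` near the end of the new auth.nix grants unprompted root to every account that ends up in wheel, so on any host that enables this module a leaked or stolen SSH key for such an account is an immediate root compromise — and with `PasswordAuthentication` and `KbdInteractiveAuthentication` already off, key possession is the only gate left before root. If passwordless sudo is a deliberate trade-off for the kanidm-managed `sudoers` accounts (how `custom.kanidm-client.sudoers` maps to wheel is not visible here), record that next to the line, e.g. `# NOTE: wheel gets root without a password; SSH key possession is the only check`, otherwise leave the option at its default and let the kanidm sudo rule carry the policy. Separately, `inherit (lib) mkIf mkEnableOption mkOption types;` pulls in `mkOption` and `types` that nothing in the file uses, and the openssh block mixes `false` with the string `"no"` — `GSSAPIAuthentication = false; KerberosAuthentication = false;` keeps it uniform.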
@@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 {
 imports = [
- ./common-nix-conf.nix
+ ./common-settings/auth.nix
+ ./common-settings/nix-conf.nix
 ./restic.nix
 ./vaultwarden.nix
 ./prometheus.nix
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 6c0af66..b4c7d04 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -22,8 +22,8 @@ in
 # TODO: mailserver support
 };
 };
- config = {
- services.vaultwarden = mkIf cfg.enable {
+ config = mkIf cfg.enable {
+ services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
 config = {