feat(modules): add modules for some common settings

modules/nixos/common-settings/auth.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+
+  cfg = config.commonSettings.auth;
+in
+{
+  options.commonSettings.auth = {
+    enable = mkEnableOption "Common auth settings for servers";
+  };
+
+  config = mkIf cfg.enable {
+    custom.kanidm-client = {
+      enable = true;
+      uri = "https://auth.xinyang.life";
+      asSSHAuth = {
+        enable = true;
+        allowedGroups = [ "linux_users" ];
+      };
+      sudoers = [ "xin@auth.xinyang.life" ];
+    };
+
+    services.openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+        GSSAPIAuthentication = "no";
+        KerberosAuthentication = "no";
+      };
+    };
+    services.fail2ban.enable = true;
+
+    security.sudo = {
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+  };
+}
+

modules/nixos/default.nix

@@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ./common-nix-conf.nix
+    ./common-settings/auth.nix
+    ./common-settings/nix-conf.nix
     ./restic.nix
     ./vaultwarden.nix
     ./prometheus.nix

modules/nixos/vaultwarden.nix

@@ -22,8 +22,8 @@ in
       # TODO: mailserver support
     };
   };
-  config = {
+  config = mkIf cfg.enable {
-    services.vaultwarden = mkIf cfg.enable {
+    services.vaultwarden =  {
       enable = true;
       dbBackend = "sqlite";
       config = {