refactor(modules): separate nixos/home-manager modules, use standard option conventions

author: Leander Scherer <leander@schererleander.de> 2026-01-08 02:48:11 +0100
committer: Leander Scherer <leander@schererleander.de> 2026-01-08 19:08:12 +0100
commit: 6174f3650cf42aaf008012e828d5a1f8e2ce037f (patch)
tree: 9bbbd99680cd5adb56596a14734d4896bc6af733 /hosts/sachiel
parent: c582c4d0675aada46fa196b7af1941ed753d055f (diff)
1 files changed, 6 insertions, 208 deletions
diff --git a/hosts/sachiel/configuration.nix b/hosts/sachiel/configuration.nix
index 0537569..3944006 100644
--- a/hosts/sachiel/configuration.nix
+++ b/hosts/sachiel/configuration.nix
@@ -1,8 +1,6 @@
 {
   pkgs,
   host,
-  lib,
-  config,
   username,
   ...
 }:
@@ -66,212 +64,12 @@
     };
   };
 
-  services.fail2ban = {
-    enable = true;
-    bantime = "1h";
-    jails = {
-      sshd = {
-        enabled = true;
-        settings = {
-          port = 8693;
-          backend = "systemd";
-          maxretry = 4;
-          findtime = "10m";
-          bantime = "1h";
-        };
-      };
-      nextcloud = {
-        enabled = true;
-        settings = {
-          # START modification to work with syslog instead of logile
-          backend = "systemd";
-          journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
-          # END modification to work with syslog instead of logile
-          port = 443;
-          protocol = "tcp";
-          filter = "nextcloud";
-          maxretry = 3;
-          bantime = 86400;
-          findtime = 43200;
-        };
-      };
-    };
-  };
-
-  environment.etc = {
-    # Adapted failregex for syslogs
-    "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault (
-      pkgs.lib.mkAfter ''
-        [Definition]
-        _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-        failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-                      ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-        datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-      ''
-    );
-  };
-
-  services.openssh = {
-    enable = true;
-    ports = [ 8693 ];
-    settings = {
-      PasswordAuthentication = false;
-      AllowUsers = [ username ];
-      X11Forwarding = false;
-      PermitRootLogin = "no";
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "leander@schererleander.de";
-  };
-
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    appendHttpConfig = ''
-      map $scheme $hsts_header {
-          https   "max-age=31536000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-      #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
-      add_header 'Referrer-Policy' 'same-origin';
-      add_header X-Frame-Options DENY;
-      add_header X-Content-Type-Options nosniff;
-    '';
-
-    #virtualHosts."bitwarden.schererleander.de" = {
-    #  forceSSL = true;
-    #  sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
-    #  sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
-    #  locations."/" = {
-    #    proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
-    #  };
-    #};
-
-    virtualHosts."cloud.schererleander.de" = {
-      forceSSL = true;
-      sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
-      sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
-    };
-  };
-
-  services.site = {
-    enable = true;
-    domain = "schererleander.de";
-    sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
-    sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
-  };
-
-  # services.vaultwarden = {
-  #   enable = true;
-  #   environmentFile = "/var/lib/vaultwarden.env";
-  #   backupDir = "/var/backup/vaultwarden";
-  #   config = {
-  #     DOMAIN = "https://bitwarden.schererleander.de";
-  #     SIGNUPS_ALLOWED = true;
-  #     ROCKET_ADDRESS = "127.0.0.1";
-  #     ROCKET_PORT = 8222;
-  #     ROCKET_LOG = "critical";
-  #     KDF = "PBKDF2";
-  #     KDFIterations = 600000;
-  #   };
-  # };
-  #
-  # services.borgbackup.jobs.vaultwarden = {
-  #   paths = [ "/var/backup/vaultwarden" ];
-  #   repo = "t7e4d4f9@t7e4d4f9.repo.borgbase.com:repo";
-  #   encryption.mode = "none";
-  #   environment.BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-vaultwarden -o StrictHostKeyChecking=accept-new";
-  #   compression = "auto,lzma";
-  #   startAt = "daily";
-  # };
-
-  services.nextcloud = {
-    enable = true;
-    package = pkgs.nextcloud32;
-    hostName = "cloud.schererleander.de";
-    https = true;
-    database.createLocally = true;
-    maxUploadSize = "16G";
-    config = {
-      dbtype = "mysql";
-      adminuser = "schererleander";
-      adminpassFile = "/etc/nextcloud-admin-pass";
-    };
-    settings = {
-      maintenance_window_start = 2; # 02:00
-      default_phone_region = "de";
-      overwriteProtocol = "https";
-      trusted_domains = [ "cloud.schererleander.de" ];
-      logtimezone = "Europe/Berlin";
-      log_type = "file";
-    };
-    phpOptions."opcache.interned_strings_buffer" = "64";
-  };
-
-  services.borgbackup.jobs.nextcloud = {
-    paths = [
-      "/var/lib/nextcloud"
-      "/var/lib/backup/nextcloud/db"
-    ];
-    repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo";
-    encryption.mode = "none";
-    environment = {
-      BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-nextcloud -o StrictHostKeyChecking=accept-new";
-      TMPDIR = "/var/tmp";
-    };
-    compression = "auto,lzma";
-    startAt = "daily";
-    readWritePaths = [
-      "/var/lib/backup"
-      "/var/lib/nextcloud"
-    ];
-    preHook = ''
-      set -euo pipefail
-      INSTALL="${pkgs.coreutils}/bin/install"
-      FIND="${pkgs.findutils}/bin/find"
-      MYSQLDUMP="${pkgs.mariadb.client}/bin/mysql-dump"
-      GZIP="${pkgs.gzip}/bin/gzip"
-      OCC="${lib.getExe config.services.nextcloud.occ}"
-
-      # This command requires write access to /var/lib/backup.
-      $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db
-
-      trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT
-
-      $OCC maintenance:mode --on
-
-      # Make a consistent database dump without locking the site.
-      $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \
-        | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz
-
-      # Delete local dump files older than 14 days.
-      $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true
-    '';
-    postHook = ''
-      set -euo pipefail
-      ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true
-    '';
-  };
-
-  security.auditd.enable = true;
-  security.audit = {
-    enable = true;
-    rules = [ "-a exit,always -F arch=b64 -S execve" ];
-  };
-
-  networking.firewall = {
-    allowPing = false;
-    allowedTCPPorts = [
-      80
-      443
-      8693
-    ];
+  nx.server = {
+    openssh.enable = true;
+    fail2ban.enable = true;
+    nginx.enable = true;
+    nextcloud.enable = true;
+    site.enable = true;
   };
 
   nixpkgs.config.allowUnfree = true;
author	Leander Scherer <leander@schererleander.de>	2026-01-08 02:48:11 +0100
committer	Leander Scherer <leander@schererleander.de>	2026-01-08 19:08:12 +0100
commit	6174f3650cf42aaf008012e828d5a1f8e2ce037f (patch)
tree	9bbbd99680cd5adb56596a14734d4896bc6af733 /hosts/sachiel
parent	c582c4d0675aada46fa196b7af1941ed753d055f (diff)