refactor: use flake-parts, change modules structure

author: schererleander <leander@schererleander.de> 2026-01-09 16:57:15 +0100
committer: schererleander <leander@schererleander.de> 2026-01-09 23:13:49 +0100
commit: 3b5a73c436eb22e0cda59469263490705e149cb9 (patch)
tree: ae3f20ca6008b11f71247dfc6e2df8218de9b95c /modules/hosts/server
parent: ec45aae780da92e12cf82c5a32e336b14b7540ba (diff)
6 files changed, 0 insertions, 357 deletions
diff --git a/modules/hosts/server/default.nix b/modules/hosts/server/default.nix
deleted file mode 100644
index ca3ca4f..0000000
--- a/modules/hosts/server/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
-  lib,
-  ...
-}:
-let
-  inherit (lib) mkOption types;
-in
-{
-  options.nx.server = {
-    enable = mkOption {
-      description = "Set this host as server";
-      type = types.bool;
-      default = false;
-    };
-    timeZone = mkOption {
-      description = "Time Zone of the server";
-      type = types.str;
-      default = "Europe/Berlin";
-    };
-  };
-
-  imports = [
-    ./openssh
-    ./nginx
-    ./fail2ban
-    ./nextcloud
-    ./site
-  ];
-}
diff --git a/modules/hosts/server/fail2ban/default.nix b/modules/hosts/server/fail2ban/default.nix
deleted file mode 100644
index 09fcdf2..0000000
--- a/modules/hosts/server/fail2ban/default.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
-  config,
-  pkgs,
-  options,
-  lib,
-  ...
-}:
-let
-  cfg = config.nx.server.fail2ban;
-  inherit (lib) mkOption types mkIf;
-in
-{
-  options.nx.server.fail2ban = {
-    enable = mkOption {
-      description = "Setup fail2ban service";
-      type = types.bool;
-      default = false;
-    };
-    bantime = mkOption {
-      description = "default bantime";
-      type = types.str;
-      default = "1h";
-    };
-  };
-  config = mkIf cfg.enable {
-    services.fail2ban = {
-      enable = true;
-      bantime = cfg.bantime;
-    };
-  };
-}
diff --git a/modules/hosts/server/nextcloud/default.nix b/modules/hosts/server/nextcloud/default.nix
deleted file mode 100644
index a527de2..0000000
--- a/modules/hosts/server/nextcloud/default.nix
+++ /dev/null
@@ -1,156 +0,0 @@
-{
-  pkgs,
-  config,
-  username,
-  options,
-  lib,
-  ...
-}:
-let
-  cfg = config.nx.server.nextcloud;
-  inherit (lib) mkOption types mkIf;
-in
-{
-  options.nx.server.nextcloud = {
-    enable = mkOption {
-      description = "Setup nextcloud server";
-      type = types.bool;
-      default = false;
-    };
-    adminUser = mkOption {
-      description = "Admin user";
-      type = types.str;
-      default = "schererleander";
-    };
-    adminPassFile = mkOption {
-      description = "Admin user key file";
-      type = types.str;
-      default = "/etc/nextcloud-admin-pass";
-    };
-    hostName = mkOption {
-      description = "Nextcloud hostname";
-      type = types.str;
-      default = "cloud.schererleander.de";
-    };
-    backup = mkOption {
-      description = "enable borgbase backups";
-      type = types.bool;
-      default = true;
-    };
-    jail = mkOption {
-      description = "setup fail2ban jail";
-      type = types.bool;
-      default = config.nx.server.fail2ban.enable;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.nextcloud = {
-      enable = true;
-      package = pkgs.nextcloud32;
-      hostName = cfg.hostName;
-      https = true;
-      database.createLocally = true;
-      maxUploadSize = "16G";
-      config = {
-        dbtype = "mysql";
-        adminuser = cfg.adminUser;
-        adminpassFile = cfg.adminPassFile;
-      };
-      settings = {
-        maintenance_window_start = 2; # 02:00
-        default_phone_region = "de";
-        overwriteProtocol = "https";
-        trusted_domains = [ cfg.hostName ];
-        logtimezone = config.nx.server.timeZone;
-        log_type = "file";
-      };
-      phpOptions."opcache.interned_strings_buffer" = "64";
-    };
-
-    services.nginx.virtualHosts = mkIf ((config.nx.server.nginx or { }).enable or false) {
-      "${cfg.hostName}" = {
-        forceSSL = true;
-        sslCertificate = config.nx.server.nginx.sslCertificate;
-        sslCertificateKey = config.nx.server.nginx.sslCertificateKey;
-      };
-    };
-
-    services.borgbackup.jobs.nextcloud = mkIf cfg.backup {
-      paths = [
-        "/var/lib/nextcloud"
-        "/var/lib/backup/nextcloud/db"
-      ];
-      repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo";
-      encryption.mode = "none";
-      environment = {
-        BORG_RSH = "ssh -i /home/${username}/.ssh/borgbase-nextcloud -o StrictHostKeyChecking=accept-new";
-        TMPDIR = "/var/tmp";
-      };
-      compression = "auto,lzma";
-      startAt = "daily";
-      readWritePaths = [
-        "/var/lib/backup"
-        "/var/lib/nextcloud"
-      ];
-      preHook = ''
-        set -euo pipefail
-        INSTALL="${pkgs.coreutils}/bin/install"
-        FIND="${pkgs.findutils}/bin/find"
-        MYSQLDUMP="${pkgs.mariadb.client}/bin/mysql-dump"
-        GZIP="${pkgs.gzip}/bin/gzip"
-        OCC="${lib.getExe config.services.nextcloud.occ}"
-
-        # This command requires write access to /var/lib/backup.
-        $INSTALL -d -m 0750 -o root -g root /var/lib/backup/nextcloud/db
-
-        trap "$OCC maintenance:mode --off >/dev/null 2>&1 || true" EXIT
-
-        $OCC maintenance:mode --on
-
-        # Make a consistent database dump without locking the site.
-        $MYSQLDUMP --single-transaction --quick --lock-tables=false --databases nextcloud \
-          | $GZIP -c > /var/lib/backup/nextcloud/db/nextcloud-$(date +%F-%H%M%S).sql.gz
-
-        # Delete local dump files older than 14 days.
-        $FIND /var/lib/backup/nextcloud/db -type f -name "*.sql.gz" -mtime +14 -delete || true
-      '';
-      postHook = ''
-        set -euo pipefail
-        ${lib.getExe config.services.nextcloud.occ} maintenance:mode --off || true
-      '';
-    };
-
-    services.fail2ban = mkIf cfg.jail {
-      jails = {
-        nextcloud = {
-          enabled = true;
-          settings = {
-            backend = "systemd";
-            journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
-            # END modification to work with syslog instead of logile
-            port = 443;
-            protocol = "tcp";
-            filter = "nextcloud";
-            maxretry = 3;
-            bantime = 86400;
-            findtime = 43200;
-          };
-        };
-      };
-    };
-
-    environment.etc = mkIf cfg.jail {
-      # Adapted failregex for syslogs
-      "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault (
-        pkgs.lib.mkAfter ''
-          [Definition]
-          _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
-          failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
-                        ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
-          datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
-        ''
-      );
-    };
-  };
-}
diff --git a/modules/hosts/server/nginx/default.nix b/modules/hosts/server/nginx/default.nix
deleted file mode 100644
index 438ab49..0000000
--- a/modules/hosts/server/nginx/default.nix
+++ /dev/null
@@ -1,56 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  cfg = config.nx.server.nginx;
-  inherit (lib) mkOption types mkIf;
-in
-{
-  options.nx.server.nginx = {
-    enable = mkOption {
-      description = "Setup nginx reverse proxy";
-      type = types.bool;
-      default = true;
-    };
-    hostName = mkOption {
-      description = "url of server";
-      type = types.str;
-      default = "schererleander.de";
-    };
-    sslCertificate = mkOption {
-      description = "ssl certificate to use";
-      type = types.nullOr types.str;
-      default = "/etc/ssl/${cfg.hostName}/fullchain.pem";
-    };
-    sslCertificateKey = mkOption {
-      description = "ssl certificate key to use";
-      type = types.nullOr types.str;
-      default = "/etc/ssl/${cfg.hostName}/privkey.key";
-    };
-  };
-  config = mkIf cfg.enable {
-    services.nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      appendHttpConfig = ''
-        map $scheme $hsts_header {
-            https   "max-age=31536000; includeSubdomains; preload";
-        }
-        add_header Strict-Transport-Security $hsts_header;
-        #add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self';" always;
-        add_header 'Referrer-Policy' 'same-origin';
-        add_header X-Frame-Options DENY;
-        add_header X-Content-Type-Options nosniff;
-      '';
-    };
-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-  };
-}
diff --git a/modules/hosts/server/openssh/default.nix b/modules/hosts/server/openssh/default.nix
deleted file mode 100644
index fbb15db..0000000
--- a/modules/hosts/server/openssh/default.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{
-  config,
-  username,
-  lib,
-  ...
-}:
-let
-  cfg = config.nx.server.openssh;
-  inherit (lib) mkOption types mkIf;
-in
-{
-  options.nx.server.openssh = {
-    enable = mkOption {
-      description = "Setup openssh for server";
-      type = types.bool;
-      default = false;
-    };
-    port = mkOption {
-      description = "Port for openssh";
-      type = types.port;
-      default = 8693;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.openssh = {
-      enable = true;
-      ports = [ cfg.port ];
-      settings = {
-        PasswordAuthentication = false;
-        AllowUsers = [ username ];
-        X11Forwarding = false;
-        PermitRootLogin = "yes";
-      };
-    };
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
-    services.fail2ban = {
-      jails = {
-        sshd = {
-          enabled = true;
-          settings = {
-            port = 8693;
-            backend = "systemd";
-            maxretry = 4;
-            findtime = "10m";
-            bantime = "1h";
-          };
-        };
-      };
-    };
-  };
-}
diff --git a/modules/hosts/server/site/default.nix b/modules/hosts/server/site/default.nix
deleted file mode 100644
index 24807d3..0000000
--- a/modules/hosts/server/site/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
-  config,
-  lib,
-  inputs,
-  ...
-}:
-let
-  cfg = config.nx.server.site;
-  inherit (lib) mkOption types mkIf;
-in
-{
-  imports = [
-    inputs.site.nixosModules.default
-  ];
-
-  options.nx.server.site = {
-    enable = mkOption {
-      description = "Setup personal website";
-      type = types.bool;
-      default = false;
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.site = {
-      enable = true;
-      domain = "schererleander.de";
-      sslCertificate = "/etc/ssl/schererleander.de/fullchain.pem";
-      sslCertificateKey = "/etc/ssl/schererleander.de/privkey.key";
-    };
-  };
-}
author	schererleander <leander@schererleander.de>	2026-01-09 16:57:15 +0100
committer	schererleander <leander@schererleander.de>	2026-01-09 23:13:49 +0100
commit	3b5a73c436eb22e0cda59469263490705e149cb9 (patch)
tree	ae3f20ca6008b11f71247dfc6e2df8218de9b95c /modules/hosts/server
parent	ec45aae780da92e12cf82c5a32e336b14b7540ba (diff)