| author | schererleander <leander@schererleander.de> | 2026-02-03 17:55:59 +0100 |
|---|---|---|
| committer | schererleander <leander@schererleander.de> | 2026-02-03 17:59:00 +0100 |
| commit | a88204fbc9ddec3474186bc5a3f3c573ee787289 (patch) | |
| tree | 71be63c1ebb33efcec2c65c3390ae7fadcf333db /modules/nixos | |
| parent | fca85a013c9f0d209a4b524f1eaef3f36e7029e3 (diff) | |
refactor(module): simplify modules and integrate sops-nix
Diffstat (limited to 'modules/nixos')
| -rw-r--r-- | modules/nixos/server/fail2ban/default.nix | 25 | ||||
| -rw-r--r-- | modules/nixos/server/nextcloud/default.nix | 81 | ||||
| -rw-r--r-- | modules/nixos/server/openssh/default.nix | 21 |
3 files changed, 41 insertions, 86 deletions
diff --git a/modules/nixos/server/fail2ban/default.nix b/modules/nixos/server/fail2ban/default.nix
deleted file mode 100644
index 21020b5..0000000
--- a/modules/nixos/server/fail2ban/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- inherit (lib) mkEnableOption mkOption types mkIf;
- cfg = config.nx.server.fail2ban;
-in
-{
- options.nx.server.fail2ban = {
- enable = mkEnableOption "fail2ban service";
- bantime = mkOption {
- description = "default bantime";
- type = types.str;
- default = "1h";
- };
- };
- config = mkIf cfg.enable {
- services.fail2ban = {
- enable = true;
- bantime = cfg.bantime;
- };
- };
-}
diff --git a/modules/nixos/server/nextcloud/default.nix b/modules/nixos/server/nextcloud/default.nix
index 7325c92..db665cf 100644
--- a/modules/nixos/server/nextcloud/default.nix
+++ b/modules/nixos/server/nextcloud/default.nix
@@ -5,89 +5,76 @@
 ...
 }:
 let
- inherit (lib) mkEnableOption mkOption types mkIf;
+ inherit (lib) mkEnableOption mkIf;
 cfg = config.nx.server.nextcloud;
 in
 {
 options.nx.server.nextcloud = {
 enable = mkEnableOption "Nextcloud server";
- user = mkOption {
- description = "System user for paths like SSH keys";
- type = types.str;
- };
- adminUser = mkOption {
- description = "Admin user";
- type = types.str;
- default = "schererleander";
- };
- adminPassFile = mkOption {
- description = "Admin user key file";
- type = types.str;
- default = "/etc/nextcloud-admin-pass";
- };
- hostName = mkOption {
- description = "Nextcloud hostname";
- type = types.str;
- default = "cloud.schererleander.de";
- };
- backup = mkOption {
- description = "enable borgbase backups";
- type = types.bool;
- default = true;
- };
- backupSshKeyPath = mkOption {
- description = "SSH key path for borgbase backup";
- type = types.str;
- default = "/home/${cfg.user}/.ssh/borgbase-nextcloud";
- };
- jail = mkOption {
- description = "setup fail2ban jail";
- type = types.bool;
- default = config.nx.server.fail2ban.enable;
- };
 };
 config = mkIf cfg.enable {
 services.nextcloud = {
 enable = true;
 package = pkgs.nextcloud32;
- hostName = cfg.hostName;
+ hostName = "cloud.schererleander.de";
 https = true;
 database.createLocally = true;
 maxUploadSize = "16G";
 config = {
 dbtype = "mysql";
- adminuser = cfg.adminUser;
- adminpassFile = cfg.adminPassFile;
+ adminuser = "schererleander";
+ adminpassFile = config.sops.secrets."nextcloud-admin-pass".path;
 };
 settings = {
 maintenance_window_start = 2; # 02:00
 default_phone_region = "de";
 overwriteProtocol = "https";
- trusted_domains = [ cfg.hostName ];
+ trusted_domains = [ "cloud.schererleander.de" ];
 logtimezone = config.time.timeZone;
 log_type = "file";
+ enabledPreviewProviders = [
+ # Default
+ "OC\\Preview\\BMP"
+ "OC\\Preview\\GIF"
+ "OC\\Preview\\JPEG"
+ "OC\\Preview\\Krita"
+ "OC\\Preview\\MarkDown"
+ "OC\\Preview\\OpenDocument"
+ "OC\\Preview\\PNG"
+ "OC\\Preview\\TXT"
+ "OC\\Preview\\XBitmap"
+ # Non default
+ #"OC\\Preview\\Font"
+ "OC\\Preview\\HEIC"
+ #"OC\\Preview\\MP3"
+ #"OC\\Preview\\Movie"
+ #"OC\\Preview\\PDF"
+ #"OC\\Preview\\SVG"
+ ];
 };
 phpOptions."opcache.interned_strings_buffer" = "64";
 };
 services.nginx.virtualHosts = mkIf ((config.nx.server.nginx or { }).enable or false) {
- "${cfg.hostName}" = {
+ "cloud.schererleander.de" = {
 forceSSL = true;
 sslCertificate = config.nx.server.nginx.sslCertificate;
 sslCertificateKey = config.nx.server.nginx.sslCertificateKey;
 };
 };
- services.borgbackup.jobs.nextcloud = mkIf cfg.backup {
+ services.borgbackup.jobs.nextcloud = {
 paths = [
 "/var/lib/nextcloud"
 "/var/lib/backup/nextcloud/db"
 ];
- repo = "h8xn8qvo@h8xn8qvo.repo.borgbase.com:repo";
+ repo = config.sops.secrets."borg_repo".path;
 encryption.mode = "none";
 environment = {
- BORG_RSH = "ssh -i ${cfg.backupSshKeyPath} -o StrictHostKeyChecking=accept-new";
+ BORG_RSH = "ssh -i ${
+ config.sops.secrets."borgbase_ssh_key".path
+ } -o StrictHostKeyChecking=accept-new";
 TMPDIR = "/var/tmp";
 };
 compression = "auto,lzma";
@@ -124,7 +111,9 @@ in
 '';
 };
- services.fail2ban = mkIf cfg.jail {
+ services.fail2ban = {
+ enable = true;
+ bantime = "86400";
 jails = {
 nextcloud = {
 enabled = true;
@@ -136,14 +125,13 @@ in
 protocol = "tcp";
 filter = "nextcloud";
 maxretry = 3;
- bantime = 86400;
 findtime = 43200;
 };
 };
 };
 };
- environment.etc = mkIf cfg.jail {
+ environment.etc = {
 # Adapted failregex for syslogs
 "fail2ban/filter.d/nextcloud.local".text = pkgs.lib.mkDefault (
 pkgs.lib.mkAfter ''
@@ -157,3 +145,4 @@ in
 };
 };
 }
+
diff --git a/modules/nixos/server/openssh/default.nix b/modules/nixos/server/openssh/default.nix
index 675ceaf..a56460d 100644
--- a/modules/nixos/server/openssh/default.nix
+++ b/modules/nixos/server/openssh/default.nix
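Review bot: `repo = config.sops.secrets."borg_repo".path;` in the borgbackup job of the first hunk assigns the path of the decrypted secret file (a location in the sops runtime directory), not its contents, so borg will treat that path as a local repository instead of the borgbase remote the removed line named and the job will most likely fail against a non-existent repository. The repository address is not a credential (the SSH key referenced in `BORG_RSH` is), so the simplest fix is to keep the `user@host:repo` string in this file, or else resolve the secret at run time in a hook rather than at evaluation time. `adminpassFile` and the `BORG_RSH` key path only work if the `sops.secrets` declarations (outside this hunk) set owners the nextcloud service and the backup job can read; worth confirming. Hoisting the jail's `bantime` to a global `services.fail2ban.bantime = "86400"` also collides with `services.fail2ban.bantime = "1h"` in openssh/default.nix in this same commit: both are plain string definitions, so enabling both modules on one host gives a conflicting-definition error, and the per-jail values the hunks remove (`bantime = 86400;` here, `bantime = "1h";` in the sshd jail) were the conflict-free place for them. Finally, `cloud.schererleander.de` now appears three times as a literal where `cfg.hostName` used to be; a single `let` binding would keep `hostName`, `trusted_domains` and the nginx virtualHost from drifting, and the enclosing `config = mkIf cfg.enable {` block continues past every hunk here.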
@@ -5,38 +5,30 @@
 }:
 let
- inherit (lib) mkEnableOption mkOption types mkIf;
+ inherit (lib) mkEnableOption mkIf;
 cfg = config.nx.server.openssh;
 in
 {
 options.nx.server.openssh = {
 enable = mkEnableOption "OpenSSH server";
- port = mkOption {
- description = "Port for openssh";
- type = types.port;
- default = 8693;
- };
- allowedUsers = mkOption {
- description = "Users allowed to SSH";
- type = types.listOf types.str;
- default = [ ];
- };
 };
 config = mkIf cfg.enable {
 services.openssh = {
 enable = true;
- ports = [ cfg.port ];
+ ports = [ 8693 ];
 settings = {
 PasswordAuthentication = false;
- AllowUsers = cfg.allowedUsers;
+ AllowUsers = [ ];
 X11Forwarding = false;
 PermitRootLogin = "yes";
 };
 };
- networking.firewall.allowedTCPPorts = [ cfg.port ];
+ networking.firewall.allowedTCPPorts = [ 8693 ];
 services.fail2ban = {
+ enable = true;
+ bantime = "1h";
 jails = {
 sshd = {
 enabled = true;
@@ -45,7 +37,6 @@ in
 backend = "systemd";
 maxretry = 4;
 findtime = "10m";
- bantime = "1h";
 };
 };
 }; |
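Review bot: `AllowUsers = [ ];` in the first hunk hard-codes an empty allow-list into the sshd settings, which drops the user restriction the removed `allowedUsers` option existed to carry while `PermitRootLogin = "yes"` a few lines below stays in place. Whether an empty list is rendered as a bare `AllowUsers` directive or dropped depends on the NixOS module and sshd version, but in neither case does it express a policy, so the line should either be deleted (as far as I can tell the NixOS default for this setting is null, which emits no directive) or list the intended users explicitly. The `services.fail2ban` block that receives `enable = true;` and `bantime = "1h";` continues past the end of the hunk, as does the enclosing `config = mkIf cfg.enable {` set.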
