refactor: streamline core modules into dedicated folder

modules/core/bacula.nix

@@ -0,0 +1,43 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets = {
+    "bacula/password".owner = "bacula";
+    "bacula/keypair".owner = "bacula";
+    "bacula/masterkey".owner = "bacula";
+  };
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr 10.144.0.11 tcp dport ${builtins.toString config.services.bacula-fd.port} accept comment "Only allow Bacula access from Abel"
+    '';
+  };
+  services.bacula-fd = {
+    enable = true;
+    name = "ifsr-quitte";
+    extraClientConfig = ''
+      Maximum Concurrent Jobs = 20
+      FDAddress = 141.30.30.169
+      PKI Signatures = Yes
+      PKI Encryption = Yes
+      PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
+      PKI Master Key = ${config.sops.secrets."bacula/masterkey".path}
+    '';
+    extraMessagesConfig = ''
+      director = abel-dir = all, !skipped, !restored
+      mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
+      mail = root+backup = all, !skipped
+    '';
+    director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
+  };
+  environment.etc."bacula/bconsole.conf".text = ''
+    Director {
+      Name = abel-dir
+      DIRport = 9101
+      address = 10.144.0.11
+      Password = @${config.sops.secrets."bacula/password".path}
+    }
+    Console {
+      Name = ifsr-quitte-console
+      Password = @${config.sops.secrets."bacula/password".path}
+    }
+  '';
+}

modules/core/base.nix

@@ -0,0 +1,112 @@
+{ pkgs, config, ... }: {
+  nix = {
+    package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
+    extraOptions = ''
+      experimental-features = nix-command flakes
+    '';
+  };
+
+  system.activationScripts.report-nixos-changes = ''
+    if [ -e /run/current-system ] && [ -e $systemConfig ]; then
+      echo System package diff:
+      ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
+    fi
+
+    NO_FORMAT="\033[0m"
+    F_BOLD="\033[1m"
+    C_RED="\033[38;5;9m"
+    ${pkgs.diffutils}/bin/cmp --silent \
+      <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) \
+      <(readlink /run/current-system/{initrd,kernel,kernel-modules}) \
+      || echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}"
+  '';
+
+  # Select internationalisation properties.
+  console = {
+    #font = "Lat2-Terminus16";
+    font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+    keyMap = pkgs.lib.mkForce "uk";
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  programs.mosh.enable = true;
+
+  # vs code server
+  services.vscode-server.enable = true;
+
+  # set root ssh keys
+  users.users.root.openssh.authorizedKeys = {
+    keys = [
+      # RSA keys go into keyFiles because they're shamefully long
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS8xkNH7JvKblekx5oel4HVKCz3uBbQYEaR9Z9nzTAr manuel@ifsr.de"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINogGKyXieCXQvVTa1z3ArS1TlqcVl2sSqvMpOjQo/Um jakob@krbs.me"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjNYNRBsY/Dc+/XOaGDui9tRa4VGPsHwYo3irGnMRbR felix@tycho"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdOcXORg+akeN2t3yZlKWdoTURKxtV29eQ7UrIMkCHv felix@entropy"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH73n+ZfJqNzIh9rPh6JYQaI4OAw9WKkPeqj2XRFmRfQ pascal@ifsr.de"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmb1kv+7HU1QKE53+gNxUhrggbwomC40Xjxd9hACkoo bennofs@d-cube"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0X6L7NwTHiOmFzo8mJBCy6H+DKUePAAXU4amm32DAQ fugi@arch"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHD1ZkrAmC9g5eJPDgv4zuEM+UIIEWromDzM1ltHt4TM fugi@macbook"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICBtP2ltExnQL5llOvfSKp6OCZKbPWsa2s6P0i00XyrH helene_emilia.hausmann@mailbox.tu-dresden.de"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
+      "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
+    ];
+    keyFiles = [
+      ../../keys/ssh/marcus-sapphire
+      ../../keys/ssh/schrader
+      ../../keys/ssh/jannusch
+      ../../keys/ssh/jannusch-arch
+      ../../keys/ssh/tassilo
+      ../../keys/ssh/jonasga
+      ../../keys/ssh/rouven
+      ../../keys/ssh/joachim
+    ];
+  };
+
+  time.timeZone = "Europe/Berlin";
+
+  # basic shell & editor
+  programs.vim.defaultEditor = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    atop
+    btop
+    bat
+    git
+    htop
+    fd
+    ripgrep
+    tldr
+    tmux
+    usbutils
+    wget
+    neovim
+    helix
+    nmap
+    tcpdump
+    bat
+    dig
+    ethtool
+    iftop
+    ipcalc
+    iperf3
+    ipv6calc
+    lsof
+    ltrace
+    strace
+    mtr
+    traceroute
+    smartmontools
+    sysstat
+    tree
+    whois
+    eza
+    zsh
+    unzip
+  ];
+}
+

modules/core/default.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  imports = [
+    ./base.nix
+    ./bacula.nix
+    ./fail2ban.nix
+    ./initrd-ssh.nix
+    ./mysql.nix
+    ./nginx.nix
+    ./postgres.nix
+    ./sssd.nix
+    ./zsh.nix
+  ];
+}

modules/core/fail2ban.nix

@@ -0,0 +1,27 @@
+{ ... }:
+{
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      "141.30.0.0/16"
+      "141.76.0.0/16"
+    ];
+    bantime-increment = {
+      enable = true;
+    };
+
+    jails = {
+      dovecot = ''
+        enabled = true
+        # aggressive mode to add blocking for aborted connections
+        filter = dovecot[mode=aggressive]
+        maxretry = 3
+      '';
+      postfix = ''
+        enabled = true
+        filter = postfix[mode=aggressive]
+        maxretry = 3
+      '';
+    };
+  };
+}

modules/core/initrd-ssh.nix

@@ -0,0 +1,28 @@
+# Find the required kernel module for the network adapter using `lspci -v` and add it to `boot.initrd.availableKernelModules`.
+# Enable `networking.useDHCP` or set a static ip using the `ip=` kernel parameter.
+# Generate another SSH host key for the machine:
+# $ ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key_initrd -C HOSTNAME-initrd
+# Add the public key to your known_hosts and create an ssh config entry.
+{ config, ... }:
+{
+  boot.initrd = {
+    systemd = {
+      enable = true;
+      network = {
+        enable = true;
+        networks."10-wired-default" = config.systemd.network.networks."10-wired-default";
+      };
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
+    };
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        port = 222;
+        hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ];
+        # authorizedKeys option inherits root's authorizedKeys.keys, but not keyFiles
+      };
+    };
+  };
+}
+

modules/core/mysql.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    settings.mysqld.bind_address = "127.0.0.1";
+  };
+  services.mysqlBackup = {
+    enable = true;
+    user = "mysql";
+    location = "/var/lib/backup/mysql";
+    databases = [
+      "decisions"
+      "fsrewsp"
+      "nightline"
+      "wiki_ese"
+      "wiki_vernetzung"
+    ];
+  };
+}

modules/core/nginx.nix

@@ -0,0 +1,55 @@
+{ lib, config, pkgs, ... }:
+{
+  # set default options for virtualHosts
+  options = with lib; {
+    services.nginx.virtualHosts = mkOption {
+      type = types.attrsOf (types.submodule
+        ({ name, ... }: {
+          # split up nginx access logs per vhost
+          extraConfig = ''
+            access_log /var/log/nginx/${name}_access.log;
+            error_log /var/log/nginx/${name}_error.log;
+          '';
+        })
+      );
+    };
+  };
+
+  config = {
+    services.nginx = {
+      additionalModules = [ pkgs.nginxModules.pam ];
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+
+      # appendHttpConfig = ''
+      #   map $remote_addr $remote_addr_anon {
+      #            ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
+      #            ~(?P<ip>[^:]+:[^:]+):       $ip::;
+      #            # IP addresses to not anonymize
+      #            127.0.0.1                   $remote_addr;
+      #            ::1                         $remote_addr;
+      #            default                     0.0.0.0;
+      #   }
+      #   log_format  anon_ip   '$remote_addr_anon - $remote_user [$time_local] "$request" '
+      #                         '$status $body_bytes_sent "$http_referer" '
+      #                         '"$http_user_agent" "$http_x_forwarded_for"';
+
+      #   access_log  /var/log/nginx/access.log  anon_ip;
+      # '';
+    };
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+        email = "root@${config.networking.domain}";
+      };
+    };
+    security.pam.services.nginx.text = ''
+      auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+      account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+    '';
+  };
+}

modules/core/postgres.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+  # automatically back up all databases
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/backup/postgresql";
+    databases = [
+      "directus_ese"
+      "course-management"
+      "git"
+      "hedgedoc"
+      "matrix-synapse"
+      "mautrix-telegram"
+      "mediawiki"
+      "nextcloud"
+      "postgres"
+      "sogo"
+      "vaultwarden"
+      "mailman"
+      "mailman-web"
+      "zammad"
+    ];
+  };
+
+  services.postgresql.settings.max_connections = 1000;
+}

modules/core/sssd.nix

@@ -0,0 +1,41 @@
+{ config, ... }:
+{
+  sops.secrets = {
+    "sssd/env" = { };
+
+  };
+  services.sssd = {
+    enable = true;
+    environmentFile = config.sops.secrets."sssd/env".path;
+    sshAuthorizedKeysIntegration = true;
+    config = ''
+      [sssd]
+      config_file_version = 2
+      services = nss, pam, ssh
+      domains = ldap
+
+      [ssh]
+
+      [nss]
+
+      [pam]
+
+      [domain/ldap]
+      auth_provider = ldap
+      ldap_uri = ldaps://auth.ifsr.de
+      ldap_default_authtok_type = password
+      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
+      ldap_search_base = dc=ifsr,dc=de
+      id_provider = ldap
+      ldap_default_bind_dn = uid=search,ou=users,dc=ifsr,dc=de
+      cache_credentials = True
+      ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
+      ldap_tls_reqcert = hard
+    '';
+
+  };
+  security.pam.services = {
+    sshd.makeHomeDir = true;
+    login.makeHomeDir = true;
+  };
+}

modules/core/zsh.nix

@@ -0,0 +1,34 @@
+{ lib, pkgs, ... }:
+{
+  programs.command-not-found.enable = false;
+  programs.nix-index-database.comma.enable = true;
+  environment.systemPackages = with pkgs; [
+    # fzf
+    bat
+    duf
+  ];
+  programs.fzf = {
+    keybindings = true;
+  };
+  programs.zsh = {
+    enable = true;
+    autosuggestions = {
+      enable = true;
+      highlightStyle = "fg=#00bbbb,bold";
+    };
+
+    # don't override agdsn-zsh-config aliases
+    shellAliases = lib.mkForce { };
+
+    shellInit = ''
+      zsh-newuser-install () {}
+    '';
+    interactiveShellInit = ''
+      source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
+      HW_CONF_ALIASES_GIT_AUTHOR_REMINDER=0
+      source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc
+    '';
+    promptInit = "";
+  };
+}
+