diff --git a/hosts/sobotka/default.nix b/hosts/sobotka/default.nix
index d6eb51d1..b262544f 100644
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -33,11 +33,15 @@ in {
 imports = [
 ./hardware-configuration.nix
 ./modules.nix
+ ./server.nix
 ];
 boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = "/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
- networking.hostName = "sobotka";
+ networking = {
+ hostName = "sobotka";
+ domain = "cnst.dev";
+ };
 environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
diff --git a/hosts/sobotka/modules.nix b/hosts/sobotka/modules.nix
index f1c3759f..1670cbde 100644
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -29,7 +29,7 @@
 network = {
 enable = true;
 interfaces = {
- "eno1" = {
+ "enp6s0" = {
 allowedTCPPorts = [22 80 443];
 };
 };
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
new file mode 100644
index 00000000..9f93bdf7
--- /dev/null
+++ b/hosts/sobotka/server.nix
@@ -0,0 +1,10 @@
+{
+ server = {
+ caddy = {
+ enable = true;
+ };
+ vaultwarden = {
+ enable = true;
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
index 2a062b0f..0633f6e4 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -117,6 +117,12 @@
 ./nixos/system/xdg
 ];
 };
+ server = {
+ imports = [
+ ./server/caddy
+ ./server/vaultwarden
+ ];
+ };
 options = {
 imports = [
 ./options/accounts
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
new file mode 100644
index 00000000..57a14dba
--- /dev/null
+++ b/modules/server/caddy/default.nix
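Review bot: `server.vaultwarden.enable = true;` in hosts/sobotka/server.nix has no matching option declaration: modules/server/vaultwarden/default.nix declares `home.server.vaultwarden.enable` while its own `cfg = config.server.vaultwarden;` reads the `server.*` path this file sets, so evaluation should fail on the undefined option (or, if a `home.server` namespace exists elsewhere in the repo, the flag would be accepted there and silently never enable anything). The fix belongs in the vaultwarden module, where the declaration should read `server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";`, matching `server.caddy.enable` in the caddy module added in this same commit.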
@@ -0,0 +1,27 @@
+{
+ self,
+ pkgs,
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib) mkIf mkEnableOption;
+ cfg = config.server.caddy;
+in {
+ options = {
+ server.caddy.enable = mkEnableOption "Enables caddy";
+ };
+ config = mkIf cfg.enable {
+ networking.firewall = let
+ ports = [80 443];
+ in {
+ allowedTCPPorts = ports;
+ allowedUDPPorts = ports;
+ };
+
+ services.caddy = {
+ enable = true;
+ # package = self.packages.${pkgs.system}.caddy-with-plugins;
+ };
+ };
+}
diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
new file mode 100644
index 00000000..840ceae6
--- /dev/null
+++ b/modules/server/vaultwarden/default.nix
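Review bot: The firewall block opens 80 and 443 on every interface, since `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` are global, which makes the per-interface `allowedTCPPorts = [22 80 443]` on enp6s0 in hosts/sobotka/modules.nix redundant for those two ports and means any interface added later (VPN, container bridge) exposes Caddy as well; if interface scoping was the intent, these belong under `networking.firewall.interfaces.<name>` instead, otherwise a comment stating that global exposure is intended would help. The UDP entries are presumably for HTTP/3, which is not stated anywhere — a one-liner such as `# UDP on 80/443: HTTP/3 (QUIC)` above the `let` would save the next reader from guessing. `self` and `pkgs` are taken as module arguments but only referenced in the commented-out `package` line, so they can be dropped until that override is reinstated.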
@@ -0,0 +1,66 @@
+# yanked from @fufexan
+{
+ config,
+ self,
+ lib,
+ ...
+}: let
+ inherit (config.networking) domain;
+ inherit (lib) mkIf mkEnableOption;
+ vcfg = config.services.vaultwarden.config;
+ cfg = config.server.vaultwarden;
+in {
+ options = {
+ home.server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
+ };
+ config = mkIf cfg.enable {
+ age.secrets.vaultwarden-env = {
+ file = "${self}/secrets/vaultwarden-env.age";
+ owner = "vaultwarden";
+ mode = "400";
+ };
+
+ # allow SMTP
+ # networking.firewall.allowedTCPPorts = [587];
+
+ # this forces the system to create backup folder
+ systemd.services.backup-vaultwarden.serviceConfig = {
+ User = "root";
+ Group = "root";
+ };
+
+ services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
+ header_up X-Real-IP {remote_host}
+ # Use this instead, if using Cloudflare's proxy
+ # header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
+ }
+ '';
+
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = config.age.secrets.vaultwarden-env.path;
+
+ backupDir = "/var/backup/vaultwarden";
+
+ config = {
+ DOMAIN = "https://vault.${domain}";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+
+ extendedLogging = true;
+ invitationsAllowed = false;
+ showPasswordHint = false;
+
+ useSyslog = true;
+ logLevel = "warn";
+
+ signupsAllowed = false;
+ signupsDomainsWhitelist = domain;
+ signupsVerify = true;
+ };
+ };
+ };
+}
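Review bot: `signupsDomainsWhitelist = domain;` reopens the registration that the surrounding keys close: vaultwarden documents SIGNUPS_DOMAINS_WHITELIST as allowing signups from the listed e-mail domains even when SIGNUPS_ALLOWED is false, so anyone who can receive mail at an address under cnst.dev can still create an account on this instance. If invite-only is the intent, drop that line together with the duplicate `signupsAllowed = false;` (the NixOS module maps the camelCase key to the same SIGNUPS_ALLOWED variable as the uppercase one above it); if domain-restricted self-signup is intended, keep it and say so, e.g. `# whitelist overrides SIGNUPS_ALLOWED: users with mail under ${domain} may self-register`. `signupsVerify = true` only protects accounts if SMTP is configured, and nothing in this module does that beyond the commented-out port 587 line — presumably the SMTP settings live in the age-encrypted env file, which is worth confirming. Separately, the Caddy virtual host is hardcoded as `"vault.cnst.dev"` while DOMAIN is built from `${domain}`; writing it as `services.caddy.virtualHosts."vault.${domain}".extraConfig` keeps the proxy hostname and the advertised DOMAIN from drifting apart.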