server services

hosts/sobotka/default.nix

@@ -33,11 +33,15 @@ in {
   imports = [
     ./hardware-configuration.nix
     ./modules.nix
+    ./server.nix
   ];
 
   boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = "/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
 
-  networking.hostName = "sobotka";
+  networking = {
+    hostName = "sobotka";
+    domain = "cnst.dev";
+  };
 
   environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
 

hosts/sobotka/modules.nix

@@ -29,7 +29,7 @@
       network = {
         enable = true;
         interfaces = {
-          "eno1" = {
+          "enp6s0" = {
             allowedTCPPorts = [22 80 443];
           };
         };

hosts/sobotka/server.nix

@@ -0,0 +1,10 @@
+{
+  server = {
+    caddy = {
+      enable = true;
+    };
+    vaultwarden = {
+      enable = true;
+    };
+  };
+}

modules/default.nix

@@ -117,6 +117,12 @@
         ./nixos/system/xdg
       ];
     };
+    server = {
+      imports = [
+        ./server/caddy
+        ./server/vaultwarden
+      ];
+    };
     options = {
       imports = [
         ./options/accounts

modules/server/caddy/default.nix

@@ -0,0 +1,27 @@
+{
+  self,
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf mkEnableOption;
+  cfg = config.server.caddy;
+in {
+  options = {
+    server.caddy.enable = mkEnableOption "Enables caddy";
+  };
+  config = mkIf cfg.enable {
+    networking.firewall = let
+      ports = [80 443];
+    in {
+      allowedTCPPorts = ports;
+      allowedUDPPorts = ports;
+    };
+
+    services.caddy = {
+      enable = true;
+      # package = self.packages.${pkgs.system}.caddy-with-plugins;
+    };
+  };
+}

modules/server/vaultwarden/default.nix

@@ -0,0 +1,66 @@
+# yanked from @fufexan
+{
+  config,
+  self,
+  lib,
+  ...
+}: let
+  inherit (config.networking) domain;
+  inherit (lib) mkIf mkEnableOption;
+  vcfg = config.services.vaultwarden.config;
+  cfg = config.server.vaultwarden;
+in {
+  options = {
+    home.server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
+  };
+  config = mkIf cfg.enable {
+    age.secrets.vaultwarden-env = {
+      file = "${self}/secrets/vaultwarden-env.age";
+      owner = "vaultwarden";
+      mode = "400";
+    };
+
+    # allow SMTP
+    # networking.firewall.allowedTCPPorts = [587];
+
+    # this forces the system to create backup folder
+    systemd.services.backup-vaultwarden.serviceConfig = {
+      User = "root";
+      Group = "root";
+    };
+
+    services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
+      encode zstd gzip
+      reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
+        # Use this instead, if using Cloudflare's proxy
+        # header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
+      }
+    '';
+
+    services.vaultwarden = {
+      enable = true;
+      environmentFile = config.age.secrets.vaultwarden-env.path;
+
+      backupDir = "/var/backup/vaultwarden";
+
+      config = {
+        DOMAIN = "https://vault.${domain}";
+        SIGNUPS_ALLOWED = false;
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+
+        extendedLogging = true;
+        invitationsAllowed = false;
+        showPasswordHint = false;
+
+        useSyslog = true;
+        logLevel = "warn";
+
+        signupsAllowed = false;
+        signupsDomainsWhitelist = domain;
+        signupsVerify = true;
+      };
+    };
+  };
+}