server services

2025-07-15 15:24:33 +02:00
parent 555b11eab0
commit 378edf29a4
6 changed files with 115 additions and 2 deletions
--- a/hosts/sobotka/default.nix
+++ b/hosts/sobotka/default.nix
@@ -33,11 +33,15 @@ in {
  imports = [
    ./hardware-configuration.nix
    ./modules.nix
    ./server.nix
  ];
  boot.initrd.luks.devices."luks-47b35d4b-467a-4637-a5f9-45177da62897".device = "/dev/disk/by-uuid/47b35d4b-467a-4637-a5f9-45177da62897";
-  networking.hostName = "sobotka";
+  networking = {
    hostName = "sobotka";
    domain = "cnst.dev";
  };
  environment.variables.NH_FLAKE = "/home/cnst/.nix-config";
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -29,7 +29,7 @@
      network = {
        enable = true;
        interfaces = {
-          "eno1" = {
+          "enp6s0" = {
            allowedTCPPorts = [22 80 443];
          };
        };
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -0,0 +1,10 @@
 {
  server = {
    caddy = {
      enable = true;
    };
    vaultwarden = {
      enable = true;
    };
  };
 }
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -117,6 +117,12 @@
        ./nixos/system/xdg
      ];
    };
    server = {
      imports = [
        ./server/caddy
        ./server/vaultwarden
      ];
    };
    options = {
      imports = [
        ./options/accounts
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -0,0 +1,27 @@
 {
  self,
  pkgs,
  config,
  lib,
  ...
 }: let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.server.caddy;
 in {
  options = {
    server.caddy.enable = mkEnableOption "Enables caddy";
  };
  config = mkIf cfg.enable {
    networking.firewall = let
      ports = [80 443];
    in {
      allowedTCPPorts = ports;
      allowedUDPPorts = ports;
    };
    services.caddy = {
      enable = true;
      # package = self.packages.${pkgs.system}.caddy-with-plugins;
    };
  };
 }
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -0,0 +1,66 @@
 # yanked from @fufexan
 {
  config,
  self,
  lib,
  ...
 }: let
  inherit (config.networking) domain;
  inherit (lib) mkIf mkEnableOption;
  vcfg = config.services.vaultwarden.config;
  cfg = config.server.vaultwarden;
 in {
  options = {
    home.server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
  };
  config = mkIf cfg.enable {
    age.secrets.vaultwarden-env = {
      file = "${self}/secrets/vaultwarden-env.age";
      owner = "vaultwarden";
      mode = "400";
    };
    # allow SMTP
    # networking.firewall.allowedTCPPorts = [587];
    # this forces the system to create backup folder
    systemd.services.backup-vaultwarden.serviceConfig = {
      User = "root";
      Group = "root";
    };
    services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
      encode zstd gzip
      reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
        # Use this instead, if using Cloudflare's proxy
        # header_up X-Real-IP {http.request.header.Cf-Connecting-Ip}
      }
    '';
    services.vaultwarden = {
      enable = true;
      environmentFile = config.age.secrets.vaultwarden-env.path;
      backupDir = "/var/backup/vaultwarden";
      config = {
        DOMAIN = "https://vault.${domain}";
        SIGNUPS_ALLOWED = false;
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        extendedLogging = true;
        invitationsAllowed = false;
        showPasswordHint = false;
        useSyslog = true;
        logLevel = "warn";
        signupsAllowed = false;
        signupsDomainsWhitelist = domain;
        signupsVerify = true;
      };
    };
  };
 }