feat(MOMO): setup syncthing and vaultwarden

hosts/APPA/default.nix

@@ -13,6 +13,8 @@
   ];
 
   bchmnn = {
+    home.enable = true;
+
     git = {
       signing = {
         key = "0x7753026D577922A6";

hosts/APPA/services/adguard-home.nix

@@ -50,10 +50,6 @@
             domain = "anki.dryb.org";
             answer = "192.168.2.40";
           }
-          {
-            domain = "vaultwarden.dryb.org";
-            answer = "192.168.2.40";
-          }
           {
             domain = "paperless.dryb.org";
             answer = "192.168.2.40";
@@ -62,6 +58,22 @@
             domain = "jellyfin.dryb.org";
             answer = "192.168.2.40";
           }
+          {
+            domain = "momo.dryb.org";
+            answer = "188.245.216.128";
+          }
+          {
+            domain = "momo.dryb.org";
+            answer = "2a01:4f8:1c1e:8abc::1";
+          }
+          {
+            domain = "syncthing.dryb.org";
+            answer = "momo.dryb.org";
+          }
+          {
+            domain = "vaultwarden.dryb.org";
+            answer = "momo.dryb.org";
+          }
         ];
       };
       dhcp = {

hosts/APPA/services/default.nix

@@ -11,6 +11,5 @@
     ./nginx.nix
     ./paperless.nix
     ./postgresql.nix
-    ./vaultwarden.nix
   ];
 }

hosts/APPA/services/homepage-dashboard.nix

@@ -111,13 +111,6 @@
               icon = "si-anki";
             };
           }
-          {
-            "Vaultwarden" = {
-              description = "https://vaultwarden.dryb.org";
-              href = "https://vaultwarden.dryb.org";
-              icon = "vaultwarden";
-            };
-          }
           {
             "Paperless" = {
               description = "https://paperless.dryb.org";

hosts/APPA/services/nginx.nix

@@ -36,13 +36,6 @@
         proxyPass = "http://127.0.0.1:8004";
       };
     };
-    virtualHosts."vaultwarden.dryb.org" = {
-      useACMEHost = "dryb.org";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8005";
-      };
-    };
     virtualHosts."paperless.dryb.org" = {
       useACMEHost = "dryb.org";
       forceSSL = true;

hosts/APPA/services/postgresql.nix

@@ -5,15 +5,10 @@
     enable = true;
     ensureDatabases = [
       config.services.gitea.user
-      "vaultwarden"
       config.services.paperless.user
     ];
 
     ensureUsers = [
-      {
-        name = "vaultwarden";
-        ensureDBOwnership = true;
-      }
       {
         name = config.services.paperless.user;
         ensureDBOwnership = true;
@@ -23,14 +18,12 @@
     # type   database     DBuser  auth-method  mapping
     authentication = ''
       local  gitea        all     ident        map=gitea-users
-      local  vaultwarden  all     ident        map=vaultwarden-users
       local  paperless    all     ident        map=paperless-users
     '';
 
     # name               sysuser        dbuser
     identMap = ''
       gitea-users        gitea          gitea
-      vaultwarden-users  vaultwarden    vaultwarden
       paperless-users    paperless      paperless
     '';
   };

hosts/MOMO/default.nix

@@ -0,0 +1,38 @@
+{ ... }:
+{
+  imports = [
+    ./services
+    ./hardware.nix
+    ./network.nix
+    ../../modules
+  ];
+
+  bchmnn = {
+    network = {
+      resolved.enable = true;
+      networkd.enable = true;
+    };
+    collections = {
+      cli-utils.enable = true;
+    };
+  };
+
+  services.openssh = {
+    settings = {
+      PasswordAuthentication = false;
+    };
+  };
+
+  users.users.root = {
+    openssh = {
+      authorizedKeys = {
+        keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAOG8Sja2i6nepkEkuxYdu86XbT9vS5uniBmZifSMZ0t jacob.bachmann@posteo.de"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrE1fMXjJXI8f1mKvhLquwSsb4tvLh5Tq0n+yOakQks gandalf@appa.dryb.com"
+        ];
+      };
+    };
+  };
+
+  documentation.nixos.enable = false;
+}

hosts/MOMO/hardware.nix

@@ -0,0 +1,68 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/sda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "BOOT";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "ROOT";
+            end = "-8G";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+            };
+          };
+          plainSwap = {
+            size = "100%";
+            content = {
+              type = "swap";
+              discardPolicy = "both";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  networking.useDHCP = lib.mkDefault true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/MOMO/network.nix

@@ -0,0 +1,22 @@
+{ ... }:
+{
+  networking = {
+    hostName = "MOMO";
+    interfaces.enp1s0 = {
+      ipv6.addresses = [
+        {
+          address = "2a01:4f8:1c1e:8abc::1";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "2a01:4ff:ff00::add:1"
+      "2a01:4ff:ff00::add:2"
+    ];
+  };
+}

hosts/MOMO/services/acme.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "gendulf@posteo.de";
+  };
+}

hosts/MOMO/services/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./acme.nix
+    ./nginx.nix
+    ./postgresql.nix
+    ./syncthing.nix
+    ./vaultwarden.nix
+  ];
+}

hosts/MOMO/services/nginx.nix

@@ -0,0 +1,27 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."syncthing.dryb.org" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8384";
+      };
+    };
+    virtualHosts."vaultwarden.dryb.org" = {
+      addSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8005";
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+}

hosts/MOMO/services/postgresql.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "vaultwarden" ];
+
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
+
+    # type   database     DBuser  auth-method  mapping
+    authentication = ''
+      local  vaultwarden  all     ident        map=vaultwarden-users
+    '';
+
+    # name               sysuser        dbuser
+    identMap = ''
+      vaultwarden-users  vaultwarden    vaultwarden
+    '';
+  };
+
+}

hosts/MOMO/services/syncthing.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+  };
+}

hosts/MOMO/services/vaultwarden.nix

@@ -2,9 +2,6 @@
 {
   age.secrets.environments-vaultwarden = {
     file = ../../../secrets/environments/vaultwarden.age;
-    # mode = "640";
-    # owner = "vaultwarden";
-    # group = "vaultwarden";
   };
 
   users.users.vaultwarden = {