feat: change from namecheap to cloudflare, setup tls with acme, setup vaultwarden

2024-09-10 00:32:58 +02:00 · 2024-09-10 00:32:58 +02:00 · fd794698d3
commit fd794698d3
parent 6b55345b66
12 changed files with 118 additions and 23 deletions
--- a/hosts/APPA/services/acme.nix
+++ b/hosts/APPA/services/acme.nix
@ -0,0 +1,19 @@
+{ config, ... }:
+{
+  age.secrets.environments-acme = {
+    file = ../../../secrets/environments/acme.age;
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "gendulf@posteo.de";
+
+  security.acme.certs."dryb.org" = {
+    domain = "dryb.org";
+    extraDomainNames = [ "*.dryb.org" ];
+    dnsProvider = "cloudflare";
+    dnsPropagationCheck = true;
+    credentialsFile = config.age.secrets.environments-acme.path;
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+}
--- a/hosts/APPA/services/adguard-home.nix
+++ b/hosts/APPA/services/adguard-home.nix
@ -46,6 +46,10 @@
            domain = "anki.dryb.org";
            answer = "192.168.2.40";
          }
+          {
+            domain = "vaultwarden.dryb.org";
+            answer = "192.168.2.40";
+          }
        ];
      };
      dhcp = {
--- a/hosts/APPA/services/ddclient.nix
+++ b/hosts/APPA/services/ddclient.nix
@ -1,7 +1,7 @@
 { config, ... }:
 {
-  age.secrets.passwords-ddclient-namecheap = {
-    file = ../../../secrets/passwords/ddclient/namecheap.age;
+  age.secrets.passwords-ddclient-cloudflare = {
+    file = ../../../secrets/passwords/ddclient/cloudflare.age;
  };

  services.ddclient = {
@ -11,11 +11,10 @@
      usev4=webv4, webv4=ifconfig.me
      usev6=disabled
    '';
-    protocol = "namecheap";
-    server = "dynamicdns.park-your-domain.com";
-    username = "dryb.org";
-    passwordFile = config.age.secrets.passwords-ddclient-namecheap.path;
-    domains = [ "vpn" ];
+    protocol = "cloudflare";
+    zone = "dryb.org";
+    passwordFile = config.age.secrets.passwords-ddclient-cloudflare.path;
+    domains = [ "vpn.dryb.org" ];
    interval = "10min";
  };
 }
--- a/hosts/APPA/services/default.nix
+++ b/hosts/APPA/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
+    ./acme.nix
    ./adguard-home.nix
    ./anki.nix
    ./ddclient.nix
@ -7,5 +8,6 @@
    ./homepage-dashboard.nix
    ./nginx.nix
    ./postgresql.nix
+    ./vaultwarden.nix
  ];
 }
--- a/hosts/APPA/services/nginx.nix
+++ b/hosts/APPA/services/nginx.nix
@ -3,28 +3,46 @@
  services.nginx = {
    enable = true;
    virtualHosts."dryb.org" = {
+      useACMEHost = "dryb.org";
+      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8002";
      };
    };
    virtualHosts."adguard.dryb.org" = {
+      useACMEHost = "dryb.org";
+      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8001";
      };
    };
    virtualHosts."${config.services.gitea.domain}" = {
+      useACMEHost = "dryb.org";
+      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8003";
      };
    };
    virtualHosts."anki.dryb.org" = {
+      useACMEHost = "dryb.org";
+      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:8004";
      };
    };
+    virtualHosts."vaultwarden.dryb.org" = {
+      useACMEHost = "dryb.org";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8005";
+      };
+    };
  };

  networking.firewall = {
-    allowedTCPPorts = [ 80 ];
+    allowedTCPPorts = [
+      80
+      443
+    ];
  };
 }
--- a/hosts/APPA/services/postgresql.nix
+++ b/hosts/APPA/services/postgresql.nix
@ -3,16 +3,28 @@

  services.postgresql = {
    enable = true;
-    ensureDatabases = [ config.services.gitea.user ];
+    ensureDatabases = [
+      config.services.gitea.user
+      "vaultwarden"
+    ];

-    # type   database  DBuser  auth-method  mapping
+    ensureUsers = [
+      {
+        name = "vaultwarden";
+        ensureDBOwnership = true;
+      }
+    ];
+
+    # type   database     DBuser  auth-method  mapping
    authentication = ''
-      local  gitea     all     ident        map=gitea-users
+      local  gitea        all     ident        map=gitea-users
+      local  vaultwarden  all     ident        map=vaultwarden-users
    '';

-    # name         sysuser  dbuser
+    # name               sysuser        dbuser
    identMap = ''
-      gitea-users  gitea    gitea
+      gitea-users        gitea          gitea
+      vaultwarden-users  vaultwarden    vaultwarden
    '';
  };

--- a/hosts/APPA/services/vaultwarden.nix
+++ b/hosts/APPA/services/vaultwarden.nix
@ -0,0 +1,30 @@
+{ config, ... }:
+{
+  age.secrets.environments-vaultwarden = {
+    file = ../../../secrets/environments/vaultwarden.age;
+    # mode = "640";
+    # owner = "vaultwarden";
+    # group = "vaultwarden";
+  };
+
+  users.users.vaultwarden = {
+    description = "Vaultwarden Service";
+    home = "/var/lib/bitwarden_rs";
+    useDefaultShell = true;
+    isSystemUser = true;
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.age.secrets.environments-vaultwarden.path;
+    config = {
+      DOMAIN = "http://vaultwarden.dryb.org";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8005;
+      DATABASE_URL = "postgresql:///vaultwarden";
+      WEB_VAULT_ENABLED = true;
+    };
+  };
+}
--- a/secrets/environments/acme.age
+++ b/secrets/environments/acme.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 OFTJeQ lVjtEgBSiaW7WAGHK0LzsK5xas+TLs0neuU7TGAj+nE
+uV9vlgEXhYCn47teXi/OFKeZo+YpGKZphgmAt0SlBFU
+-> ssh-ed25519 lfMVeg +/4LvBwWhj8ESgP6BTDjvLj1mFf66s9ZOdV3onK20xk
+ScCG+j82nhTlXco6cI+NWwWwDGrhJiN0k9GnqaNEO0s
+-> ssh-ed25519 ueRyzQ 7RT3y7YHnvZAaBJhNP6DlA679teJXKs7UjshdCoxwT4
+ck/IxyklPcnWXXLVXjq9b/90GB/EeQNWt3eg5uBD0CM
+--- bW7WQun8Ku8Br1e23N1lFCRwY+N3j/nCbtgeL1AbMqg
+b
„óQéf/OOJš•‰F¼aw|b™ÖüþÉ3<C389>Ò9´“ÙÛ0|%	ýQ¥¢ßOføÛ<C2AD>VrMEG<45>ÃNÏ–šO7)µ—§©“RWŒ;<3B>œéú¼uw¹µž¬‰ä0<C3A4>IÔhbò&
--- a/secrets/environments/vaultwarden.age
+++ b/secrets/environments/vaultwarden.age
--- a/secrets/passwords/ddclient/cloudflare.age
+++ b/secrets/passwords/ddclient/cloudflare.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s
+vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50
+-> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw
+hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q
+-> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig
+qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0
+--- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk
+Öþ}”ñEuKôh§°<}gîÃ×£§¸£“)íNGñxž©˜³Mß£‘{*$ g`)?õrNýFò*ˆ(„é„Ìw	'i
--- a/secrets/passwords/ddclient/namecheap.age
+++ b/secrets/passwords/ddclient/namecheap.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 OFTJeQ /4VkgBRfkeDWGyydiC0UWnRldkkweIS3kQWiyazW30w
-FogoQsMtbjc0gUTGeMdoFTV0CZPv051x3qhRxYvGp+Q
-> ssh-ed25519 lfMVeg tYYo7I8FawLwBrdTWtjDV/4hzhrUFlGZTAM5Hp8mtRE
-JEcLpEKgppWVrlUEvL+arvWBL7/6sVhW/ErXZRkzfIA
-> ssh-ed25519 ueRyzQ wTI3u3XtBoTKargoSn+HWl9HQTZzXjCEnLGQRSCmVUE
-+9ovukCRRZ3FO+uuPjdWWvUQBfTyW2NfDpEFkaTVBZE
--- VpOsD2Mzrb/jWQVu9wLlTSiUZNbpBmD9ISDLtbivuO0
-b<Ý+YŸûh–<68>•('3[“KN3:ˆ]Ö¦Uklÿ9¯êGà]”ÐR•ÂÃö,çêt}4)œ%Ñî=«Í#¾
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,7 +19,9 @@ let
  ];
 in
 {
+  "environments/acme.age".publicKeys = users ++ [ APPA ];
+  "environments/vaultwarden.age".publicKeys = users ++ [ APPA ];
  "passwords/gitea/db.age".publicKeys = users ++ [ APPA ];
  "passwords/anki/admin.age".publicKeys = users ++ [ APPA ];
-  "passwords/ddclient/namecheap.age".publicKeys = users ++ [ APPA ];
+  "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ];
 }