diff --git a/hosts/APPA/services/acme.nix b/hosts/APPA/services/acme.nix
new file mode 100644
index 0000000..090f927
--- /dev/null
+++ b/hosts/APPA/services/acme.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+ age.secrets.environments-acme = {
+ file = ../../../secrets/environments/acme.age;
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "gendulf@posteo.de";
+
+ security.acme.certs."dryb.org" = {
+ domain = "dryb.org";
+ extraDomainNames = [ "*.dryb.org" ];
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ credentialsFile = config.age.secrets.environments-acme.path;
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+}
diff --git a/hosts/APPA/services/adguard-home.nix b/hosts/APPA/services/adguard-home.nix
index 6355a39..c5cf9e5 100644
--- a/hosts/APPA/services/adguard-home.nix
+++ b/hosts/APPA/services/adguard-home.nix
@@ -46,6 +46,10 @@
 domain = "anki.dryb.org";
 answer = "192.168.2.40";
 }
+ {
+ domain = "vaultwarden.dryb.org";
+ answer = "192.168.2.40";
+ }
 ];
 };
 dhcp = {
diff --git a/hosts/APPA/services/ddclient.nix b/hosts/APPA/services/ddclient.nix
index 94eb0a9..6a5de13 100644
--- a/hosts/APPA/services/ddclient.nix
+++ b/hosts/APPA/services/ddclient.nix
@@ -1,7 +1,7 @@
 { config, ... }:
 {
- age.secrets.passwords-ddclient-namecheap = {
- file = ../../../secrets/passwords/ddclient/namecheap.age;
+ age.secrets.passwords-ddclient-cloudflare = {
+ file = ../../../secrets/passwords/ddclient/cloudflare.age;
 };
 
 services.ddclient = {
@@ -11,11 +11,10 @@
 usev4=webv4, webv4=ifconfig.me
 usev6=disabled
 '';
- protocol = "namecheap";
- server = "dynamicdns.park-your-domain.com";
- username = "dryb.org";
- passwordFile = config.age.secrets.passwords-ddclient-namecheap.path;
- domains = [ "vpn" ];
+ protocol = "cloudflare";
+ zone = "dryb.org";
+ passwordFile = config.age.secrets.passwords-ddclient-cloudflare.path;
+ domains = [ "vpn.dryb.org" ];
 interval = "10min";
 };
 }
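Review bot: The Cloudflare credential behind `credentialsFile = config.age.secrets.environments-acme.path;` authorises DNS-01 for `*.dryb.org`, so whoever obtains it can mint a certificate for any name under the zone; the secret's contents are not visible here, but lego's cloudflare provider accepts either a scoped `CLOUDFLARE_DNS_API_TOKEN` or the account-wide `CLOUDFLARE_EMAIL`/`CLOUDFLARE_API_KEY` pair, and only the former (Zone:DNS:Edit restricted to `dryb.org`) should be used. It is also worth keeping this token distinct from the one ddclient uses so each can be rotated or revoked on its own. I would record that next to the option: `# CLOUDFLARE_DNS_API_TOKEN only (Zone:DNS:Edit on dryb.org); never the global API key`. `dnsPropagationCheck = true;` is the module default and can be dropped.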
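Review bot: Dropping `username` changes how ddclient authenticates to Cloudflare: its cloudflare protocol sends `password` as a bearer API token only when `login` is the literal `token`; otherwise it treats `login` as the account e-mail and sends the password as the Global API Key, which carries full account rights. With `username` left at its default, the secret in `passwords/ddclient/cloudflare.age` could only work as that global key (and with an empty e-mail it will likely be rejected outright). Add `username = "token";` next to `protocol = "cloudflare";` and put a token scoped to Zone:DNS:Edit on `dryb.org` in the secret. I am going from ddclient's provider code as I remember it, so confirm against the version shipped in your nixpkgs.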
diff --git a/hosts/APPA/services/default.nix b/hosts/APPA/services/default.nix
index 2193830..f4085ab 100644
--- a/hosts/APPA/services/default.nix
+++ b/hosts/APPA/services/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./acme.nix
 ./adguard-home.nix
 ./anki.nix
 ./ddclient.nix
@@ -7,5 +8,6 @@
 ./homepage-dashboard.nix
 ./nginx.nix
 ./postgresql.nix
+ ./vaultwarden.nix
 ];
 }
diff --git a/hosts/APPA/services/nginx.nix b/hosts/APPA/services/nginx.nix
index caa25f2..66cd9ff 100644
--- a/hosts/APPA/services/nginx.nix
+++ b/hosts/APPA/services/nginx.nix
@@ -3,28 +3,46 @@
 services.nginx = {
 enable = true;
 virtualHosts."dryb.org" = {
+ useACMEHost = "dryb.org";
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8002";
 };
 };
 virtualHosts."adguard.dryb.org" = {
+ useACMEHost = "dryb.org";
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8001";
 };
 };
 virtualHosts."${config.services.gitea.domain}" = {
+ useACMEHost = "dryb.org";
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8003";
 };
 };
 virtualHosts."anki.dryb.org" = {
+ useACMEHost = "dryb.org";
+ forceSSL = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:8004";
 };
 };
+ virtualHosts."vaultwarden.dryb.org" = {
+ useACMEHost = "dryb.org";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8005";
+ };
+ };
 };
 
 networking.firewall = {
- allowedTCPPorts = [ 80 ];
+ allowedTCPPorts = [
+ 80
+ 443
+ ];
 };
 }
diff --git a/hosts/APPA/services/postgresql.nix b/hosts/APPA/services/postgresql.nix
index 30ec212..456f1ce 100644
--- a/hosts/APPA/services/postgresql.nix
+++ b/hosts/APPA/services/postgresql.nix
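Review bot: The new `vaultwarden.dryb.org` vhost forwards requests without `X-Real-IP`/`X-Forwarded-For`: nothing in the `services.nginx` set shown enables `recommendedProxySettings`, and the NixOS `proxyPass` shorthand does not add those headers on its own. Vaultwarden takes the client address from `IP_HEADER` (default `X-Real-IP`) for its login rate limiting and admin-panel logging, so every client would be recorded as `127.0.0.1` and the limiter would be keyed on that single address for all users. The same location also needs `proxyWebsockets = true;` so the web vault's `/notifications/hub` upgrade is passed through. I would add `recommendedProxySettings = true;` beside `enable = true;` and `proxyWebsockets = true;` after the vaultwarden `proxyPass`; the other vhosts benefit from the forwarded headers as well.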
@@ -3,16 +3,28 @@
 services.postgresql = {
 enable = true;
- ensureDatabases = [ config.services.gitea.user ];
+ ensureDatabases = [
+ config.services.gitea.user
+ "vaultwarden"
+ ];
 
- # type database DBuser auth-method mapping
+ ensureUsers = [
+ {
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ # type database DBuser auth-method mapping
 authentication = ''
- local gitea all ident map=gitea-users
+ local gitea all ident map=gitea-users
+ local vaultwarden all ident map=vaultwarden-users
 '';
 
- # name sysuser dbuser
+ # name sysuser dbuser
 identMap = ''
- gitea-users gitea gitea
+ gitea-users gitea gitea
+ vaultwarden-users vaultwarden vaultwarden
 '';
 };
diff --git a/hosts/APPA/services/vaultwarden.nix b/hosts/APPA/services/vaultwarden.nix
new file mode 100644
index 0000000..a2e9e3b
--- /dev/null
+++ b/hosts/APPA/services/vaultwarden.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+{
+ age.secrets.environments-vaultwarden = {
+ file = ../../../secrets/environments/vaultwarden.age;
+ # mode = "640";
+ # owner = "vaultwarden";
+ # group = "vaultwarden";
+ };
+
+ users.users.vaultwarden = {
+ description = "Vaultwarden Service";
+ home = "/var/lib/bitwarden_rs";
+ useDefaultShell = true;
+ isSystemUser = true;
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = config.age.secrets.environments-vaultwarden.path;
+ config = {
+ DOMAIN = "http://vaultwarden.dryb.org";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8005;
+ DATABASE_URL = "postgresql:///vaultwarden";
+ WEB_VAULT_ENABLED = true;
+ };
+ };
+}
diff --git a/secrets/environments/acme.age b/secrets/environments/acme.age
new file mode 100644
index 0000000..254458f
--- /dev/null
+++ b/secrets/environments/acme.age
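Review bot: `DOMAIN = "http://vaultwarden.dryb.org";` does not match how the service is actually reached, since the nginx vhost for this name forces HTTPS. Vaultwarden uses DOMAIN as the origin for WebAuthn/FIDO2 enrolment and in every link it emails (invites, verification, 2FA), so with the `http://` scheme security-key registration fails on origin mismatch and emitted links hit the plain-HTTP redirect first; change it to `DOMAIN = "https://vaultwarden.dryb.org";`. The hand-written `users.users.vaultwarden` block appears to duplicate the user the NixOS vaultwarden module already creates (and it sets no `group`, which that module does), so unless your nixpkgs lacks that, it can go. The commented-out `mode`/`owner`/`group` lines on the age secret should be replaced with the reason root-only is correct, e.g. `# root-only (0400) is fine: systemd reads EnvironmentFile before dropping to the service user`; and if that file carries `ADMIN_TOKEN`, make sure it holds the argon2 hash from `vaultwarden hash`, not the plaintext.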
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 OFTJeQ lVjtEgBSiaW7WAGHK0LzsK5xas+TLs0neuU7TGAj+nE +uV9vlgEXhYCn47teXi/OFKeZo+YpGKZphgmAt0SlBFU +-> ssh-ed25519 lfMVeg +/4LvBwWhj8ESgP6BTDjvLj1mFf66s9ZOdV3onK20xk +ScCG+j82nhTlXco6cI+NWwWwDGrhJiN0k9GnqaNEO0s +-> ssh-ed25519 ueRyzQ 7RT3y7YHnvZAaBJhNP6DlA679teJXKs7UjshdCoxwT4 +ck/IxyklPcnWXXLVXjq9b/90GB/EeQNWt3eg5uBD0CM +--- bW7WQun8Ku8Br1e23N1lFCRwY+N3j/nCbtgeL1AbMqg +b Qf/OOJFaw|b390|% QOfۏVrMEGNϖO7)RW;uw0Ihb& \ No newline at end of file diff --git a/secrets/environments/vaultwarden.age b/secrets/environments/vaultwarden.age new file mode 100644 index 0000000..5b332f2 Binary files /dev/null and b/secrets/environments/vaultwarden.age differ diff --git a/secrets/passwords/ddclient/cloudflare.age b/secrets/passwords/ddclient/cloudflare.age new file mode 100644 index 0000000..a2bf30a --- /dev/null +++ b/secrets/passwords/ddclient/cloudflare.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 OFTJeQ Duzy5R4T6qjIQNDaM/rMLtn6owinrOPR7bsj+zNyF1s +vuz3upwrRY+p9neicV+/MYqIpqPP8LxKjb/MSd3AG50 +-> ssh-ed25519 lfMVeg F5b0npiotrpPjEqEEmq13iIWrEG1duL/r+A+fFt9MUw +hXV7o5UqSnrOYmTO4PudLMH2nTn3z134YuD78ogNS+Q +-> ssh-ed25519 ueRyzQ Msn3gbqPbt4anEbYGvuroa3Clgldv0c2yjJm8sviWig +qwsS+8V0LvR6aWWlC6/8V7oP4ClTPIH6UF7vIbSFLM0 +--- /UJ64tEwx0Jus9JEby8z4X9LtlPoYMCUTMk3T50Flbk +} EuKh<}gף)NGxMߣ{*$g`)?rNF*(w 'i \ No newline at end of file diff --git a/secrets/passwords/ddclient/namecheap.age b/secrets/passwords/ddclient/namecheap.age deleted file mode 100644 index cd1c073..0000000 --- a/secrets/passwords/ddclient/namecheap.age +++ /dev/null 
@@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 OFTJeQ /4VkgBRfkeDWGyydiC0UWnRldkkweIS3kQWiyazW30w -FogoQsMtbjc0gUTGeMdoFTV0CZPv051x3qhRxYvGp+Q --> ssh-ed25519 lfMVeg tYYo7I8FawLwBrdTWtjDV/4hzhrUFlGZTAM5Hp8mtRE -JEcLpEKgppWVrlUEvL+arvWBL7/6sVhW/ErXZRkzfIA --> ssh-ed25519 ueRyzQ wTI3u3XtBoTKargoSn+HWl9HQTZzXjCEnLGQRSCmVUE -+9ovukCRRZ3FO+uuPjdWWvUQBfTyW2NfDpEFkaTVBZE ---- VpOsD2Mzrb/jWQVu9wLlTSiUZNbpBmD9ISDLtbivuO0 -b<+Yh('3[KN3:]֦Ukl9G]R,t}4)%=# \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a280577..810ff47 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,7 +19,9 @@ let ]; in { + "environments/acme.age".publicKeys = users ++ [ APPA ]; + "environments/vaultwarden.age".publicKeys = users ++ [ APPA ]; "passwords/gitea/db.age".publicKeys = users ++ [ APPA ]; "passwords/anki/admin.age".publicKeys = users ++ [ APPA ]; - "passwords/ddclient/namecheap.age".publicKeys = users ++ [ APPA ]; + "passwords/ddclient/cloudflare.age".publicKeys = users ++ [ APPA ]; }