From 4c5d415d2e8d6befe6fb3c9e3d120e2439556708 Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Mon, 14 Feb 2022 21:30:24 +0100
Subject: [PATCH] Add dotsrc vaultwarden and backup configuration

---
 config/hosts/capetillo/configuration.nix | 4 ++-
 config/hosts/capetillo/services/duplicity.nix | 11 ++++++++
 config/hosts/capetillo/services/mail.nix | 27 ++++++++++---------
 config/hosts/capetillo/services/nginx.nix | 18 ++++++++++++-
 .../hosts/capetillo/services/vaultwarden.nix | 27 +++++++++++++++++++
 5 files changed, 73 insertions(+), 14 deletions(-)
 create mode 100644 config/hosts/capetillo/services/duplicity.nix
 create mode 100644 config/hosts/capetillo/services/vaultwarden.nix

diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix
index 69bf319..e86bc1b 100644
--- a/config/hosts/capetillo/configuration.nix
+++ b/config/hosts/capetillo/configuration.nix
@@ -9,6 +9,8 @@
 ./services/nginx.nix
 ./services/mail.nix
 ./services/tor.nix
+ ./services/vaultwarden.nix
+ ./services/duplicity.nix
 ./data/secrets/secrets.nix
 ];
 
@@ -50,7 +52,7 @@
 ];
 };
 
- users.groups.backup.members = [ "virtualMail" ];
+ users.groups.backup.members = [ "virtualMail" "vaultwarden" ];
 users.groups.nginx.members = [ "deploy-web" ];
 
 security.sudo.wheelNeedsPassword = false;
diff --git a/config/hosts/capetillo/services/duplicity.nix b/config/hosts/capetillo/services/duplicity.nix
new file mode 100644
index 0000000..1a7e684
--- /dev/null
+++ b/config/hosts/capetillo/services/duplicity.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+
+ services.duplicity = {
+ enable = true;
+ include = [ "/var/lib/bitwarden_rs/backup" ];
+ frequency = "hourly";
+ targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden";
+ extraFlags = [ "--no-encryption" ];
+ };
+}
diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix
index a9e9aab..6f134b7 100644
--- a/config/hosts/capetillo/services/mail.nix
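Review bot: `extraFlags = [ "--no-encryption" ];` in the new duplicity.nix sends the Vaultwarden backup directory to the remote host with no encryption at rest, so anyone who can read `/var/backups/vaultwarden` on `2001:878:346::123` presumably holds the whole Vaultwarden database (account password hashes, 2FA secrets, the users' encrypted vaults); prefer dropping the flag and supplying a passphrase through the module's `secretFile = config.secrets.files.<duplicity_passphrase>.file;` (placeholder name, following the pattern the other secrets use). The unbracketed IPv6 literal in `targetUrl` is also ambiguous, since duplicity's rsync backend uses `::` to introduce a daemon module path, so `rsync://duplicity@[2001:878:346::123]/var/backups/vaultwarden` is the unambiguous spelling — please confirm it against the backend you intend (SSH-tunnelled rsync versus rsync daemon). Because this timer (`frequency = "hourly"`) and the `backup-vaultwarden` timer in vaultwarden.nix both fire hourly, the upload can race the SQLite dump and copy a half-written file; ordering the duplicity unit after the backup service, or offsetting one timer, avoids that.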
+++ b/config/hosts/capetillo/services/mail.nix
@@ -4,7 +4,7 @@
 imports = [
 (builtins.fetchTarball {
 # Pick a commit from the branch you are interested in
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
 # And set its hash
 sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
 })
@@ -13,19 +13,22 @@
 mailserver = {
 enable = true;
 fqdn = "nixaalb.org";
- domains = [ "nixaalb.org" ];
+ domains = [ "nixaalb.org" "dotsrc.org"];
 loginAccounts = {
- "emelie@nixaalb.org" = {
- hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
- aliases = [ "admin@nixaalb.org" ];
- };
- "sebastian@nixaalb.org" = {
- hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
- };
- "noreply@anarkafem.dev" = {
- hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
- };
+ "emelie@nixaalb.org" = {
+ hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
+ aliases = [ "admin@nixaalb.org" ];
+ };
+ "sebastian@nixaalb.org" = {
+ hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
+ };
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+ };
+ "noreply@dotsrc.org" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc.org;
+ };
 };
 certificateScheme = 3;
 };
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
index 921e8ce..091cd62 100644
--- a/config/hosts/capetillo/services/nginx.nix
+++ b/config/hosts/capetillo/services/nginx.nix
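Review bot: `hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc.org;` for the new `noreply@dotsrc.org` account in the second hunk breaks the pattern of the three accounts above it, which all read `config.secrets.files.<name>.file`; as written Nix looks up an attribute `mail_noreply_dotsrc` and then `.org` on it, which looks like a typo for `hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc_org.file;` and will fail evaluation unless the secrets set really defines that path. `domains = [ "nixaalb.org" "dotsrc.org"];` is missing the space before `]` that the rest of the file uses. The three existing account entries are removed and re-added with what appears to be only an indentation change; a whitespace-only re-indent is easier to review as its own commit, since here it hides the one new entry among eleven removed lines.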
@@ -13,7 +13,23 @@
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
- '';
+ '';
+ };
+ "vault.dotsrc.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8812";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://localhost:3012";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://localhost:8812";
+ proxyWebsockets = true;
+ };
 };
 "mta-sts.nixaalb.org" = {
 enableACME = true;
diff --git a/config/hosts/capetillo/services/vaultwarden.nix b/config/hosts/capetillo/services/vaultwarden.nix
new file mode 100644
index 0000000..957682f
--- /dev/null
+++ b/config/hosts/capetillo/services/vaultwarden.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = config.secrets.files.vaultwarden_env.file;
+ backupDir = "/var/lib/bitwarden_rs/backup";
+ config = {
+ domain = "https://vault.dotsrc.org";
+ signupsAllowed = false;
+ rocketPort = 8812;
+ ipHeader = "X-Real-IP";
+ websocketEnabled = true;
+ websocketAddress = "127.0.0.1";
+ websocketPort = "3012";
+ #dataDir = "/var/lib/vaultwarden";
+ smtpHost = "127.0.0.1";
+ smtpFrom = "noreply@dotsrc.org";
+ smtpFromName = "Vaultwarden";
+ smtpPort = 465;
+ smtpSsl = true;
+ smtpExplicitTls = true;
+ smtpAuthMechanism = "Login";
+ };
+ };
+ systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };
+}
+
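Review bot: The new `vault.dotsrc.org` vhost gets `forceSSL` but none of the hardening headers the neighbouring vhost adds in its `extraConfig` (`X-Content-Type-Options nosniff` and the others visible at the top of the hunk), and no HSTS; for a password-manager front end consider `extraConfig = '' add_header Strict-Transport-Security "max-age=63072000" always; add_header X-Content-Type-Options nosniff; '';` so the two vhosts are hardened the same way. Separately, vaultwarden.nix sets `ipHeader = "X-Real-IP"`, so Vaultwarden will trust that header for client addresses (rate limiting and admin logging are keyed on it); nginx only sends it from `proxyPass` when `services.nginx.recommendedProxySettings` is enabled, which is set outside this hunk and worth confirming, because otherwise every client is seen as the proxy. The enclosing `virtualHosts` set starts before this hunk.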
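Review bot: `rocketPort = 8812;` is set but no `rocketAddress`, and Vaultwarden's own default is to bind all interfaces, so as far as this file shows port 8812 would answer plain HTTP directly, bypassing the nginx TLS termination, unless the host firewall closes it (not visible in this commit); add `rocketAddress = "127.0.0.1";` next to the port, matching what `websocketAddress` already does for the websocket listener. With `smtpHost = "127.0.0.1"` and `smtpSsl = true`, the TLS handshake will verify the certificate against the IP literal, while the co-located mailserver's certificate is issued for its `fqdn` (`nixaalb.org` in mail.nix), so expect connection failures unless the server presents a matching certificate — using that hostname as `smtpHost` is the usual fix. `websocketPort = "3012"` is a string while `rocketPort` and `smtpPort` are integers; one type for ports keeps the config consistent. The commented-out `#dataDir` line should either be removed or carry a comment saying why it is kept.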