Add dotsrc vaultwarden and backup configuration

This commit is contained in:
Emelie Graven 2022-02-14 21:30:24 +01:00
parent 02ffae5e7e
commit 4c5d415d2e
Signed by: emelie
GPG key ID: C11123726DBB55A1
5 changed files with 73 additions and 14 deletions


@ -9,6 +9,8 @@
./services/nginx.nix ./services/nginx.nix
./services/mail.nix ./services/mail.nix
./services/tor.nix ./services/tor.nix
./services/vaultwarden.nix
./services/duplicity.nix
./data/secrets/secrets.nix ./data/secrets/secrets.nix
]; ];
@ -50,7 +52,7 @@
]; ];
}; };
users.groups.backup.members = [ "virtualMail" ]; users.groups.backup.members = [ "virtualMail" "vaultwarden" ];
users.groups.nginx.members = [ "deploy-web" ]; users.groups.nginx.members = [ "deploy-web" ];
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;


@ -0,0 +1,11 @@
{ config, ... }:
{
services.duplicity = {
enable = true;
include = [ "/var/lib/bitwarden_rs/backup" ];
frequency = "hourly";
targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden";
extraFlags = [ "--no-encryption" ];
};
}
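Review bot: The `extraFlags` entry passes `--no-encryption` while the job ships the vaultwarden backup directory over `rsync://`, so the SQLite copy in `/var/lib/bitwarden_rs/backup` (account password hashes, encrypted user keys, session tokens) is stored in clear on the target host and, unless this rsync backend actually rides over ssh, travels in clear on the wire too. The mail module already reads secrets through `config.secrets.files.*`, so the same pattern gives duplicity a passphrase: drop the flag and set `secretFile = config.secrets.files.<SECRET_NAME>.file;` (placeholder name). The `targetUrl` embeds a bare IPv6 address containing `::`, which duplicity's rsync backend also uses to mark rsync-daemon module syntax, so confirm the URL is parsed as a host plus path rather than a daemon module. The `config` argument in the module header is unused in this file.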


@ -4,7 +4,7 @@
imports = [ imports = [
(builtins.fetchTarball { (builtins.fetchTarball {
# Pick a commit from the branch you are interested in # Pick a commit from the branch you are interested in
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz"; url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
# And set its hash # And set its hash
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi"; sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
}) })
@ -13,19 +13,22 @@
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "nixaalb.org"; fqdn = "nixaalb.org";
domains = [ "nixaalb.org" ]; domains = [ "nixaalb.org" "dotsrc.org"];
loginAccounts = { loginAccounts = {
"emelie@nixaalb.org" = { "emelie@nixaalb.org" = {
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file; hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
aliases = [ "admin@nixaalb.org" ]; aliases = [ "admin@nixaalb.org" ];
}; };
"sebastian@nixaalb.org" = { "sebastian@nixaalb.org" = {
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file; hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
}; };
"noreply@anarkafem.dev" = { "noreply@anarkafem.dev" = {
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file; hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
}; };
"noreply@dotsrc.org" = {
hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc.org;
};
}; };
certificateScheme = 3; certificateScheme = 3;
}; };
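Review bot: The new `noreply@dotsrc.org` account reads `config.secrets.files.mail_noreply_dotsrc.org`, which Nix parses as the attribute path `mail_noreply_dotsrc` then `org` and, unlike the three sibling entries, never selects `.file`, so evaluation either fails or hands the module an attrset instead of a path. Following the sibling convention it should read `hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc_org.file;`, assuming that is the name declared in secrets.nix (not visible here). In the first hunk the fetchTarball URL moves to commit 6e3a7b2… while `sha256` keeps the old value; because builtins.fetchTarball is content-addressed, the build will either fail on a hash mismatch or, if the old tarball is already in the store, silently keep evaluating the old mailserver revision, so the hash must be updated together with the URL.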


@ -13,7 +13,23 @@
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri; add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
''; '';
};
"vault.dotsrc.org" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
}; };
"mta-sts.nixaalb.org" = { "mta-sts.nixaalb.org" = {
enableACME = true; enableACME = true;
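Review bot: The new `vault.dotsrc.org` vhost carries none of the hardening headers the neighbouring vhost sets in its `extraConfig` (the `add_header X-Content-Type-Options nosniff;` and related lines visible at the top of the hunk), so vault responses go out without them; an `extraConfig` block mirroring those headers keeps the two vhosts consistent. The vaultwarden side trusts `X-Real-IP` as the client-address header, so this vhost must actually set it on proxied requests; `recommendedProxySettings` does that, but whether it is enabled is not visible in this hunk, so either confirm it or add `proxy_set_header X-Real-IP $remote_addr;` to the locations. The enclosing `virtualHosts` attrset starts before this hunk.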


@ -0,0 +1,27 @@
{ config, ... }:
{
services.vaultwarden = {
enable = true;
environmentFile = config.secrets.files.vaultwarden_env.file;
backupDir = "/var/lib/bitwarden_rs/backup";
config = {
domain = "https://vault.dotsrc.org";
signupsAllowed = false;
rocketPort = 8812;
ipHeader = "X-Real-IP";
websocketEnabled = true;
websocketAddress = "127.0.0.1";
websocketPort = "3012";
#dataDir = "/var/lib/vaultwarden";
smtpHost = "127.0.0.1";
smtpFrom = "noreply@dotsrc.org";
smtpFromName = "Vaultwarden";
smtpPort = 465;
smtpSsl = true;
smtpExplicitTls = true;
smtpAuthMechanism = "Login";
};
};
systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };
}
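Review bot: `websocketAddress` is pinned to `127.0.0.1` but no `rocketAddress` is set for the main listener on port 8812, so unless vaultwarden's default or the host firewall confines it, the API may be reachable directly, bypassing the nginx proxy and letting a client supply its own `X-Real-IP`, the header `ipHeader` trusts. Add `rocketAddress = "127.0.0.1";` next to `rocketPort`. The hourly `backup-vaultwarden` timer and the hourly duplicity run have no ordering between them, so a duplicity snapshot can capture a half-written SQLite copy; an `after`/`wants` on the duplicity service pointing at `backup-vaultwarden.service`, or offsetting the two schedules, avoids that. `websocketPort = "3012"` is a string while `rocketPort = 8812` is an integer; use one form for both.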