Add dotsrc vaultwarden and backup configuration
parent
02ffae5e7e
commit
4c5d415d2e
|
@ -9,6 +9,8 @@
|
||||||
./services/nginx.nix
|
./services/nginx.nix
|
||||||
./services/mail.nix
|
./services/mail.nix
|
||||||
./services/tor.nix
|
./services/tor.nix
|
||||||
|
./services/vaultwarden.nix
|
||||||
|
./services/duplicity.nix
|
||||||
./data/secrets/secrets.nix
|
./data/secrets/secrets.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -50,7 +52,7 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.groups.backup.members = [ "virtualMail" ];
|
users.groups.backup.members = [ "virtualMail" "vaultwarden" ];
|
||||||
users.groups.nginx.members = [ "deploy-web" ];
|
users.groups.nginx.members = [ "deploy-web" ];
|
||||||
|
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
|
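--- a/config/hosts/capetillo/services/duplicity.nix
+++ b/config/hosts/capetillo/services/duplicity.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+
+services.duplicity = {
+enable = true;
+include = [ "/var/lib/bitwarden_rs/backup" ];
+frequency = "hourly";
+targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden";
+extraFlags = [ "--no-encryption" ];
+};
+}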
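Review bot: `extraFlags = [ "--no-encryption" ];` means the Vaultwarden backup directory is stored in the clear on the host named in `targetUrl`, so anyone with read access to `/var/backups/vaultwarden` there can read the server database as backed up (account metadata and authentication material), regardless of the client-side encryption of vault items. I would drop that line and hand duplicity a passphrase through the module's `secretFile` option, e.g. `secretFile = config.secrets.files.<duplicity_env>.file;` (placeholder name, following the `config.secrets.files.*.file` pattern used elsewhere in this commit), with the file setting `PASSPHRASE=`. Separately, the unbracketed IPv6 literal in `targetUrl` contains `::`, which duplicity's rsync URL syntax also uses to introduce a daemon module; it is worth confirming the URL parses as intended and that the transfer runs over SSH, not a plain rsync daemon.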
|
@ -4,7 +4,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
(builtins.fetchTarball {
|
(builtins.fetchTarball {
|
||||||
# Pick a commit from the branch you are interested in
|
# Pick a commit from the branch you are interested in
|
||||||
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
|
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
|
||||||
# And set its hash
|
# And set its hash
|
||||||
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
|
||||||
})
|
})
|
||||||
|
@ -13,19 +13,22 @@
|
||||||
mailserver = {
|
mailserver = {
|
||||||
enable = true;
|
enable = true;
|
||||||
fqdn = "nixaalb.org";
|
fqdn = "nixaalb.org";
|
||||||
domains = [ "nixaalb.org" ];
|
domains = [ "nixaalb.org" "dotsrc.org"];
|
||||||
|
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"emelie@nixaalb.org" = {
|
"emelie@nixaalb.org" = {
|
||||||
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
|
hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
|
||||||
aliases = [ "admin@nixaalb.org" ];
|
aliases = [ "admin@nixaalb.org" ];
|
||||||
};
|
};
|
||||||
"sebastian@nixaalb.org" = {
|
"sebastian@nixaalb.org" = {
|
||||||
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
|
hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
|
||||||
};
|
};
|
||||||
"noreply@anarkafem.dev" = {
|
"noreply@anarkafem.dev" = {
|
||||||
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
|
hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
|
||||||
};
|
};
|
||||||
|
"noreply@dotsrc.org" = {
|
||||||
|
hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc.org;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
certificateScheme = 3;
|
certificateScheme = 3;
|
||||||
};
|
};
|
||||||
|
|
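Review bot: The `url` passed to `builtins.fetchTarball` now names commit `6e3a7b2ea6f0d68b82027b988aa25d3423787303`, but `sha256` is still the value from the previous pin, so the hash no longer describes the archive being requested. A host that already has the old archive in its store may keep evaluating against it without fetching, while a fresh host should fail with a hash mismatch; recompute the hash for the new archive and update `sha256` in the same change. In the second hunk, `hashedPasswordFile = config.secrets.files.mail_noreply_dotsrc.org;` does not follow the `mail_<user>_<domain>_<tld>.file` shape of the three existing accounts; presumably `config.secrets.files.mail_noreply_dotsrc_org.file` was intended, to be checked against the name declared in `secrets.nix`. The file header for this section is not shown on the page; from the import list it appears to be `services/mail.nix`.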
|
@ -13,7 +13,23 @@
|
||||||
add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
|
add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
|
||||||
'';
|
'';
|
||||||
|
};
|
||||||
|
"vault.dotsrc.org" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:8812";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub" = {
|
||||||
|
proxyPass = "http://localhost:3012";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://localhost:8812";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
"mta-sts.nixaalb.org" = {
|
"mta-sts.nixaalb.org" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
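Review bot: None of the three `vault.dotsrc.org` locations sets the `X-Real-IP` header, although `vaultwarden.nix` in this commit sets `ipHeader = "X-Real-IP";`, so the backend takes the client address from it. Unless the proxy overwrites that header, nginx forwards whatever value the client sent, and Vaultwarden's logs and any per-address limiting would then rest on attacker-chosen data. If `services.nginx.recommendedProxySettings = true;` is not already set higher up in this file (outside the hunk), either enable it or add `extraConfig = "proxy_set_header X-Real-IP $remote_addr;";` to each of the three locations. A one-line comment explaining why `/notifications/hub` goes to port 3012 while `/notifications/hub/negotiate` goes back to 8812 would also help the next reader.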
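--- a/config/hosts/capetillo/services/vaultwarden.nix
+++ b/config/hosts/capetillo/services/vaultwarden.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+services.vaultwarden = {
+enable = true;
+environmentFile = config.secrets.files.vaultwarden_env.file;
+backupDir = "/var/lib/bitwarden_rs/backup";
+config = {
+domain = "https://vault.dotsrc.org";
+signupsAllowed = false;
+rocketPort = 8812;
+ipHeader = "X-Real-IP";
+websocketEnabled = true;
+websocketAddress = "127.0.0.1";
+websocketPort = "3012";
+#dataDir = "/var/lib/vaultwarden";
+smtpHost = "127.0.0.1";
+smtpFrom = "noreply@dotsrc.org";
+smtpFromName = "Vaultwarden";
+smtpPort = 465;
+smtpSsl = true;
+smtpExplicitTls = true;
+smtpAuthMechanism = "Login";
+};
+};
+systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };
+}
+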
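Review bot: The last statement, `systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };`, lacks the `;` that must end the binding inside the attribute set, so the file will not parse as written. It should read `systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly"; };`. As a style point, `websocketPort = "3012";` is a string while `rocketPort = 8812;` is an integer; pick one form for both ports. Since this timer and the duplicity job are both hourly, a short comment on `backupDir` saying that this directory is what `duplicity.nix` ships off-host, and which job is expected to run first, would make the dependency explicit.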