From 8ed553d2c5048df223eabc82566c23ea20cb80e5 Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Tue, 15 Feb 2022 13:51:54 +0100
Subject: [PATCH] Finalize vaultwarden setup
This fixes the last few issues with the new vaultwarden deployment, such as backups and email.
---
 ...519_key.pub => despondos_host_ed25519.pub} | 0
 .../data/pubkeys/vw-backup_host_ed25519.pub | 1 +
 config/common/services/nginx.nix | 23 ----------------
 config/common/services/ssh.nix | 6 +++-
 config/hosts/capetillo/configuration.nix | 4 +--
 .../capetillo/data/secrets/restic_dotsrc_pass | Bin 0 -> 367 bytes
 .../{restic_pass => restic_nixaalborg_pass} | Bin
 .../hosts/capetillo/data/secrets/secrets.nix | Bin 556 -> 744 bytes
 config/hosts/capetillo/services/duplicity.nix | 11 --------
 config/hosts/capetillo/services/mail.nix | 2 +-
 config/hosts/capetillo/services/nginx.nix | 23 ++++++++++++++--
 config/hosts/capetillo/services/restic.nix | 12 +++++++-
 .../hosts/capetillo/services/vaultwarden.nix | 7 ++---
 config/sources/nix/sources.json | 26 +++++++++---------
 14 files changed, 56 insertions(+), 59 deletions(-)
 rename config/common/data/pubkeys/{despondos_host_ed25519_key.pub => despondos_host_ed25519.pub} (100%)
 create mode 100644 config/common/data/pubkeys/vw-backup_host_ed25519.pub
 create mode 100644 config/hosts/capetillo/data/secrets/restic_dotsrc_pass
 rename config/hosts/capetillo/data/secrets/{restic_pass => restic_nixaalborg_pass} (100%)
 delete mode 100644 config/hosts/capetillo/services/duplicity.nix
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519.pub
similarity index 100%
rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub
rename to config/common/data/pubkeys/despondos_host_ed25519.pub
diff --git a/config/common/data/pubkeys/vw-backup_host_ed25519.pub b/config/common/data/pubkeys/vw-backup_host_ed25519.pub
new file mode 100644
index 0000000..797d489
--- /dev/null
+++ b/config/common/data/pubkeys/vw-backup_host_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxKGASvmnZ+1wZLnRShq3416gZkN8qK6YmHQANjxfk8 root@vw-backup
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
index e844887..fbed680 100644
--- a/config/common/services/nginx.nix
+++ b/config/common/services/nginx.nix
@@ -13,29 +13,6 @@
 sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 commonHttpConfig = ''
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'same-origin';
-
- # Disable embedding as a frame
- add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
-
 # This might create errors
 proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 '';
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
index 562cba6..f4414ea 100644
--- a/config/common/services/ssh.nix
+++ b/config/common/services/ssh.nix
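Review bot: Deleting the HSTS, CSP, Referrer-Policy, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection lines from `commonHttpConfig` strips them from every virtualHost on every host that imports this common module, not only from the capetillo vhosts that this commit re-adds them to in `config/hosts/capetillo/services/nginx.nix`; any vhost without its own `extraConfig` now answers with none of them. The replacement also drops the `map $scheme $hsts_header` guard, so the per-vhost copies send HSTS unconditionally, which is fine only where `forceSSL` is set. If per-vhost headers are the intended policy, say so where a reader will look for them, e.g. add `# Security headers (CSP, HSTS, X-Frame-Options, ...) are set per virtualHost in extraConfig; add them when defining a new vhost.` above the remaining `proxy_cookie_path` line.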
@@ -16,7 +16,11 @@ programs.ssh.knownHosts = { despondos = { hostNames = [ "despondos.nao.sh" ]; - publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub; + publicKeyFile = ../data/pubkeys/despondos_host_ed25519.pub; + }; + vw-backup = { + hostNames = [ "vw-backup.dotsrc.org" ]; + publicKeyFile = ../data/pubkeys/vw-backup_host_ed25519.pub; }; }; diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix index 8fcb8be..a976db7 100644 --- a/config/hosts/capetillo/configuration.nix +++ b/config/hosts/capetillo/configuration.nix @@ -10,7 +10,7 @@ ./services/mail.nix ./services/tor.nix ./services/vaultwarden.nix - ./services/duplicity.nix + ./services/restic.nix ./data/secrets/secrets.nix ]; @@ -52,7 +52,7 @@ ]; }; - users.groups.backup.members = [ "virtualMail" "vaultwarden" "duplicity" ]; + users.groups.backup.members = [ "virtualMail" "vaultwarden" ]; users.groups.nginx.members = [ "deploy-web" ]; security.sudo.wheelNeedsPassword = false; diff --git a/config/hosts/capetillo/data/secrets/restic_dotsrc_pass b/config/hosts/capetillo/data/secrets/restic_dotsrc_pass new file mode 100644 index 0000000000000000000000000000000000000000..40fa5c2a892f9a70b5a699ae848493c3cff245f7 GIT binary patch literal 367 zcmV-#0g(OxM@dveQdv+`0BnI>C=rwNFCt|4N=nK8;9YP{TX^Tuu0CSgOuYrPe~K9T zq&p~(!K^#NJ_HwdsAHQSz|?sPj>|p%n>w~`BlL64xkP0ovDoCXLqrgMZ$YqOu%i6XyHNpUP!p< z@;*Rf(I5(iXEC-eQme`=zpfrzg`lH60FGe*w7P9OfA9Lak)x}kXDe@ejjUxfvNCRg zmt5>p5rZlDW$1;N)tVW^=3l+!>&zT_W&l$B1`ttYX9ANPsU@$hLaiZpc?7jepIUdD z{+2u=jCMjKLvHq}9K$zm(G0(vd{YQi5Y!8mT)iX68Of!D>@YQ7i|B`cFHPTlb9o#H N%-b{p=`<&m%?B+5u4n)N literal 0 HcmV?d00001 diff --git a/config/hosts/capetillo/data/secrets/restic_pass b/config/hosts/capetillo/data/secrets/restic_nixaalborg_pass similarity index 100% rename from config/hosts/capetillo/data/secrets/restic_pass rename to config/hosts/capetillo/data/secrets/restic_nixaalborg_pass 
diff --git a/config/hosts/capetillo/data/secrets/secrets.nix b/config/hosts/capetillo/data/secrets/secrets.nix index 41404b477cfd90f985ffd6913ccda037cde2ac80..0fd850d969825eabad528f4df9f0516665930772 100644 GIT binary patch literal 744 zcmVgNn_%cH1jM&+=gJ#T}r~2EwGwjpn)qA2SGUJ^_rp zB4p;B=fT}W8WrNB0+6$WD;Bp=Jf012n>F{WfJSzneBRFf`f`x2C23K0IY(llPmj&V zb436)p#=3^r8$QBXD3$bpE`h|Ty033)aSGUzCJAm!+%yD5=ui~1uR*U0+Zs1+4h~A+gaHzB`Z8kv(%j18pf4G+LMi`F?fOgbh{oLm6$qwk zb3^edD#Imi)$~&Vx@6b@Zg(2)jW^>DdQwQNyMQtiPc@^g#kSm0xu796W-4V?=!^(j z9)Qtm${Rr@n(B8|9hIFp^u~_@a7QC0?KKR%w3;}&3LYaWG`G|$AugzESeIgfwpZnh zJeMdj2E@B6}I`oj+KA_(+}|rWZGXb~Kt*z@oF~ zd#Y+T5Tr@FpoO`(cdE+C?wFAZr#psUdg*IuYrY|7*p%PC=!yRk;?;W(+8u^JnrMT) zp94KkPJMpM@y;FqQ`>5`6LDfO!Oz)m@kpByxs2nU&oRjTlc=6Lj|GGj9S21}jT%V5 z(KcZq3lxAnPuN}#ZQ)(nSiA_$Jfg<-ox;}Ms~19eZRI>2>PprUPOg6C>CI2- zBk`?6e)Y~P#$pi+*$C*C(F8l;B;>I1_H405vwA5R=wJ+8gZhW=IdGFyJQ0yNWmsWdnRSpuY zy;BsrV-<+#+0x)Xmoy1?5VYz0Gzj@;Ov97VO>?r*FArY_v9STi6 zZw4e@11Ef}8qU6CmFfJ3+)@SdX7}klfwxx`#NgxT$%VErO=&fj=Nm~3Cs u(Q2Vhw9drnq2m6h#01NU_KNb{4Cj1HK`f9HYO7=zAWjnppR|R~)fAks!xiQL diff --git a/config/hosts/capetillo/services/duplicity.nix b/config/hosts/capetillo/services/duplicity.nix deleted file mode 100644 index 1a7e684..0000000 --- a/config/hosts/capetillo/services/duplicity.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, ... }: -{ - - services.duplicity = { - enable = true; - include = [ "/var/lib/bitwarden_rs/backup" ]; - frequency = "hourly"; - targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden"; - extraFlags = [ "--no-encryption" ]; - }; -} diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix index 1674476..a955155 100644 --- a/config/hosts/capetillo/services/mail.nix +++ b/config/hosts/capetillo/services/mail.nix 
@@ -6,7 +6,7 @@
 # Pick a commit from the branch you are interested in
 url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
 # And set its hash
- sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+ sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
 })
 ];
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
index 091cd62..d7ff070 100644
--- a/config/hosts/capetillo/services/nginx.nix
+++ b/config/hosts/capetillo/services/nginx.nix
@@ -12,6 +12,7 @@
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
 '';
 };
@@ -19,15 +20,15 @@
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://localhost:8812";
+ proxyPass = "http://127.0.0.1:8812";
 proxyWebsockets = true;
 };
 locations."/notifications/hub" = {
- proxyPass = "http://localhost:3012";
+ proxyPass = "http://127.0.0.1:3012";
 proxyWebsockets = true;
 };
 locations."/notifications/hub/negotiate" = {
- proxyPass = "http://localhost:8812";
+ proxyPass = "http://127.0.0.1:8812";
 proxyWebsockets = true;
 };
 };
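Review bot: The `sha256` on the changed line is replaced while the `url` two lines above still pins commit 6e3a7b2ea6f0d68b82027b988aa25d3423787303, so the fetched content changed for an unchanged upstream revision. GitLab does regenerate `/-/archive/` tarballs, but if this is a `fetchTarball` (the fetch call starts above the hunk, so I cannot see it) the hash covers the unpacked tree rather than the archive bytes, and a tree change at a fixed commit is exactly what a tampered or mis-served download looks like, so the reason for the re-hash should be recorded rather than left implicit. A comment on the line such as `# re-hashed on <DATE-PLACEHOLDER> after the GitLab archive changed; unpacked tree checked against upstream commit 6e3a7b2` would do. Fetching by commit with a git-based fetcher would remove this class of drift altogether.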
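Review bot: The six `add_header` lines this vhost now carries (the added `Strict-Transport-Security` line completes the set) are written out verbatim again in the `mta-sts` and `.onion` virtualHosts in the hunks at `@@ -35` and `@@ -43`, right after the same block was deleted from the shared `commonHttpConfig`; three copies will drift the next time a header is tuned, so bind the block once and reference it from each `extraConfig`. The `localhost` → `127.0.0.1` change in the three `proxyPass` lines is sound if vaultwarden listens on IPv4 only, which `websocketAddress = "127.0.0.1"` in vaultwarden.nix suggests, and deserves a one-line comment such as `# 127.0.0.1 rather than localhost so nginx does not try ::1 first`. The module header where a `let` binding would go, and the vhost's name, are outside this hunk.
```nix
# at the top of nginx.nix, wrapping the module body (outside this hunk)
let
  securityHeaders = ''
    add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header 'Referrer-Policy' 'same-origin';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  '';
in
# … unchanged: module header and virtualHost options …
      extraConfig = securityHeaders + ''
        add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
      '';
```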
@@ -35,6 +36,14 @@
 enableACME = true;
 forceSSL = true;
 root = "/var/www/mta-sts/public";
+ extraConfig = ''
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+ '';
 };
 "ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
 # TODO: Do this with unix sockets instead
@@ -43,6 +52,14 @@
 port = 8080;
 } ];
 root = "/var/www/nixaalb.org/public";
+ extraConfig = ''
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+ '';
 };
 };
diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix
index b49af89..4640744 100644
--- a/config/hosts/capetillo/services/restic.nix
+++ b/config/hosts/capetillo/services/restic.nix
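Review bot: The `Strict-Transport-Security` line added to the `.onion` virtualHost's `extraConfig` in the second hunk (`@@ -43`) has no effect there: that vhost appears to be served over plain HTTP (a `listen` entry on `port = 8080` and no `forceSSL`/`enableACME` in view), and browsers only honour HSTS received over a TLS connection, so the header is ignored. Either drop that one line from the `.onion` block or keep it with `# no-op over plain HTTP (HSTS is only honoured over TLS); kept to mirror the clearnet vhost` so nobody later assumes the onion service is HSTS-protected. The same header on the `mta-sts` vhost in the first hunk is fine because `forceSSL = true` is set there; `includeSubdomains; preload` does commit every subdomain of that name to HTTPS once preloaded, which is pre-existing policy but worth a comment on the line.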
@@ -10,8 +10,18 @@
 pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 timerConfig = { "OnCalendar" = "02:15"; };
 extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
- passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ passwordFile = builtins.toString config.secrets.files.restic_nixaalborg_pass.file;
 user = "virtualMail";
 };
+ "vaultwarden" = {
+ paths = [ "/var/lib/bitwarden_rs/backup" ];
+ repository = "sftp:restic@vw-backup.dotsrc.org:/var/backups/vaultwarden";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "hourly"; };
+ extraOptions = [ "sftp.command='ssh restic@vw-backup.dotsrc.org -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_dotsrc_pass.file;
+ user = "vaultwarden";
+ };
 };
 }
diff --git a/config/hosts/capetillo/services/vaultwarden.nix b/config/hosts/capetillo/services/vaultwarden.nix
index 957682f..f795671 100644
--- a/config/hosts/capetillo/services/vaultwarden.nix
+++ b/config/hosts/capetillo/services/vaultwarden.nix
@@ -12,16 +12,15 @@
 websocketEnabled = true;
 websocketAddress = "127.0.0.1";
 websocketPort = "3012";
- #dataDir = "/var/lib/vaultwarden";
- smtpHost = "127.0.0.1";
+ smtpHost = "nixaalb.org";
 smtpFrom = "noreply@dotsrc.org";
 smtpFromName = "Vaultwarden";
 smtpPort = 465;
 smtpSsl = true;
 smtpExplicitTls = true;
- smtpAuthMechanism = "Login";
+ smtpAuthMechanism = "Plain";
 };
 };
- systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };
+ systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly"; };
 }
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
index 88375ac..8062daf 100644
--- a/config/sources/nix/sources.json
+++ b/config/sources/nix/sources.json
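Review bot: The new `"vaultwarden"` job fires on `"OnCalendar" = "hourly"`, the same expression the `systemd.timers.backup-vaultwarden` timer in vaultwarden.nix uses, so the restic snapshot of `/var/lib/bitwarden_rs/backup` can start at the same instant as the vaultwarden backup that writes into that directory and ship a half-written dump. Offset one of them, e.g. `timerConfig = { "OnCalendar" = "*-*-* *:15:00"; };`, or order the restic unit after the backup service. The job also reuses `config.secrets.files.ssh_key.file` from the despondos job while running as `vaultwarden` rather than `virtualMail`; unless that key file is readable by both users the unit will fail, and if it is, one credential grants both users access to both remote repositories, so a per-job key would keep the two backups' access separate. `pruneOpts` is copied verbatim from the first job; a single `let`-bound list would keep the retention policy in one place.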
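Review bot: `smtpAuthMechanism = "Plain"`, like the `"Login"` it replaces, sends the SMTP password in the clear inside the session, so the change is only acceptable because `smtpSsl = true` on port 465 wraps the connection to the new `smtpHost = "nixaalb.org"` in TLS; that dependency is invisible from the line itself. A comment such as `# Plain auth relies on smtpSsl/port 465 putting the whole session under TLS; do not relax smtpSsl without revisiting this` would stop a later edit from silently downgrading it. Moving `smtpHost` from `127.0.0.1` to the public name presumably also means the mail server's certificate is now checked against `nixaalb.org`, which is worth stating in a comment so a certificate change on the mailserver is not diagnosed as a vaultwarden fault. The `;` fix on the `systemd.timers.backup-vaultwarden` line corrects a pre-existing syntax error.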
@@ -5,10 +5,10 @@
 "homepage": "https://github.com/nmattia/niv",
 "owner": "nmattia",
 "repo": "niv",
- "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
- "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+ "rev": "9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a",
+ "sha256": "1ajyqr8zka1zlb25jx1v4xys3zqmdy3prbm1vxlid6ah27a8qnzh",
 "type": "tarball",
- "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+ "url": "https://github.com/nmattia/niv/archive/9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixos-hardware": {
@@ -17,22 +17,22 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixos-hardware",
- "rev": "08cda8e3a5a4e685af525e5a589dfeb74267d505",
- "sha256": "0bf3mbss7c3lyf5h8g1vwjbs0cg4h0c8ixbaz1kv24ahyy8n61y3",
+ "rev": "10eab1c4cd8e715c0b41d32c28af2b89fc67bed0",
+ "sha256": "1ig5d807x99c7rsma3r23vfys1n05836y6rj5iy6ypbad7vw7cs4",
 "type": "tarball",
- "url": "https://github.com/nixos/nixos-hardware/archive/08cda8e3a5a4e685af525e5a589dfeb74267d505.tar.gz",
+ "url": "https://github.com/nixos/nixos-hardware/archive/10eab1c4cd8e715c0b41d32c28af2b89fc67bed0.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixpkgs": {
- "branch": "release-21.05",
+ "branch": "release-21.11",
 "description": "Nix Packages collection",
 "homepage": "",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d",
- "sha256": "163xpxkav524pq7wbc6sbsl9fkzc4wshpjq0h7vq7csnsb8w6p77",
+ "rev": "6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac",
+ "sha256": "0h0hjk48azjjz2xpwx5l0hvwk2g40minchqf077klii3zka35731",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "nixus": {
@@ -41,10 +41,10 @@
 "homepage": "",
 "owner": "infinisil",
 "repo": "nixus",
- "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
- "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+ "rev": "60ea7eb5e18d58ac7742234855b7192112fd4049",
+ "sha256": "0c9jkhd6xmgaw2gzbcsf7k1p42sn8dyhla71x1bp902mnfdgjsxx",
 "type": "tarball",
- "url": "https://github.com/infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+ "url": "https://github.com/infinisil/nixus/archive/60ea7eb5e18d58ac7742234855b7192112fd4049.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }