Finalize vaultwarden setup

This fixes the last few issues with the new vaultwarden
deployment, such as backups and email.

config/common/data/pubkeys/vw-backup_host_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxKGASvmnZ+1wZLnRShq3416gZkN8qK6YmHQANjxfk8 root@vw-backup

config/common/services/nginx.nix

@@ -13,29 +13,6 @@
 		sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
 
 		commonHttpConfig = ''
-			# Add HSTS header with preloading to HTTPS requests.
-			# Adding this header to HTTP requests is discouraged
-			map $scheme $hsts_header {
-				https   "max-age=31536000; includeSubdomains; preload";
-			}
-			add_header Strict-Transport-Security $hsts_header;
-
-			# Enable CSP for your services.
-			add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-			# Minimize information leaked to other domains
-			add_header 'Referrer-Policy' 'same-origin';
-
-			# Disable embedding as a frame
-			add_header X-Frame-Options DENY;
-
-			# Prevent injection of code in other mime types (XSS Attacks)
-			add_header X-Content-Type-Options nosniff;
-
-			# Enable XSS protection of the browser.
-			# May be unnecessary when CSP is configured properly (see above)
-			add_header X-XSS-Protection "1; mode=block";
-
 			# This might create errors
 			proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
 		'';

config/common/services/ssh.nix

@@ -16,7 +16,11 @@
 	programs.ssh.knownHosts = {
 		despondos = {
 			hostNames = [ "despondos.nao.sh" ];
-			publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+			publicKeyFile = ../data/pubkeys/despondos_host_ed25519.pub;
+		};
+		vw-backup = {
+			hostNames = [ "vw-backup.dotsrc.org" ];
+			publicKeyFile = ../data/pubkeys/vw-backup_host_ed25519.pub;
 		};
 	};
 

config/hosts/capetillo/configuration.nix

@@ -10,7 +10,7 @@
 		./services/mail.nix
 		./services/tor.nix
 		./services/vaultwarden.nix
-		./services/duplicity.nix
+		./services/restic.nix
 		./data/secrets/secrets.nix
 	];
 
@@ -52,7 +52,7 @@
 		];
 	};
 
-	users.groups.backup.members = [ "virtualMail" "vaultwarden" "duplicity" ];
+	users.groups.backup.members = [ "virtualMail" "vaultwarden" ];
 	users.groups.nginx.members = [ "deploy-web" ];
 
 	security.sudo.wheelNeedsPassword = false;

config/hosts/capetillo/services/duplicity.nix

@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-
-	services.duplicity = {
-		enable = true;
-		include = [ "/var/lib/bitwarden_rs/backup" ];
-		frequency = "hourly";
-		targetUrl = "rsync://duplicity@2001:878:346::123/var/backups/vaultwarden";
-		extraFlags = [ "--no-encryption" ];
-	};
-}

config/hosts/capetillo/services/mail.nix

@@ -6,7 +6,7 @@
 			# Pick a commit from the branch you are interested in
 			url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e3a7b2ea6f0d68b82027b988aa25d3423787303/nixos-mailserver-6e3a7b2ea6f0d68b82027b988aa25d3423787303.tar.gz";
 			# And set its hash
-			sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+			sha256 = "1i56llz037x416bw698v8j6arvv622qc0vsycd20lx3yx8n77n44";
 		})
 	];
 

config/hosts/capetillo/services/nginx.nix

@@ -12,6 +12,7 @@
 				add_header X-Frame-Options DENY;
 				add_header X-Content-Type-Options nosniff;
 				add_header X-XSS-Protection "1; mode=block";
+				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 				add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
 		'';
 		};
@@ -19,15 +20,15 @@
 			forceSSL = true;
 			enableACME = true;
 			locations."/" = {
-				proxyPass = "http://localhost:8812";
+				proxyPass = "http://127.0.0.1:8812";
 				proxyWebsockets = true;
 			};
 			locations."/notifications/hub" = {
-				proxyPass = "http://localhost:3012";
+				proxyPass = "http://127.0.0.1:3012";
 				proxyWebsockets = true;
 			};
 			locations."/notifications/hub/negotiate" = {
-				proxyPass = "http://localhost:8812";
+				proxyPass = "http://127.0.0.1:8812";
 				proxyWebsockets = true;
 			};
 		};
@@ -35,6 +36,14 @@
 			enableACME = true;
 			forceSSL = true;
 			root = "/var/www/mta-sts/public";
+			extraConfig = ''
+				add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+				add_header 'Referrer-Policy' 'same-origin';
+				add_header X-Frame-Options DENY;
+				add_header X-Content-Type-Options nosniff;
+				add_header X-XSS-Protection "1; mode=block";
+				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+		'';
 		};
 		"ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
 			# TODO: Do this with unix sockets instead
@@ -43,6 +52,14 @@
 								port = 8080;
 							} ];
 			root = "/var/www/nixaalb.org/public";
+			extraConfig = ''
+				add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+				add_header 'Referrer-Policy' 'same-origin';
+				add_header X-Frame-Options DENY;
+				add_header X-Content-Type-Options nosniff;
+				add_header X-XSS-Protection "1; mode=block";
+				add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+		'';
 
 		};
 	};

config/hosts/capetillo/services/restic.nix

@@ -10,8 +10,18 @@
 			pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
 			timerConfig = { "OnCalendar" = "02:15"; };
 			extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
-			passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+			passwordFile = builtins.toString config.secrets.files.restic_nixaalborg_pass.file;
 			user = "virtualMail";
 		};
+		"vaultwarden" = {
+			paths = [ "/var/lib/bitwarden_rs/backup" ];
+			repository = "sftp:restic@vw-backup.dotsrc.org:/var/backups/vaultwarden";
+			initialize = true;
+			pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+			timerConfig = { "OnCalendar" = "hourly"; };
+			extraOptions = [ "sftp.command='ssh restic@vw-backup.dotsrc.org -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+			passwordFile = builtins.toString config.secrets.files.restic_dotsrc_pass.file;
+			user = "vaultwarden";
+		};
 	};
 }

config/hosts/capetillo/services/vaultwarden.nix

@@ -12,16 +12,15 @@
       websocketEnabled = true;
       websocketAddress = "127.0.0.1";
       websocketPort = "3012";
-      #dataDir = "/var/lib/vaultwarden";
+      smtpHost = "nixaalb.org";
-      smtpHost = "127.0.0.1";
       smtpFrom = "noreply@dotsrc.org";
       smtpFromName = "Vaultwarden";
       smtpPort = 465;
       smtpSsl = true;
       smtpExplicitTls = true;
-      smtpAuthMechanism = "Login";
+      smtpAuthMechanism = "Plain";
     };
   };
-	systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly" };
+	systemd.timers.backup-vaultwarden.timerConfig = { OnCalendar = "hourly"; };
 }
 

config/sources/nix/sources.json

@@ -5,10 +5,10 @@
         "homepage": "https://github.com/nmattia/niv",
         "owner": "nmattia",
         "repo": "niv",
-        "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
+        "rev": "9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a",
-        "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+        "sha256": "1ajyqr8zka1zlb25jx1v4xys3zqmdy3prbm1vxlid6ah27a8qnzh",
         "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+        "url": "https://github.com/nmattia/niv/archive/9cb7ef336bb71fd1ca84fc7f2dff15ef4b033f2a.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixos-hardware": {
@@ -17,22 +17,22 @@
         "homepage": "",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "08cda8e3a5a4e685af525e5a589dfeb74267d505",
+        "rev": "10eab1c4cd8e715c0b41d32c28af2b89fc67bed0",
-        "sha256": "0bf3mbss7c3lyf5h8g1vwjbs0cg4h0c8ixbaz1kv24ahyy8n61y3",
+        "sha256": "1ig5d807x99c7rsma3r23vfys1n05836y6rj5iy6ypbad7vw7cs4",
         "type": "tarball",
-        "url": "https://github.com/nixos/nixos-hardware/archive/08cda8e3a5a4e685af525e5a589dfeb74267d505.tar.gz",
+        "url": "https://github.com/nixos/nixos-hardware/archive/10eab1c4cd8e715c0b41d32c28af2b89fc67bed0.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixpkgs": {
-        "branch": "release-21.05",
+        "branch": "release-21.11",
         "description": "Nix Packages collection",
         "homepage": "",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d",
+        "rev": "6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac",
-        "sha256": "163xpxkav524pq7wbc6sbsl9fkzc4wshpjq0h7vq7csnsb8w6p77",
+        "sha256": "0h0hjk48azjjz2xpwx5l0hvwk2g40minchqf077klii3zka35731",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/6e23cb0fa9fd9edf8fdd75fd4d5111d571fc85ac.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
     "nixus": {
@@ -41,10 +41,10 @@
         "homepage": "",
         "owner": "infinisil",
         "repo": "nixus",
-        "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
+        "rev": "60ea7eb5e18d58ac7742234855b7192112fd4049",
-        "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+        "sha256": "0c9jkhd6xmgaw2gzbcsf7k1p42sn8dyhla71x1bp902mnfdgjsxx",
         "type": "tarball",
-        "url": "https://github.com/infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+        "url": "https://github.com/infinisil/nixus/archive/60ea7eb5e18d58ac7742234855b7192112fd4049.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     }
 }