diff --git a/data.nix b/data.nix
index 8b2b8ff..27c0a49 100644
--- a/data.nix
+++ b/data.nix
@@ -15,8 +15,13 @@ rec {
 ports = {
 grafana = 3000;
 gitea = 3001;
+
+ # not necessary from vaultwarden 1.29.0
+ vaultwarden_ws = 3012;
+
 soju = 6697;
 matrix-synapse = 8008;
+ vaultwarden = 8222;
 kodi = 8080;
 prometheus = 9001;
 exporters.node = 9002;
diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index f655c5b..a8e7a79 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -108,16 +108,13 @@
 subnetCIDR = myData.tailscale_subnet.cidr;
 };
 
- nsd-acme = {
+ nsd-acme = let
+ accountKey = config.age.secrets.letsencrypt-account-key.path;
+ in {
 enable = true;
- zones."grafana.jakstys.lt" = {
- accountKey = config.age.secrets.letsencrypt-account-key.path;
- staging = false;
- };
- zones."irc.jakstys.lt" = {
- accountKey = config.age.secrets.letsencrypt-account-key.path;
- staging = false;
- };
+ zones."grafana.jakstys.lt".accountKey = accountKey;
+ zones."irc.jakstys.lt".accountKey = accountKey;
+ zones."bitwarden.jakstys.lt".accountKey = accountKey;
 };
 
 deployerbot = {
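Review bot: `vaultwarden = 8222;` is inserted between `matrix-synapse = 8008;` and `kodi = 8080;`, breaking the ascending numeric order the rest of the `ports` set keeps (3000, 3001, 3012, 6697, 8008, 8080, 9001, 9002); move it below `kodi = 8080;`. The comment on `vaultwarden_ws` could also say what has to go with it, so the three places are retired together, e.g. `# separate websocket port; not necessary from vaultwarden 1.29.0 — drop together with the WEBSOCKET_* settings and the /notifications/hub route`.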
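Review bot: The rewrite of `nsd-acme` drops the explicit `staging = false;` that both existing zones carried, and the new `bitwarden.jakstys.lt` zone never sets it. Whether that changes anything depends on the module's default for `staging`, which is not visible in this hunk; if the default is the Let's Encrypt staging environment, all three zones would silently start getting certificates from a CA browsers do not trust. Either confirm the default is `false` or keep it explicit per zone, e.g. `zones."bitwarden.jakstys.lt" = { inherit accountKey; staging = false; };`. The attribute set enclosing `nsd-acme` starts before this hunk.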
@@ -190,6 +187,29 @@
 reverse_proxy 127.0.0.1:3000
 tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
 '';
+ virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
+ @denied not remote_ip ${myData.tailscale_subnet.cidr}
+ abort @denied
+ tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
+
+ # from https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+ encode gzip
+ header {
+ # Enable HTTP Strict Transport Security (HSTS)
+ Strict-Transport-Security "max-age=31536000;"
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+ # Disallow the site to be rendered within a frame (clickjacking protection)
+ X-Frame-Options "SAMEORIGIN"
+ }
+
+ # deprecated from vaultwarden 1.29.0
+ reverse_proxy /notifications/hub 127.0.0.1:${toString myData.ports.vaultwarden_ws}
+
+ reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
+ header_up X-Real-IP {remote_host}
+ }
+ '';
 virtualHosts."www.jakstys.lt".extraConfig = ''
 redir https://jakstys.lt
 '';
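Review bot: `X-XSS-Protection "1; mode=block"` in the new `bitwarden.jakstys.lt` vhost is a legacy header: current browsers ignore it, and the filter it enabled in older ones is known to have introduced cross-site leaks, so the usual guidance is to set it to `0` or omit it and rely on a Content-Security-Policy instead. The comment `# Enable cross-site filter (XSS) ...` copied from the wiki then reads as protection that is not actually provided. The `# deprecated from vaultwarden 1.29.0` line would be clearer as `# separate websocket route; not needed from vaultwarden 1.29.0, remove together with ports.vaultwarden_ws and the WEBSOCKET_* settings`, so the three places get retired together. The `services.caddy` set this vhost belongs to starts before the hunk.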
@@ -389,18 +409,49 @@
 message-store fs /var/lib/soju
 '';
 };
+
+ vaultwarden = {
+ enable = true;
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = myData.ports.vaultwarden;
+ DOMAIN = "https://bitwarden.jakstys.lt";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_LOG = "critical";
+
+ # TODO remove after 1.29.0
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "127.0.0.1";
+ WEBSOCKET_PORT = myData.ports.vaultwarden_ws;
+
+ SMTP_HOST = "127.0.0.1";
+ SMTP_PORT = 25;
+ SMTP_SECURITY = "off";
+ SMTP_FROM = "admin@jakstys.lt";
+ SMTP_FROM_NAME = "jakstys.lt Bitwarden server";
+ };
+ };
 };
 
 systemd.services = {
 caddy = let
- acme = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
+ grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
+ bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt";
 in {
 serviceConfig.LoadCredential = [
- "grafana.jakstys.lt-cert.pem:${acme.certFile}"
- "grafana.jakstys.lt-key.pem:${acme.keyFile}"
+ "grafana.jakstys.lt-cert.pem:${grafana.certFile}"
+ "grafana.jakstys.lt-key.pem:${grafana.keyFile}"
+ "bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}"
+ "bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}"
+ ];
+ after = [
+ "nsd-acme-grafana.jakstys.lt.service"
+ "nsd-acme-bitwarden.jakstys.lt.service"
+ ];
+ requires = [
+ "nsd-acme-grafana.jakstys.lt.service"
+ "nsd-acme-bitwarden.jakstys.lt.service"
 ];
- after = ["nsd-acme-grafana.jakstys.lt.service"];
- requires = ["nsd-acme-grafana.jakstys.lt.service"];
 };
 
 soju = let
@@ -449,6 +500,7 @@
 pathConfig = {
 PathChanged = [
 config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
+ config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt".certFile
 ];
 Unit = "cert-watcher.service";
 };
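Review bot: `ROCKET_LOG = "critical"` silences Rocket's request logging for a service that the Caddy vhost exposes to the whole Tailscale subnet, so confirm that vaultwarden's own failed-login messages still reach the journal (they are what an alert or ban rule would key on) and, if they do, say so in a comment next to the line. `SMTP_SECURITY = "off"` is acceptable only because `SMTP_HOST` is loopback; a comment such as `# plaintext is fine here: the relay is on 127.0.0.1 only` makes that dependency explicit before someone points `SMTP_HOST` elsewhere. In the `caddy` unit, `after` and `requires` now repeat the same two unit names; bind them once in the `let` with `acmeUnits = [ "nsd-acme-grafana.jakstys.lt.service" "nsd-acme-bitwarden.jakstys.lt.service" ];` and set `after = acmeUnits; requires = acmeUnits;`. The `services` set that the new `vaultwarden` block belongs to begins before the hunk.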