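{ secrets, config, ... }:

let
  # Vaultwarden only listens on the loopback address below; nginx is the sole
  # public entry point, so both locations proxy to this one upstream.
  vaultwardenUpstream =
    "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
in
{

  dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];

  # Secrets are provided through age; the environment file is owned by the
  # vaultwarden service user so only that service can read it.
  age.secrets = {
    resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;
    vaultwardenSecrets = {
      file  = secrets."${config.networking.hostName}".vaultwardenSecrets;
      owner = "vaultwarden";
      group = "vaultwarden";
    };
  };

  # Back up the live state directory and the directory configured as
  # services.vaultwarden.backupDir.  The latter is referenced rather than
  # repeated as a literal so the two settings cannot drift apart.
  restic-backups.vaultwarden = {
    user         = "vaultwarden";
    passwordFile = config.age.secrets.resticVaultwarden.path;
    paths        = [ "/var/lib/vaultwarden" config.services.vaultwarden.backupDir ];
  };

  # NOTE(review): "%i" is the systemd instance name, which is empty for a
  # non-templated unit such as vaultwarden.service; confirm this resolves to the
  # intended email-notify instance (if not, "%n" may be what is meant).
  systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];

  services = {
    vaultwarden = {
      enable          = true;
      dbBackend       = "sqlite";
      backupDir       = "/var/backups/vaultwarden";
      # Presumably carries the credentials not set in `config` below (SMTP
      # password, push keys, admin token); keeping them here keeps them out of
      # the world-readable Nix store.
      environmentFile = config.age.secrets.vaultwardenSecrets.path;
      config          = {
        DOMAIN          = "https://vault.ctu.cx";
        # Open registration is disabled.
        SIGNUPS_ALLOWED = false;

        # Push notifications need an installation id/key; assumed to come from
        # environmentFile -- verify.
        PUSH_ENABLED = true;

        SMTP_HOST     = "hector.ctu.cx";
        SMTP_FROM     = "vaultwarden@ctu.cx";
        SMTP_USERNAME = "vaultwarden@ctu.cx";
        SMTP_PORT     = 587;
        SMTP_SECURITY = "starttls";

        # Bind to IPv6 loopback only so the plain-HTTP port is never reachable
        # from outside the host; TLS is terminated by nginx.
        ROCKET_ADDRESS = "::1";
        ROCKET_PORT    = 8582;
      };
    };

    nginx = {
      enable = true;
      virtualHosts."vault.ctu.cx" = {
        useACMEHost = config.networking.fqdn;
        forceSSL    = true;
        kTLS        = true;
        locations   = {
          "/".proxyPass = vaultwardenUpstream;
          # The notifications hub needs the WebSocket upgrade headers passed on.
          "/notifications/hub" = {
            proxyPass       = vaultwardenUpstream;
            proxyWebsockets = true;
          };
        };
      };
    };
  };

}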