Add services from nyx to phoenix

hosts/phoenix.lewd.wtf/secrets.nix

@@ -1,7 +1,17 @@
 { config, ... }:
 {
+  sops.defaultSopsFile = ./secrets/services.yaml;
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
+  # Vaultwarden
+  sops.secrets."services/vaultwarden/.env" = {
+    mode = "0400";
+    owner = config.users.users.vaultwarden.name;
+    group = config.users.users.vaultwarden.group;
+    sopsFile = ./secrets/vaultwarden.env;
+    format = "dotenv";
+  };
+
   # MSMTP
   sops.secrets."services/msmtp/password" = {
     mode = "0777";

hosts/phoenix.lewd.wtf/secrets/services.yaml

@@ -0,0 +1,30 @@
+example_key: ENC[AES256_GCM,data:0VPRbi+eXJx6TEzSLg==,iv:wXY3sv0gW37H/Mv5s4caJIZe0NPzrSOu5+/zZV21OsU=,tag:66xqln7ExRHqTs84I5FI/g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaVc2c2ViN3pyYlNValQ2
+            b2Q4STlST1M1Umh6MWl3ZDAvajJVUXJIbW13CmRvQ3RBbWZrbklKRmU4MmdHdkVN
+            YlgxSElqZzl3ckZjRWtEU3pmcGhpZU0KLS0tIDlEYklTN3N3RWxFUFNZM2xGMXRI
+            RE41cnNWdWRrZUVwaG56Qmh6VEwzSnMKi4Hl9IjxZKelOQd2fxf54qN0ZAlx4zzE
+            O+acAe7wB8v85XgEt/DBJrVi6NYg8bt7uj4R71cAMZxKheBjdNNPXA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU1ZmY0dkM3FQdWtCdGlP
+            VFNpMkFaWWZwMGJxS1dqRm5BQURLbGQ0M2hNCnA5OFBScUNUc01tM3R4M3RxNFdl
+            NlArazJ5aktVVGlxUlpEV0hLK2Zna3cKLS0tIGZYc0lnL1dLRDNxV2RFZFFhUmhN
+            RmRoZmxVMVhOL1FtTlA3QTNCQ1RlNWcKLitsiPk+4Lzdud4GR/iMgolGLLURU6mO
+            1FBk0HTP4b+f0G5Uentp9oBPTNA0J6qCo1C79ZgV6LiZoWKunh5QAg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-10T18:21:20Z"
+    mac: ENC[AES256_GCM,data:euTc5etuk3p8g3OOijis4mvDrgS3dkYf5d3qkqlzftxcocZgPgUI9lJZCL3K11zn7JnbNUm5cMtr/h14WYtCJXztHXXhrpAbfy3HRNKlELCn+gENvbMM7Vtkb/8Uji2xosRHl4ygnTLN3L6/qX0Sn0sQm96UB3Q8ZHOXClQNZ/4=,iv:FNw/OEOhCmAMdbbIpkn3SbNwf2y0eHSHFuJlm58ZykU=,tag:ealqzvWEdGiQkvz/72L6QQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

hosts/phoenix.lewd.wtf/secrets/vaultwarden.env

@@ -0,0 +1,11 @@
+ADMIN_TOKEN=ENC[AES256_GCM,data:1cRomfcw7QRGJ8FeRBIbVE0Rj7hGgusSxa4h0oLWmlNSqDi1NLuMevCZoQQuwGE4ZgTttdUrZUv6QGwtndaDcQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:gNN7eZc2mR/90n7JOeg5wg==,type:str]
+SMTP_PASSWORD=ENC[AES256_GCM,data:GbBaT0JUsxCT8x3o5EoKvA==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:GpP1lzeeNdkZfaI16cufzQ==,type:str]
+YUBICO_SECRET_KEY=ENC[AES256_GCM,data:caHlB/H4iWfZP2jQjVrFIUXfYiT1g5q81Cyfb+7q,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:3eDkQF1+7AroPzTh6PzTTg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTCtwelNJdENDOERjSGlI\neUgwYnpvNDhnQkZmVmRaTmJSOFlCZFZGWkJjCjQrV3V3VExPZzIwVitJaUtmNEdU\nU09UbENVUi9wWWZ2RzNhbXN4VG5IZWsKLS0tIEpkT0hHZ2JCcEVBeGduWk83WnZm\nWlhkMzFMQXN5R3JBb1pvc0U5Y013dWMK5LiYBFHa2j29Q58VfR/XvxduBv/dy3Wi\nLasyBSqFrK0nngUXhCxPVCn8ZU5gMMaiXCisCPDxXDdX+t7DLErCSw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS3o2TkplT1hIa1luKzky\nbEo0cGdIYStlTDg3NDh1UGQ1NTRqcTZqb0RRCk5aaTY2NnFMVDN6Z0ludDNyQW5n\nelNHZjNJZTJXbEVlN2xSNzBsQUV2WDAKLS0tIFBwRkpoWDIzMk5XRWh3dlRpbjR0\nbStON1RnbXprcXAwUm00aVExMVc2Q2sKdOrM7+UT5Bb6z5Rnv6EkVt8+aIEqWfOc\no2fc6d2F5ozmt/GS189dld8QWFvIY/RUQnRqm55txAip8NHynTt+0A==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+sops_lastmodified=2024-02-10T18:21:23Z
+sops_mac=ENC[AES256_GCM,data:CAm7H/sbSnLD72uryZwK9rlu9ptTqBVMAvWjzI8PzzFx5PQHrkFKOmG73Sdao6Map1QMjM57g/q0DDxkL0tY3iW4X1kc3oUC4Ej4nj4/ZrjRiVpSA6Zs38gi4O30X7lr0iWK1DdD/wCMuo66ixJ5ol/0XBAUIUUUW7UxaTLptDM=,iv:bDvwwPoFeChslZgwnoSMPJzd9yY2Y6Tc8Gdyhxp9Fyk=,tag:BjUnCjdL9DNGg9sbyWOXAQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.7.3

hosts/phoenix.lewd.wtf/services/nginx.nix

@@ -0,0 +1,7 @@
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+  };
+}

hosts/phoenix.lewd.wtf/services/uptimekuma.nix

@@ -0,0 +1,23 @@
+{
+  services.uptime-kuma = {
+    enable = true;
+    settings = {
+        UPTIME_KUMA_PORT = "8099";
+    };
+  };
+
+  services.nginx.virtualHosts."status.lewd.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8099";
+      proxyWebsockets = true; # needed if you need to use WebSocket
+      extraConfig =
+        "proxy_set_header        Host $host;" +
+        "proxy_set_header        X-Real-IP $remote_addr;" +
+        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
+        "proxy_set_header        X-Forwarded-Proto $scheme;"
+        ;
+    };
+  };
+}

hosts/phoenix.lewd.wtf/services/vaultwarden.nix

@@ -0,0 +1,60 @@
+{ config, ... }:
+{
+  users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
+
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = "/run/secrets/services/vaultwarden/.env";
+    config = {
+      DOMAIN = "https://vault.lewd.wtf";
+      SIGNUPS_ALLOWED = false;
+      SIGNUPS_VERIFY = true;
+      INVITATIONS_ALLOWED = false;
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_PORT = 3012;
+      ROCKET_PORT = 8222;
+      SMTP_HOST = "mail.your-server.de";
+      SMTP_FROM = "vaultwarden@lewd.wtf";
+      SMTP_FROM_NAME = "Vaultwarden";
+      SMTP_USERNAME = "vaultwarden@lewd.wtf";
+      YUBICO_CLIENT_ID = 88022;
+    };
+  };
+
+  services.nginx.clientMaxBodySize = "128M";
+
+  services.nginx.virtualHosts."vault.lewd.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8222";
+      proxyWebsockets = true; # needed if you need to use WebSocket
+      extraConfig =
+        "proxy_set_header        Host $host;" +
+        "proxy_set_header        X-Real-IP $remote_addr;" +
+        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
+        "proxy_set_header        X-Forwarded-Proto $scheme;"
+        ;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://127.0.0.1:8222";
+      proxyWebsockets = true; # needed if you need to use WebSocket
+      extraConfig =
+        "proxy_set_header        Host $host;" +
+        "proxy_set_header        X-Real-IP $remote_addr;" +
+        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
+        "proxy_set_header        X-Forwarded-Proto $scheme;"
+        ;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://127.0.0.1:3012";
+      proxyWebsockets = true; # needed if you need to use WebSocket
+      extraConfig =
+        "proxy_set_header        Host $host;" +
+        "proxy_set_header        X-Real-IP $remote_addr;" +
+        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
+        "proxy_set_header        X-Forwarded-Proto $scheme;"
+        ;
+    };
+  };
+}

hosts/phoenix.lewd.wtf/services/vikunja.nix

@@ -0,0 +1,13 @@
+{ pkgs, ...}:
+{
+  services.vikunja = {
+    enable = true;
+    setupNginx = true;
+    frontendScheme = "https";
+    frontendHostname = "todo.lewd.wtf";
+  };
+  services.nginx.virtualHosts."todo.lewd.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+}