From e7838b899285853a13e3c16a274d1daeb5c1b42a Mon Sep 17 00:00:00 2001
From: Ciapa
Date: Sat, 10 Feb 2024 19:26:29 +0100
Subject: [PATCH] Add services from nyx to phoenix
---
 hosts/phoenix.lewd.wtf/secrets.nix | 10 ++++
 hosts/phoenix.lewd.wtf/secrets/services.yaml | 30 ++++++++++
 .../phoenix.lewd.wtf/secrets/vaultwarden.env | 11 ++++
 hosts/phoenix.lewd.wtf/services/nginx.nix | 7 +++
 .../phoenix.lewd.wtf/services/uptimekuma.nix | 23 +++++++
 .../phoenix.lewd.wtf/services/vaultwarden.nix | 60 +++++++++++++++++++
 hosts/phoenix.lewd.wtf/services/vikunja.nix | 13 ++++
 7 files changed, 154 insertions(+)
 create mode 100644 hosts/phoenix.lewd.wtf/secrets/services.yaml
 create mode 100644 hosts/phoenix.lewd.wtf/secrets/vaultwarden.env
 create mode 100644 hosts/phoenix.lewd.wtf/services/nginx.nix
 create mode 100644 hosts/phoenix.lewd.wtf/services/uptimekuma.nix
 create mode 100644 hosts/phoenix.lewd.wtf/services/vaultwarden.nix
 create mode 100644 hosts/phoenix.lewd.wtf/services/vikunja.nix
diff --git a/hosts/phoenix.lewd.wtf/secrets.nix b/hosts/phoenix.lewd.wtf/secrets.nix
index d327b26..f520222 100644
--- a/hosts/phoenix.lewd.wtf/secrets.nix
+++ b/hosts/phoenix.lewd.wtf/secrets.nix
@@ -1,7 +1,17 @@
 { config, ... }:
 {
+ sops.defaultSopsFile = ./secrets/services.yaml;
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 
+ # Vaultwarden
+ sops.secrets."services/vaultwarden/.env" = {
+ mode = "0400";
+ owner = config.users.users.vaultwarden.name;
+ group = config.users.users.vaultwarden.group;
+ sopsFile = ./secrets/vaultwarden.env;
+ format = "dotenv";
+ };
+
 # MSMTP
 sops.secrets."services/msmtp/password" = {
 mode = "0777";
diff --git a/hosts/phoenix.lewd.wtf/secrets/services.yaml b/hosts/phoenix.lewd.wtf/secrets/services.yaml
new file mode 100644
index 0000000..de36215
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/services.yaml
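Review bot: The new Vaultwarden secret is locked down correctly (`mode = "0400"`, owner and group set to the service user), but the MSMTP password block two lines below it is still declared with `mode = "0777"`, which makes that credential readable by every local account; since this patch already reshapes the file, the same treatment — `mode = "0400";` plus an `owner` of the service that reads it — belongs there as well. The MSMTP block continues past the end of the hunk, so its remaining attributes are not visible here. `sops.defaultSopsFile` is also introduced in this hunk and now backs any secret in this file that sets no `sopsFile` of its own; confirm the MSMTP entry either sets one or has its key in services.yaml, which in this patch contains only `example_key`.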
@@ -0,0 +1,30 @@
+example_key: ENC[AES256_GCM,data:0VPRbi+eXJx6TEzSLg==,iv:wXY3sv0gW37H/Mv5s4caJIZe0NPzrSOu5+/zZV21OsU=,tag:66xqln7ExRHqTs84I5FI/g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaVc2c2ViN3pyYlNValQ2
+ b2Q4STlST1M1Umh6MWl3ZDAvajJVUXJIbW13CmRvQ3RBbWZrbklKRmU4MmdHdkVN
+ YlgxSElqZzl3ckZjRWtEU3pmcGhpZU0KLS0tIDlEYklTN3N3RWxFUFNZM2xGMXRI
+ RE41cnNWdWRrZUVwaG56Qmh6VEwzSnMKi4Hl9IjxZKelOQd2fxf54qN0ZAlx4zzE
+ O+acAe7wB8v85XgEt/DBJrVi6NYg8bt7uj4R71cAMZxKheBjdNNPXA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArU1ZmY0dkM3FQdWtCdGlP
+ VFNpMkFaWWZwMGJxS1dqRm5BQURLbGQ0M2hNCnA5OFBScUNUc01tM3R4M3RxNFdl
+ NlArazJ5aktVVGlxUlpEV0hLK2Zna3cKLS0tIGZYc0lnL1dLRDNxV2RFZFFhUmhN
+ RmRoZmxVMVhOL1FtTlA3QTNCQ1RlNWcKLitsiPk+4Lzdud4GR/iMgolGLLURU6mO
+ 1FBk0HTP4b+f0G5Uentp9oBPTNA0J6qCo1C79ZgV6LiZoWKunh5QAg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-10T18:21:20Z"
+ mac: ENC[AES256_GCM,data:euTc5etuk3p8g3OOijis4mvDrgS3dkYf5d3qkqlzftxcocZgPgUI9lJZCL3K11zn7JnbNUm5cMtr/h14WYtCJXztHXXhrpAbfy3HRNKlELCn+gENvbMM7Vtkb/8Uji2xosRHl4ygnTLN3L6/qX0Sn0sQm96UB3Q8ZHOXClQNZ/4=,iv:FNw/OEOhCmAMdbbIpkn3SbNwf2y0eHSHFuJlm58ZykU=,tag:ealqzvWEdGiQkvz/72L6QQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/hosts/phoenix.lewd.wtf/secrets/vaultwarden.env b/hosts/phoenix.lewd.wtf/secrets/vaultwarden.env
new file mode 100644
index 0000000..2a3c071
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/secrets/vaultwarden.env
@@ -0,0 +1,11 @@
+ADMIN_TOKEN=ENC[AES256_GCM,data:1cRomfcw7QRGJ8FeRBIbVE0Rj7hGgusSxa4h0oLWmlNSqDi1NLuMevCZoQQuwGE4ZgTttdUrZUv6QGwtndaDcQ==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:gNN7eZc2mR/90n7JOeg5wg==,type:str]
+SMTP_PASSWORD=ENC[AES256_GCM,data:GbBaT0JUsxCT8x3o5EoKvA==,iv:uA3WytiA9o/3qohl/eaMD7gVbORo4YZg2gzT/qZZHbA=,tag:GpP1lzeeNdkZfaI16cufzQ==,type:str]
+YUBICO_SECRET_KEY=ENC[AES256_GCM,data:caHlB/H4iWfZP2jQjVrFIUXfYiT1g5q81Cyfb+7q,iv:XDmIl7dqV8R7bykwtQz3EQIf1qJHh3wPbL9RAu6ZWEk=,tag:3eDkQF1+7AroPzTh6PzTTg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTCtwelNJdENDOERjSGlI\neUgwYnpvNDhnQkZmVmRaTmJSOFlCZFZGWkJjCjQrV3V3VExPZzIwVitJaUtmNEdU\nU09UbENVUi9wWWZ2RzNhbXN4VG5IZWsKLS0tIEpkT0hHZ2JCcEVBeGduWk83WnZm\nWlhkMzFMQXN5R3JBb1pvc0U5Y013dWMK5LiYBFHa2j29Q58VfR/XvxduBv/dy3Wi\nLasyBSqFrK0nngUXhCxPVCn8ZU5gMMaiXCisCPDxXDdX+t7DLErCSw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS3o2TkplT1hIa1luKzky\nbEo0cGdIYStlTDg3NDh1UGQ1NTRqcTZqb0RRCk5aaTY2NnFMVDN6Z0ludDNyQW5n\nelNHZjNJZTJXbEVlN2xSNzBsQUV2WDAKLS0tIFBwRkpoWDIzMk5XRWh3dlRpbjR0\nbStON1RnbXprcXAwUm00aVExMVc2Q2sKdOrM7+UT5Bb6z5Rnv6EkVt8+aIEqWfOc\no2fc6d2F5ozmt/GS189dld8QWFvIY/RUQnRqm55txAip8NHynTt+0A==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1tf5077gpdp3cp4hedvng5wltzvp9jg0ehpt7czhnczlx6ctvqpjstvrmmh
+sops_lastmodified=2024-02-10T18:21:23Z
+sops_mac=ENC[AES256_GCM,data:CAm7H/sbSnLD72uryZwK9rlu9ptTqBVMAvWjzI8PzzFx5PQHrkFKOmG73Sdao6Map1QMjM57g/q0DDxkL0tY3iW4X1kc3oUC4Ej4nj4/ZrjRiVpSA6Zs38gi4O30X7lr0iWK1DdD/wCMuo66ixJ5ol/0XBAUIUUUW7UxaTLptDM=,iv:bDvwwPoFeChslZgwnoSMPJzd9yY2Y6Tc8Gdyhxp9Fyk=,tag:BjUnCjdL9DNGg9sbyWOXAQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.7.3
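Review bot: `ADMIN_TOKEN` is committed encrypted, which is right, but Vaultwarden also accepts this variable as an Argon2 PHC hash string (produced by `vaultwarden hash`) instead of the raw token; if the value encrypted here is the plain token, storing the hash instead means a decrypted copy of this file — in a host backup, a debugging session or a misconfigured secrets mount — does not by itself yield a working admin credential. Per secrets.nix in this patch the file is deployed at mode 0400 owned by the vaultwarden user, so this is defence in depth rather than an open hole. Whether the value is already a hash cannot be determined from the ciphertext, so please confirm before merging.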
diff --git a/hosts/phoenix.lewd.wtf/services/nginx.nix b/hosts/phoenix.lewd.wtf/services/nginx.nix
new file mode 100644
index 0000000..6449182
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/nginx.nix
@@ -0,0 +1,7 @@
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.nginx = {
+ enable = true;
+ };
+}
diff --git a/hosts/phoenix.lewd.wtf/services/uptimekuma.nix b/hosts/phoenix.lewd.wtf/services/uptimekuma.nix
new file mode 100644
index 0000000..9c4efec
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/uptimekuma.nix
@@ -0,0 +1,23 @@
+{
+ services.uptime-kuma = {
+ enable = true;
+ settings = {
+ UPTIME_KUMA_PORT = "8099";
+ };
+ };
+
+ services.nginx.virtualHosts."status.lewd.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8099";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" + + "proxy_set_header X-Real-IP $remote_addr;" + + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + + "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ };
+}
diff --git a/hosts/phoenix.lewd.wtf/services/vaultwarden.nix b/hosts/phoenix.lewd.wtf/services/vaultwarden.nix
new file mode 100644
index 0000000..4a7d94a
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/vaultwarden.nix
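Review bot: `services.nginx = { enable = true; }` leaves nginx at its stock TLS and proxy defaults while this same patch publishes three ACME/forceSSL vhosts behind it (uptimekuma.nix, vaultwarden.nix, vikunja.nix); add `recommendedTlsSettings = true;` and `recommendedProxySettings = true;` inside that attrset so every vhost inherits the module's curated TLS protocol/cipher configuration and the `Host`/`X-Real-IP`/`X-Forwarded-*` headers that the per-service files currently paste by hand in `extraConfig`. Opening 80 and 443 in `allowedTCPPorts` is consistent with the ACME HTTP-01 flow, but `security.acme.acceptTerms` and `security.acme.defaults.email` do not appear anywhere in this patch, so they are presumably set elsewhere in the host configuration; worth confirming, since `enableACME = true` fails evaluation without them.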
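Review bot: The `extraConfig` value is assembled by `+` concatenation of four strings with no newline between them, so nginx receives all four directives on a single line; it parses because each directive ends with `;`, but a `''` indented multi-line string is the Nix idiom and is much easier to audit. The same four `proxy_set_header` lines are exactly what `services.nginx.recommendedProxySettings = true` emits, so with that set (in nginx.nix of this patch) the location reduces to `proxyPass` and `proxyWebsockets`. Port 8099 is also written twice, as the string `UPTIME_KUMA_PORT = "8099"` and inside `proxyPass`; binding both to one `let` value keeps them from drifting apart on a later edit.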
@@ -0,0 +1,60 @@
+{ config, ... }:
+{
+ users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
+
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = "/run/secrets/services/vaultwarden/.env";
+ config = {
+ DOMAIN = "https://vault.lewd.wtf";
+ SIGNUPS_ALLOWED = false;
+ SIGNUPS_VERIFY = true;
+ INVITATIONS_ALLOWED = false;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_PORT = 3012;
+ ROCKET_PORT = 8222;
+ SMTP_HOST = "mail.your-server.de";
+ SMTP_FROM = "vaultwarden@lewd.wtf";
+ SMTP_FROM_NAME = "Vaultwarden";
+ SMTP_USERNAME = "vaultwarden@lewd.wtf";
+ YUBICO_CLIENT_ID = 88022;
+ };
+ };
+
+ services.nginx.clientMaxBodySize = "128M";
+
+ services.nginx.virtualHosts."vault.lewd.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" + + "proxy_set_header X-Real-IP $remote_addr;" + + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + + "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" + + "proxy_set_header X-Real-IP $remote_addr;" + + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + + "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:3012";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ "proxy_set_header Host $host;" + + "proxy_set_header X-Real-IP $remote_addr;" + + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + + "proxy_set_header X-Forwarded-Proto $scheme;"
+ ;
+ };
+ };
+}
diff --git a/hosts/phoenix.lewd.wtf/services/vikunja.nix b/hosts/phoenix.lewd.wtf/services/vikunja.nix
new file mode 100644
index 0000000..1f4e6d6
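Review bot: `environmentFile` hard-codes `/run/secrets/services/vaultwarden/.env` even though `config` is already bound in this module; use `environmentFile = config.sops.secrets."services/vaultwarden/.env".path;` so the path follows the sops declaration in secrets.nix (same patch) and a later rename there cannot leave Vaultwarden starting without its `ADMIN_TOKEN`, `SMTP_PASSWORD` and `YUBICO_SECRET_KEY`. `users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ]` looks unnecessary, since the secret is declared with `owner`/`group` set to the vaultwarden user and `mode = "0400"`; if nothing else relies on it, dropping it keeps the service out of the shared keys group. The three `locations` blocks repeat the same four `proxy_set_header` lines, and `/notifications/hub/negotiate` is byte-identical to `/`; `services.nginx.recommendedProxySettings = true` supplies those headers, after which each location needs only `proxyPass` and `proxyWebsockets` and the negotiate block can go.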
--- /dev/null
+++ b/hosts/phoenix.lewd.wtf/services/vikunja.nix
@@ -0,0 +1,13 @@
+{ pkgs, ...}:
+{
+ services.vikunja = {
+ enable = true;
+ setupNginx = true;
+ frontendScheme = "https";
+ frontendHostname = "todo.lewd.wtf";
+ };
+ services.nginx.virtualHosts."todo.lewd.wtf" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+}
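Review bot: `pkgs` is bound in the module arguments `{ pkgs, ...}:` but never used in the body; drop it (`{ ... }:`) so the unused binding does not suggest a package override that is not there. Vikunja ships with self-registration switched on, so a public `todo.lewd.wtf` accepts new accounts unless `services.vikunja.settings.service.enableregistration = false;` is set (the module's freeform `settings` option maps onto Vikunja's config file); confirm that open registration is intended before merging. The explicit `virtualHosts."todo.lewd.wtf"` block merges with the one `setupNginx = true` generates, which is the expected way to add ACME/TLS to it.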