diff --git a/flake.nix b/flake.nix
index 9328f7e..7df9581 100644
--- a/flake.nix
+++ b/flake.nix
@@ -54,6 +54,23 @@
 nixos-hardware.nixosModules.apple-t2
 ];
 };
+ schrottserver = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ inherit inputs;
+ };
+ system = "x86_64-linux";
+ modules = [
+ ./schrottserver/configuration.nix
+ home-manager.nixosModules.home-manager {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.jade = { nixosConfig, pkgs, ... }: {
+ home.sessionVariables.TZ = nixosConfig.time.timeZone;
+ home.stateVersion = "${nixosConfig.system.stateVersion}";
+ };
+ }
+ ];
+ };
 };
 };
 }
diff --git a/schrottserver/configuration.nix b/schrottserver/configuration.nix
new file mode 100644
index 0000000..f1bb2cf
--- /dev/null
+++ b/schrottserver/configuration.nix
@@ -0,0 +1,35 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ inputs, config, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ../common.nix
+ ./proxy.nix
+ ./vaultwarden.nix
+ ];
+
+ jade = {
+ neovim.enable = true;
+ zsh.enable = true;
+ };
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "schrottserver"; # Define your hostname.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ networking.firewall.enable = false;
+
+ # default settings for stateful data; don't change unless reinstall with newer version
+ system.stateVersion = "22.11"; # Did you read the comment?
+
+}
+
diff --git a/schrottserver/hardware-configuration.nix b/schrottserver/hardware-configuration.nix
new file mode 100644
index 0000000..549050f
--- /dev/null
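Review bot: `home.stateVersion = "${nixosConfig.system.stateVersion}";` wraps a value that is already a string in an interpolation; `home.stateVersion = nixosConfig.system.stateVersion;` expresses the same thing directly. The `pkgs` argument of the inline home-manager user module is not used in its body and can be dropped from the pattern. The `nixosConfigurations` set and the `outputs` function this hunk sits in start before the hunk.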
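Review bot: `networking.firewall.enable = false;` switches the host firewall off on a machine that proxy.nix in this same commit makes internet-facing, so every listening service becomes reachable from outside, not only nginx. vaultwarden.nix binds its WebSocket listener on `0.0.0.0:3012` and sets `ROCKET_PORT = 8812` without pinning `ROCKET_ADDRESS`, so both plain-HTTP listeners would be reachable around the TLS-terminating proxy. Keep the firewall enabled (the default) and open only what nginx serves: `networking.firewall.allowedTCPPorts = [ 80 443 ];`. Enabling NetworkManager on what hardware-configuration.nix identifies as a QEMU guest is unusual for a headless server, but that is a preference rather than a defect.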
+++ b/schrottserver/hardware-configuration.nix
@@ -0,0 +1,37 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/e8d88849-3746-4c24-9ecd-09921645ef81";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0107-0E2C";
+ fsType = "vfat";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/schrottserver/proxy.nix b/schrottserver/proxy.nix
new file mode 100644
index 0000000..b8a702c
--- /dev/null
+++ b/schrottserver/proxy.nix
@@ -0,0 +1,44 @@
+{ inputs, config, pkgs, ... }:
+let
+ domain = "schrottkatze.de";
+ vaultwardenSubdomain = "vw";
+in {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "jade@schrottkatze.de";
+ certs = {
+ "${vaultwardenSubdomain}.${domain}" = {
+ group = "nginx";
+ keyType = "rsa2048";
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "${vaultwardenSubdomain}.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8812"; #changed the default rocket port due to some conflict
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://localhost:3012";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://localhost:8812";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
diff --git a/schrottserver/vaultwarden.nix b/schrottserver/vaultwarden.nix
new file mode 100644
index 0000000..b96dd0d
--- /dev/null
+++ b/schrottserver/vaultwarden.nix
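Review bot: `keyType = "rsa2048";` overrides the ACME module's default key type (an EC key in current nixpkgs, as far as I recall) without recording why; either drop the line to inherit the default or annotate it, e.g. `keyType = "rsa2048"; # <reason the default does not work here>`. The host name `"${vaultwardenSubdomain}.${domain}"` is spelled out twice, once for the cert and once for the vhost; binding it once in the `let` (`vaultwardenHost = "${vaultwardenSubdomain}.${domain}";`) keeps the two from drifting apart. The module arguments `inputs`, `config` and `pkgs` are unused in this file, so `{ ... }:` would do.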
@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+ services.vaultwarden = {
+ enable = true;
+ #backupDir = "/vw-backups";
+ config = {
+ #WEB_VAULT_FOLDER = "${pkgs.vaultwarden}/share/vaultwarden/vault";
+ #WEB_VAULT_ENABLED = true;
+ DATA_FOLDER = "/var/lib/bitwarden_rs/";
+ DATABASE_URL = "/var/lib/bitwarden_rs/db.sqlite3";
+ LOG_FILE = "/var/log/bitwarden";
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "0.0.0.0";
+ WEBSOCKET_PORT = 3012;
+ SIGNUPS_VERIFY = true;
+ ROCKET_LOG = "debug";
+ ENABLE_WAL = false;
+ ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;
+ DOMAIN = "http://localhost";
+ #SMTP_HOST = "mx.example.com";
+ #SMTP_FROM = "bitwarden@example.com";
+ #SMTP_FROM_NAME = "Bitwarden_RS";
+ #SMTP_PORT = 587;
+ #SMTP_SSL = true;
+ #SMTP_USERNAME = (import /etc/nixos/secret/bitwarden.nix).SMTP_USERNAME;
+ #SMTP_PASSWORD = (import /etc/nixos/secret/bitwarden.nix).SMTP_PASSWORD;
+ SMTP_TIMEOUT = 15;
+ ROCKET_PORT = 8812;
+ };
+ };
+}
diff --git a/secret-data/vaultwarden-admin-token b/secret-data/vaultwarden-admin-token
new file mode 100644
index 0000000..7e1a87b
Binary files /dev/null and b/secret-data/vaultwarden-admin-token differ
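Review bot: `ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;` reads the secret at evaluation time, so it is copied into the world-readable Nix store as part of the generated service environment, and the same commit adds `secret-data/vaultwarden-admin-token` to the repository itself. The module's `services.vaultwarden.environmentFile` option loads an out-of-store file at service start; move the token (and later the SMTP credentials) into such a file, remove the `ADMIN_TOKEN` line from `config`, and treat the committed token as compromised and replace it. `DOMAIN = "http://localhost";` does not match the public URL nginx serves in proxy.nix; `DOMAIN = "https://vw.schrottkatze.de";` is needed for generated links and origin checks to be correct. `WEBSOCKET_ADDRESS = "0.0.0.0";` exposes the unencrypted notification socket on every interface although nginx only proxies it from localhost; `WEBSOCKET_ADDRESS = "127.0.0.1";` plus a matching `ROCKET_ADDRESS = "127.0.0.1";` confine both listeners to the proxy. `SIGNUPS_VERIFY = true;` is set while every SMTP option stays commented out, so verification mail cannot be sent; if this instance is for one account, `SIGNUPS_ALLOWED = false;` is the simpler guard.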