From 55eb4f5ddc3b7d3ed4b56f918aa35f7342a3072b Mon Sep 17 00:00:00 2001 From: tristan <> Date: Sat, 24 May 2025 23:03:40 -0400 Subject: [PATCH] vaultwarden and postgresql --- caddy.nix | 10 --- configuration.nix | 22 ++--- flake.lock | 111 +++++++++++++++++++++++++ flake.nix | 10 ++- imports/caddy.nix | 20 +++++ imports/hedgedoc.nix | 11 +++ imports/navidrome.nix | 11 +++ imports/postgres.nix | 25 ++++++ imports/vaultwarden.nix | 31 +++++++ wireguard.nix => imports/wireguard.nix | 1 + 10 files changed, 228 insertions(+), 24 deletions(-) delete mode 100644 caddy.nix create mode 100644 flake.lock create mode 100644 imports/caddy.nix create mode 100644 imports/hedgedoc.nix create mode 100644 imports/navidrome.nix create mode 100644 imports/postgres.nix create mode 100644 imports/vaultwarden.nix rename wireguard.nix => imports/wireguard.nix (98%) diff --git a/caddy.nix b/caddy.nix deleted file mode 100644 index a4def1d..0000000 --- a/caddy.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - services.caddy = { - enable = true; - - virtualHosts."mymarseille.duckdns.org".extraConfig = '' - reverse_proxy localhost:4533 - - ''; - }; -} diff --git a/configuration.nix b/configuration.nix index a1f8ea4..ded579c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -8,8 +8,12 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ./caddy.nix - ./wireguard.nix + ./imports/caddy.nix + ./imports/hedgedoc.nix + ./imports/postgres.nix + ./imports/navidrome.nix + ./imports/vaultwarden.nix + ./imports/wireguard.nix ]; # Use the systemd-boot EFI boot loader. @@ -106,14 +110,6 @@ blahaj ]; - services.navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4533; - MusicFolder = "/srv/music"; - }; - }; nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "broadcom-sta" 
@@ -137,11 +133,11 @@
 # Open ports in the firewall.
 networking.firewall.allowedTCPPorts = [
 22
- 4533
+ 80
 ];
 networking.firewall.allowedUDPPorts = [
 22
- 4533
+ 80
 ];
 # Or disable the firewall altogether.
 networking.firewall.enable = true;
@@ -149,7 +145,7 @@
 # Copy the NixOS configuration file and link it from the resulting system
 # (/run/current-system/configuration.nix). This is useful in case you
 # accidentally delete configuration.nix.
- system.copySystemConfiguration = true;
+ # system.copySystemConfiguration = true;
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b0f90c4
--- /dev/null
+++ b/flake.lock
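Review bot: `networking.firewall.allowedUDPPorts` now contains 80, but nothing in this configuration listens on UDP/80 — the Caddy vhosts added in imports/caddy.nix are plain `http://` (TCP), and HTTP/3 would only ever use 443/UDP after TLS is enabled — so the entry (like the pre-existing 22) is an open port with no service behind it. Suggested: `networking.firewall.allowedUDPPorts = [ ];`, adding `443` there later only if HTTP/3 is wanted. Since imports/vaultwarden.nix advertises `DOMAIN = "https://vault.mymarseille.duckdns.org"`, the TCP list will also need `443` once Caddy is allowed to terminate TLS; with only 80 open the vault can only be reached over plaintext.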
@@ -0,0 +1,111 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1746827285, + "narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=", + "rev": "47aad376c87e2e65967f17099277428e4b3f8e5a", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": "flake-utils", + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746838955, + "narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=", + "rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1747744144, + "narHash": 
"sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "lix-module": "lix-module", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 723de29..8f63571 100644 --- a/flake.nix +++ b/flake.nix @@ -3,14 +3,22 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + + lix-module = { + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs }: { + +}; + + outputs = { self, nixpkgs, lix-module }: { nixosConfigurations = { mini = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix + lix-module.nixosModules.default ]; }; }; diff --git a/imports/caddy.nix b/imports/caddy.nix new file mode 100644 index 0000000..975055e --- /dev/null +++ b/imports/caddy.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: + +{ + services.caddy = { + enable = true; + + virtualHosts."http://navidrome.mymarseille.duckdns.org".extraConfig = '' + reverse_proxy localhost:4533 + ''; + + virtualHosts."http://notes.mymarseille.duckdns.org".extraConfig = '' + reverse_proxy localhost:8001 + ''; + + virtualHosts."http://vault.mymarseille.duckdns.org".extraConfig = '' + reverse_proxy localhost:8000 + ''; + + }; +} diff --git a/imports/hedgedoc.nix b/imports/hedgedoc.nix new file mode 100644 index 0000000..63d8feb 
--- /dev/null
+++ b/imports/hedgedoc.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+{
+ services.hedgedoc = {
+ enable = true;
+ settings = {
+ domain = "hedgedoc.mymarseille.duckdns.org";
+ port = 8001;
+ };
+ };
+
+}
diff --git a/imports/navidrome.nix b/imports/navidrome.nix
new file mode 100644
index 0000000..efa5b41
--- /dev/null
+++ b/imports/navidrome.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+{
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "0.0.0.0";
+ Port = 4533;
+ MusicFolder = "/srv/music";
+ };
+ };
+}
diff --git a/imports/postgres.nix b/imports/postgres.nix
new file mode 100644
index 0000000..cf0cf27
--- /dev/null
+++ b/imports/postgres.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+
+ ensureDatabases = [ "vaultwarden" ];
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all trust
+ '';
+
+ # When removing users or removing permissions from users here, must also remove them manually
+ ensureUsers = [
+ {
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }
+ ];
+
+
+ settings = {
+ port = 5432;
+ };
+ };
+}
diff --git a/imports/vaultwarden.nix b/imports/vaultwarden.nix
new file mode 100644
index 0000000..e760075
--- /dev/null
+++ b/imports/vaultwarden.nix
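Review bot: `settings.domain` in imports/hedgedoc.nix is `hedgedoc.mymarseille.duckdns.org`, but the Caddy vhost that proxies port 8001 in imports/caddy.nix is `notes.mymarseille.duckdns.org`; HedgeDoc builds its absolute URLs from `domain`, so links it emits will point at a name nothing serves, and any origin check keyed on that value will not match the real host. Change it to `domain = "notes.mymarseille.duckdns.org";` (or rename the vhost to match). Once the site is served over HTTPS, `protocolUseSSL = true;` will presumably be needed as well so generated URLs use https — confirm against the HedgeDoc configuration docs.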
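Review bot: `Address = "0.0.0.0"` in imports/navidrome.nix keeps Navidrome listening on every interface, yet this commit drops 4533 from the firewall and fronts it with Caddy's `reverse_proxy localhost:4533`, so only the proxy should reach it. Binding to loopback removes the reliance on the firewall rule (and keeps it off any interface the firewall later trusts, such as WireGuard): `Address = "127.0.0.1";`.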
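Review bot: `local all all trust` under `pkgs.lib.mkOverride 10` in imports/postgres.nix lets any local Unix account connect over the socket as any role — including the `postgres` superuser — with no credential at all, so every other service account on this host (caddy, navidrome, hedgedoc) could read or rewrite the Vaultwarden database. The only consumer added here is Vaultwarden, which runs under its own system user and gets a same-named role via `ensureUsers`, so the module's default peer authentication on the socket should be enough: remove the `authentication` override, or if an explicit rule is wanted, restrict it to `local vaultwarden vaultwarden peer`. `ensureDBOwnership = true` plus `ensureDatabases` already provisions the role and database, so no password or trust rule is needed for the socket path — presumably the empty-host `DATABASE_URL` in imports/vaultwarden.nix resolves to that socket; confirm on first start.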
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+
+ # backupDir = "/srv/backup/vaultwarden"; # optional for backups
+ config = {
+ ROCKET_PORT = 8000;
+ DOMAIN = "https://vault.mymarseille.duckdns.org";
+ SIGNUPS_ALLOWED = false;
+
+ ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$djJtbTZsUlhBY0lxWldqSFV2NEUwNloxRlF0Uk5VVmFOalFmT0hQaHBoMD0$Ekj+ymeGJXyx84GCE3wN123f/Khdcw1GGPMv+s1tqmU";
+
+ DATABASE_URL="postgresql://:5432/vaultwarden";
+
+ SMTP_FROM = "vincentwaltz8@gmail.com";
+ SMTP_FROM_NAME = "VaultWarden";
+ SMTP_HOST = "smtp.gmail.com";
+ SMTP_USERNAME = "vincentwaltz8@gmail.com";
+ SMTP_PASSWORD = "iieu nrwc abtb vdqh";
+ };
+
+ };
+
+ systemd.services.vaultwarden = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+}
diff --git a/wireguard.nix b/imports/wireguard.nix
similarity index 98%
rename from wireguard.nix
rename to imports/wireguard.nix
index 7044fab..cf6cf76
--- a/wireguard.nix
+++ b/imports/wireguard.nix
@@ -1,3 +1,4 @@
+{ config, lib, pkgs, ... }:
 {
 # Enable WireGuard
 networking.wireguard.enable = true;
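Review bot: `SMTP_PASSWORD = "iieu nrwc abtb vdqh"` in imports/vaultwarden.nix commits a live Gmail app password to git, and because `services.vaultwarden.config` is rendered into a file in the world-readable Nix store it is also readable by every local account on the host; treat the password as compromised and revoke it now, since rewriting history will not recall it. Move the secret out of the evaluated configuration with `services.vaultwarden.environmentFile = "/var/lib/vaultwarden/secrets.env";` (a root-owned 0600 file holding `SMTP_PASSWORD=…`, deployed outside the store) and delete the `SMTP_PASSWORD` line here; the `ADMIN_TOKEN` argon2 hash is not a raw secret, but it belongs in the same file so the store copy cannot be used for offline guessing. `DATABASE_URL="postgresql://:5432/vaultwarden"` also deserves a comment: with an empty host it presumably connects over the local socket as the `vaultwarden` system user, which is what the `ensureUsers` entry in imports/postgres.nix provides — confirm, and write it as `DATABASE_URL = "postgresql://:5432/vaultwarden";` to match the surrounding attributes.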