nat/mini_nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vaultwarden and postgresql

Browse source
This commit is contained in:
tristan 2025-05-24 23:03:40 -04:00
parent d0c72f5d3c
commit 55eb4f5ddc
10 changed files with 228 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

10
caddy.nix
View file

@ -1,10 +0,0 @@
{
services.caddy = {
enable = true;
virtualHosts."mymarseille.duckdns.org".extraConfig = ''
reverse_proxy localhost:4533
'';
};
}

22
configuration.nix
View file

@ -8,8 +8,12 @@
imports = imports =
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./caddy.nix ./imports/caddy.nix
./wireguard.nix ./imports/hedgedoc.nix
./imports/postgres.nix
./imports/navidrome.nix
./imports/vaultwarden.nix
./imports/wireguard.nix
]; ];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -106,14 +110,6 @@
blahaj blahaj
]; ];
services.navidrome = {
enable = true;
settings = {
Address = "0.0.0.0";
Port = 4533;
MusicFolder = "/srv/music";
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"broadcom-sta" "broadcom-sta"
@ -137,11 +133,11 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
22 22
4533 80
]; ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
22 22
4533 80
]; ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
networking.firewall.enable = true; networking.firewall.enable = true;
@ -149,7 +145,7 @@
# Copy the NixOS configuration file and link it from the resulting system # Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you # (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix. # accidentally delete configuration.nix.
system.copySystemConfiguration = true; # system.copySystemConfiguration = true;

111
flake.lock generated Normal file
View file

@ -0,0 +1,111 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1746827285,
"narHash": "sha256-hsFe4Tsqqg4l+FfQWphDtjC79WzNCZbEFhHI8j2KJzw=",
"rev": "47aad376c87e2e65967f17099277428e4b3f8e5a",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/47aad376c87e2e65967f17099277428e4b3f8e5a.tar.gz?rev=47aad376c87e2e65967f17099277428e4b3f8e5a"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.93.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1746838955,
"narHash": "sha256-11R4K3iAx4tLXjUs+hQ5K90JwDABD/XHhsM9nkeS5N8=",
"rev": "cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/cd2a9c028df820a83ca2807dc6c6e7abc3dfa7fc.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1747744144,
"narHash": "sha256-W7lqHp0qZiENCDwUZ5EX/lNhxjMdNapFnbErcbnP11Q=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2795c506fe8fb7b03c36ccb51f75b6df0ab2553f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"lix-module": "lix-module",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

10
flake.nix
View file

@ -3,14 +3,22 @@
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = { self, nixpkgs }: {
};
outputs = { self, nixpkgs, lix-module }: {
nixosConfigurations = { nixosConfigurations = {
mini = nixpkgs.lib.nixosSystem { mini = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./configuration.nix ./configuration.nix
lix-module.nixosModules.default
]; ];
}; };
}; };

20
imports/caddy.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
{
services.caddy = {
enable = true;
virtualHosts."http://navidrome.mymarseille.duckdns.org".extraConfig = ''
reverse_proxy localhost:4533
'';
virtualHosts."http://notes.mymarseille.duckdns.org".extraConfig = ''
reverse_proxy localhost:8001
'';
virtualHosts."http://vault.mymarseille.duckdns.org".extraConfig = ''
reverse_proxy localhost:8000
'';
};
}

11
imports/hedgedoc.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
{
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.mymarseille.duckdns.org";
port = 8001;
};
};
}

11
imports/navidrome.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, lib, pkgs, ... }:
{
services.navidrome = {
enable = true;
settings = {
Address = "0.0.0.0";
Port = 4533;
MusicFolder = "/srv/music";
};
};
}

25
imports/postgres.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, lib, pkgs, ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
# When removing users or removing permissions from users here, must also remove them manually
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
settings = {
port = 5432;
};
};
}

31
imports/vaultwarden.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
{
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
# backupDir = "/srv/backup/vaultwarden"; # optional for backups
config = {
ROCKET_PORT = 8000;
DOMAIN = "https://vault.mymarseille.duckdns.org";
SIGNUPS_ALLOWED = false;
ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$djJtbTZsUlhBY0lxWldqSFV2NEUwNloxRlF0Uk5VVmFOalFmT0hQaHBoMD0$Ekj+ymeGJXyx84GCE3wN123f/Khdcw1GGPMv+s1tqmU";
DATABASE_URL="postgresql://:5432/vaultwarden";
SMTP_FROM = "vincentwaltz8@gmail.com";
SMTP_FROM_NAME = "VaultWarden";
SMTP_HOST = "smtp.gmail.com";
SMTP_USERNAME = "vincentwaltz8@gmail.com";
SMTP_PASSWORD = "iieu nrwc abtb vdqh";
};
};
systemd.services.vaultwarden = {
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
}

1
wireguard.nix → imports/wireguard.nix
View file

@ -1,3 +1,4 @@
{ config, lib, pkgs, ... }:
{ {
# Enable WireGuard # Enable WireGuard
networking.wireguard.enable = true; networking.wireguard.enable = true;