diff --git a/configuration.nix b/configuration.nix
index da92d19..a557e46 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -10,6 +10,8 @@
 ./hardware-configuration.nix
 ./package.nix
 ./module/hostname.nix
+ ./module/nginx.nix
+ ./module/newt.nix
 ./module/searXNG.nix
 ./module/roundcube.nix
@@ -33,14 +35,6 @@
 networking.networkmanager.enable = true;
- services.nginx = {
- enable = true;
- virtualHosts."${config.HostName}" = {
- forceSSL = false;
- enableACME = false;
- };
- };
-
 time.timeZone = "Europe/Paris";
 i18n.defaultLocale = "en_US.UTF-8";
@@ -120,18 +114,6 @@
 useRoutingFeatures = "server"; # or "client" / "both"
 };
- security.acme = {
- acceptTerms = true;
- defaults.email = "admin+contact@wateir.fr";
-
- certs."wateir.fr" = {
- dnsProvider = "ovh";
- environmentFile = "/etc/acme.env";
- };
- };
-
-
-
 networking.firewall = {
 enable = true;
 allowedTCPPorts = [ 443 ];
diff --git a/module/newt.nix b/module/newt.nix
new file mode 100644
index 0000000..22db625
--- /dev/null
+++ b/module/newt.nix
@@ -0,0 +1,16 @@
+ {config,lib, ... }:
+
+{
+ services.newt = {
+ enable = true;
+ environmentFile = "/etc/newt.env";
+ settings = {
+ endpoint = "https://pangolin.wateir.fr";
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 51820 21820 ];
+ };
+}
diff --git a/module/nginx.nix b/module/nginx.nix
new file mode 100644
index 0000000..23c91e4
--- /dev/null
+++ b/module/nginx.nix
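Review bot: The `networking.firewall` block opens 80/443 TCP and 51820/21820 UDP inbound, yet newt, as far as I know, only dials out to `endpoint = "https://pangolin.wateir.fr"` and to the server's WireGuard port, so unless this machine also hosts the Pangolin/Gerbil side these ports are unneeded exposure and the block can go. `environmentFile = "/etc/newt.env"` carries the tunnel credential: keep it root-owned and mode 0600, and never express it through `environment.etc`, which would copy it into the world-readable store; a comment like `# newt id/secret; provisioned out of band, never in the store` would make that intent visible. `config` and `lib` in the module arguments are unused and can be dropped.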
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") {
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "${config.HostName}-vault" = {
+ listen = [
+ { addr = "0.0.0.0"; port = 8000; }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ "${config.HostName}-roundcube" = {
+ listen = [
+ { addr = "0.0.0.0"; port = 1984; }
+ ];
+
+ root = "${pkgs.roundcube}/public_html";
+
+ locations."/" = {
+ extraConfig = ''
+ index index.php index.html;
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ };
+
+ locations."~ \\.php$" = {
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_pass unix:/run/phpfpm/roundcube.sock;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ '';
+ };
+ };
+ };
+ };
+
+
+ networking.firewall.allowedTCPPorts = [ 1984 8000 ];
+}
diff --git a/module/roundcube.nix b/module/roundcube.nix
index 768a936..99566db 100644
--- a/module/roundcube.nix
+++ b/module/roundcube.nix
@@ -20,14 +20,7 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") {
 '';
 };
- services.nginx = {
- virtualHosts."${config.HostName}" = {
- listen = [
- { addr = "0.0.0.0"; port = 1984; }
- ];
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 1984 ];
+ systemd.services.nginx.serviceConfig.ProtectHome = false;
+ users.groups.roundcube.members = [ "nginx" ];
 }
diff --git a/module/searXNG.nix b/module/searXNG.nix
index 509aee6..f88a4d5 100644
--- a/module/searXNG.nix
+++ b/module/searXNG.nix
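Review bot: Both vhosts listen on `0.0.0.0` over plain HTTP — the `forceSSL`/ACME settings are deleted from configuration.nix in the same commit — and `networking.firewall.allowedTCPPorts = [ 1984 8000 ];` opens them to every network the host sits on, so Vaultwarden and Roundcube logins would cross the LAN in cleartext. If newt is the intended path and it reaches these upstreams locally, bind with `{ addr = "127.0.0.1"; port = 8000; }` (likewise for 1984) and drop the firewall line; otherwise a TLS-terminating listener belongs back in front of them. In the vault vhost, `proxy_set_header X-Real-IP $remote_addr;` will carry the tunnel-side address and, as far as I recall, Vaultwarden's `IP_HEADER` defaults to `X-Real-IP`, so its login rate limiting would treat every user as one client; forward the upstream's `X-Forwarded-For` value there instead. In the `~ \\.php$` location add `try_files $uri =404;` ahead of `fastcgi_pass` so only files that actually exist under `root` are handed to php-fpm.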
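Review bot: `systemd.services.nginx.serviceConfig.ProtectHome = false;` removes a sandboxing directive from the whole nginx unit, which after this commit also fronts Vaultwarden, and nothing in the hunk says which path needs it; if one directory under /home or /root is required, prefer `ProtectHome = "read-only";` or a `BindReadOnlyPaths` entry for that directory and add a comment such as `# nginx must read <path> for roundcube; ProtectHome=true blocks it`. Likewise `users.groups.roundcube.members = [ "nginx" ];` deserves a one-line comment (presumably access to `/run/phpfpm/roundcube.sock`). Separately, this commit drops the `forceSSL = false; enableACME = false;` override on `virtualHosts."${config.HostName}"` from configuration.nix together with `security.acme`; if `services.roundcube.hostName` (outside this hunk) still equals that name, the NixOS roundcube module's own vhost defaults — `mkDefault true` for both, as far as I recall — come back and evaluation will likely fail on `acceptTerms`, so a dry-build is worth running. The enclosing `lib.mkIf` attribute set starts before this hunk.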
@@ -10,9 +10,6 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){
 settings.server = {
 bind_address = "0.0.0.0";
 port = 1692;
- # WARNING: setting secret_key here might expose it to the nix cache
- # see below for the sops or environment file instructions to prevent this
- # secret_key = "$SEARXNG_SECRET";
 };
 settings.engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
 "wikidata".disabled = true;
diff --git a/module/tailscale.nix b/module/tailscale.nix
new file mode 100644
index 0000000..8a6ce09
--- /dev/null
+++ b/module/tailscale.nix
@@ -0,0 +1,20 @@
+ {config,lib, ... }:
+
+{
+ services.tailscale = {
+ enable = true;
+ extraDaemonFlags = [
+ "--no-logs-no-support"
+ ];
+
+ extraSetFlags = [
+ "--ssh=false"
+ ];
+ useRoutingFeatures = "server"; # or "client" / "both"
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 443 ];
+ allowedUDPPorts = [ 41641 3478 ];
+ };
+}
diff --git a/module/vaultWarden.nix b/module/vaultWarden.nix
index bac4ace..c09c204 100644
--- a/module/vaultWarden.nix
+++ b/module/vaultWarden.nix
@@ -6,30 +6,11 @@ lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){
 backupDir = "/var/local/vaultwarden/backup";
+ environmentFile = "/etc/vaultwarden.env";
+
 config = {
 SIGNUPS_ALLOWED = true;
 ROCKET_PORT = 8222;
 };
 };
-
- services.nginx = {
- enable = true;
-
- virtualHosts = {
- "${config.HostName}" = {
- listen = [{ addr = "0.0.0.0"; port = 8000; }];
- locations."/" = {
- proxyPass = "http://127.0.0.1:8222";
- extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- '';
- };
- };
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 8000 ];
 }
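Review bot: This new module is not imported by the configuration.nix hunk in this commit (only nginx.nix and newt.nix are added there), and the `useRoutingFeatures = "server"` context line in configuration.nix's third hunk suggests the inline tailscale block still exists, so the file is either dead config or, once imported, a second copy to keep in sync — keep one. The firewall block also opens 443/tcp and 3478/udp inbound, which a plain tailscale client does not need (3478 is outbound STUN; 443 only matters for a self-hosted DERP/control plane); `services.tailscale.openFirewall = true;` opens the 41641/udp that is needed and nothing else. `--ssh=false` and `--no-logs-no-support` are sound defaults; `config` and `lib` in the argument set are unused.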
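Review bot: `environmentFile = "/etc/vaultwarden.env"` is read by systemd as root before the unit drops privileges, so the file should be root-owned and mode 0600, and if `ADMIN_TOKEN` lives in it, store the argon2 PHC hash rather than the plaintext token; a one-line comment naming what the file supplies and how it is provisioned would help the next reader. Since the local nginx vhost is removed here and the service is now published through newt to `pangolin.wateir.fr`, the `SIGNUPS_ALLOWED = true;` context line means anyone who reaches the public endpoint can register an account — set it to `false` (or restrict with `SIGNUPS_DOMAINS_WHITELIST`) unless open registration is intended. Also confirm `DOMAIN` is set to the external https URL somewhere, since the web vault derives its links from it.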