feat : Add of secret for roundcube and vaultwarden

2025-12-24 17:18:24 +01:00 · 2025-12-24 17:18:24 +01:00 · 2f5c8be389
commit 2f5c8be389
parent a59e409a49
18 changed files with 116 additions and 51 deletions
--- a/flake.lock
+++ b/flake.lock
@ -82,16 +82,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1751274312,
-        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "lastModified": 1766201043,
+        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -2,7 +2,7 @@
  description = "My homelab config";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    agenix.url = "github:ryantm/agenix";
  };

--- a/host/default.nix
+++ b/host/default.nix
@ -2,12 +2,13 @@
 let
  hostConfigs = {
    ThinkCentre-Server-004 = {
-      module.vaultwarden.enable = true;
-      module.roundcube.enable   = true;
-      module.searxng.enable     = true;
-      module.acme.enable        = true;
-      services.newt.enable        = true;
-      module.forgejo.enable     = true;
+      services.vaultwarden.enable  = true;
+      services.tailscale.enable    = true;
+      module.roundcube.enable      = true;
+      services.searx.enable        = true;
+      module.acme.enable           = true;
+      services.newt.enable         = true;
+      module.forgejo.enable        = true;
    };
  };
 in {
--- a/module/acme.nix
+++ b/module/acme.nix
@ -3,7 +3,7 @@
 lib.mkIf config.module.acme.enable {
  security.acme = {
    acceptTerms = true;
-    defaults.email =  "noreply@wateir.fr";
+    defaults.email =  "noreply@${config.module.domain}";

    certs."${config.module.domain}" = {
      dnsProvider = "ovh";
--- a/module/default.nix
+++ b/module/default.nix
@ -47,18 +47,12 @@ in {
      desc = "ACME DNS Challenge";
    };

-    tailscale = mkServiceOption {
-      desc = "Tailscale VPN";
-      defaultEnabled = true;
-    };
-
-    newt = mkServiceOption {
-      desc = "Newt custom wireguard tunnel";
-    };
-
    roundcube = mkServiceOption {
      desc = "Roundcube webapp";
-      extraOpts = { port = mkPortOption 1984; };
+      extraOpts = {
+        port = mkPortOption 1984;
+        subdomain = "mail";
+      };
    };

    vaultwarden = mkServiceOption {
@ -66,6 +60,7 @@ in {
      extraOpts = {
        externalPort = mkPortOption 8000;
        internalPort = mkPortOption 8222;
+        subdomain = "vault";
      };
    };

@ -73,13 +68,17 @@ in {
      desc = "Vaultwarden password manager";
      extraOpts = {
        externalPort = mkPortOption 3000;
-        internalPort = mkPortOption 8223;
+        internalPort = mkPortOption 8500;
+        subdomain = "git";
      };
    };

    searxng = mkServiceOption {
      desc = "SearXNG meta-search engine";
-      extraOpts = { port = mkPortOption 1692; };
+      extraOpts = {
+        port = mkPortOption 1692;
+        subdomain = "search";
+      };
    };
  };
 }
--- a/module/forgejo.nix
+++ b/module/forgejo.nix
@ -1,5 +1,8 @@
 { config,lib, ... }:
-
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in
 lib.mkIf config.module.forgejo.enable {
  services.forgejo = {
    enable = true;
@ -11,7 +14,7 @@ lib.mkIf config.module.forgejo.enable {
        DOMAIN = "git.${config.module.domain}";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${srv.DOMAIN}/";
-        HTTP_PORT = 8222;
+        HTTP_PORT = config.module.forgejo.internalPort;
      };
    };
  };
--- a/module/nginx.nix
+++ b/module/nginx.nix
@ -6,8 +6,8 @@ with lib;
  services.nginx.enable = true;

  services.nginx.virtualHosts = mkMerge [
-    (mkIf config.module.vaultwarden.enable {
-      "${config.module.hostName}-vault" = {
+    (mkIf config.services.vaultwarden.enable {
+      "${config.module.hostName}-${config.module.vaultwarden.subdomain}" = {
        listen = [{ addr = "0.0.0.0"; port = config.module.vaultwarden.externalPort; }];
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.module.vaultwarden.internalPort}";
@ -22,7 +22,7 @@ with lib;
    })

    (mkIf config.module.roundcube.enable {
-      "${config.module.hostName}-roundcube" = {
+      "${config.module.hostName}-${config.module.roundcube.subdomain}" = {
        listen = [{ addr = "0.0.0.0"; port = config.module.roundcube.port; }];
        root = "${pkgs.roundcube}/public_html";
        locations."/" = {
@ -41,10 +41,16 @@ with lib;
      };
    })
    (mkIf config.module.forgejo.enable {
-      "${config.module.hostName}-vault" = {
+      "${config.module.hostName}-${config.module.forgejo.subdomain}" = {
        listen = [{ addr = "0.0.0.0"; port = config.module.forgejo.externalPort; }];
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.module.forgejo.internalPort}";
+          extraConfig = ''
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
        };
      };
    })
@ -52,7 +58,8 @@ with lib;
  ];

  networking.firewall.allowedTCPPorts = concatLists [
-    (if config.module.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
-    (if config.module.roundcube.enable   then [ config.module.roundcube.port   ] else [])
+    (if config.services.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
+    (if config.services.roundcube.enable   then [ config.module.roundcube.port   ] else [])
+    (if config.services.forgejo.enable   then [ config.module.forgejo.externalPort   ] else [])
  ];
 }
--- a/module/roundcube.nix
+++ b/module/roundcube.nix
@ -2,35 +2,29 @@

 lib.mkIf config.module.roundcube.enable {
  age.secrets = {
-    smtp_server = {
-      file = ../secrets/smtp_server.age;
-      owner = "roundcube";
-      group = "roundcube";
-      mode = "0400";
+    YfDrVBDJcVoYNZeJ = {
+      file = ../secrets/cache/YfDrVBDJcVoYNZeJ;
    };
-    imap_server = {
-      file = ../secrets/imap_server.age;
-      owner = "roundcube";
-      group = "roundcube";
-      mode = "0400";
+    LtnxWKwZdDIxAKzp = {
+      file = ../secrets/cache/LtnxWKwZdDIxAKzp;
    };
  };


  services.roundcube = {
    enable = true;
-    hostName = "mail.${config.module.domain}";
+    hostName = "${config.module.roundcube.subdomain}.${config.module.domain}";

    plugins = [ "multiple_accounts" ];
    configureNginx = false;

    extraConfig = ''
      $config['default_host'] = trim(
-        file_get_contents('${config.age.secrets.imap_server.path}')
+        file_get_contents('${config.age.secrets.LtnxWKwZdDIxAKzp.path}')
      );
      $config['default_port'] = 993;
      $config['smtp_server'] = trim(
-        file_get_contents('${config.age.secrets.smtp_server.path}')
+        file_get_contents('${config.age.secrets.YfDrVBDJcVoYNZeJ.path}')
      );
      $config['smtp_port'] = 465;
      $config['smtp_user'] = '%u';
--- a/module/searXNG.nix
+++ b/module/searXNG.nix
@ -1,8 +1,7 @@
 { config,lib,pkgs, ... }:

-lib.mkIf config.module.searxng.enable {
+{
  services.searx = {
-      enable = true;
      redisCreateLocally = true;
      package = pkgs.searxng;

--- a/module/tailscale.nix
+++ b/module/tailscale.nix
@ -1,8 +1,7 @@
 { config, lib, pkgs, ... }:

-lib.mkIf config.module.tailscale.enable {
+{
  services.tailscale = {
-    enable = true;
    extraDaemonFlags = [
      "--no-logs-no-support"
    ];
@ -13,7 +12,7 @@ lib.mkIf config.module.tailscale.enable {
    useRoutingFeatures = "server";
  };

-  networking.firewall = {
+  networking.firewall = lib.mkIf config.services.tailscale.enable {
    allowedTCPPorts = [ 443 ];
    allowedUDPPorts = [ 41641 3478 ];
  };
--- a/module/vaultWarden.nix
+++ b/module/vaultWarden.nix
@ -1,12 +1,22 @@
 { config, lib, ... }:

-lib.mkIf config.module.vaultwarden.enable {
+{
+  age.secrets.xHeDf80ikqG65h3u  = {
+    file = ../secrets/cache/xHeDf80ikqG65h3u;
+    owner = "vaultwarden";
+  };
+
  services.vaultwarden = {
    enable = true;
+    environmentFile = config.age.secrets.xHeDf80ikqG65h3u.path;
+
    config = {
+      DOMAIN = "https://vault.${config.module.domain}";
      ROCKET_PORT = config.module.vaultwarden.internalPort;
      ROCKET_ADDRESS = "127.0.0.1";
      SIGNUPS_ALLOWED = false;
+      SMTP_PORT = 587;
+      # SMTP_SSL = true;
    };
  };
 }
--- a/secrets/cache/LtnxWKwZdDIxAKzp
+++ b/secrets/cache/LtnxWKwZdDIxAKzp
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA 5o3VZvF6R5omfRGu8f5C6YA287n58Gqcl/cA1tR2dwo
+PUxVDLsvhukxgRdiFOHNN4W1kzCvpJ4eZ6quX/ZxCK8
+-> ssh-ed25519 5AyMyw LT2QCekJV3Hb9CGnZDHtQmGbVEgx96jZ3dU1oWxUL1g
+SFq7UXIjL67blDFU/n7LcwbZAYzMqzL5Eos2n14J++M
+--- I8lQdNHSL27BXd0WQ2SGwDhVQcI/cL3N3LFIhyc/ycA
+öáø"(…Tú¡=êEGóFÜ¹J>—ãsüŽÂ9
Y/»<C2AD>lVL‚
+yz¿Ù\"‘|FY@dÇªj"9
--- a/secrets/cache/XNkwPolezNRELmWu
+++ b/secrets/cache/XNkwPolezNRELmWu
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA SS6C3dWH+2/iu17doKlKvktlQzYQqZNcBHF7S98FWhY
+xxfLoOK1c8RSXVznlb2afOcD4XK1vgjlDcIdyAGJ4hY
+-> ssh-ed25519 5AyMyw GTEQ552uVK4nZBqU3GFBmL1im5XLjxVsoSRbRsj3l28
+RIaiehCm1YHl0Ig/zPB3uOovVz/4eFn66rlg51K/L9w
+--- BTR3Sg+ZoN/eMG7gDAisL0C0X66aqcc93b/HBknwgCE
+í˜;¼Kô:
mQMÒ<4D>ï)çÈûBCHÇ5-Á<>D<EFBFBD>·êrØ†è>ç #+B¹¯•íoUaa
--- a/secrets/cache/XwUz9pLEBTCzdh5R
+++ b/secrets/cache/XwUz9pLEBTCzdh5R
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA omlnMqfBM7yE5DG2s2GxVaStTy2dfwlGCpJV6TW+RE8
+dy2g7as6pwHbv2lbiAsBOfLIvF9uMbiKc3ZL8fBCHoc
+-> ssh-ed25519 5AyMyw bZjaUNgJoordZ5QYgQ7G/IhnnQhqs/Mi0XcOkqCuDFQ
+OCsST1sSITzmQi7XBz0QBad4c55ItVBEqTiDV641CPE
+--- TlNlMPP+o6a4oFULXtMMgDX/eRWXFRowvP0T5GH1e7Y
+i$îž”s”53Ñé¾U¨Ê–¹:_áƒ²¢n0 SFÚï
+
âúÁêŽZR»Ú™
--- a/secrets/cache/YfDrVBDJcVoYNZeJ
+++ b/secrets/cache/YfDrVBDJcVoYNZeJ
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA IQ2va+9dYf1sKZMjafovBZLLyjRgkf+WbWWVmNZ14kA
+4k2NcxL4NT7og8ad+2i1FQC20OzXJG4mVGvZz2Kb5M4
+-> ssh-ed25519 5AyMyw meaQCKCXiEwA+E2gijD41gWou73/s4RGWEVJX55JnS8
+GUX7WzSIzLVfQUViJfeudUh6eeIOMfMRMFgL2JwEIoY
+--- jsp7cV2mL6r7A3RlsHmK9LmLHsRrZGG0EKloktB63as
+]"		v%TCçßgÖ³
+€>uZä&<jhœ'€GÛB/|³à#(,V‘”Ü×þÈ
BCVS<13>ý£ƒG
--- a/secrets/cache/kuc8wgd09HbRU99u
+++ b/secrets/cache/kuc8wgd09HbRU99u
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA q0SYXY0NRDnAMXVGSZHn1jmelJ95YI4/IC4GcQ5qQV8
+jaoaPbv6tDp+FuH2Xn+MxRDfE+2RmrK3hbQgVkTSedM
+-> ssh-ed25519 5AyMyw 35vlZ9FGZCkPVH7+296xusV5vE+kvnh/3+AarSJpazE
+w9kOjalxqTtu9qh/LcF+/Ft+htESDadvH0Kx7koztc8
+--- zmSq4EH3uZ34cD22cHztT+ieSu2eh5PpbP90kE2WYpc
+›P]Õ
+Þ)åîÙð<ì}@:cFn§ÉZ2ûY'jørëv1 6¶ži%ØúEuO'
--- a/secrets/cache/xHeDf80ikqG65h3u
+++ b/secrets/cache/xHeDf80ikqG65h3u
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZX/yJA nMqH3eMp+x/NJu+aH5cCl8eU1teMo/adWFg1RXfFfDw
+PHF6EGEojTlMA7D0JDHRT9GtSMlYeSkUt3xDDNcg/hs
+-> ssh-ed25519 5AyMyw 9UU0d/ZgAp9rQar2lzQg4c5dG2aByciPbnJDUm5/a2g
+Xw/ysmJsgW9u5Yg4RfyRTKsk8SSXYpUy481kxfCQuLo
+--- Vvqhk9BltzFRfQW31Aie0wveIoqh8NWKRPBzm9K56f0
+Ò0Qt£Î¿Ž\®Ó(¾}Nâî‘Pýã§V‹,Ð_fF™½†v}±XA(PÂP2ªR;ûC‚d<E2809A><18>ãid§õ-JÔ<4A>Ô® T8hÉþû2ÕSyß<79>—
+õ[mi+Ty÷ù2„3ÿ‚Ž<E2809A>J¢ÃÄbØ–¬ÿ€ÉRf%ˆŠÙ×0Å£?èˆ˜p±˜ãŸ²æ%÷
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,4 +8,10 @@ in
 {
  "smtp_server.age".publicKeys = [ user1 system1 ];
  "imap_server.age".publicKeys = [ user1 system1 ];
+  "./cache/XwUz9pLEBTCzdh5R".publicKeys = [ user1 system1 ];
+  "./cache/kuc8wgd09HbRU99u".publicKeys = [ user1 system1 ];
+  "./cache/XNkwPolezNRELmWu".publicKeys = [ user1 system1 ];
+  "./cache/YfDrVBDJcVoYNZeJ".publicKeys = [ user1 system1 ];
+  "./cache/LtnxWKwZdDIxAKzp".publicKeys = [ user1 system1 ];
+  "./cache/xHeDf80ikqG65h3u".publicKeys = [ user1 system1 ];
 }