From 2f5c8be3899e273cbd4c11d00b1f6e5fc27fec98 Mon Sep 17 00:00:00 2001
From: Wateir
Date: Wed, 24 Dec 2025 17:18:24 +0100
Subject: [PATCH] feat : Add of secret for roundcube and vaultwarden
---
 flake.lock | 8 ++++----
 flake.nix | 2 +-
 host/default.nix | 13 +++++++------
 module/acme.nix | 2 +-
 module/default.nix | 23 +++++++++++------------
 module/forgejo.nix | 7 +++++--
 module/nginx.nix | 19 +++++++++++++------
 module/roundcube.nix | 20 +++++++------------
 module/searXNG.nix | 3 +--
 module/tailscale.nix | 5 ++---
 module/vaultWarden.nix | 12 +++++++++++-
 secrets/cache/LtnxWKwZdDIxAKzp | 8 ++++++++
 secrets/cache/XNkwPolezNRELmWu | 7 +++++++
 secrets/cache/XwUz9pLEBTCzdh5R | 8 ++++++++
 secrets/cache/YfDrVBDJcVoYNZeJ | 8 ++++++++
 secrets/cache/kuc8wgd09HbRU99u | 8 ++++++++
 secrets/cache/xHeDf80ikqG65h3u | 8 ++++++++
 secrets/secrets.nix | 6 ++++++
 18 files changed, 116 insertions(+), 51 deletions(-)
 create mode 100644 secrets/cache/LtnxWKwZdDIxAKzp
 create mode 100644 secrets/cache/XNkwPolezNRELmWu
 create mode 100644 secrets/cache/XwUz9pLEBTCzdh5R
 create mode 100644 secrets/cache/YfDrVBDJcVoYNZeJ
 create mode 100644 secrets/cache/kuc8wgd09HbRU99u
 create mode 100644 secrets/cache/xHeDf80ikqG65h3u
diff --git a/flake.lock b/flake.lock
index d1254e6..3fdc758 100644
--- a/flake.lock
+++ b/flake.lock
@@ -82,16 +82,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1751274312,
- "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+ "lastModified": 1766201043,
+ "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+ "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.11",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 43ab903..302351e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
 description = "My homelab config";
 inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 agenix.url = "github:ryantm/agenix";
 };
diff --git a/host/default.nix b/host/default.nix
index 8c05684..e240052 100644
--- a/host/default.nix
+++ b/host/default.nix
@@ -2,12 +2,13 @@ let hostConfigs = {
 ThinkCentre-Server-004 = {
- module.vaultwarden.enable = true;
- module.roundcube.enable = true;
- module.searxng.enable = true;
- module.acme.enable = true;
- services.newt.enable = true;
- module.forgejo.enable = true;
+ services.vaultwarden.enable = true;
+ services.tailscale.enable = true;
+ module.roundcube.enable = true;
+ services.searx.enable = true;
+ module.acme.enable = true;
+ services.newt.enable = true;
+ module.forgejo.enable = true;
 };
 };
 in {
diff --git a/module/acme.nix b/module/acme.nix
index 8e4d41f..86fccef 100644
--- a/module/acme.nix
+++ b/module/acme.nix
@@ -3,7 +3,7 @@ lib.mkIf config.module.acme.enable {
 security.acme = {
 acceptTerms = true;
- defaults.email = "noreply@wateir.fr";
+ defaults.email = "noreply@${config.module.domain}";
 certs."${config.module.domain}" = {
 dnsProvider = "ovh";
diff --git a/module/default.nix b/module/default.nix
index 6cbae9d..bba167b 100644
--- a/module/default.nix
+++ b/module/default.nix
@@ -47,18 +47,12 @@ in {
 desc = "ACME DNS Challenge";
 };
- tailscale = mkServiceOption {
- desc = "Tailscale VPN";
- defaultEnabled = true;
- };
-
- newt = mkServiceOption {
- desc = "Newt custom wireguard tunnel";
- };
-
 roundcube = mkServiceOption {
 desc = "Roundcube webapp";
- extraOpts = { port = mkPortOption 1984; };
+ extraOpts = {
+ port = mkPortOption 1984;
+ subdomain = "mail";
+ };
 };
 vaultwarden = mkServiceOption {
@@ -66,6 +60,7 @@ in {
 extraOpts = {
 externalPort = mkPortOption 8000;
 internalPort = mkPortOption 8222;
+ subdomain = "vault";
 };
 };
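Review bot: `services.vaultwarden.enable = true` on this host has no effect as a switch, because the vaultWarden.nix hunk drops its `lib.mkIf` and keeps `enable = true;` unconditionally, and `module.vaultwarden.enable` / `module.searxng.enable` remain declared in module/default.nix but are no longer read by anything. The patch now gates services three ways: searx and tailscale purely on `services.*.enable`, roundcube and forgejo on `module.*.enable`, and nginx.nix on a mix of both (`config.services.vaultwarden.enable` for the vhost, `config.services.roundcube.enable` / `config.services.forgejo.enable` for the firewall ports, while the roundcube and forgejo vhosts still test `config.module.*.enable`). Pick one convention: either keep `mkServiceOption` as the single switch and have each module derive `services.X.enable` from `config.module.X.enable`, or remove the `module.X.enable` declarations and gate every `mkIf` on `config.services.X.enable`. The nginx.nix hunks and the vaultWarden.nix hunk are the other places this shows up.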
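Review bot: `subdomain = "mail";` is a bare string inserted among option declarations built with `mkPortOption`, and the same pattern recurs with `"vault"` in the next hunk and with `"git"` / `"search"` in the following module/default.nix hunk. Unless `mkServiceOption` (defined above this hunk) wraps plain values in `mkOption` itself, the module system will reject a string where an option or a set of options is expected, and the `config.module.roundcube.subdomain` reads in nginx.nix and roundcube.nix will not evaluate. Declare it the way the ports are declared, e.g. `subdomain = mkOption { type = types.str; default = "mail"; description = "Host label for the nginx vhost and the service hostname"; };` (through whatever `lib` binding `mkPortOption` already uses), which also makes it overridable per host like the ports.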
@@ -73,13 +68,17 @@ in {
 desc = "Vaultwarden password manager";
 extraOpts = {
 externalPort = mkPortOption 3000;
- internalPort = mkPortOption 8223;
+ internalPort = mkPortOption 8500;
+ subdomain = "git";
 };
 };
 searxng = mkServiceOption {
 desc = "SearXNG meta-search engine";
- extraOpts = { port = mkPortOption 1692; };
+ extraOpts = {
+ port = mkPortOption 1692;
+ subdomain = "search";
+ };
 };
 };
 }
diff --git a/module/forgejo.nix b/module/forgejo.nix
index c626922..afec651 100644
--- a/module/forgejo.nix
+++ b/module/forgejo.nix
@@ -1,5 +1,8 @@
 { config,lib, ... }:
-
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
 lib.mkIf config.module.forgejo.enable {
 services.forgejo = {
 enable = true;
@@ -11,7 +14,7 @@ lib.mkIf config.module.forgejo.enable {
 DOMAIN = "git.${config.module.domain}";
 # You need to specify this to remove the port from URLs in the web UI.
 ROOT_URL = "https://${srv.DOMAIN}/";
- HTTP_PORT = 8222;
+ HTTP_PORT = config.module.forgejo.internalPort;
 };
 };
 };
diff --git a/module/nginx.nix b/module/nginx.nix
index 4717cf0..70c2f2e 100644
--- a/module/nginx.nix
+++ b/module/nginx.nix
@@ -6,8 +6,8 @@ with lib;
 services.nginx.enable = true;
 services.nginx.virtualHosts = mkMerge [
- (mkIf config.module.vaultwarden.enable {
- "${config.module.hostName}-vault" = {
+ (mkIf config.services.vaultwarden.enable {
+ "${config.module.hostName}-${config.module.vaultwarden.subdomain}" = {
 listen = [{ addr = "0.0.0.0"; port = config.module.vaultwarden.externalPort; }];
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.module.vaultwarden.internalPort}";
@@ -22,7 +22,7 @@ with lib;
 })
 (mkIf config.module.roundcube.enable {
- "${config.module.hostName}-roundcube" = {
+ "${config.module.hostName}-${config.module.roundcube.subdomain}" = {
 listen = [{ addr = "0.0.0.0"; port = config.module.roundcube.port; }];
 root = "${pkgs.roundcube}/public_html";
 locations."/" = {
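Review bot: The option block this hunk edits (externalPort 3000, `subdomain = "git"`, and the `internalPort` that forgejo.nix now reads as `HTTP_PORT`) still opens with the context line `desc = "Vaultwarden password manager";`, which looks like a copy-paste leftover from the vaultwarden block above it. Change it to `desc = "Forgejo git forge";` so the generated option description names the right service.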
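Review bot: `DOMAIN = "git.${config.module.domain}";` on the first context line of the second forgejo.nix hunk hard-codes the label that this commit introduces as `config.module.forgejo.subdomain`, so changing that option later would rename the nginx vhost but leave Forgejo's own `DOMAIN`/`ROOT_URL` on `git.`. Use `DOMAIN = "${config.module.forgejo.subdomain}.${config.module.domain}";`; because the `let … srv = cfg.settings.server; in` added in the first hunk makes `ROOT_URL` read `srv.DOMAIN` back from this same settings set, the change propagates without touching `ROOT_URL`. The `settings.server` block itself starts before this hunk.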
@@ -41,10 +41,16 @@ with lib;
 };
 })
 (mkIf config.module.forgejo.enable {
- "${config.module.hostName}-vault" = {
+ "${config.module.hostName}-${config.module.forgejo.subdomain}" = {
 listen = [{ addr = "0.0.0.0"; port = config.module.forgejo.externalPort; }];
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString config.module.forgejo.internalPort}";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
 };
 };
 })
@@ -52,7 +58,8 @@ with lib;
 ];
 networking.firewall.allowedTCPPorts = concatLists [
- (if config.module.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
- (if config.module.roundcube.enable then [ config.module.roundcube.port ] else [])
+ (if config.services.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
+ (if config.services.roundcube.enable then [ config.module.roundcube.port ] else [])
+ (if config.services.forgejo.enable then [ config.module.forgejo.externalPort ] else [])
 ];
 }
diff --git a/module/roundcube.nix b/module/roundcube.nix
index c983664..412a21c 100644
--- a/module/roundcube.nix
+++ b/module/roundcube.nix
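Review bot: The four `proxy_set_header` lines added to the forgejo location are missing from the vaultwarden location in the first nginx.nix hunk, where they matter more: vaultwarden by default takes the client address from `X-Real-IP` for its login rate limiting and admin-panel lockout, so behind this proxy every client is currently seen as 127.0.0.1 and shares one bucket, and its log lines carry the proxy address instead of the real one. Copy the same `extraConfig` block into the vaultwarden `locations."/"`, or bind it once as a string in the module and reference it from both locations. `X-Forwarded-Proto $scheme` will report `http` for now because these vhosts listen on plain `0.0.0.0:<externalPort>`; it only becomes meaningful once the certificate from acme.nix is attached to the vhosts (`useACMEHost`/`forceSSL`).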
@@ -2,35 +2,29 @@
 lib.mkIf config.module.roundcube.enable {
 age.secrets = {
- smtp_server = {
- file = ../secrets/smtp_server.age;
- owner = "roundcube";
- group = "roundcube";
- mode = "0400";
+ YfDrVBDJcVoYNZeJ = {
+ file = ../secrets/cache/YfDrVBDJcVoYNZeJ;
 };
- imap_server = {
- file = ../secrets/imap_server.age;
- owner = "roundcube";
- group = "roundcube";
- mode = "0400";
+ LtnxWKwZdDIxAKzp = {
+ file = ../secrets/cache/LtnxWKwZdDIxAKzp;
 };
 };
 services.roundcube = {
 enable = true;
- hostName = "mail.${config.module.domain}";
+ hostName = "${config.module.roundcube.subdomain}.${config.module.domain}";
 plugins = [ "multiple_accounts" ];
 configureNginx = false;
 extraConfig = ''
 $config['default_host'] = trim(
- file_get_contents('${config.age.secrets.imap_server.path}')
+ file_get_contents('${config.age.secrets.LtnxWKwZdDIxAKzp.path}')
 );
 $config['default_port'] = 993;
 $config['smtp_server'] = trim(
- file_get_contents('${config.age.secrets.smtp_server.path}')
+ file_get_contents('${config.age.secrets.YfDrVBDJcVoYNZeJ.path}')
 );
 $config['smtp_port'] = 465;
 $config['smtp_user'] = '%u';
diff --git a/module/searXNG.nix b/module/searXNG.nix
index bc12764..0c53015 100644
--- a/module/searXNG.nix
+++ b/module/searXNG.nix
@@ -1,8 +1,7 @@
 { config,lib,pkgs, ... }:
-lib.mkIf config.module.searxng.enable {
+{
 services.searx = {
- enable = true;
 redisCreateLocally = true;
 package = pkgs.searxng;
diff --git a/module/tailscale.nix b/module/tailscale.nix
index 6917f52..660a3d3 100644
--- a/module/tailscale.nix
+++ b/module/tailscale.nix
@@ -1,8 +1,7 @@
 { config, lib, pkgs, ... }:
-lib.mkIf config.module.tailscale.enable {
+{
 services.tailscale = {
- enable = true;
 extraDaemonFlags = [
 "--no-logs-no-support"
 ];
@@ -13,7 +12,7 @@ lib.mkIf config.module.tailscale.enable {
 useRoutingFeatures = "server";
 };
- networking.firewall = {
+ networking.firewall = lib.mkIf config.services.tailscale.enable {
 allowedTCPPorts = [ 443 ];
 allowedUDPPorts = [ 41641 3478 ];
 };
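Review bot: The two new `age.secrets` entries drop the `owner = "roundcube"; group = "roundcube";` that the replaced `smtp_server`/`imap_server` entries had, so the decrypted files get agenix's defaults of root ownership and mode 0400. The `extraConfig` below reads them with `file_get_contents(...)` from inside Roundcube's PHP process, which the old ownership suggests does not run as root, so that read would fail and `trim()` would hand an empty `default_host` / `smtp_server` to Roundcube. Re-add `owner = "roundcube"; group = "roundcube";` to both `YfDrVBDJcVoYNZeJ` and `LtnxWKwZdDIxAKzp` (mode can stay at the 0400 default). Because the names no longer say what they hold, a comment on each entry, `# SMTP host read into $config['smtp_server']` on `YfDrVBDJcVoYNZeJ` and `# IMAP host read into $config['default_host']` on `LtnxWKwZdDIxAKzp`, keeps the mapping reviewable.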
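Review bot: `networking.firewall = lib.mkIf config.services.tailscale.enable { allowedTCPPorts = [ 443 ]; … }` opens TCP 443 on every interface as a side effect of enabling Tailscale, which has no inbound need for 443 (its listener is UDP 41641, and 3478 is the STUN port it connects out to). If 443 is there for nginx, move it next to the vhost that serves it in nginx.nix so it is opened only together with that vhost; for Tailscale itself `services.tailscale.openFirewall = true;` opens the UDP port, and `networking.firewall.trustedInterfaces = [ "tailscale0" ];` is the usual way to let tailnet peers in without opening ports on the public side. Per-attribute gating (`networking.firewall.allowedTCPPorts = lib.mkIf … [ … ];`) would also read more clearly than wrapping the whole `networking.firewall` set.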
diff --git a/module/vaultWarden.nix b/module/vaultWarden.nix index fa807b3..67a6ee2 100644 --- a/module/vaultWarden.nix +++ b/module/vaultWarden.nix @@ -1,12 +1,22 @@ { config, lib, ... }: -lib.mkIf config.module.vaultwarden.enable { +{ + age.secrets.xHeDf80ikqG65h3u = { + file = ../secrets/cache/xHeDf80ikqG65h3u; + owner = "vaultwarden"; + }; + services.vaultwarden = { enable = true; + environmentFile = config.age.secrets.xHeDf80ikqG65h3u.path; + config = { + DOMAIN = "https://vault.${config.module.domain}"; ROCKET_PORT = config.module.vaultwarden.internalPort; ROCKET_ADDRESS = "127.0.0.1"; SIGNUPS_ALLOWED = false; + SMTP_PORT = 587; + # SMTP_SSL = true; }; }; } diff --git a/secrets/cache/LtnxWKwZdDIxAKzp b/secrets/cache/LtnxWKwZdDIxAKzp new file mode 100644 index 0000000..0e0faef --- /dev/null +++ b/secrets/cache/LtnxWKwZdDIxAKzp @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZX/yJA 5o3VZvF6R5omfRGu8f5C6YA287n58Gqcl/cA1tR2dwo +PUxVDLsvhukxgRdiFOHNN4W1kzCvpJ4eZ6quX/ZxCK8 +-> ssh-ed25519 5AyMyw LT2QCekJV3Hb9CGnZDHtQmGbVEgx96jZ3dU1oWxUL1g +SFq7UXIjL67blDFU/n7LcwbZAYzMqzL5Eos2n14J++M +--- I8lQdNHSL27BXd0WQ2SGwDhVQcI/cL3N3LFIhyc/ycA +"(T=EGFܹJ>s9 Y/lVL +yz\"|FY@dǪj"9 \ No newline at end of file diff --git a/secrets/cache/XNkwPolezNRELmWu b/secrets/cache/XNkwPolezNRELmWu new file mode 100644 index 0000000..15e7c68 --- /dev/null +++ b/secrets/cache/XNkwPolezNRELmWu @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZX/yJA SS6C3dWH+2/iu17doKlKvktlQzYQqZNcBHF7S98FWhY +xxfLoOK1c8RSXVznlb2afOcD4XK1vgjlDcIdyAGJ4hY +-> ssh-ed25519 5AyMyw GTEQ552uVK4nZBqU3GFBmL1im5XLjxVsoSRbRsj3l28 +RIaiehCm1YHl0Ig/zPB3uOovVz/4eFn66rlg51K/L9w +--- BTR3Sg+ZoN/eMG7gDAisL0C0X66aqcc93b/HBknwgCE +;K: mQMҏ)BCH5-Dr؆>#+BoUaa \ No newline at end of file diff --git a/secrets/cache/XwUz9pLEBTCzdh5R b/secrets/cache/XwUz9pLEBTCzdh5R new file mode 100644 index 0000000..00536d2 --- /dev/null +++ b/secrets/cache/XwUz9pLEBTCzdh5R 
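Review bot: `DOMAIN = "https://vault.${config.module.domain}";` hard-codes the label that module/default.nix now exposes as `config.module.vaultwarden.subdomain` and that nginx.nix uses for the vhost, so the two can drift; write `DOMAIN = "https://${config.module.vaultwarden.subdomain}.${config.module.domain}";` (Vaultwarden derives generated links and its WebAuthn origin from this value, so a mismatch is user-visible). Dropping `lib.mkIf config.module.vaultwarden.enable` while keeping `enable = true;` makes this module enable vaultwarden and try to decrypt `xHeDf80ikqG65h3u` on every host that imports it, so the `services.vaultwarden.enable` switch the host sets is ineffective; drop the `enable = true;` line as searXNG.nix and tailscale.nix do and wrap the `age.secrets` entry and `config` in `lib.mkIf config.services.vaultwarden.enable` (wrapping `enable` itself in that condition would recurse). `# SMTP_SSL = true;` is commented-out configuration and, as far as I recall, `SMTP_SSL` was superseded by `SMTP_SECURITY` in vaultwarden; either state the intent with `SMTP_SECURITY = "starttls";` next to `SMTP_PORT = 587;` or delete the line.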
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZX/yJA omlnMqfBM7yE5DG2s2GxVaStTy2dfwlGCpJV6TW+RE8 +dy2g7as6pwHbv2lbiAsBOfLIvF9uMbiKc3ZL8fBCHoc +-> ssh-ed25519 5AyMyw bZjaUNgJoordZ5QYgQ7G/IhnnQhqs/Mi0XcOkqCuDFQ +OCsST1sSITzmQi7XBz0QBad4c55ItVBEqTiDV641CPE +--- TlNlMPP+o6a4oFULXtMMgDX/eRWXFRowvP0T5GH1e7Y +i$s53Uʖ:_ჲn0 SF + ZRڙ \ No newline at end of file diff --git a/secrets/cache/YfDrVBDJcVoYNZeJ b/secrets/cache/YfDrVBDJcVoYNZeJ new file mode 100644 index 0000000..ed19a16 --- /dev/null +++ b/secrets/cache/YfDrVBDJcVoYNZeJ @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZX/yJA IQ2va+9dYf1sKZMjafovBZLLyjRgkf+WbWWVmNZ14kA +4k2NcxL4NT7og8ad+2i1FQC20OzXJG4mVGvZz2Kb5M4 +-> ssh-ed25519 5AyMyw meaQCKCXiEwA+E2gijD41gWou73/s4RGWEVJX55JnS8 +GUX7WzSIzLVfQUViJfeudUh6eeIOMfMRMFgL2JwEIoY +--- jsp7cV2mL6r7A3RlsHmK9LmLHsRrZGG0EKloktB63as +]" v%TCgֳ +>uZ& ssh-ed25519 ZX/yJA q0SYXY0NRDnAMXVGSZHn1jmelJ95YI4/IC4GcQ5qQV8 +jaoaPbv6tDp+FuH2Xn+MxRDfE+2RmrK3hbQgVkTSedM +-> ssh-ed25519 5AyMyw 35vlZ9FGZCkPVH7+296xusV5vE+kvnh/3+AarSJpazE +w9kOjalxqTtu9qh/LcF+/Ft+htESDadvH0Kx7koztc8 +--- zmSq4EH3uZ34cD22cHztT+ieSu2eh5PpbP90kE2WYpc +P] +)<}@:cFnZ2Y'jrv1 6 i%EuO' \ No newline at end of file diff --git a/secrets/cache/xHeDf80ikqG65h3u b/secrets/cache/xHeDf80ikqG65h3u new file mode 100644 index 0000000..ed4b102 --- /dev/null +++ b/secrets/cache/xHeDf80ikqG65h3u @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 ZX/yJA nMqH3eMp+x/NJu+aH5cCl8eU1teMo/adWFg1RXfFfDw +PHF6EGEojTlMA7D0JDHRT9GtSMlYeSkUt3xDDNcg/hs +-> ssh-ed25519 5AyMyw 9UU0d/ZgAp9rQar2lzQg4c5dG2aByciPbnJDUm5/a2g +Xw/ysmJsgW9u5Yg4RfyRTKsk8SSXYpUy481kxfCQuLo +--- Vvqhk9BltzFRfQW31Aie0wveIoqh8NWKRPBzm9K56f0 +0Qtο\(}NPV,_fFv}XA(PP2R;Cdid-JԁԮ T8h2Syߍ +[mi+Ty23JbؖRf%0ţ?舘p% \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index bd41702..84939bc 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -8,4 +8,10 @@ in {
 "smtp_server.age".publicKeys = [ user1 system1 ];
 "imap_server.age".publicKeys = [ user1 system1 ];
+ "./cache/XwUz9pLEBTCzdh5R".publicKeys = [ user1 system1 ];
+ "./cache/kuc8wgd09HbRU99u".publicKeys = [ user1 system1 ];
+ "./cache/XNkwPolezNRELmWu".publicKeys = [ user1 system1 ];
+ "./cache/YfDrVBDJcVoYNZeJ".publicKeys = [ user1 system1 ];
+ "./cache/LtnxWKwZdDIxAKzp".publicKeys = [ user1 system1 ];
+ "./cache/xHeDf80ikqG65h3u".publicKeys = [ user1 system1 ];
 }
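Review bot: Only three of the six new rules (`YfDrVBDJcVoYNZeJ`, `LtnxWKwZdDIxAKzp`, `xHeDf80ikqG65h3u`) are referenced by a module in this patch; `XwUz9pLEBTCzdh5R`, `kuc8wgd09HbRU99u` and `XNkwPolezNRELmWu` are encrypted and committed but nothing reads them, and with opaque names the repo gives no way to tell what each one holds. Add a trailing comment per rule naming the role, e.g. `"./cache/LtnxWKwZdDIxAKzp".publicKeys = [ user1 system1 ]; # roundcube IMAP host`, and either wire up or drop the three unused files. The `smtp_server.age` / `imap_server.age` rules above are kept although roundcube.nix no longer references them, so those rules and their ciphertext files should go as well, or the new entries should reuse those descriptive names. Mixing `./cache/<id>` with bare `<name>.age` keys is also fragile, since the agenix CLI (if I read it right) looks a rule up by the exact path string it is given.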