feat : Add of secret for roundcube and vaultwarden
parent
a59e409a49
commit
2f5c8be389
18 changed files with 116 additions and 51 deletions
@ -3,7 +3,7 @@
|
|||
lib.mkIf config.module.acme.enable {
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "noreply@wateir.fr";
|
||||
defaults.email = "noreply@${config.module.domain}";
|
||||
|
||||
certs."${config.module.domain}" = {
|
||||
dnsProvider = "ovh";
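Review bot: `defaults.email` now points at a `noreply@` mailbox, but this address is the ACME account contact that the CA uses for certificate-expiry and policy notices, so anything it sends is discarded. If the goal is to keep a personal address out of the repo, a monitored alias still preserves the warnings, e.g. `defaults.email = "acme@${config.module.domain}";`. `dnsProvider = "ovh"` implies lego is given OVH API credentials somewhere below this hunk (presumably a `credentialsFile`); worth confirming that file is not a Nix-store path, since anything there is world-readable.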
|
||||
@ -47,18 +47,12 @@ in {
|
|||
desc = "ACME DNS Challenge";
|
||||
};
|
||||
|
||||
tailscale = mkServiceOption {
|
||||
desc = "Tailscale VPN";
|
||||
defaultEnabled = true;
|
||||
};
|
||||
|
||||
newt = mkServiceOption {
|
||||
desc = "Newt custom wireguard tunnel";
|
||||
};
|
||||
|
||||
roundcube = mkServiceOption {
|
||||
desc = "Roundcube webapp";
|
||||
extraOpts = { port = mkPortOption 1984; };
|
||||
extraOpts = {
|
||||
port = mkPortOption 1984;
|
||||
subdomain = "mail";
|
||||
};
|
||||
};
|
||||
|
||||
vaultwarden = mkServiceOption {
|
||||
|
|
@ -66,6 +60,7 @@ in {
|
|||
extraOpts = {
|
||||
externalPort = mkPortOption 8000;
|
||||
internalPort = mkPortOption 8222;
|
||||
subdomain = "vault";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -73,13 +68,17 @@ in {
|
|||
desc = "Vaultwarden password manager";
|
||||
extraOpts = {
|
||||
externalPort = mkPortOption 3000;
|
||||
internalPort = mkPortOption 8223;
|
||||
internalPort = mkPortOption 8500;
|
||||
subdomain = "git";
|
||||
};
|
||||
};
|
||||
|
||||
searxng = mkServiceOption {
|
||||
desc = "SearXNG meta-search engine";
|
||||
extraOpts = { port = mkPortOption 1692; };
|
||||
extraOpts = {
|
||||
port = mkPortOption 1692;
|
||||
subdomain = "search";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
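Review bot: The option block in the last hunk (`subdomain = "git"`, `internalPort = mkPortOption 8500`) still carries `desc = "Vaultwarden password manager"`, which reads as a copy-paste leftover from the vaultwarden block above it; the attribute name itself starts before this hunk, but everything visible says this is the Forgejo option, so it should be `desc = "Forgejo git forge";`. Separately, the first hunk removes the `tailscale` and `newt` service options while `searxng` keeps its `mkServiceOption` entry; if searxng.nix no longer gates on `config.module.searxng.enable` (as its hunk in this commit suggests), that option is now declared but never read and should either be removed the same way or keep its guard.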
|
||||
@ -1,5 +1,8 @@
|
|||
{ config,lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.services.forgejo;
|
||||
srv = cfg.settings.server;
|
||||
in
|
||||
lib.mkIf config.module.forgejo.enable {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
|
|
@ -11,7 +14,7 @@ lib.mkIf config.module.forgejo.enable {
|
|||
DOMAIN = "git.${config.module.domain}";
|
||||
# You need to specify this to remove the port from URLs in the web UI.
|
||||
ROOT_URL = "https://${srv.DOMAIN}/";
|
||||
HTTP_PORT = 8222;
|
||||
HTTP_PORT = config.module.forgejo.internalPort;
|
||||
};
|
||||
};
|
||||
};
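Review bot: `DOMAIN = "git.${config.module.domain}"` in the second hunk hard-codes the subdomain that this commit turns into `config.module.forgejo.subdomain`, and the nginx vhost is now keyed on that option, so changing it would silently desynchronize the vhost from Forgejo's `DOMAIN`/`ROOT_URL`; use `DOMAIN = "${config.module.forgejo.subdomain}.${config.module.domain}";`. No `HTTP_ADDR` is visible in this hunk (it may be set above it); Forgejo binds all interfaces by default while nginx only proxies to 127.0.0.1, so `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` would mirror vaultwarden's `ROCKET_ADDRESS` and keep the internal port off the network even if the firewall is later relaxed. The `settings.server` attrset starts before this hunk.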
|
||||
@ -6,8 +6,8 @@ with lib;
|
|||
services.nginx.enable = true;
|
||||
|
||||
services.nginx.virtualHosts = mkMerge [
|
||||
(mkIf config.module.vaultwarden.enable {
|
||||
"${config.module.hostName}-vault" = {
|
||||
(mkIf config.services.vaultwarden.enable {
|
||||
"${config.module.hostName}-${config.module.vaultwarden.subdomain}" = {
|
||||
listen = [{ addr = "0.0.0.0"; port = config.module.vaultwarden.externalPort; }];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.module.vaultwarden.internalPort}";
|
||||
|
|
@ -22,7 +22,7 @@ with lib;
|
|||
})
|
||||
|
||||
(mkIf config.module.roundcube.enable {
|
||||
"${config.module.hostName}-roundcube" = {
|
||||
"${config.module.hostName}-${config.module.roundcube.subdomain}" = {
|
||||
listen = [{ addr = "0.0.0.0"; port = config.module.roundcube.port; }];
|
||||
root = "${pkgs.roundcube}/public_html";
|
||||
locations."/" = {
|
||||
|
|
@ -41,10 +41,16 @@ with lib;
|
|||
};
|
||||
})
|
||||
(mkIf config.module.forgejo.enable {
|
||||
"${config.module.hostName}-vault" = {
|
||||
"${config.module.hostName}-${config.module.forgejo.subdomain}" = {
|
||||
listen = [{ addr = "0.0.0.0"; port = config.module.forgejo.externalPort; }];
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString config.module.forgejo.internalPort}";
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
};
|
||||
};
|
||||
})
|
||||
|
|
@ -52,7 +58,8 @@ with lib;
|
|||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = concatLists [
|
||||
(if config.module.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
|
||||
(if config.module.roundcube.enable then [ config.module.roundcube.port ] else [])
|
||||
(if config.services.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
|
||||
(if config.services.roundcube.enable then [ config.module.roundcube.port ] else [])
|
||||
(if config.services.forgejo.enable then [ config.module.forgejo.externalPort ] else [])
|
||||
];
|
||||
}
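Review bot: Every vhost in this file listens on `0.0.0.0` over plain HTTP and the `allowedTCPPorts` list in the last hunk opens those ports on every interface, yet the sibling files set Vaultwarden's `DOMAIN` and Forgejo's `ROOT_URL` to `https://` URLs, and `proxy_set_header X-Forwarded-Proto $scheme` will report `http` to them; unless TLS is terminated upstream (the Newt tunnel, presumably), the apps will see mismatched origins, and the Bitwarden web vault relies on browser crypto APIs that need a secure context. If an upstream terminator exists, say so in a comment and bind the listeners to that interface instead of `0.0.0.0`; otherwise hook the vhosts to the ACME module already in this repo with `useACMEHost = config.module.domain; forceSSL = true;`. The forgejo vhost is also still guarded by `config.module.forgejo.enable` while the vaultwarden/roundcube vhosts and all three firewall entries were switched to `config.services.*.enable`; use one predicate so a vhost cannot be declared without its port opened, or the reverse.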
|
||||
@ -2,35 +2,29 @@
|
|||
|
||||
lib.mkIf config.module.roundcube.enable {
|
||||
age.secrets = {
|
||||
smtp_server = {
|
||||
file = ../secrets/smtp_server.age;
|
||||
owner = "roundcube";
|
||||
group = "roundcube";
|
||||
mode = "0400";
|
||||
YfDrVBDJcVoYNZeJ = {
|
||||
file = ../secrets/cache/YfDrVBDJcVoYNZeJ;
|
||||
};
|
||||
imap_server = {
|
||||
file = ../secrets/imap_server.age;
|
||||
owner = "roundcube";
|
||||
group = "roundcube";
|
||||
mode = "0400";
|
||||
LtnxWKwZdDIxAKzp = {
|
||||
file = ../secrets/cache/LtnxWKwZdDIxAKzp;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.roundcube = {
|
||||
enable = true;
|
||||
hostName = "mail.${config.module.domain}";
|
||||
hostName = "${config.module.roundcube.subdomain}.${config.module.domain}";
|
||||
|
||||
plugins = [ "multiple_accounts" ];
|
||||
configureNginx = false;
|
||||
|
||||
extraConfig = ''
|
||||
$config['default_host'] = trim(
|
||||
file_get_contents('${config.age.secrets.imap_server.path}')
|
||||
file_get_contents('${config.age.secrets.LtnxWKwZdDIxAKzp.path}')
|
||||
);
|
||||
$config['default_port'] = 993;
|
||||
$config['smtp_server'] = trim(
|
||||
file_get_contents('${config.age.secrets.smtp_server.path}')
|
||||
file_get_contents('${config.age.secrets.YfDrVBDJcVoYNZeJ.path}')
|
||||
);
|
||||
$config['smtp_port'] = 465;
|
||||
$config['smtp_user'] = '%u';
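Review bot: The two `age.secrets` entries in the first hunk lost the `owner`/`group`/`mode` lines the previous version had, while the PHP config still reads both paths at runtime with `file_get_contents` under the roundcube service user; with agenix's defaults the decrypted files are root-owned `0400`, so that read fails and `trim()` of the failure yields an empty `default_host`/`smtp_server` with nothing but a PHP warning to show for it. Unless whatever populates `secrets/cache` sets ownership elsewhere, restore `owner = "roundcube"; group = "roundcube"; mode = "0400";` on both entries. The random attribute names also hide what the secrets are; a comment such as `# IMAP server host, read by config.inc.php at runtime` on each entry would keep the mapping the old `imap_server`/`smtp_server` names carried.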
|
||||
|
|
@ -1,8 +1,7 @@
|
|||
{ config,lib,pkgs, ... }:
|
||||
|
||||
lib.mkIf config.module.searxng.enable {
|
||||
{
|
||||
services.searx = {
|
||||
enable = true;
|
||||
redisCreateLocally = true;
|
||||
package = pkgs.searxng;
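Review bot: Dropping the `lib.mkIf config.module.searxng.enable` wrapper makes `services.searx.enable = true` unconditional, but the `searxng = mkServiceOption` block (with its port and subdomain) is still declared in this commit's options file, so as far as the commit shows `config.module.searxng.enable` is now a toggle that does nothing. Either keep the guard here, or remove the option the way the commit removes `tailscale` and `newt`; in the latter case the `config` and `lib` arguments in the header may become unused too.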
|
||||
|
||||
@ -1,8 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
lib.mkIf config.module.tailscale.enable {
|
||||
{
|
||||
services.tailscale = {
|
||||
enable = true;
|
||||
extraDaemonFlags = [
|
||||
"--no-logs-no-support"
|
||||
];
|
||||
|
|
@ -13,7 +12,7 @@ lib.mkIf config.module.tailscale.enable {
|
|||
useRoutingFeatures = "server";
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
networking.firewall = lib.mkIf config.services.tailscale.enable {
|
||||
allowedTCPPorts = [ 443 ];
|
||||
allowedUDPPorts = [ 41641 3478 ];
|
||||
};
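Review bot: `lib.mkIf config.services.tailscale.enable` on the firewall block is always true here, because `services.tailscale.enable = true` is set unconditionally a few lines above in the same file, so the guard reads as conditional but is not. The rule set also opens TCP 443 and UDP 3478 on every interface, while tailscaled itself only needs inbound UDP 41641 (its WireGuard port); 3478 is the STUN server port and 443 the DERP/relay side, neither of which a client serves. Unless this host is meant to run a DERP/STUN relay, drop those two; on recent nixpkgs `services.tailscale.openFirewall = true;` opens just `services.tailscale.port` and can replace the whole block.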
|
||||
@ -1,12 +1,22 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
lib.mkIf config.module.vaultwarden.enable {
|
||||
{
|
||||
age.secrets.xHeDf80ikqG65h3u = {
|
||||
file = ../secrets/cache/xHeDf80ikqG65h3u;
|
||||
owner = "vaultwarden";
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
environmentFile = config.age.secrets.xHeDf80ikqG65h3u.path;
|
||||
|
||||
config = {
|
||||
DOMAIN = "https://vault.${config.module.domain}";
|
||||
ROCKET_PORT = config.module.vaultwarden.internalPort;
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
SIGNUPS_ALLOWED = false;
|
||||
SMTP_PORT = 587;
|
||||
# SMTP_SSL = true;
|
||||
};
|
||||
};
|
||||
}
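Review bot: `DOMAIN = "https://vault.${config.module.domain}"` hard-codes the subdomain that the options file now exposes as `config.module.vaultwarden.subdomain` and that the nginx vhost keys on, so changing the option would leave Vaultwarden generating links for a host nginx no longer serves; use `DOMAIN = "https://${config.module.vaultwarden.subdomain}.${config.module.domain}";`. Removing the `lib.mkIf config.module.vaultwarden.enable` wrapper also makes the service unconditional while the `vaultwarden` option block is still declared, the same dead-toggle pattern as searxng.nix. The commented `# SMTP_SSL = true;` refers to a setting Vaultwarden has, as far as I recall, replaced by `SMTP_SECURITY`; with `SMTP_PORT = 587` the matching value is `SMTP_SECURITY = "starttls";` (its default), so either set it explicitly or drop the stale comment. A one-line comment on `age.secrets.xHeDf80ikqG65h3u` naming which variables the environment file is expected to hold would help, since the attribute name carries no meaning.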
|
||||