From d4d707334472083efcc976bc29690c2cbc0a381a Mon Sep 17 00:00:00 2001 From: Wateir Date: Wed, 17 Dec 2025 23:11:49 +0100 Subject: [PATCH] Add of vaulwarden Some refractoring and start of a more versatil config --- configuration.nix | 46 +++++++++++++++++++++++------------------- module/acme.nix | 13 ++++++++++++ module/hostname.nix | 11 ++++++++++ module/roundcube.nix | 14 ++++++------- module/searXNG.nix | 10 +++++---- module/vaultWarden.nix | 35 ++++++++++++++++++++++++++++++++ 6 files changed, 96 insertions(+), 33 deletions(-) create mode 100644 module/acme.nix create mode 100644 module/hostname.nix diff --git a/configuration.nix b/configuration.nix index 1d84cf9..da92d19 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,20 +2,22 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config,pkgs, ... }: +{ config,pkgs,lib, ... }: { imports = - [ # Include the results of the hardware scan. + [ ./hardware-configuration.nix ./package.nix + ./module/hostname.nix + ./module/searXNG.nix ./module/roundcube.nix + ./module/vaultWarden.nix ]; nix.settings.experimental-features = [ "nix-command" "flakes" ]; - # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -29,13 +31,18 @@ # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; - # Enable networking networking.networkmanager.enable = true; - # Set your time zone. + services.nginx = { + enable = true; + virtualHosts."${config.HostName}" = { + forceSSL = false; + enableACME = false; + }; + }; + time.timeZone = "Europe/Paris"; - # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; i18n.extraLocaleSettings = { 
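Review bot: The new `imports` list adds `./module/hostname.nix` and `./module/vaultWarden.nix` but not `./module/acme.nix`, which this same commit creates with a `security.acme` block identical to the one hunk `@@ -116,6 +120,18 @@` inlines into configuration.nix; one of the two copies should go (keep the module and add `./module/acme.nix` here, or drop the new file). Whichever copy survives, `/etc/acme.env` holds the OVH API credentials used for DNS-01 validation and is read at service start outside the Nix store, so it must stay out of the repository and out of the store and be readable by root only on disk. Note also that the certificate is requested for `wateir.fr` alone, while the only vhost in this commit is named `${config.HostName}` (`<host>.ssh.wateir.fr` per hostname.nix), so the cert as written would not cover the name it is presumably meant for unless `extraDomainNames` adds it.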
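Review bot: `virtualHosts."${config.HostName}"` is declared here with `forceSSL = false; enableACME = false;`, and that same attribute is what roundcube.nix and vaultWarden.nix attach their `listen` entries and locations to, so webmail logins and the password-manager vault end up served over plain HTTP on every interface. Since the commit also requests a DNS-validated certificate, the vhost should use it rather than opt out: `forceSSL = true; useACMEHost = "wateir.fr";` (with the cert extended to cover `${config.HostName}`). If plaintext is deliberate for a test host, a one-line comment on this block saying so would stop the next reader from "fixing" it in either direction.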
@@ -50,17 +57,14 @@ LC_TIME = "fr_FR.UTF-8"; }; - # Configure keymap in X11 services.xserver.xkb = { layout = "fr"; variant = "azerty"; }; - # Configure console keymap console.keyMap = "fr"; programs.zsh.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.users.manager = { isNormalUser = true; description = "manager"; @@ -116,6 +120,18 @@ useRoutingFeatures = "server"; # or "client" / "both" }; + security.acme = { + acceptTerms = true; + defaults.email = "admin+contact@wateir.fr"; + + certs."wateir.fr" = { + dnsProvider = "ovh"; + environmentFile = "/etc/acme.env"; + }; + }; + + + networking.firewall = { enable = true; allowedTCPPorts = [ 443 ]; @@ -123,10 +139,6 @@ }; - - - - # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; @@ -139,8 +151,6 @@ TERM = "xterm-256color"; }; - # List services that you want to enable: - # Enable the OpenSSH daemon. services.openssh.enable = true; services.openssh.settings.Macs = [ @@ -152,12 +162,6 @@ "hmac-sha2-256" ]; - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "25.11"; } diff --git a/module/acme.nix b/module/acme.nix new file mode 100644 index 0000000..92fad9f --- /dev/null +++ b/module/acme.nix @@ -0,0 +1,13 @@ + { config, ... }: + + { + security.acme = { + acceptTerms = true; + defaults.email = "admin+contact@wateir.fr"; + + certs."wateir.fr" = { + dnsProvider = "ovh"; + environmentFile = "/etc/acme.env"; + }; + }; +} 
diff --git a/module/hostname.nix b/module/hostname.nix new file mode 100644 index 0000000..a10585e --- /dev/null +++ b/module/hostname.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: + +with lib; + +{ + options.HostName = mkOption { + type = types.str; + default = "${config.networking.hostName}.ssh.wateir.fr"; + description = "Global hostname with domain for all services"; + }; +} diff --git a/module/roundcube.nix b/module/roundcube.nix index 89811ab..768a936 100644 --- a/module/roundcube.nix +++ b/module/roundcube.nix @@ -1,12 +1,14 @@ -{ config, ... }: +{ config,pkgs,lib, ... }: -{ +lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") { services.roundcube = { enable = true; - hostName = "_"; + hostName = "${config.HostName}"; plugins = [ "multiple_accounts" ]; + configureNginx = false; + extraConfig = '' # PurelyMail is the entreprise who host my mail $config['default_host'] = 'ssl://imap.purelymail.com'; @@ -19,14 +21,10 @@ }; services.nginx = { - enable = true; - - virtualHosts."_" = { + virtualHosts."${config.HostName}" = { listen = [ { addr = "0.0.0.0"; port = 1984; } ]; - forceSSL = false; - enableACME = false; }; }; diff --git a/module/searXNG.nix b/module/searXNG.nix index d363eb3..509aee6 100644 --- a/module/searXNG.nix +++ b/module/searXNG.nix @@ -1,11 +1,11 @@ { config,lib,pkgs, ... }: -{ - services = { - searx = { +lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){ + services.searx = { enable = true; redisCreateLocally = true; package = pkgs.searxng; + environmentFile = "/etc/searx.env"; settings.server = { bind_address = "0.0.0.0"; @@ -14,6 +14,8 @@ # see below for the sops or environment file instructions to prevent this # secret_key = "$SEARXNG_SECRET"; }; + settings.engines = lib.mapAttrsToList (name: value: { inherit name; } // value) { + "wikidata".disabled = true; + }; }; - }; } diff --git a/module/vaultWarden.nix b/module/vaultWarden.nix index e69de29..bac4ace 100644 --- a/module/vaultWarden.nix 
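Review bot: The roundcube vhost now listens on `0.0.0.0:1984` with the `forceSSL`/`enableACME` lines removed, so the IMAP credentials for `ssl://imap.purelymail.com` are typed into a plaintext HTTP login page reachable from any interface; the upstream connection being TLS does not protect the browser-to-nginx leg. Hunk `@@ -1,12 +1,14 @@` also sets `configureNginx = false`, and nothing visible in this diff adds a roundcube `locations` entry to the vhost, so port 1984 may be open with no roundcube content behind it — worth confirming after a rebuild. Because `virtualHosts."${config.HostName}"` is the same attribute vaultWarden.nix populates, the two `listen` lists merge into one server block; a distinct vhost name (or `serverName`) per service would keep them separate.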
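Review bot: `environmentFile = "/etc/searx.env"` is wired in, but the `secret_key` line in hunk `@@ -14,6 +14,8 @@` stays commented out (`# secret_key = "$SEARXNG_SECRET";`), so unless the file is consumed some other way the instance keeps running with whatever `secret_key` the module defaults to. If I read the NixOS searx module right, `$VAR` references in `settings` are substituted from this file at service start, so uncommenting `secret_key = "$SEARXNG_SECRET";` (and defining that variable in the file) is all that is needed; otherwise drop the stale comment block. As with the other env files in this commit, `/etc/searx.env` should be root-only and never placed in the store.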
+++ b/module/vaultWarden.nix @@ -0,0 +1,35 @@ +{ config, pkgs, lib, ... }: + +lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004"){ + services.vaultwarden = { + enable = true; + + backupDir = "/var/local/vaultwarden/backup"; + + config = { + SIGNUPS_ALLOWED = true; + ROCKET_PORT = 8222; + }; + }; + + services.nginx = { + enable = true; + + virtualHosts = { + "${config.HostName}" = { + listen = [{ addr = "0.0.0.0"; port = 8000; }]; + locations."/" = { + proxyPass = "http://127.0.0.1:8222"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8000 ]; +}
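Review bot: `SIGNUPS_ALLOWED = true` together with `listen = [{ addr = "0.0.0.0"; port = 8000; }]` and `networking.firewall.allowedTCPPorts = [ 8000 ]` lets anyone who can reach port 8000 register an account on this vault, and they do so over plain HTTP since the vhost carries no TLS (`X-Forwarded-Proto $scheme` will report `http` to Vaultwarden). Set `SIGNUPS_ALLOWED = false;` once the first account exists, set `DOMAIN` to the public URL so generated links and WebAuthn work, and put TLS in front before opening the port — browsers expose the Web Crypto API only in secure contexts, so the web vault is unlikely to function over plaintext anyway. `backupDir = "/var/local/vaultwarden/backup"` will hold full copies of the encrypted database, so its ownership and permissions deserve the same care as the live data directory.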