add modules

Former-commit-id: d199f35824

hosts/server/configuration.nix

@@ -9,6 +9,9 @@
     ../../nixos/tailscale.nix
 
     ../../server-modules/ssh.nix
+    ../../server-modules/bitwarden.nix
+    ../../server-modules/firewall.nix
+    ../../server-modules/nginx.nix
 
     # You should let those lines as is
     ./hardware-configuration.nix

hosts/server/secrets/default.nix

@@ -13,6 +13,7 @@
         path = "/home/hadi/.ssh/jack";
         mode = "0600";
       };
+      cloudflare-dns-token = { path = "/etc/cloudflare/dnskey.txt"; };
     };
   };
 }

server-modules/bitwarden.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+let domain = "vault.hadi.diy";
+in {
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://" + domain;
+      SIGNUPS_ALLOWED = true;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    useACMEHost = "hadi.diy";
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${
+          toString config.services.vaultwarden.config.ROCKET_PORT
+        }";
+    };
+  };
+
+  security.acme.certs."hadi.diy" = {
+    domain = "hadi.diy";
+    extraDomainNames = [ "*.hadi.diy" ];
+    group = "nginx";
+
+    dnsProvider = "cloudflare";
+    dnsPropagationCheck = true;
+    credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
+  };
+}

server-modules/firewall.nix

@@ -0,0 +1,6 @@
+{
+  networking.firewall = {
+    enable = true;
+    allowPing = false;
+  };
+}

server-modules/nginx.nix

@@ -0,0 +1,10 @@
+{ config, ... }: {
+  services.nginx = { enable = true; };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = config.var.git.email;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}