From d199f35824f9be1c2a231e25bb3ab9264122e8e7 Mon Sep 17 00:00:00 2001
From: Hadi <112569860+anotherhadi@users.noreply.github.com>
Date: Wed, 19 Mar 2025 13:55:03 +0100
Subject: [PATCH] add modules

---
 hosts/server/configuration.nix | 3 +++
 hosts/server/secrets/default.nix | 1 +
 server-modules/bitwarden.nix | 34 ++++++++++++++++++++++++++++++++
 server-modules/firewall.nix | 6 ++++++
 server-modules/nginx.nix | 10 ++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 server-modules/bitwarden.nix
 create mode 100644 server-modules/firewall.nix
 create mode 100644 server-modules/nginx.nix

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 9c9bfaa..493e299 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -9,6 +9,9 @@
 ../../nixos/tailscale.nix
 ../../server-modules/ssh.nix
+ ../../server-modules/bitwarden.nix
+ ../../server-modules/firewall.nix
+ ../../server-modules/nginx.nix
 # You should let those lines as is
 ./hardware-configuration.nix
diff --git a/hosts/server/secrets/default.nix b/hosts/server/secrets/default.nix
index 38290b2..283942b 100644
--- a/hosts/server/secrets/default.nix
+++ b/hosts/server/secrets/default.nix
@@ -13,6 +13,7 @@
 path = "/home/hadi/.ssh/jack";
 mode = "0600";
 };
+ cloudflare-dns-token = { path = "/etc/cloudflare/dnskey.txt"; };
 };
 };
 }
diff --git a/server-modules/bitwarden.nix b/server-modules/bitwarden.nix
new file mode 100644
index 0000000..6bd9def
--- /dev/null
+++ b/server-modules/bitwarden.nix
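Review bot: The new `cloudflare-dns-token` entry in the secrets hunk relies on sops-nix's default owner and mode, while the sibling `jack` key on the lines above sets `mode = "0600"` explicitly; the intended access should be stated here, because the same path is handed to the ACME module as `credentialsFile`, which the NixOS acme module documents as an EnvironmentFile for lego rather than a bare token. Add a comment at the declaration such as `# EnvironmentFile for lego: CLOUDFLARE_DNS_API_TOKEN=<token>, scoped to Zone:DNS:Edit on hadi.diy only` so the secret is not populated with a raw key (the name `dnskey.txt` suggests one). If the acme module on this nixpkgs revision loads `credentialsFile` through systemd's LoadCredential the root-only default is fine; otherwise the file must be readable by the `acme` user, so confirm which applies before the first issuance. The enclosing `sops.secrets` attribute set starts above this hunk.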
@@ -0,0 +1,34 @@
+{ config, ... }:
+let domain = "vault.hadi.diy";
+in {
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "https://" + domain;
+ SIGNUPS_ALLOWED = true;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+ };
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ useACMEHost = "hadi.diy";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${
+ toString config.services.vaultwarden.config.ROCKET_PORT
+ }";
+ };
+ };
+ security.acme.certs."hadi.diy" = {
+ domain = "hadi.diy";
+ extraDomainNames = [ "*.hadi.diy" ];
+ group = "nginx";
+ dnsProvider = "cloudflare";
+ dnsPropagationCheck = true;
+ credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
+ };
+}
diff --git a/server-modules/firewall.nix b/server-modules/firewall.nix
new file mode 100644
index 0000000..6987110
--- /dev/null
+++ b/server-modules/firewall.nix
@@ -0,0 +1,6 @@
+{
+ networking.firewall = {
+ enable = true;
+ allowPing = false;
+ };
+}
diff --git a/server-modules/nginx.nix b/server-modules/nginx.nix
new file mode 100644
index 0000000..d6c79e0
--- /dev/null
+++ b/server-modules/nginx.nix
@@ -0,0 +1,10 @@
+{ config, ... }: {
+ services.nginx = { enable = true; };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = config.var.git.email;
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
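Review bot: `SIGNUPS_ALLOWED = true;` in the `services.vaultwarden.config` block leaves open registration on an instance that the nginx vhost exposes under the public `vault.hadi.diy` name with ports 80/443 opened elsewhere in this patch, so anyone who finds the host can create accounts and store data on it. Change it to `SIGNUPS_ALLOWED = false;` once the first account exists (or restrict registration with `SIGNUPS_DOMAINS_WHITELIST`), with a comment such as `# flip to true only while creating your own account; the vault is reachable from the internet`. The `locations."/"` proxy also lacks `proxyWebsockets = true;`, which this Vaultwarden version presumably needs for its notification hub on the same Rocket port; add it if live sync is wanted. The wildcard `*.hadi.diy` key is handed to group `nginx` here rather than in nginx.nix, so a one-line comment noting that other vhosts reuse it via `useACMEHost` would explain why the cert lives in the Vaultwarden module.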
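Review bot: `services.nginx = { enable = true; };` in nginx.nix brings up the reverse proxy without `recommendedProxySettings`, so a proxied backend sees every request as coming from `127.0.0.1` with no `X-Real-IP`/`X-Forwarded-For` headers, and any per-client control at the backend (Vaultwarden's login rate limiting presumably keys on `X-Real-IP`) collapses onto one address. Change the line to `services.nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; };` so forwarded headers and a current TLS policy apply to every vhost, including the one defined in bitwarden.nix. `defaults.email = config.var.git.email;` depends on a custom `config.var` option that this patch does not declare; a comment naming the module that defines it would help the next reader, e.g. `# config.var is declared in the shared options module`.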