add modules

server-modules/bitwarden.nix

@@ -0,0 +1,34 @@
+{ config, ... }:
+let domain = "vault.hadi.diy";
+in {
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://" + domain;
+      SIGNUPS_ALLOWED = true;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    useACMEHost = "hadi.diy";
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${
+          toString config.services.vaultwarden.config.ROCKET_PORT
+        }";
+    };
+  };
+
+  security.acme.certs."hadi.diy" = {
+    domain = "hadi.diy";
+    extraDomainNames = [ "*.hadi.diy" ];
+    group = "nginx";
+
+    dnsProvider = "cloudflare";
+    dnsPropagationCheck = true;
+    credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
+  };
+}

server-modules/firewall.nix

@@ -0,0 +1,6 @@
+{
+  networking.firewall = {
+    enable = true;
+    allowPing = false;
+  };
+}

server-modules/nginx.nix

@@ -0,0 +1,10 @@
+{ config, ... }: {
+  services.nginx = { enable = true; };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = config.var.git.email;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}