diff --git a/flake.nix b/flake.nix
index 303b66b..6287fe3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,5 +1,5 @@
 {
- description = "https://tangled.sh/@ocbwoy3.dev/nix";
+ description = "Dark World Exclusive Nix Flake (Totally not a Deltarune reference)";
 inputs = {
 # Core
@@ -19,7 +19,7 @@
 zen-browser.url = "github:0xc000022070/zen-browser-flake";
 # Programs
- tuxstrap.url = "git+https://tangled.sh/@ocbwoy3.dev/tuxstrap";
+ tuxstrap.url = "git+https://tangled.org/kris.darkworld.download/tuxstrap";
 # Package tooling
 chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
@@ -27,7 +27,7 @@
 nvf.url = "github:notashelf/nvf";
 # Extras
- tangled.url = "git+https://tangled.sh/@tangled.sh/core";
+ tangled.url = "git+https://tangled.sh/tangled.sh/core";
 vscode-server.url = "github:nix-community/nixos-vscode-server";
 spacebar = {
 url = "github:spacebarchat/server";
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index e76871f..a37be07 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -12,6 +12,7 @@
 ./modules/tangled.nix
 ../../modules/force.nix
 ./modules/gitea.nix
+ ./modules/vaultwarden.nix
 ];
 # gcc. shit breaks. wtf
@@ -40,9 +41,11 @@
 };
 };
- services.openssh.settings = {
+ services.openssh.settings = lib.mkDefault {
 PubkeyAuthentication = "yes";
 TrustedUserCAKeys = "/etc/ssh/ca.pub";
+ PermitRootLogin = lib.mkDefault "prohibit-password";
+ KbdInteractiveAuthentication = lib.mkDefault false;
 };
 services.openssh = {
@@ -62,6 +65,7 @@
 extraGroups = [
 "wheel"
 "networkmanager"
+ "docker"
 ];
 shell = pkgs.zsh;
 };
diff --git a/hosts/server/modules/vaultwarden.nix b/hosts/server/modules/vaultwarden.nix
new file mode 100644
index 0000000..572be8e
--- /dev/null
+++ b/hosts/server/modules/vaultwarden.nix
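Review bot: The new `tuxstrap.url` points at a different host and path with no `ref` or `rev`, so the input resolves to whatever that repository's default branch holds at lock time, and no `flake.lock` change is visible in this diff; unless the lock is updated elsewhere, the existing entry still records the old `tangled.sh` origin and Nix will re-resolve the input from the new origin instead of the previously locked revision. The same applies to the `tangled.url` rewrite in the next hunk. Relocating a dependency is the moment to confirm that the locked `narHash` carried over matches what was built before, either by refreshing the lock in the same commit or by pinning the URL with `?rev=<commit>` (placeholder) until it is.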
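Review bot: Wrapping the whole `services.openssh.settings` attrset in `lib.mkDefault` turns every key in it, `PubkeyAuthentication` and `TrustedUserCAKeys` included, into a lowest-priority definition: if any other module sets even one `services.openssh.settings.*` key at normal priority, override filtering drops this entire set and the CA trust and hardening vanish without an evaluation error. The inner `lib.mkDefault` on `PermitRootLogin` and `KbdInteractiveAuthentication` already makes those two overridable on their own, so the outer line should stay `services.openssh.settings = {`. `PasswordAuthentication` is not touched here; with CA-signed keys as the intended login path, `PasswordAuthentication = false;` next to the two new keys is the natural complement, unless it is already set in the `services.openssh = {` block that continues past the hunk.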
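Review bot: Adding the account to the `docker` group grants unrestricted access to the Docker daemon socket, which with a rootful daemon is equivalent to root on the host and sidesteps the sudo path (and its logging) that the existing `wheel` membership already provides. If that is a deliberate convenience, a trailing comment such as `"docker" # root-equivalent via the daemon socket; intentional` records the decision; `virtualisation.docker.rootless.enable = true;` is the alternative that avoids it. The enclosing user definition continues outside the hunk, so any other constraints on this account are not visible here.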
@@ -0,0 +1,44 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ environmentFile = "/private/vaultwarden/vaultwarden.env";
+ config = {
+ # Keep data alongside the secret env file so we can back it up together.
+ DATA_FOLDER = "/private/vaultwarden/data";
+ PUSH_RELAY_URI = "https://api.bitwarden.eu";
+ PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
+ DOMAIN = "https://vault.ocbwoy3.dev";
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = 8222;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "0.0.0.0";
+ WEBSOCKET_PORT = 3012;
+ SIGNUPS_ALLOWED = false;
+ };
+ };
+
+ # Allow vaultwarden to write under /private/vaultwarden and ensure the directory exists.
+ systemd.services.vaultwarden.serviceConfig = {
+ ReadWritePaths = [ "/private/vaultwarden" ];
+ };
+
+ systemd.tmpfiles.settings."10-vaultwarden-private"."/private/vaultwarden/data".d = {
+ user = "vaultwarden";
+ group = "vaultwarden";
+ mode = "0750";
+ };
+
+ # cloudflared!!
+ # networking.firewall.allowedTCPPorts = [
+ # 8222
+ # 3012
+ # ];
+}
diff --git a/modules/force.nix b/modules/force.nix
index d85a245..b5e71a2 100644
--- a/modules/force.nix
+++ b/modules/force.nix
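Review bot: `ROCKET_ADDRESS` and `WEBSOCKET_ADDRESS` are `"0.0.0.0"` while the commented-out firewall block and the `# cloudflared!!` remark say the service is meant to be reached only through a local tunnel; binding to loopback makes the unexposed state a property of the service rather than of the firewall, which matters once the host gains further interfaces (the `docker` group added in `configuration.nix` suggests a container bridge will appear). If cloudflared runs on this host, `ROCKET_ADDRESS = "127.0.0.1";` and `WEBSOCKET_ADDRESS = "127.0.0.1";` are the only lines that need to change. Recent vaultwarden releases serve WebSocket notifications on the main port and, as far as I recall, no longer honour the separate `WEBSOCKET_*` listener, so check the deployed version before relying on port 3012. The `tmpfiles` rule covers only `/private/vaultwarden/data`, not the parent directory that holds `vaultwarden.env`, so that file's own ownership and mode are all that protect its secrets; a comment on `environmentFile` stating how it is provisioned and with what mode would make that explicit.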
@@ -1,38 +1,39 @@ { config, pkgs, ... }: {
- imports = [
- ./nixos/bootloader.nix
- ./nixos/hardware.nix
- ./nixos/i18n.nix
- ./nixos/network.nix
- ./nixos/nixpkgs.nix
- ./nixos/nvidia.nix
- ./nixos/programs.nix
- ./stuff/nvim.nix
- ./stuff/zsh.nix
- ];
+ imports = [
+ ./nixos/bootloader.nix
+ ./nixos/hardware.nix
+ ./nixos/i18n.nix
+ ./nixos/network.nix
+ ./nixos/nixpkgs.nix
+ ./nixos/nvidia.nix
+ ./nixos/programs.nix
+ ./stuff/nvim.nix
+ ./stuff/zsh.nix
+ ];
- environment.systemPackages = with pkgs; [
- tmux
- gh
- file
- glib
- openssl
- nss
- glibc
- nixfmt-rfc-style
- killall
- deno
- bun
- imagemagick
- unzip
- libwebp
- nix-direnv
- htop
- nixpkgs-fmt
- nixd
- ffmpeg-full
- gnupg
- ];
+ environment.systemPackages = with pkgs; [
+ tmux
+ gh
+ file
+ glib
+ openssl
+ nss
+ glibc
+ nixfmt-rfc-style
+ killall
+ deno
+ bun
+ imagemagick
+ unzip
+ libwebp
+ nix-direnv
+ htop
+ nixpkgs-fmt
+ nixd
+ ffmpeg-full
+ gnupg
+ codex
+ ];
 }
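Review bot: The hunk reindents both lists, so every line of `force.nix` shows as changed and the one substantive edit, adding `codex` to `environment.systemPackages`, is easy to miss; whitespace-only reformatting belongs in its own commit so the package addition stays reviewable. This module is imported by `hosts/server/configuration.nix`, so `codex` lands on the server and on every other host that imports `force.nix`; a trailing comment on that line stating why it belongs in a module shared by all hosts would make that scope a deliberate choice rather than a side effect.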