diff --git a/modules/nixos/services/media/mydia/default.nix b/modules/nixos/services/media/mydia/default.nix index 6fa94ca..aa44856 100644 --- a/modules/nixos/services/media/mydia/default.nix +++ b/modules/nixos/services/media/mydia/default.nix @@ -24,6 +24,7 @@ in { package = inputs.mydia.packages.${system}.default; port = 2010; + listenAddress = "0.0.0.0"; openFirewall = true; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix index abab566..07f7058 100644 --- a/modules/nixos/services/security/vaultwarden/default.nix +++ b/modules/nixos/services/security/vaultwarden/default.nix @@ -1,25 +1,31 @@ -{ pkgs, config, lib, namespace, ... }: -let +{ + pkgs, + config, + lib, + namespace, + ... +}: let inherit (builtins) toString; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; cfg = config.${namespace}.services.security.vaultwarden; - databaseProviderSqlite = types.submodule ({ ... }: { + databaseProviderSqlite = types.submodule ({...}: { options = { type = mkOption { - type = types.enum [ "sqlite" ]; + type = types.enum ["sqlite"]; }; file = mkOption { - type = types.str; - description = ''''; + type = types.path; + description = '' + Path to sqlite database file. + ''; }; }; }); - databaseProviderPostgresql = types.submodule ({ ... }: - let + databaseProviderPostgresql = types.submodule ({...}: let urlOptions = lib.${namespace}.options.mkUrlOptions { host = { description = '' @@ -40,36 +46,36 @@ let example = "postgres"; }; }; - in - { - options = { - type = mkOption { - type = types.enum [ "postgresql" ]; - }; + in { + options = + { + type = mkOption { + type = types.enum ["postgresql"]; + }; - sslMode = mkOption { - type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; - default = "verify-full"; - example = "verify-ca"; - description = '' - How to verify the server's ssl + sslMode = mkOption { + type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"]; + default = "verify-full"; + example = "verify-ca"; + description = '' + How to verify the server's ssl - | mode | eavesdropping protection | MITM protection | Statement | - |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| - | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | - | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | - | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | - | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | - | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | - | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | - - [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) - ''; - }; - } // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); + | mode | eavesdropping protection | MITM protection | Statement | + |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| + | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | + | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | + | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | + | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | + | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | + | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | + + [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) + ''; + }; + } + // (urlOptions |> getAttrs ["protocol" "host" "port"]); }); -in -{ +in { options.${namespace}.services.security.vaultwarden = { enable = mkEnableOption "enable vaultwarden"; @@ -136,7 +142,7 @@ in postgresql = { enable = true; - ensureDatabases = [ "vaultwarden" ]; + ensureDatabases = ["vaultwarden"]; ensureUsers = [ { name = "vaultwarden"; @@ -171,7 +177,7 @@ in owner = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name; key = "email/chris_kruining_eu"; - restartUnits = [ "vaultwarden.service" ]; + restartUnits = ["vaultwarden.service"]; }; }; @@ -183,34 +189,31 @@ in owner = config.users.users.vaultwarden.name; group = config.users.groups.vaultwarden.name; }; - temp-db-output.content = - let - config = - cfg.database - |> ({ type, ... }@db: - if type == "sqlite" then - { inherit (db) type file; } - else if type == "postgresql" then - { - inherit (db) type; - url = lib.${namespace}.strings.toUrl { - inherit (db) protocol host port; - path = "vaultwarden"; - query = { - sslmode = db.sslMode; - }; + temp-db-output.content = let + config = + cfg.database + |> ( + {type, ...} @ db: + if type == "sqlite" + then {inherit (db) type file;} + else if type == "postgresql" + then { + inherit (db) type; + url = lib.${namespace}.strings.toUrl { + inherit (db) protocol host port; + path = "vaultwarden"; + query = { + sslmode = db.sslMode; }; - } - else - {} - ) - |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") - ; - in - '' - # GENERATED VALUES - ${config} - ''; + }; + } + else {} + ) + |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}"); + in '' + # GENERATED VALUES + ${config} + ''; }; }; };