Various fixes; wireguard, vaultwarden, cleanups

hosts/voyager/services/hedgedoc.nix

@@ -45,9 +45,41 @@ in {
         };
     };
 
-    systemd.services.hedgedoc.serviceConfig = {
-      WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
-      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+    systemd.services.hedgedoc = {
+      requires = [
+        "postgresql.service"
+        "kanidm.service"
+      ];
+      serviceConfig = let
+        workDir = "/var/lib/hedgedoc";
+      in {
+        WorkingDirectory = lib.mkForce workDir;
+        StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+        # Better safe than sorry :)
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = [ workDir ];
+        RemoveIPC = true;
+        RestrictSUIDSGID = true;
+        UMask = "0007";
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
     };
 
     networking.firewall.allowedTCPPorts = [ port ];

hosts/voyager/services/jellyfin.nix

@@ -10,6 +10,7 @@ in {
   };
 
   services.nginx.virtualHosts."${domainName}" = {
+    serverAliases = [ "jf.feal.no" ];
     extraConfig = ''
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";

hosts/voyager/services/matrix/bridge-discord.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+  services.mx-puppet-discord = {
+    enable = true;
+
+    serviceDependencies = [
+      "matrix-synapse.service"
+      "postgresql.service"
+    ];
+
+    settings = {
+      bridge = {
+        bindAddress = "localhost";
+        domain = "feal.no";
+        homeserverUrl = "https://matrix.feal.no";
+        # homeserverUrl = "http://127.0.1.2:8008";
+
+        port = 8434;
+        enableGroupSync = true;
+      };
+
+      database.connString = "postgresql://mx-puppet-discord@localhost/mx-puppet-discord?sslmode=disable";
+
+      provisioning.whitelist = [ "@felixalb:feal\\.no" ];
+      relay.whitelist = [ ".*" ];
+      selfService.whitelist = [ "@felixalb:feal\\.no" ];
+
+    };
+  };
+
+  services.matrix-synapse.settings.app_service_config_files = [ /var/lib/mx-puppet-discord/discord-registration.yaml ];
+}

hosts/voyager/services/postgres.nix

@@ -5,12 +5,14 @@
     /* enableTCPIP = true; # Expose on the network */
     authentication = pkgs.lib.mkOverride 10 ''
      local gitea all ident map=gitea-users
+     local vaultwarden all ident map=vaultwarden-users
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
     '';
     identMap = ''
       gitea-users gitea gitea
+      vaultwarden-users vaultwarden vaultwarden
     '';
   };
 

hosts/voyager/services/transmission.nix

@@ -2,8 +2,8 @@
 let
   host = "127.0.1.2";
   port = "5003";
-  uid = 778;
-  gid = 778;
+  uid = config.ids.uids.transmission;
+  gid = config.ids.gids.transmission;
 in {
   sops.secrets."transmission/vpncreds" = {
     owner = "transmission";

hosts/voyager/services/vaultwarden.nix

@@ -0,0 +1,69 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vaultwarden;
+  domain = "pw.feal.no";
+  address = "127.0.0.1";
+  port = 3011; # Note! The websocket port is left as default
+in {
+  sops.secrets."vaultwarden/admintoken" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
+    config = {
+      domain = "https://${domain}";
+
+      rocketAddress = address;
+      rocketPort = port;
+      websocketEnabled = true;
+      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+
+      signupsAllowed = false;
+      rocketLog = "critical";
+
+    # This example assumes a mailserver running on localhost,
+    # thus without transport encryption.
+    # If you use an external mail server, follow:
+    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+      /* SMTP_HOST = "127.0.0.1"; */
+      /* SMTP_PORT = 25; */
+      /* SMTP_SSL = false; */
+
+      /* SMTP_FROM = "admin@bitwarden.example.com"; */
+      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
+
+    };
+  };
+
+
+  services.nginx.virtualHosts."${domain}" = {
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://localhost:3012";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+  services.postgresql = {
+    ensureDatabases = [ "vaultwarden" ];
+    ensureUsers = [{
+      name = "vaultwarden";
+      ensurePermissions = {
+        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
+      };
+    }];
+  };
+}