From d3776db31196cc19e8b8f2c9c8a09b191bd0e0e2 Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Sun, 29 Mar 2026 15:52:03 +0200 Subject: [PATCH] defiant/vaultwarden: unpublish --- hosts/defiant/services/nginx.nix | 9 +++++++++ hosts/defiant/services/vaultwarden.nix | 12 ++++++++---- secrets/defiant/defiant.yaml | 7 ++++--- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix index e027fb1..5a9c88e 100644 --- a/hosts/defiant/services/nginx.nix +++ b/hosts/defiant/services/nginx.nix @@ -31,6 +31,15 @@ in { defaults.email = "felix@albrigtsen.it"; }; + # security.acme.certs."domainname" = { + # dnsProvider = "domeneshop"; + # environmentFile = config.sops.secrets."domeneshop/acme".path; + # webroot = null; + # } + sops.secrets."domeneshop/acme" = { + group = "nginx"; + }; + # Publicly exposed services: services.nginx.virtualHosts = let diff --git a/hosts/defiant/services/vaultwarden.nix b/hosts/defiant/services/vaultwarden.nix index 751c9cb..33b8a45 100644 --- a/hosts/defiant/services/vaultwarden.nix +++ b/hosts/defiant/services/vaultwarden.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: let cfg = config.services.vaultwarden; - domain = "pw.feal.no"; + domain = "pw.home.feal.no"; address = "127.0.1.2"; port = 3011; wsPort = 3012; @@ -43,13 +43,17 @@ in { services.postgresqlBackup.databases = [ "vaultwarden" ]; + security.acme.certs."pw.home.feal.no" = { + dnsProvider = "domeneshop"; + environmentFile = config.sops.secrets."domeneshop/acme".path; + webroot = null; + }; services.nginx.virtualHosts."${domain}" = { forceSSL = true; enableACME = true; - listen = [ - { addr = "192.168.10.175"; port = 43443; ssl = true; } - { addr = "192.168.10.175"; port = 43080; ssl = false; } + { addr = "192.168.10.175"; port = 443; ssl = true; } + { addr = "192.168.10.175"; port = 80; ssl = false; } ]; extraConfig = '' 
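Review bot: `sops.secrets."domeneshop/acme"` is given `group = "nginx"`, but nothing in this patch has nginx read the file: its only visible consumer is `environmentFile` on the ACME certificate in vaultwarden.nix, which the NixOS ACME module hands to systemd as the renewal unit's `EnvironmentFile=`, so it is read when the unit starts rather than by the nginx group. With the sops-nix default mode of `0400` the group has no effect today, but a later `mode = "0440"` would let every nginx process read a DNS API credential that can presumably change records for the zone. I would drop the group and state the intent, e.g. `sops.secrets."domeneshop/acme" = { }; # root-only; loaded by systemd as EnvironmentFile for ACME DNS-01`. The commented-out template above it ends in `# }` without the `;` it would need if uncommented. The enclosing `in { … }` body starts and ends outside the hunk.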
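Review bot: The new `security.acme.certs."pw.home.feal.no"` block in the second vaultwarden.nix hunk repeats the hostname as a literal, although `domain` is bound in the `let` at the top of the file and the vhost just below is keyed on `"${domain}"`. If the two ever drift, the DNS-01 settings attach to a certificate the vhost does not use, and `enableACME = true` would presumably fall back to the HTTP-01 webroot challenge for the real name, which cannot complete for a host that is no longer reachable from outside. Keying it as `security.acme.certs."${domain}" = {` keeps them tied together. Separately, a publicly trusted certificate for this name is recorded in Certificate Transparency logs, so the internal hostname of the password manager stays discoverable after unpublishing; a wildcard certificate for the parent zone would avoid that if it matters here. The `in { … }` body starts and ends outside the hunk.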
diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml index da9ce05..93f0887 100644 --- a/secrets/defiant/defiant.yaml +++ b/secrets/defiant/defiant.yaml @@ -5,6 +5,7 @@ matrix: slidingsyncsecret: ENC[AES256_GCM,data:bMBTXsLhXCj0Divy2mXZQ3zv5WBLut47pOzEQ1elOD1uDaKZMX8wX/EjGrrfmPZvUfLrvqEn8zEda++VtwPBonmQQ0CZraZeEKGgStQrFw==,iv:EulqNNtkNUFxO/LQ1qtYL/IXWu71L5cuJ1pY6eK85vc=,tag:uVoi42sq4S34bErASGJOAA==,type:str] domeneshop: netrc: ENC[AES256_GCM,data:35HTN/L7FfKTdsnu73Vqcf9NEc/ybV9CtEYVh/3VFuge5LEviubcqR2ljkdh22HzMjzbzO9WZVTLo0K8oqrR+8zCbKmi4+4n8ZsnGrqdnx2/Bl2KGdNXTbvfkIqZMD7xRBJtSB2IVyXcB1u7JYd9jvr2xVek3IC8C1Zf,iv:XeqZZYWHD9Sww+IUoRs5+BEKZK80cDF1o4zdUlztA94=,tag:dHQe6Rqst75VTmXSiqTeTw==,type:str] + acme: ENC[AES256_GCM,data:hESj6E3E9QI3mo0WxkLtk9elQNJ/878cecjHDCQJz9OQTG+rnlsCG5GhLOENcKlbhtZTkV8qsRSDO+3L2sdOEpe4eNuPnytxJycOrwZ3pr1F1FOBoWbkWX9F0xSf/7RxsetbrtlscnjaXYYdMBAAe3thkAXvca+0ZkZC/R4=,iv:/++qO2N4xczNvGjyZfG8JBF7KABa+GB+diO0jLTeQeA=,tag:08E7O/voRSNc7wt8upJojQ==,type:str] hedgedoc: env: ENC[AES256_GCM,data:30kDNwJA/nL2/l1gSVPWgFYIrrxnhKbsQPaS1MqeaggjDpPxyNOhSLf5/p5Z5S/jDuJapevpQR70hfAM8g3gLRNIFtP38V/8w0lUngpuz6MzL7THdNfbabOKsHpNht+nxwGXE1YSd0D4OuX5ll5pLWT8nQtNhhOzuYmDIJ/Xc01lmcGc2ThsA0GlkWZxUw==,iv:ht6BiCYJReWFoR1zpo/X0bcgMV9tYfXUM7Re2ngEk4M=,tag:XrlYHyhVujhhWul3czSTDg==,type:str] vaultwarden: 
@@ -58,7 +59,7 @@ sops: ZVp5RHU2U1ppakJCMFozWUNGSXhvNkkKDVPJGjPDaX+n3v27PBdMyk9kuzXnRIop h5XGRkJHTC4emo8zgKpBfByEb2fkBSL3k2ffZbVYtxrpupVBmT1Uqw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-14T22:36:00Z" - mac: ENC[AES256_GCM,data:H//LCiMw1wE7IDFvKf/QEhOlAjx83R4bxGCE9g4lG0dg2V9LD2bWOq2FVGUrMxw350Rj8CFIWaS5ZolGOvUetbDiQTlqayXi7OArGKBkJphoAdr2rskGYVULmB90a4wp1Fq9oIW2ZjbeURQkwybGJzBTCXFRNWp1VcY1STxzlR8=,iv:DWNLKAcscWIUZ9n46I3dssCM7416oGdsY/mPy1YzrJA=,tag:Q03jAMKSDJw5HmFb9i3Hxg==,type:str] + lastmodified: "2026-03-29T13:20:56Z" + mac: ENC[AES256_GCM,data:1nf8TodfK9B85SOql0enViCNQGU+diIfWhBWN+RrUFVX/5snso76j+/XlhSU7vck9Z+LB2f+2p4GyMbC0Y8CRMyiiszoINlOE1EljYI+iUZuj8iKUfOvtOAEUk1MXahu7Z8yYDD89aFQ47CoHEVaYnIzZQIrqvJauKilt9TpiO0=,iv:fC8wInBTPnUa+6L04nfv3tt5ohggwjZrnrO5vjiGIYo=,tag:jcjWezEriykPl44iRxgd0Q==,type:str] unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.12.1