cccb-vaultwarden/vaultwarden.nix

{ config, pkgs, ... }:
{
  # Enable necessary services
  services.vaultwarden = {
    enable = true;
    package = pkgs.vaultwarden;
    config = {
      # Hardening and security settings
      DOMAIN = "https://vault.berlin.ccc.de";
      SIGNUPS_ALLOWED = false; # Disable public signups
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
      ROCKET_LOG = "critical";
      RATE_LIMITS = "200/1m";

      # Enhanced logging and security
      LOG_LEVEL = "warn";
      ADMIN_TOKEN = ""; # Set a strong, unique admin token via environment file
      WEBSOCKET_ENABLED = true;
      
      # Database and storage
      DATABASE_URL = "sqlite:///var/lib/vaultwarden/db.sqlite3";
      DATA_FOLDER = "/var/lib/vaultwarden/data";
    };
  };

  # ACME and SSL configuration
  security.acme = {
    defaults.email = "admin@berlin.ccc.de";
    acceptTerms = true;
  };

  # Nginx reverse proxy configuration
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    services.nginx.recommendedTlsSettings = true;
    security.acme.certs."vault.berlin.ccc.de".extraConfig = ''
      ssl_stapling on;
      ssl_stapling_verify on;
    '';

    virtualHosts."vault.berlin.ccc.de" = {
      enableACME = true;
      forceSSL = true;

      # Strict security headers
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none';" always;
      '';

      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
        proxyWebsockets = true;
      };
    };
  };

  # Backup configuration
  services.restic.backups = {
    vaultwarden-backup = {
      initialize = true;
      repository = "/mnt/backup/vaultwarden";
      paths = [ "/var/lib/vaultwarden" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
      };
      # Consider using environment file for sensitive backup credentials
      passwordFile = "/path/to/restic/password/file";
      checkConfig = {
        OnCalendar = "weekly";
        Persistent = true;
      };
    };
  };

  # Firewall configuration
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [];
    extraConfig = ''
      iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT; # DNS
      iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT; # HTTPS
      iptables -P OUTPUT DROP;
    '';

  };

  # Additional security hardening
  security.hardening.enable = true;

  # Periodic system updates
  system.autoUpgrade = {
    enable = true;
    allowReboot = false;
  };

  services.fail2ban = {
    enable = true;
    filters."nginx-http-auth".enable = true;
  };
}
Initial commit 2024-12-06 18:21:06 +01:00			`{ config, pkgs, ... }:`
			`{`
			`# Enable necessary services`
			`services.vaultwarden = {`
			`enable = true;`
			`package = pkgs.vaultwarden;`
			`config = {`
			`# Hardening and security settings`
			`DOMAIN = "https://vault.berlin.ccc.de";`
			`SIGNUPS_ALLOWED = false; # Disable public signups`
			`ROCKET_ADDRESS = "127.0.0.1";`
			`ROCKET_PORT = 8222;`
			`ROCKET_LOG = "critical";`
			`RATE_LIMITS = "200/1m";`

			`# Enhanced logging and security`
			`LOG_LEVEL = "warn";`
			`ADMIN_TOKEN = ""; # Set a strong, unique admin token via environment file`
			`WEBSOCKET_ENABLED = true;`

			`# Database and storage`
			`DATABASE_URL = "sqlite:///var/lib/vaultwarden/db.sqlite3";`
			`DATA_FOLDER = "/var/lib/vaultwarden/data";`
			`};`
			`};`

			`# ACME and SSL configuration`
			`security.acme = {`
			`defaults.email = "admin@berlin.ccc.de";`
			`acceptTerms = true;`
			`};`

			`# Nginx reverse proxy configuration`
			`services.nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`

			`services.nginx.recommendedTlsSettings = true;`
			`security.acme.certs."vault.berlin.ccc.de".extraConfig = ''`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`'';`

			`virtualHosts."vault.berlin.ccc.de" = {`
			`enableACME = true;`
			`forceSSL = true;`

			`# Strict security headers`
			`extraConfig = ''`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`add_header X-Frame-Options "DENY" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header Referrer-Policy "strict-origin-when-cross-origin" always;`
			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none';" always;`
			`'';`

			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`};`

			`# Backup configuration`
			`services.restic.backups = {`
			`vaultwarden-backup = {`
			`initialize = true;`
			`repository = "/mnt/backup/vaultwarden";`
			`paths = [ "/var/lib/vaultwarden" ];`
			`timerConfig = {`
			`OnCalendar = "daily";`
			`Persistent = true;`
			`};`
			`# Consider using environment file for sensitive backup credentials`
			`passwordFile = "/path/to/restic/password/file";`
			`checkConfig = {`
			`OnCalendar = "weekly";`
			`Persistent = true;`
			`};`
			`};`
			`};`

			`# Firewall configuration`
			`networking.firewall = {`
			`enable = true;`
			`allowedTCPPorts = [ 80 443 ];`
			`allowedUDPPorts = [];`
			`extraConfig = ''`
			`iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT; # DNS`
			`iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT; # HTTPS`
			`iptables -P OUTPUT DROP;`
			`'';`

			`};`

			`# Additional security hardening`
			`security.hardening.enable = true;`

			`# Periodic system updates`
			`system.autoUpgrade = {`
			`enable = true;`
			`allowReboot = false;`
			`};`

			`services.fail2ban = {`
			`enable = true;`
			`filters."nginx-http-auth".enable = true;`
			`};`
			`}`