From ae9b064b6ea9668fc94b0b824c7039fc603e7764 Mon Sep 17 00:00:00 2001
From: murmeldin
Date: Fri, 6 Dec 2024 18:21:06 +0100
Subject: [PATCH] Initial commit

---
 .gitignore | 5 +++
 README.md | 3 ++
 vaultwarden.nix | 111 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 119 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 vaultwarden.nix

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a806510
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..60dbaa1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# cccb-vaultwarden
+
+This is the configuration of the cccb vaultwarden instance
\ No newline at end of file
diff --git a/vaultwarden.nix b/vaultwarden.nix
new file mode 100644
index 0000000..314a3ef
--- /dev/null
+++ b/vaultwarden.nix
@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+{
+ # Enable necessary services
+ services.vaultwarden = {
+ enable = true;
+ package = pkgs.vaultwarden;
+ config = {
+ # Hardening and security settings
+ DOMAIN = "https://vault.berlin.ccc.de";
+ SIGNUPS_ALLOWED = false; # Disable public signups
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+ RATE_LIMITS = "200/1m";
+
+ # Enhanced logging and security
+ LOG_LEVEL = "warn";
+ ADMIN_TOKEN = ""; # Set a strong, unique admin token via environment file
+ WEBSOCKET_ENABLED = true;
+
+ # Database and storage
+ DATABASE_URL = "sqlite:///var/lib/vaultwarden/db.sqlite3";
+ DATA_FOLDER = "/var/lib/vaultwarden/data";
+ };
+ };
+
+ # ACME and SSL configuration
+ security.acme = {
+ defaults.email = "admin@berlin.ccc.de";
+ acceptTerms = true;
+ };
+
+ # Nginx reverse proxy configuration
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ services.nginx.recommendedTlsSettings = true;
+ security.acme.certs."vault.berlin.ccc.de".extraConfig = ''
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ '';
+
+ virtualHosts."vault.berlin.ccc.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ # Strict security headers
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none';" always;
+ '';
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ # Backup configuration
+ services.restic.backups = {
+ vaultwarden-backup = {
+ initialize = true;
+ repository = "/mnt/backup/vaultwarden";
+ paths = [ "/var/lib/vaultwarden" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ # Consider using environment file for sensitive backup credentials
+ passwordFile = "/path/to/restic/password/file";
+ checkConfig = {
+ OnCalendar = "weekly";
+ Persistent = true;
+ };
+ };
+ };
+
+ # Firewall configuration
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [];
+ extraConfig = ''
+ iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT; # DNS
+ iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT; # HTTPS
+ iptables -P OUTPUT DROP;
+ '';
+
+ };
+
+ # Additional security hardening
+ security.hardening.enable = true;
+
+ # Periodic system updates
+ system.autoUpgrade = {
+ enable = true;
+ allowReboot = false;
+ };
+
+ services.fail2ban = {
+ enable = true;
+ filters."nginx-http-auth".enable = true;
+ };
+}
\ No newline at end of file
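Review bot: The firewall block at the end of the hunk sets `iptables -P OUTPUT DROP` after accepting only TCP 53 and TCP 443, with no `ESTABLISHED,RELATED` or loopback accept, so the reply packets of inbound 80/443 connections, the nginx → 127.0.0.1:8222 proxy hop and UDP DNS (which ACME issuance and `system.autoUpgrade` need to resolve anything) are all dropped, only IPv4 is covered, and as far as I know the NixOS option is `networking.firewall.extraCommands` rather than `extraConfig` — the rewrite below adds the missing accepts ahead of the default-drop policy. `ADMIN_TOKEN = ""` inside `services.vaultwarden.config` is rendered into a world-readable Nix store path and, if I read vaultwarden correctly, an empty token disables the admin page rather than protecting it; the comment promises an environment file but `services.vaultwarden.environmentFile` is never set, which is where an argon2 PHC-hashed token belongs. Two attributes are nested one level too deep: `services.nginx.recommendedTlsSettings` and `security.acme.certs."vault.berlin.ccc.de".extraConfig` sit inside `services.nginx = { … }` and become undefined options that fail evaluation (and `ssl_stapling` is an nginx directive, so it belongs in the virtualHost's `extraConfig`, not in ACME client config); I also don't know of a `security.hardening.enable` option. The restic job backs up a live SQLite file and ships the literal placeholder `passwordFile = "/path/to/restic/password/file"`, so the timer will fail until a real secret path is supplied — consider `backupPrepareCommand` with `sqlite3 … ".backup …"` or the module's `services.vaultwarden.backupDir` for a consistent snapshot. Finally, the CSP with `script-src 'self'; style-src 'self'` replaces the headers vaultwarden emits itself and will likely break the web vault's inline styles; verify it in a browser before relying on it.
```nix
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPorts = [];
    extraCommands = ''
      # Loopback (nginx -> vaultwarden on 127.0.0.1:8222) and replies to accepted inbound connections
      iptables -A OUTPUT -o lo -j ACCEPT
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      # Outbound DNS (UDP as well as TCP) and HTTPS (ACME, autoUpgrade)
      iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
      iptables -P OUTPUT DROP
      # NOTE(review): mirror these with ip6tables if the host has IPv6, and reset
      # the policy to ACCEPT in extraStopCommands so a firewall reload cannot lock the box out
    '';
  };
```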