Initial commit

.gitignore

@@ -0,0 +1,5 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+

README.md

@@ -0,0 +1,3 @@
+# cccb-vaultwarden
+
+This is the configuration of the cccb vaultwarden instance

vaultwarden.nix

@@ -0,0 +1,111 @@
+{ config, pkgs, ... }:
+{
+  # Enable necessary services
+  services.vaultwarden = {
+    enable = true;
+    package = pkgs.vaultwarden;
+    config = {
+      # Hardening and security settings
+      DOMAIN = "https://vault.berlin.ccc.de";
+      SIGNUPS_ALLOWED = false; # Disable public signups
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
+      RATE_LIMITS = "200/1m";
+
+      # Enhanced logging and security
+      LOG_LEVEL = "warn";
+      ADMIN_TOKEN = ""; # Set a strong, unique admin token via environment file
+      WEBSOCKET_ENABLED = true;
+      
+      # Database and storage
+      DATABASE_URL = "sqlite:///var/lib/vaultwarden/db.sqlite3";
+      DATA_FOLDER = "/var/lib/vaultwarden/data";
+    };
+  };
+
+  # ACME and SSL configuration
+  security.acme = {
+    defaults.email = "admin@berlin.ccc.de";
+    acceptTerms = true;
+  };
+
+  # Nginx reverse proxy configuration
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    services.nginx.recommendedTlsSettings = true;
+    security.acme.certs."vault.berlin.ccc.de".extraConfig = ''
+      ssl_stapling on;
+      ssl_stapling_verify on;
+    '';
+
+    virtualHosts."vault.berlin.ccc.de" = {
+      enableACME = true;
+      forceSSL = true;
+
+      # Strict security headers
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none';" always;
+      '';
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  # Backup configuration
+  services.restic.backups = {
+    vaultwarden-backup = {
+      initialize = true;
+      repository = "/mnt/backup/vaultwarden";
+      paths = [ "/var/lib/vaultwarden" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+      # Consider using environment file for sensitive backup credentials
+      passwordFile = "/path/to/restic/password/file";
+      checkConfig = {
+        OnCalendar = "weekly";
+        Persistent = true;
+      };
+    };
+  };
+
+  # Firewall configuration
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 80 443 ];
+    allowedUDPPorts = [];
+    extraConfig = ''
+      iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT; # DNS
+      iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT; # HTTPS
+      iptables -P OUTPUT DROP;
+    '';
+
+  };
+
+  # Additional security hardening
+  security.hardening.enable = true;
+
+  # Periodic system updates
+  system.autoUpgrade = {
+    enable = true;
+    allowReboot = false;
+  };
+
+  services.fail2ban = {
+    enable = true;
+    filters."nginx-http-auth".enable = true;
+  };
+}