add caddy/vaultwarden/tailscale/zipline setup + cloudflared install

2025-08-06 14:24:27 -04:00 · 2025-08-06 14:24:27 -04:00 · 534dedfe9f
commit 534dedfe9f
parent 3170c5eb80
1 changed files with 63 additions and 0 deletions
--- a/hosts/Drone/default.nix
+++ b/hosts/Drone/default.nix
@ -42,7 +42,70 @@

  services = {
    scx.scheduler = lib.mkForce "scx_rusty";
+    
+    cloudflared = {
+      enable = true;
+      tunnels = {
+	
+      };
+    };

+    caddy = {
+      enable = true;
+      virtualHosts = {
+	"drone.taild5f7e6.ts.net".extraConfig = ''
+	  encode
+
+	  # most of this doesnt matter but why not
+          header {
+	      Strict-Transport-Security "max-age=31536000;"
+	      X-Frame-Options "SAMEORIGIN"
+	      X-Content-Type-Options "nosniff"
+	      -Server
+	      -X-Powered-By
+	  }
+
+	  # block connections to admin login
+          respond /admin/* 403
+	  
+	  reverse_proxy localhost:8000
+        '';
+#	"example.com".extraConfig = ''
+#	  encode
+
+#          header {
+#	      Strict-Transport-Security "max-age=31536000;"
+#	      X-Frame-Options "DENY"
+#	      X-Content-Type-Options "nosniff"
+#	      # nobody is gonna find this site through a search engine anyway
+#	      X-Robots-Tag "noindex, nofollow"
+#	      -Server
+#	      -X-Powered-By
+#	  }
+
+#	  reverse_proxy localhost:3000
+#	'';
+      };
+    };
+
+    tailscale.permitCertUid = "caddy"; # allow caddy to manage tailscale ssl certs
+
+    vaultwarden = {
+      enable = true;
+      backupDir = "/var/backups/vaultwarden";
+      config = {
+        DOMAIN = "https://drone.taild5f7e6.ts.net";
+
+        SIGNUPS_ALLOWED = false;
+      };
+      environmentFile = "/var/secrets/vaultwarden/secrets.env";
+    };
+
+    zipline = {
+      enable = true;
+      environmentFiles = [ "/var/secrets/zipline/secrets.env" ];
+    };
  };
+
  system.stateVersion = "25.05";
 }