constants.nix

@@ -46,7 +46,7 @@ rec {
       port = 1200;
     };
     vaultwarden = {
-      fqdn = "pw." + intranet;
+      fqdn = "pw." + domain;
       port = 8222;
     };
   };

hosts/rx4/secrets/secrets.yaml

@@ -16,6 +16,7 @@ forgejo-runner:
 vaultwarden:
     admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
     smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
+hetzner-api-key: ENC[AES256_GCM,data:casjNOXzuQDWgnSFftbBMygA8kGpGiZDqup08faWO9kfjvgOyWOXeqPd2VA1ND8yfM2LvoLYvPs6gUWtni2ldQ==,iv:p2W24uhJgBvpi3g4+cHw0/XbbTM5oYCPHreMBUR4CNs=,tag:lpwjZGoJe/91+CHX/hAkKA==,type:str]
 sops:
     age:
         - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -36,7 +37,7 @@ sops:
             NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
             f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-05-17T16:35:00Z"
+    lastmodified: "2026-05-17T20:34:39Z"
-    mac: ENC[AES256_GCM,data:U2WT4ENx8I9sr3byj7fQjv3H+mQTlhTI1HL9tufryKcUGjvb35ChwkIBcvEiYLa8udOR631sWwN4dCqZ4qwtCQ3MNjR8s1P6HqhzXeAPwyxfMLPZG1mbKXvYpamkxAOq8RxVHnVsPbrvFsxc57J11SI5IUfWT5T5GPQyJ+U8gMs=,iv:/xDaNV0fgKf9z+sql4BwwyIO/LQhRm3TrMhgaYZsPuE=,tag:Y0bfT1ZuiJ05F/+EwyzbSg==,type:str]
+    mac: ENC[AES256_GCM,data:lSSotIfDcS6oJpSDSe2hLx1M9L8a+bjkPstcPv1h2ohSiOu8WGAwTy4lsKD1n9rnhTzFmMqi2Xgh4K0n3WiqWFBeNcA6UeM7+a6PcDtUeCC3JKsP/XZvCoPq5uBwUWcovRSm4UElaL5MteZkV3e+qZWeUpZCTWWWEjYBYnHPLpQ=,iv:t4Up4DuTuQyQQNa7lmZK6kt5O0/aShXSF2XBj9Y6/z8=,tag:oNmP8e7jEZ3ttPkwXkWSZw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.1

hosts/rx4/services/vaultwarden.nix

@@ -6,6 +6,7 @@
 
 let
   inherit (constants) domain;
+  inherit (constants.hosts.rx4) ip;
   inherit (constants.services.vaultwarden) fqdn port;
 in
 {
@@ -21,6 +22,7 @@ in
     environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
 
     config = {
+      ENABLE_WEBSOCKET = true;
       SIGNUPS_ALLOWED = false;
 
       SMTP_FROM = "vaultwarden@${domain}";
@@ -30,12 +32,50 @@ in
       SMTP_SECURITY = "starttls";
       SMTP_USERNAME = "vaultwarden@${domain}";
 
-      ROCKET_ADDRESS = "0.0.0.0";
+      ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_PORT = port;
       ROCKET_LOG = "critical";
     };
   };
 
+  services.nginx.virtualHosts."${fqdn}" = {
+    useACMEHost = "pw-custom";
+    forceSSL = true;
+    listen = [
+      {
+        addr = "${ip}:443";
+        ssl = true;
+      }
+    ];
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+      };
+      "= /notifications/alerts" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+      "= /notifications/hub" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${domain}";
+    certs."pw-custom" = {
+      domain = fqdn;
+      dnsProvider = "hetzner";
+      dnsResolver = "1.1.1.1:53";
+      credentialFiles = {
+        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+      };
+      group = "nginx";
+    };
+  };
+
   sops =
     let
       owner = config.users.users.vaultwarden.name;
@@ -50,6 +90,11 @@ in
         "vaultwarden/smtp-password" = {
           inherit owner group mode;
         };
+        hetzner-api-key = {
+          inherit mode;
+          owner = "acme";
+          group = "acme";
+        };
       };
       templates = {
         "vaultwarden/env-file" = {

hosts/sid/services/coredns.nix

@@ -14,12 +14,7 @@
         hosts {
           ${hosts.sid.ip} ${ca-fqdn} 
 
-          ${hosts.rx4.ip} rx4.tail
-          ${hosts.sid.ip} sid.tail
-          ${hosts.vde.ip} vde.tail
-
           ${hosts.sid.ip} ${services.netdata.fqdn}
-          ${hosts.sid.ip} ${services.vaultwarden.fqdn}
 
           fallthrough
         }

hosts/sid/services/default.nix

@@ -10,7 +10,6 @@
 
     outputs.nixosModules.tailscale
 
-    ./coredns.nix
     ./headscale.nix
     ./mailserver.nix
     ./matrix-synapse.nix
@@ -18,6 +17,8 @@
     ./nginx.nix
     ./radicale.nix
     ./rss-bridge.nix
-    ./step-ca.nix
+
+    # ./coredns.nix
+    # ./step-ca.nix
   ];
 }

hosts/sid/services/headscale.nix

@@ -1,5 +1,6 @@
 {
   inputs,
+  constants,
   ...
 }:
 
@@ -24,5 +25,17 @@
       enable = true;
       subdomain = "hs";
     };
+    settings.dns.extra_records = [
+      {
+        name = constants.services.vaultwarden.fqdn;
+        type = "A";
+        value = constants.hosts.rx4.ip;
+      }
+      {
+        name = constants.services.netdata.fqdn;
+        type = "A";
+        value = constants.hosts.sid.ip;
+      }
+    ];
   };
 }

hosts/sid/services/mailserver.nix

@@ -1,4 +1,4 @@
-{ inputs, config, ... }:
+{ inputs, ... }:
 
 {
   imports = [ inputs.synix.nixosModules.mailserver ];
@@ -6,10 +6,12 @@
   mailserver = {
     enable = true;
     stateVersion = 3;
-    localDnsResolver = !config.services.coredns.enable;
     accounts = {
       sid = {
-        aliases = [ "postmaster" ];
+        aliases = [
+          "admin"
+          "postmaster"
+        ];
       };
       vaultwarden = { };
     };

hosts/sid/services/nginx.nix

@@ -56,15 +56,6 @@ in
       address = constants.hosts.rx4.ip;
       port = constants.services.miniflux.port;
     };
-    virtualHosts."${constants.services.netdata.fqdn}" = {
-      useACMEHost = "sid-internal";
-      forceSSL = ssl;
-      locations."/" = {
-        # proxyPass = "http://${constants.hosts.sid.ip}:${toString constants.services.netdata.port}";
-        proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
-        proxyWebsockets = true;
-      };
-    };
     virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
       inherit ssl;
       address = constants.hosts.rx4.ip;
@@ -82,15 +73,6 @@ in
       address = constants.hosts.rx4.ip;
       port = constants.services.rsshub-oci.port;
     };
-    virtualHosts."${constants.services.vaultwarden.fqdn}" = {
-      useACMEHost = "sid-internal";
-      forceSSL = ssl;
-      locations = {
-        "/" = {
-          proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
-        };
-      };
-    };
     # FIXME
     # virtualHosts."print.sid.ovh" = {
     #   enableACME = true;

hosts/sid/services/step-ca.nix

@@ -78,10 +78,8 @@ in
   security.acme = {
     certs."sid-internal" = {
       # domain = constants.intranet;
-      domain = constants.services.vaultwarden.fqdn;
+      domain = constants.services.netdata.fqdn;
       extraDomainNames = [
-        constants.services.netdata.fqdn
-        # constants.services.vaultwarden.fqdn
       ];
       server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
       group = "nginx";

modules/nixos/tailscale/default.nix

@@ -11,7 +11,7 @@
         loginServer = "https://hs.sid.ovh";
         authKeyFile = config.sops.secrets."tailscale/personal-key".path;
         enableSSH = true;
-        acceptDNS = false; # use coredns
+        acceptDNS = true;
       };
     };
   };