security (vaultwarden): Add hardened reverse proxy config

services/caddy.nix

@@ -0,0 +1,15 @@
+{ config, ... }: {
+  services.caddy = {
+    enable = true;
+    logFormat = "level INFO";
+  };
+
+  services.crowdsec = {
+    localConfig.acquisitions = [{
+      filenames = [ "${config.services.caddy.logDir}/*.log" ];
+      labels.type = "caddy";
+    }];
+
+    hub.parsers = [ "crowdsecurity/caddy-logs" ];
+  };
+}

services/vaultwarden.nix

@@ -36,7 +36,28 @@ in {
   };
 
   services.caddy.virtualHosts."vault.millironx.com".extraConfig = ''
-    reverse_proxy http://127.0.0.1:${port}
+    # See <https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples>
+    encode zstd gzip
+    header / {
+    	Strict-Transport-Security "max-age=31536000;"
+    	X-XSS-Protection "0"
+    	X-Frame-Options "DENY"
+    	X-Robots-Tag "noindex, nofollow"
+    	X-Content-Type-Options "nosniff"
+    	-Server
+    	-X-Powered-By
+    	-Last-Modified
+    }
+
+    @admin {
+      path /admin*
+      not remote_ip private_ranges 100.64.0.0/10
+    }
+    respond @admin "Access denied to remote clients. Use localhost or VPN." 403
+
+    reverse_proxy http://127.0.0.1:${port} {
+      header_up X-Real-IP {remote_host}
+    }
   '';
 
   users.users."${user}" = {

systems/linux/mcentire.nix

@@ -5,6 +5,7 @@
     ./hardware-configuration/mcentire.nix
     ./../../modules/podman-secrets.nix
     ./../../services/borgmatic.nix
+    ./../../services/caddy.nix
     ./../../services/crowdsec.nix
     ./../../services/authentik.nix
     ./../../services/audiobookshelf.nix
@@ -67,7 +68,6 @@
   services = {
     openssh.enable = true;
     tailscale.enable = true;
-    caddy.enable = true;
 
     # Do not "enable" database services, but include the package configuration
     # so that borgmatic does not freak out about unset variables