
commit 6ee842c2d36b1aec50e5f6968eabe08a407b000f
parent 1cdd498a6f7fbc4253789ff772c82b1cfd3ba910
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 13 Nov 2023 10:32:55 +0100

machines/trabbi: add vaultwarden server
7 files changed, 119 insertions(+), 3 deletions(-)
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix
@@ -24,6 +24,9 @@
     ./mail
     ./matrix-synapse.nix
 
+    # vaultwarden password-store
+    ./vaultwarden.nix
+
     # websites
     ./websites
 
diff --git a/machines/trabbi/mail/default.nix b/machines/trabbi/mail/default.nix
@@ -32,9 +32,10 @@ in {
     inputs.simple-nixos-mailserver.nixosModule
   ];
 
-  age.secrets.restic-mail.file              = ./. + "/../../../secrets/${config.networking.hostName}/restic/mail.age";
-  age.secrets.mail-password-leah.file       = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age";
-  age.secrets.mail-password-zugnetwork.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age";
+  age.secrets.restic-mail.file               = ./. + "/../../../secrets/${config.networking.hostName}/restic/mail.age";
+  age.secrets.mail-password-leah.file        = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age";
+  age.secrets.mail-password-vaultwarden.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-vaultwarden-ctu.cx.age";
+  age.secrets.mail-password-zugnetwork.file  = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age";
 
   dns.zones = with pkgs.dns.lib.combinators; let
     TXT   = [ "v=spf1 a mx ip4:${config.networking.primaryIP4} +ip6:${config.networking.primaryIP} ~all" ];

@@ -161,6 +162,10 @@ in {
         ];
       };
 
+      "vaultwarden@ctu.cx" = {
+        hashedPasswordFile = config.age.secrets.mail-password-vaultwarden.path;      	
+      };
+
       "mail@zug.network" = {
         hashedPasswordFile = config.age.secrets.mail-password-zugnetwork.path;      	
         aliases = [
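Review bot: The new `"vaultwarden@ctu.cx"` account is only ever used as an SMTP sender (vaultwarden sets it as SMTP_FROM/SMTP_USERNAME), yet it is declared as a full mailbox that will accept inbound mail and quietly collect bounces and spam nobody reads. If the pinned simple-nixos-mailserver exposes the `loginAccounts.<name>.sendOnly` option, `sendOnly = true;` next to `hashedPasswordFile` makes the server reject unauthorized inbound mail to that address. The `hashedPasswordFile` line also carries trailing tab/space after the `;`, copied from the `mail@zug.network` entry below it. The enclosing `loginAccounts` attribute set starts and ends outside the hunk.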
diff --git a/machines/trabbi/vaultwarden.nix b/machines/trabbi/vaultwarden.nix
@@ -0,0 +1,62 @@
+{ pkgs, config, ... }:
+
+{
+
+  dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
+
+  age.secrets = {
+    restic-vaultwarden.file = ./. + "/../../secrets/${config.networking.hostName}/restic/vaultwarden.age";
+    vaultwarden-secrets = {
+      file  = ./. + "/../../secrets/${config.networking.hostName}/vaultwarden-secrets.age";
+      owner = "vaultwarden";
+      group = "vaultwarden";
+    };
+  };
+
+  restic-backups.vaultwarden = {
+    user         = "vaultwarden";
+    passwordFile = config.age.secrets.restic-vaultwarden.path;
+    paths        = [ "/var/lib/bitwarden_rs" ];
+  };
+
+  systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];
+
+  services = {
+    vaultwarden = {
+      enable          = true;
+      dbBackend       = "sqlite";
+      backupDir       = "/var/lib/bitwarden_rs/backups";
+      environmentFile = config.age.secrets.vaultwarden-secrets.path;
+      config          = {
+        DOMAIN          = "https://vault.ctu.cx";
+        SIGNUPS_ALLOWED = false;
+
+        PUSH_ENABLED = true;
+
+        SMTP_HOST     = "trabbi.ctu.cx";
+        SMTP_FROM     = "vaultwarden@ctu.cx";
+        SMTP_USERNAME = "vaultwarden@ctu.cx";
+        SMTP_PORT     = 587;
+        SMTP_SECURITY = "starttls";
+
+        ROCKET_ADDRESS = "::1";
+        ROCKET_PORT = 8582;
+      };
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts."vault.ctu.cx" = {
+        enableACME = true;
+        forceSSL   = true;
+        kTLS       = true;
+        locations."/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+        locations."/notifications/hub" = {
+          proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+}+
\ No newline at end of file
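Review bot: The nginx vhost proxies to Rocket without forwarding the client address, so unless `services.nginx.recommendedProxySettings = true` is set elsewhere on trabbi, vaultwarden sees every request as coming from `::1`: its login rate limiting and failed-login log lines key on the `IP_HEADER` header (default `X-Real-IP`), which this vhost never sets, turning the per-client limit into a single global one and stripping source IPs from the audit trail. Adding `recommendedProxySettings = true;` to both `locations."/"` and `locations."/notifications/hub"` (or globally) sets `X-Real-IP`/`X-Forwarded-For`; the `/notifications/hub` location is the WebSocket hub, so it needs the same headers. Nginx's default `client_max_body_size` of 1M will also reject attachment and Send uploads, which vaultwarden's reverse-proxy guidance expects raised on the vhost (e.g. `extraConfig = "client_max_body_size 525M;";`), though that is a functional rather than security point. Separately, the file is committed without a trailing newline, as the `\ No newline at end of file` marker shows.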
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -78,6 +78,7 @@ in {
   "trabbi/matrix-synapse/s3_secrets.age".publicKeys                  = [ leah trabbi ];
 
   "trabbi/restic/radicale.age".publicKeys                           = [ leah trabbi ];
+  "trabbi/restic/vaultwarden.age".publicKeys                        = [ leah trabbi ];
   "trabbi/restic/gitolite.age".publicKeys                           = [ leah trabbi ];
   "trabbi/restic/pleroma.age".publicKeys                            = [ leah trabbi ];
   "trabbi/restic/matrix-synapse.age".publicKeys                     = [ leah trabbi ];

@@ -85,10 +86,13 @@ in {
   "trabbi/restic/gotosocial.age".publicKeys                         = [ leah trabbi ];
 
   "trabbi/mail/password-leah-ctu.cx.age".publicKeys                 = [ leah trabbi ];
+  "trabbi/mail/password-vaultwarden-ctu.cx.age".publicKeys          = [ leah trabbi ];
   "trabbi/mail/password-mail-zug.network.age".publicKeys            = [ leah trabbi ];
 
   "trabbi/radicale-users.age".publicKeys                            = [ leah trabbi ];
 
+  "trabbi/vaultwarden-secrets.age".publicKeys                       = [ leah trabbi ];
+
 
   "wanderduene/wireguard-privkey.age".publicKeys                    = [ leah wanderduene ];
   "wanderduene/restic-server-htpasswd.age".publicKeys               = [ leah wanderduene ];
diff --git a/secrets/trabbi/mail/password-vaultwarden-ctu.cx.age b/secrets/trabbi/mail/password-vaultwarden-ctu.cx.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/vaultwarden.age b/secrets/trabbi/restic/vaultwarden.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/vaultwarden-secrets.age b/secrets/trabbi/vaultwarden-secrets.age
@@ -0,0 +1,17 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKM01mWFpOZk94b0psSUxx
+QnlYR1JEODJWZE96QkcxaUxCalluT1hpVkY4Ckdnb3lZZEdmQ0haRTdVYTMyQ3R2
+VTAwbFNYSFUvcmQ1Ym9hL0ZhamZwazAKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IE92
+MGY5U3lsWkZOMWV3Q3hXZEhSbWZKOHY2cVBabEdUaW5nYjAxWFZTbTgKTzRSZGdZ
+cjl6Rms5T083dkc4NEhVc01iTHExY0NKcEhxNjVkLzBxeFJFZwotPiBEJi1ncmVh
+c2UgPmw5dzggNi9TflFfIHxTCkdTQW5oSlVFSlVTekhEQlRsMEpFUld6eHZNdXk0
+Z29xc3VIVkF5eERKQ2ZDWDA5ZS9pNnJBaTVycmpBZXA3WFoKZ1pFUGo1dGo5SE5N
+VG02SVdvbVVCajAKLS0tIGNkWjVSL09xQ09LYjBXaW4vaS9FbHkwbmlReWVsdWth
+aXVYWEtwNzVhQkkKMVw/vLmH5bjPmgKyFf5xAAtkC4hDuvV62+ZVwocNlHzIk4V2
+tl3EKz7MgLYrQIuP7R7doBBqs5o7IKcToOziAW52B4NHO++7JghAdxJDYWJH/CTN
+QUYIVjYj/fg60y9EDvP7fEXBSfnM+IfURPh8XuhZYweAvcMe7IEeP7Zf0RY92HqT
+3IPzf+NwaYHeIaiJs0TNmRraxL/tN/oNqjgQc12HE/SEUnurhu6qxQSXCDF/uSB7
+OEWxTmUVl7tTyK1t7q/nNXOWELfqqjmyCpdGjyriTDvlD2MZrg31oUbHLnD3HITe
+0MRhvcJHOLYOOqoFugnFH0+kZDQPkrTzLjM/Gc1+7yQD6waIbOnWYIifZTHE1YN9
+V266nK/NpxBk4vevjRU7y3w92J3iETPjyqPwIvNnpw==
+-----END AGE ENCRYPTED FILE-----