commit 6ee842c2d36b1aec50e5f6968eabe08a407b000f
parent 1cdd498a6f7fbc4253789ff772c82b1cfd3ba910
Author: Leah (ctucx) <git@ctu.cx>
Date: Mon, 13 Nov 2023 10:32:55 +0100
machines/trabbi: add vaultwarden server
7 files changed, 119 insertions(+), 3 deletions(-)
diff --git a/machines/trabbi/configuration.nix b/machines/trabbi/configuration.nix @@ -24,6 +24,9 @@ ./mail ./matrix-synapse.nix + # vaultwarden password-store + ./vaultwarden.nix + # websites ./websites
diff --git a/machines/trabbi/mail/default.nix b/machines/trabbi/mail/default.nix @@ -32,9 +32,10 @@ in { inputs.simple-nixos-mailserver.nixosModule ]; - age.secrets.restic-mail.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/mail.age"; - age.secrets.mail-password-leah.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age"; - age.secrets.mail-password-zugnetwork.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age"; + age.secrets.restic-mail.file = ./. + "/../../../secrets/${config.networking.hostName}/restic/mail.age"; + age.secrets.mail-password-leah.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-leah-ctu.cx.age"; + age.secrets.mail-password-vaultwarden.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-vaultwarden-ctu.cx.age"; + age.secrets.mail-password-zugnetwork.file = ./. + "/../../../secrets/${config.networking.hostName}/mail/password-mail-zug.network.age"; dns.zones = with pkgs.dns.lib.combinators; let TXT = [ "v=spf1 a mx ip4:${config.networking.primaryIP4} +ip6:${config.networking.primaryIP} ~all" ]; @@ -161,6 +162,10 @@ in { ]; }; + "vaultwarden@ctu.cx" = { + hashedPasswordFile = config.age.secrets.mail-password-vaultwarden.path; + }; + "mail@zug.network" = { hashedPasswordFile = config.age.secrets.mail-password-zugnetwork.path; aliases = [
diff --git a/machines/trabbi/vaultwarden.nix b/machines/trabbi/vaultwarden.nix @@ -0,0 +1,62 @@ +{ pkgs, config, ... }: + +{ + + dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ]; + + age.secrets = { + restic-vaultwarden.file = ./. + "/../../secrets/${config.networking.hostName}/restic/vaultwarden.age"; + vaultwarden-secrets = { + file = ./. + "/../../secrets/${config.networking.hostName}/vaultwarden-secrets.age"; + owner = "vaultwarden"; + group = "vaultwarden"; + }; + }; + + restic-backups.vaultwarden = { + user = "vaultwarden"; + passwordFile = config.age.secrets.restic-vaultwarden.path; + paths = [ "/var/lib/bitwarden_rs" ]; + }; + + systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ]; + + services = { + vaultwarden = { + enable = true; + dbBackend = "sqlite"; + backupDir = "/var/lib/bitwarden_rs/backups"; + environmentFile = config.age.secrets.vaultwarden-secrets.path; + config = { + DOMAIN = "https://vault.ctu.cx"; + SIGNUPS_ALLOWED = false; + + PUSH_ENABLED = true; + + SMTP_HOST = "trabbi.ctu.cx"; + SMTP_FROM = "vaultwarden@ctu.cx"; + SMTP_USERNAME = "vaultwarden@ctu.cx"; + SMTP_PORT = 587; + SMTP_SECURITY = "starttls"; + + ROCKET_ADDRESS = "::1"; + ROCKET_PORT = 8582; + }; + }; + + nginx = { + enable = true; + virtualHosts."vault.ctu.cx" = { + enableACME = true; + forceSSL = true; + kTLS = true; + locations."/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; + locations."/notifications/hub" = { + proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; + proxyWebsockets = true; + }; + }; + }; + }; + +}+ \ No newline at end of file
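Review bot: The `nginx` virtualHost for `vault.ctu.cx` proxies to `http://[::1]:8582` without visibly forwarding the client address, so unless `recommendedProxySettings` (or an explicit `proxy_set_header X-Real-IP $remote_addr;`) is enabled elsewhere in this host's nginx config, vaultwarden sees every request as coming from `::1`; its login rate limiting and failed-login lockouts then apply globally rather than per client, and the failed-login log is useless for triage. A one-line `recommendedProxySettings = true;` next to `enable = true;` in the `nginx` block addresses this, since vaultwarden's default `IP_HEADER` is `X-Real-IP`, which that setting populates. Separately, `restic-backups.vaultwarden` snapshots all of `/var/lib/bitwarden_rs`, which includes the live `db.sqlite3`; if that custom `restic-backups` option does not order itself after the backup service the NixOS module creates when `backupDir` is set, consider narrowing `paths` to the `backups` directory (plus `attachments`, `sends` and the `rsa_key*` files) or adding that ordering, so the restored database is a consistent sqlite `.backup` rather than a file copied mid-write. The contents of `environmentFile` (SMTP password, push credentials, any `ADMIN_TOKEN`) are opaque here; if an `ADMIN_TOKEN` is set, the argon2 PHC-string form is preferable to a plaintext token.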
diff --git a/secrets/secrets.nix b/secrets/secrets.nix @@ -78,6 +78,7 @@ in { "trabbi/matrix-synapse/s3_secrets.age".publicKeys = [ leah trabbi ]; "trabbi/restic/radicale.age".publicKeys = [ leah trabbi ]; + "trabbi/restic/vaultwarden.age".publicKeys = [ leah trabbi ]; "trabbi/restic/gitolite.age".publicKeys = [ leah trabbi ]; "trabbi/restic/pleroma.age".publicKeys = [ leah trabbi ]; "trabbi/restic/matrix-synapse.age".publicKeys = [ leah trabbi ]; @@ -85,10 +86,13 @@ in { "trabbi/restic/gotosocial.age".publicKeys = [ leah trabbi ]; "trabbi/mail/password-leah-ctu.cx.age".publicKeys = [ leah trabbi ]; + "trabbi/mail/password-vaultwarden-ctu.cx.age".publicKeys = [ leah trabbi ]; "trabbi/mail/password-mail-zug.network.age".publicKeys = [ leah trabbi ]; "trabbi/radicale-users.age".publicKeys = [ leah trabbi ]; + "trabbi/vaultwarden-secrets.age".publicKeys = [ leah trabbi ]; + "wanderduene/wireguard-privkey.age".publicKeys = [ leah wanderduene ]; "wanderduene/restic-server-htpasswd.age".publicKeys = [ leah wanderduene ];
diff --git a/secrets/trabbi/mail/password-vaultwarden-ctu.cx.age b/secrets/trabbi/mail/password-vaultwarden-ctu.cx.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaHkwOHpYdUlPRUUrOHd4 +dUxKSHJrcHl1ZzBkL3Jxb2E5emF1R2Y0bFcwCjJseHo1WHhCQkhZMjBNWDZkNW05 +Ky9yZXZ4WkN4cWJrVnJYMktnUWVSVjgKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IFVh +TmdRL2Ixdk1ESEY0S29RbnYyUkVkSEgzVGR5M1BWT20yNXNPWEp4QWMKa2VXY0Ez +VU8wMjZJM0VkVGtoZUVsR2dCa0R2NFFwWEp4M2gwZkVZQzJISQotPiBpLWdyZWFz +ZSBRZDFkcSBHfTQpOgplVlNyN2c5N2JhdDdoTWc2WTRBUmJxRzcxMGlIbitUSUNF +L0NmeFlUTmpnZExZTzdMcFJHcUFZVDFzYll2Rk1XClFSSFEwRWtVcEsvQmtEMHBn +YkVDTVZRRXlnCi0tLSBnZVowL1phWTZFYUxMdjVpRmQwekFDUXZkb25Ba1hDR0Jn +dWsrRnl3b0dZCgQYiKNKYJ3Zksdz4XojgVuiMNZWnAgHdNAuLsgDZKeViB3UQI5c +q70EoUo81QwQoxfRqq0cKs+kdXJ7GCi/uXgzVhMPAdkwON91bsKavIFs95cJAsla +L2kdg42U +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/restic/vaultwarden.age b/secrets/trabbi/restic/vaultwarden.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3aXlZRHdWbWVucWxDbU9M +MjdKNUhKRm5vT0VBQ2dtbGxaSjFTWE00b0NZCnRCTFBabzBsMEVuK0FPS1ZjNHp0 +YUhUNStYKzhqVVBKRTNmUC96Z1p0UzAKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IE93 +eFFxVTE4NkNTcW00dkEwN1FrclhBMHpHZ1QrNk9FZUVlQmVkN0tlbDAKWW5qR2R0 +ckRCd3Bwd2RZaVpudUR2OEU3QWlmSmUxYS9hMVd3VjBSYlpKNAotPiBgLWdyZWFz +ZSBlMjNqWS5eMCB+IHoKVkdYbHliMlNhOXlUQkNCUXNPeHZRaXl1MzhBTkpMS0tR +empYZFppRUtXa0JyRzlnVVVGSXFBRm9rVVByR3hDbAovY3NRMXFwdE5PWTMKLS0t +IGoyeEVwQW5FVy9PdGdldTRYZUlKUkwrRVN1dXJCQWl1b2svWVE4RElqY1EKgIgf +Z3las+5EMvEq5e1lU5wFGoVFXRSxsxU/kknJY33avmHzXovRW0vE9XLcWegr +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/vaultwarden-secrets.age b/secrets/trabbi/vaultwarden-secrets.age @@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKM01mWFpOZk94b0psSUxx +QnlYR1JEODJWZE96QkcxaUxCalluT1hpVkY4Ckdnb3lZZEdmQ0haRTdVYTMyQ3R2 +VTAwbFNYSFUvcmQ1Ym9hL0ZhamZwazAKLT4gc3NoLWVkMjU1MTkgVjB1VXJ3IE92 +MGY5U3lsWkZOMWV3Q3hXZEhSbWZKOHY2cVBabEdUaW5nYjAxWFZTbTgKTzRSZGdZ +cjl6Rms5T083dkc4NEhVc01iTHExY0NKcEhxNjVkLzBxeFJFZwotPiBEJi1ncmVh +c2UgPmw5dzggNi9TflFfIHxTCkdTQW5oSlVFSlVTekhEQlRsMEpFUld6eHZNdXk0 +Z29xc3VIVkF5eERKQ2ZDWDA5ZS9pNnJBaTVycmpBZXA3WFoKZ1pFUGo1dGo5SE5N +VG02SVdvbVVCajAKLS0tIGNkWjVSL09xQ09LYjBXaW4vaS9FbHkwbmlReWVsdWth +aXVYWEtwNzVhQkkKMVw/vLmH5bjPmgKyFf5xAAtkC4hDuvV62+ZVwocNlHzIk4V2 +tl3EKz7MgLYrQIuP7R7doBBqs5o7IKcToOziAW52B4NHO++7JghAdxJDYWJH/CTN +QUYIVjYj/fg60y9EDvP7fEXBSfnM+IfURPh8XuhZYweAvcMe7IEeP7Zf0RY92HqT +3IPzf+NwaYHeIaiJs0TNmRraxL/tN/oNqjgQc12HE/SEUnurhu6qxQSXCDF/uSB7 +OEWxTmUVl7tTyK1t7q/nNXOWELfqqjmyCpdGjyriTDvlD2MZrg31oUbHLnD3HITe +0MRhvcJHOLYOOqoFugnFH0+kZDQPkrTzLjM/Gc1+7yQD6waIbOnWYIifZTHE1YN9 +V266nK/NpxBk4vevjRU7y3w92J3iETPjyqPwIvNnpw== +-----END AGE ENCRYPTED FILE-----