commit ae00d3dcedc99ef7fc1b63c9e02548e58b9bf337
parent 9c6894cb058da3ddb1aeee449bc96f7eb731aba0
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 2 Dec 2024 20:34:42 +0100
parent 9c6894cb058da3ddb1aeee449bc96f7eb731aba0
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 2 Dec 2024 20:34:42 +0100
machiines/trabbi: move `vaultwarden` to host `hector`
9 files changed, 95 insertions(+), 95 deletions(-)
diff --git a/machines/hector/default.nix b/machines/hector/default.nix
@@ -15,6 +15,9 @@
 # cal- and card-dav server
 ./radicale.nix
+ # vaultwarden password-store
+ ./vaultwarden.nix
+
 ./syncthing.nix
 ];
diff --git a/machines/hector/vaultwarden.nix b/machines/hector/vaultwarden.nix
@@ -0,0 +1,62 @@
+{ pkgs, config, ... }:
+
+{
+
+ dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets = {
+ restic-vaultwarden.file = ./. + "/../../secrets/${config.networking.hostName}/restic/vaultwarden.age";
+ vaultwarden-secrets = {
+ file = ./. + "/../../secrets/${config.networking.hostName}/vaultwarden-secrets.age";
+ owner = "vaultwarden";
+ group = "vaultwarden";
+ };
+ };
+
+ restic-backups.vaultwarden = {
+ user = "vaultwarden";
+ passwordFile = config.age.secrets.restic-vaultwarden.path;
+ paths = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"];
+ };
+
+ systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];
+
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ backupDir = "/var/backups/vaultwarden";
+ environmentFile = config.age.secrets.vaultwarden-secrets.path;
+ config = {
+ DOMAIN = "https://vault.ctu.cx";
+ SIGNUPS_ALLOWED = false;
+
+ PUSH_ENABLED = true;
+
+ SMTP_HOST = "trabbi.ctu.cx";
+ SMTP_FROM = "vaultwarden@ctu.cx";
+ SMTP_USERNAME = "vaultwarden@ctu.cx";
+ SMTP_PORT = 587;
+ SMTP_SECURITY = "starttls";
+
+ ROCKET_ADDRESS = "::1";
+ ROCKET_PORT = 8582;
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."vault.ctu.cx" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ locations."/notifications/hub" = {
+ proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+}
+ \ No newline at end of file
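Review bot: The nginx vhost for vault.ctu.cx proxies to Rocket on ::1 but this file does not enable `recommendedProxySettings`, and vaultwarden's login and admin-panel rate limiting keys on the client address read from the forwarded IP header (X-Real-IP by default); if that header is not set by a shared nginx module elsewhere in the repo, every client is seen as ::1 and the limiter throttles all users together instead of the one source it should. Adding `recommendedProxySettings = true;` next to `enable = true;` under `nginx` would forward the real address, if it is not already done elsewhere. `SMTP_HOST = "trabbi.ctu.cx"` named the local mail relay before the move and now names a remote host, so the SMTP credentials from the environment file leave hector on port 587; STARTTLS is what keeps that acceptable, and a comment such as `# mail is relayed via trabbi; keep SMTP_SECURITY = "starttls"` would record that dependency. The contents of /var/lib/vaultwarden and /var/backups/vaultwarden are not migrated by this commit, so the backup paths here only cover data once the sqlite database and attachments have been copied to hector.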
diff --git a/machines/trabbi/default.nix b/machines/trabbi/default.nix
@@ -11,9 +11,6 @@
 # git server (gitolite+stagit)
 ./git.nix
- # vaultwarden password-store
- ./vaultwarden.nix
-
 # communication
 ./fedi
 ./matrix
diff --git a/machines/trabbi/vaultwarden.nix b/machines/trabbi/vaultwarden.nix
@@ -1,62 +0,0 @@
-{ pkgs, config, ... }:
-
-{
-
- dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
-
- age.secrets = {
- restic-vaultwarden.file = ./. + "/../../secrets/${config.networking.hostName}/restic/vaultwarden.age";
- vaultwarden-secrets = {
- file = ./. + "/../../secrets/${config.networking.hostName}/vaultwarden-secrets.age";
- owner = "vaultwarden";
- group = "vaultwarden";
- };
- };
-
- restic-backups.vaultwarden = {
- user = "vaultwarden";
- passwordFile = config.age.secrets.restic-vaultwarden.path;
- paths = [ "/var/lib/bitwarden_rs" "/var/lib/vaultwarden_backups"];
- };
-
- systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];
-
- services = {
- vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- backupDir = "/var/lib/vaultwarden_backups";
- environmentFile = config.age.secrets.vaultwarden-secrets.path;
- config = {
- DOMAIN = "https://vault.ctu.cx";
- SIGNUPS_ALLOWED = false;
-
- PUSH_ENABLED = true;
-
- SMTP_HOST = "trabbi.ctu.cx";
- SMTP_FROM = "vaultwarden@ctu.cx";
- SMTP_USERNAME = "vaultwarden@ctu.cx";
- SMTP_PORT = 587;
- SMTP_SECURITY = "starttls";
-
- ROCKET_ADDRESS = "::1";
- ROCKET_PORT = 8582;
- };
- };
-
- nginx = {
- enable = true;
- virtualHosts."vault.ctu.cx" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- locations."/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
- locations."/notifications/hub" = {
- proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
- proxyWebsockets = true;
- };
- };
- };
- };
-
-}
- \ No newline at end of file
diff --git a/secrets/hector/restic/vaultwarden.age b/secrets/hector/restic/vaultwarden.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ1VkQjB4SlBUV0ZKZXZI +czdVSVJ1VVJVTG1NSHE4QzFxUmJYTEt1R1RRCm1uOWE4RVlLcG5WM1pQMmtmcjhr +RStWblVHR0dqeFN6UDNBMGh0ZVVxSjAKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIEhu +OUNEYmxNOHZaL2M4ajVDQXRUcnArOHphUDZNbFJIWk5XLzNpK3VkMm8KajA1bFFD +bU80VkFEMzc1MldCMkpwR3g5S1A4bEc4UU9HTlRmYjNqeGJHRQotPiBtRjpdLWdy +ZWFzZSB2cWt8KGRBIF0gdCAqOk8yXCUsZQpydTNFZHVnc1VHVG5UZTdLdktHR2JV +QQotLS0gazFkK2RJZHJuSnNUQUpZdklOcVgxd3RjN1JjN21qelpBczhEVmY1cjkz +UQqEXY4d6+Z6F2cREq4ewm2PosSIAUNNW93h7YF3OPdDLJ2luTwgX09ZWrRW718a +mjg= +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/vaultwarden-secrets.age b/secrets/hector/vaultwarden-secrets.age @@ -0,0 +1,16 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlMrNzFFcjF1YURMNGxY +Q3ZmNDZqcUpsbUd6dnc2WHBGdkJJOVIvK25nCmoxaSsvN0RwbGtZMHhOY3lyZDZ6 +aVMvaGNFZkhlV2Q0Z285THFBZG5Va1EKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIFJQ +Q2t0eXR2ZHdRSjFoMXpDeStVK0sybDdVamhJWHMvTHFjUjVncVMweUUKOWhUZDJo +N20wTTNxYmJoNmg2QUk5ZVZiVXRRUFdIdXVKY1d6clVSajEzYwotPiBZJWlUL3ln +LWdyZWFzZQpQZEJ2TmdGN09VUHo3SjkyTUpHVVVTK0FhWFdlVWxEazdDRDN5bkVv +dWpEVVpiREQ1TVN3cG9Oa0l4K1pzL2tyCk9IYwotLS0gdjBjM1lsTUxGWXFtck1o +RVRSSlFhWFRjOUlmOG5nanVlYkJlTzRjVktwdwriVc16cfrAyR+SXCRf+62O2/yH +wtOqTQDxs3sOOyTcl8Rj8MPtz1bjoY+xnU/VQx/Anfmuyn7f6DYUDOg7p6bcQ0s/ +EuhvDH2AdcgZZyV8ODxwGFqAJM9KFnC7lFDd8MDutBuu18ku7UKtGA9qpFkArkkV +rA/lncbS+wWgkLtZqSuJoqV8/5LfqM58vJz9jfJtAH0zlyyH7+WG+eJv3gApDbng +89ooWFHueQcB5B1p0N+TUluymvGBfNATwjSX4Q0CJZKaED2SGUctGMJVnnaSPdTG +q2mqOzFMeoWe221ltilqPGYej37519N8KTkreOT+Dex0VpRpel0INv8NFMzfLnIg +KnUkBQVbPjrOEwrBlUTE5ySWtctIoPbaauciNvluMQkwFNEkG3vT9zMUwda7/vvN +-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -71,11 +71,9 @@ in {
 "trabbi/restic/matrix-synapse.age".publicKeys = [ main-key trabbi ];
 "trabbi/restic/ctucx-things.age".publicKeys = [ main-key trabbi ];
 "trabbi/restic/gitolite.age".publicKeys = [ main-key trabbi ];
- "trabbi/restic/vaultwarden.age".publicKeys = [ main-key trabbi ];
 "trabbi/restic/gotosocial.age".publicKeys = [ main-key trabbi ];
 "trabbi/travelynx2fedi-env.age".publicKeys = [ main-key trabbi ];
- "trabbi/vaultwarden-secrets.age".publicKeys = [ main-key trabbi ];
 "trabbi/gotosocial-env.age".publicKeys = [ main-key trabbi ];
 "trabbi/matrix-synapse/registration_shared_secret.age".publicKeys = [ main-key trabbi ];
@@ -93,11 +91,13 @@ in {
 "hector/restic/radicale.age".publicKeys = [ main-key hector ];
+ "hector/restic/vaultwarden.age".publicKeys = [ main-key hector ];
 "hector/syncthing/key.age".publicKeys = [ main-key hector ];
 "hector/syncthing/cert.age".publicKeys = [ main-key hector ];
 "hector/radicale-users.age".publicKeys = [ main-key hector ];
+ "hector/vaultwarden-secrets.age".publicKeys = [ main-key hector ];
 "wanderduene/wireguard-privkey.age".publicKeys = [ main-key wanderduene ];
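Review bot: The two hector entries added here point at freshly encrypted files and the trabbi entries are dropped, but nothing in the commit shows whether the plaintext inside (whatever the vaultwarden environment file holds, and the restic repository password) was changed along with the recipient; if it was carried over unchanged, those values remain known to trabbi, which keeps running and can still decrypt the deleted files from git history with its host key. Rotating the secrets as part of the host move, or stating in the description that this was done, would close that gap. Both hunks sit inside the `in {` attribute set, which begins and ends outside the shown lines.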
diff --git a/secrets/trabbi/restic/vaultwarden.age b/secrets/trabbi/restic/vaultwarden.age @@ -1,10 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFa2NwYVJPWTZtZ3hVTGRS -cUhPWWZ6Tk9YY3Z0Tk5RTFV0Ujk5NEoxa0U0CkJyTDA1QzBqU2czTFJCa2JPNWVJ -M3RiNGYzZ2o3eDQybDR4enRxdlR1cWsKLT4gc3NoLWVkMjU1MTkgcThvY3pnIFNR -bmIwckxWTzEwdUZsTjc2d2ZVOXNNcngyb0VjMlIvRDB3QUNvMkE4WHMKT21IdkE4 -ZWxQSWltK29CUHBFc213Z1VtNDhDaEYvZzFIUGNGUDZKeXJvdwotPiAoITVNSiw2 -LWdyZWFzZSBHKCBiblQ0L0YpJApHVE10VXBaK3J6RCtiblExQ2dRaTNBCi0tLSBp -V2N5WERDejR5dU9iSDVMRzNOT0RVY3hqV0xwaGJMdy8wTHNRUC9zVUg4CrukbHSx -F9HVeo+Dd9s7aFb1CaickbIy6GNLbpfYMGB1A3MSSX5GKP0KFOWt9hGPUw== ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/trabbi/vaultwarden-secrets.age b/secrets/trabbi/vaultwarden-secrets.age @@ -1,17 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2L0g5cThDeWw5bTFuODlx -OG9zaDNuOGNYbVp2a1dqY0ZPcFdqTGs3K0ZjCkFsZUZxY1N6Vzhjb1AvdjVnWVhh -cExLaFoxbDJkU2wyM1RvZ3dySzAvZm8KLT4gc3NoLWVkMjU1MTkgcThvY3pnIEdX -dVZKQ3VBVW9PaGFxRGhGK1JucFduOHlCS0tjRHF0L2FmdjR4ZXJxVFEKSmhsTEp0 -azVPYU84dVk2Rzg3NFF2Y1JGYVdYajU2ejg2NUROZUlsTXpsQQotPiAwd10tZ3Jl -YXNlIH1gWzNZCmdhZk5FYzVnSDdCRTBCc2xpeWNuNGZaZlBnZk1rRzJFZVJUVHhB -QXZVK0EyY1FrbjRlMFlUWUVWNWdkU3Uzbi8KbG1NWEF0Zmc1Yy8wTlVKc056Wm4z -TGFqOUx3N3dDUmFGYjhxYkxrCi0tLSBwQ3crZ0h6d0RiUXhCMXphTHI5bndyMm95 -Nm8yeW90OGFWaUhrK3ZDTzBjCtYOmi5qEUi1Brb4jQZoiBFfBlpqNBJpEbpSmB71 -Rwfq686KbPDCLxWkt2q04feITmFREGTcEywojJBewlbrm3KbOV5aHR3d5x92BzEw -jcs9R3NOKeDQFurE7pqdoFq+953n9YmXN0gzh11EKfB7eZy0R1/IWYvLeMXS6Zw9 -O+XOpHn6EmCRgqS8aziffacKB0wzVLTP/5T5D6jMFuH1JImQKw+R8pcu4GYVRzW8 -AZ2sNdZd3aPU/RavajkOsRkYrxx/xCCPxA/UJYzU9NdOjW7VQ23QAsus6lxRf3zE -MRaLrW/ZlWpHuwEVKaKEO2luKD9OGC3qiAXzDeOF449JqODuC7c38CSZsIGHDHEK -WY5Bv/a/jbgbi86+e4PV5VD9umjSLBFoPOMDHYmTz1rdc/E2sTM= ------END AGE ENCRYPTED FILE-----