From 721a9b2c5cb546813b6acc7eda80bef81785edfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Thu, 7 Sep 2023 10:51:27 +0300 Subject: [PATCH] vaultwarden: add admin secret --- flake.nix | 1 + hosts/vno1-oh2/configuration.nix | 14 ++++++++++++-- secrets.nix | 1 + secrets/vaultwarden/admin.env.age | Bin 0 -> 760 bytes 4 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 secrets/vaultwarden/admin.env.age diff --git a/flake.nix b/flake.nix index b3584a9..050aa6f 100644 --- a/flake.nix +++ b/flake.nix @@ -64,6 +64,7 @@ age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age; age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age; + age.secrets.vaultwarden-admin-env.file = ./secrets/vaultwarden/admin.env.age; age.secrets.synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age; age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index a8e7a79..0b59b0f 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -412,12 +412,13 @@ vaultwarden = { enable = true; + config = { ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = myData.ports.vaultwarden; - DOMAIN = "https://bitwarden.jakstys.lt"; - SIGNUPS_ALLOWED = false; ROCKET_LOG = "critical"; + DOMAIN = "https://bitwarden.jakstys.lt"; + SIGNUPS_ALLOWED = true; # TODO remove after 1.29.0 WEBSOCKET_ENABLED = true; @@ -472,6 +473,15 @@ requires = ["nsd-acme-irc.jakstys.lt.service"]; }; + vaultwarden = { + serviceConfig = { + environmentFile = ["$CREDENTIALS_DIRECTORY/admin.env"]; + LoadCredential = [ + "admin.env:${config.age.secrets.vaultwarden-admin-env.path}" + ]; + }; + }; + grafana = { preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret"; serviceConfig = { 
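Review bot: `SIGNUPS_ALLOWED` changes from `false` to `true` in the `config` attrset of the first `hosts/vno1-oh2/configuration.nix` hunk, which the subject line ("add admin secret") does not mention. With `DOMAIN = "https://bitwarden.jakstys.lt"`, this presumably lets anyone who can reach the instance register an account on the password manager. If open registration is only needed temporarily, keep `SIGNUPS_ALLOWED = false;` and invite users from the admin panel this commit is setting up. If the change is intentional, state it on the line, for example `SIGNUPS_ALLOWED = true; # TODO: set back to false once accounts are created`. The `config` attrset continues past the end of the hunk.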
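Review bot: The lowercase `environmentFile` key in the new `vaultwarden.serviceConfig` (second `hosts/vno1-oh2/configuration.nix` hunk) is probably never applied. `serviceConfig` attributes are written into the unit verbatim and the systemd directive is the case-sensitive `EnvironmentFile`, so systemd would ignore the unknown key and the admin secret would not reach the process. Correcting the case is likely not sufficient, because `EnvironmentFile=` does not expand `$CREDENTIALS_DIRECTORY` and, as far as I know, is read before the credentials directory is populated. The simpler route is to drop the `LoadCredential` indirection and use the module option, `services.vaultwarden.environmentFile = config.age.secrets.vaultwarden-admin-env.path;`. The enclosing attrset (apparently the systemd services set) starts outside the hunk, so this is inferred from the neighbouring `grafana` entry.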
diff --git a/secrets.nix b/secrets.nix index 52a72e6..aff9633 100644 --- a/secrets.nix +++ b/secrets.nix @@ -26,6 +26,7 @@ in "secrets/grafana.jakstys.lt/oidc.age" "secrets/letsencrypt/account.key.age" "secrets/headscale/oidc_client_secret2.age" + "secrets/vaultwarden/admin.env.age" "secrets/synapse/jakstys_lt_signing_key.age" "secrets/synapse/registration_shared_secret.age" diff --git a/secrets/vaultwarden/admin.env.age b/secrets/vaultwarden/admin.env.age new file mode 100644 index 0000000000000000000000000000000000000000..8e368c75526c2c5be2a2a85ba395c4b7218baba1 GIT binary patch literal 760 zcmY+-NsH59002-yP^pTC5ibh12So_AO`4?5MNQhYO{Q(Sq)ihKlF8C6O_wz3msCU$ zK?Ik>fQ%Op!YGKMB8Z3}B8VU(qKJryh@c)^84*-ubnxW+15fT~ajmDg;lMNdy`6ox zlNiI1_^#+^WW+TU!7!MJc38Jq>qIrQ<>k^|vzuyLAjtA*p+vwGLpivU*T_&DXkI4Hiqx^49(rm5CZz6qChK zJq4?}XNq{%ZzcR3QpKe(E2cu=l0?A*88{Qc3yxoGu{bwDq-K-0Gj^)nF1W!A;bgl~ zMo8xpkT!Ng%>>KCz#PX12!=|UJQyfE54u0Dk&b$KwLEx$o_y)QKLr= zhdu!eC}hX=5`WHKo>i%AO!5R~DKknAvwRAM7#6Hah+(?c89kPH7N@p#nkOEMv` z0>>u_8h8@}^ewW-b0)=ms*BkyMj8_=nT1+tWZmP1H`}*<-h5(Tc>2hur{k+Jf4I1M z;rR2ZQwK}8zs+wvdGpqN>-?n;XMg;jzeDJ+wmC08u062h`@@wdf6CO`{rjl5>MZ&6 z%?0sylr@Xx}@yT#Eby%6YAsxH+;Pq1J;ZjVO t13L0+?##R7RPFB3+0`h&c<9Tc#b577kJbQRd=N9|K3speVgBpOr9blj6y*Q_ literal 0 HcmV?d00001