move vaultwarden to fwminex

This commit is contained in:
Motiejus Jakštys 2024-08-03 06:53:37 +03:00
parent 70d2833fa0
commit 8c74bdca64
8 changed files with 84 additions and 58 deletions


@ -24,9 +24,6 @@ rec {
grafana = 3000;
gitea = 3001;
# not necessary from vaultwarden 1.29.0
vaultwarden_ws = 3012;
soju = 6697;
soju-ws = 6698;
matrix-synapse = 8008;


@ -210,6 +210,7 @@
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;


@ -178,9 +178,14 @@ in
};
services = {
sshguard.enable = false;
sshguard.enable = true;
gitea.enable = true;
hass.enable = true;
vaultwarden = {
enable = true;
port = myData.ports.vaultwarden;
secretsEnvFile = config.age.secrets.vaultwarden-secrets-env.path;
};
grafana = {
enable = true;
@ -229,6 +234,7 @@ in
"gitea"
"grafana"
"headscale"
"bitwarden_rs"
"private/photoprism"
];
patterns = [ "- gitea/data/repo-archive/" ];
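Review bot: `sshguard.enable` flips from false to true at the top of the first hunk, which has nothing to do with moving vaultwarden and is not mentioned in the commit message; either split it into its own commit or name it in the description so the change to SSH brute-force protection on this host is not lost in history. The new `vaultwarden` block itself is consistent with its neighbours: the port and the secret path both come from shared data rather than being typed inline. The enclosing `services` set and the borg path list both continue outside the hunks.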


@ -61,7 +61,6 @@
mountpoint = "/var/lib";
repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [
"bitwarden_rs"
"caddy"
"nsd-acme"
"tailscale"
@ -81,7 +80,6 @@
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [
"bitwarden_rs"
"caddy"
"nsd-acme"
"tailscale"
@ -255,7 +253,7 @@
X-Frame-Options "SAMEORIGIN"
}
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host}
}
'';
@ -381,40 +379,10 @@
'';
};
vaultwarden = {
enable = true;
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = myData.ports.vaultwarden;
LOG_LEVEL = "warn";
DOMAIN = "https://bitwarden.jakstys.lt";
SIGNUPS_ALLOWED = false;
INVITATION_ORG_NAME = "jakstys";
PUSH_ENABLED = true;
SMTP_HOST = "localhost";
SMTP_PORT = 25;
SMTP_SECURITY = "off";
SMTP_FROM = "admin@jakstys.lt";
SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
};
};
minidlna = {
enable = true;
openFirewall = true;
settings = {
media_dir = [ "/home/motiejus/video" ];
friendly_name = "vno1-oh2";
inotify = "yes";
};
};
syncthing.relay = {
enable = true;
providedBy = "11sync.net";
};
#syncthing.relay = {
# enable = true;
# providedBy = "11sync.net";
#};
};
systemd.services = {
@ -460,15 +428,6 @@
requires = [ "nsd-acme-irc.jakstys.lt.service" ];
};
vaultwarden = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
serviceConfig = {
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ];
};
};
cert-watcher = {
description = "Restart caddy when tls keys/certs change";
wantedBy = [ "multi-user.target" ];
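Review bot: The `reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden}` line now forwards vault traffic, including the `X-Real-IP` header set just below it, to another host instead of loopback, presumably as plain HTTP since no scheme is given, and nothing in this hunk records that the trust boundary moved off-host; a one-line `# upstream is on another host over the tailnet; see the TODO in the vaultwarden module` next to it would make that explicit for the next reader. The `-381,40 +379,10` hunk also removes `minidlna` entirely and turns `syncthing.relay` into commented-out config, neither of which the commit message mentions; if the relay is meant to return, a short comment saying why it is parked would help, otherwise delete the dead block rather than keep it commented. The `services` set and `systemd.services` both extend beyond the hunks shown.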


@ -20,6 +20,7 @@
./sshguard
./syncthing
./tailscale
./vaultwarden
./wifibackup
./zfsunlock
];


@ -0,0 +1,57 @@
{
config,
lib,
myData,
...
}:
let
cfg = config.mj.services.vaultwarden;
in
{
options.mj.services.vaultwarden = with lib.types; {
enable = lib.mkEnableOption "Enable vautwarden";
port = lib.mkOption { type = port; };
secretsEnvFile = lib.mkOption { type = path; };
};
config = lib.mkIf cfg.enable {
services.vaultwarden = {
enable = true;
config = {
# TODO http migration
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = cfg.port;
LOG_LEVEL = "warn";
DOMAIN = "https://bitwarden.jakstys.lt";
SIGNUPS_ALLOWED = false;
INVITATION_ORG_NAME = "jakstys";
PUSH_ENABLED = true;
SMTP_HOST = "localhost";
SMTP_PORT = 25;
SMTP_SECURITY = "off";
SMTP_FROM = "admin@jakstys.lt";
SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
};
};
systemd.services.vaultwarden = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
serviceConfig = {
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ];
};
};
mj.services.friendlyport.ports = [
{
subnets = [ myData.subnets.tailscale.cidr ];
tcp = [ cfg.port ];
}
];
};
}
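Review bot: `ROCKET_ADDRESS = "0.0.0.0"` combined with the `friendlyport` entry that opens `cfg.port` to all of `myData.subnets.tailscale.cidr` exposes the unproxied listener to every tailnet peer, not only the caddy host that now fronts it, and as far as I recall vaultwarden reads the client address from the `X-Real-IP` header by default, so a peer reaching the port directly can present any value there in the login logs. The `# TODO http migration` comment suggests this is known, but I would narrow `subnets` to the proxy host (`"<vno1-oh2 tailnet address>/32"`) or bind `ROCKET_ADDRESS` to the host's tailnet address rather than all interfaces, and say in the comment which of the two is planned. `lib.mkEnableOption "Enable vautwarden"` has a typo and, since `mkEnableOption` already prefixes "Whether to enable", should read `lib.mkEnableOption "vaultwarden"`. As a style point, `DOMAIN` and the SMTP settings stay hard-coded while `port` and `secretsEnvFile` were lifted into options; a `domain` option would make the module reusable beyond this one host.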


@ -33,7 +33,6 @@ in
// mk ([ vno1-oh2 ] ++ motiejus) [
"secrets/vno1-oh2/borgbackup/password.age"
"secrets/letsencrypt/account.key.age"
"secrets/vaultwarden/secrets.env.age"
"secrets/synapse/jakstys_lt_signing_key.age"
"secrets/synapse/registration_shared_secret.age"
@ -50,13 +49,19 @@ in
"secrets/mtworx/syncthing/key.pem.age"
"secrets/mtworx/syncthing/cert.pem.age"
]
// mk (
[
fwminex
vno1-oh2
]
++ motiejus
) [ "secrets/grafana.jakstys.lt/oidc.age" ]
//
mk
(
[
fwminex
vno1-oh2
]
++ motiejus
)
[
"secrets/grafana.jakstys.lt/oidc.age"
"secrets/vaultwarden/secrets.env.age"
]
// mk ([ fwminex ] ++ motiejus) [
"secrets/motiejus_server_passwd_hash.age"
"secrets/root_server_passwd_hash.age"
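Review bot: `"secrets/vaultwarden/secrets.env.age"` is now encrypted to both `fwminex` and `vno1-oh2`, but after this commit only fwminex consumes it (the vno1-oh2 service and its `LoadCredential` are removed elsewhere in the change), so the vno1-oh2 recipient is a leftover grant rather than a need. Move the path into the `mk ([ fwminex ] ++ motiejus) [` list a few lines below instead of the shared fwminex/vno1-oh2 group, and rekey so the `.age` file drops the extra recipient; the binary file in this commit is presumably that rekey, worth confirming it was generated after the recipient list was final. The grafana OIDC entry in the shared group is unchanged by this note.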

Binary file not shown.