From 8c74bdca646f0d051efc9f47e310bb66e54d3460 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= Date: Sat, 3 Aug 2024 06:53:37 +0300 Subject: [PATCH] move vaultwarden to fwminex --- data.nix | 3 -- flake.nix | 1 + hosts/fwminex/configuration.nix | 8 +++- hosts/vno1-oh2/configuration.nix | 51 ++------------------ modules/services/default.nix | 1 + modules/services/vaultwarden/default.nix | 57 +++++++++++++++++++++++ secrets.nix | 21 +++++---- secrets/vaultwarden/secrets.env.age | Bin 858 -> 968 bytes 8 files changed, 84 insertions(+), 58 deletions(-) create mode 100644 modules/services/vaultwarden/default.nix diff --git a/data.nix b/data.nix index f7839f0..a68c345 100644 --- a/data.nix +++ b/data.nix @@ -24,9 +24,6 @@ rec { grafana = 3000; gitea = 3001; - # not necessary from vaultwarden 1.29.0 - vaultwarden_ws = 3012; - soju = 6697; soju-ws = 6698; matrix-synapse = 8008; diff --git a/flake.nix b/flake.nix index e66cefc..8194f9a 100644 --- a/flake.nix +++ b/flake.nix @@ -210,6 +210,7 @@ headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age; grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; + vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index af5acbc..7e4e06d 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -178,9 +178,14 @@ in }; services = { - sshguard.enable = false; + sshguard.enable = true; gitea.enable = true; hass.enable = true; + vaultwarden = { + enable = true; + port = myData.ports.vaultwarden; + secretsEnvFile = config.age.secrets.vaultwarden-secrets-env.path; + }; grafana = { enable = true; 
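Review bot: `sshguard.enable` flips from `false` to `true` in the same hunk that enables vaultwarden, a host-wide behaviour change that the commit title ("move vaultwarden to fwminex") does not mention and that a reader of the history will not expect to find here. Enabling an SSH brute-force blocker on the host that now serves the password vault is a sensible hardening step, but it should either be its own commit or be called out in the description, and a one-line comment such as `# sshguard on: this host now exposes vaultwarden to the tailnet` next to it would make the intent explicit. The `services = {` attrset this hunk edits continues past the end of the hunk.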
@@ -229,6 +234,7 @@ in "gitea" "grafana" "headscale" + "bitwarden_rs" "private/photoprism" ]; patterns = [ "- gitea/data/repo-archive/" ]; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index 0ec5e4d..451dd41 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -61,7 +61,6 @@ mountpoint = "/var/lib"; repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib"; paths = [ - "bitwarden_rs" "caddy" "nsd-acme" "tailscale" @@ -81,7 +80,6 @@ myData.hosts."vno3-rp3b.servers.jakst".jakstIP }:${config.networking.hostName}.${config.networking.domain}-var_lib"; paths = [ - "bitwarden_rs" "caddy" "nsd-acme" "tailscale" @@ -255,7 +253,7 @@ X-Frame-Options "SAMEORIGIN" } - reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { + reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} { header_up X-Real-IP {remote_host} } ''; @@ -381,40 +379,10 @@ ''; }; - vaultwarden = { - enable = true; - - config = { - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = myData.ports.vaultwarden; - LOG_LEVEL = "warn"; - DOMAIN = "https://bitwarden.jakstys.lt"; - SIGNUPS_ALLOWED = false; - INVITATION_ORG_NAME = "jakstys"; - PUSH_ENABLED = true; - - SMTP_HOST = "localhost"; - SMTP_PORT = 25; - SMTP_SECURITY = "off"; - SMTP_FROM = "admin@jakstys.lt"; - SMTP_FROM_NAME = "Bitwarden at jakstys.lt"; - }; - }; - - minidlna = { - enable = true; - openFirewall = true; - settings = { - media_dir = [ "/home/motiejus/video" ]; - friendly_name = "vno1-oh2"; - inotify = "yes"; - }; - }; - - syncthing.relay = { - enable = true; - providedBy = "11sync.net"; - }; + #syncthing.relay = { + # enable = true; + # providedBy = "11sync.net"; + #}; }; systemd.services = { 
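Review bot: The Caddy upstream moves from `127.0.0.1` to `${fwminex-jakst}`, so the hop between the TLS terminator on vno1-oh2 and vaultwarden is now plain HTTP across the network instead of loopback; vault contents are end-to-end encrypted by the Bitwarden clients, but session tokens and the master-password hash sent at login are not, so this is only acceptable if `fwminex-jakst` resolves to a Tailscale (WireGuard) address, which the name suggests but nothing in the hunk shows. I would record that assumption at the point where the upstream is chosen, e.g. `# plaintext HTTP upstream: fwminex-jakst must be the tailnet address, never a public one` above the `reverse_proxy` line. A side effect of the new topology worth noting is that vaultwarden trusts `X-Real-IP` for its login rate limiting, so any tailnet peer able to reach the port directly can now set that header itself. The site block enclosing this `reverse_proxy` starts before the hunk and the definition of `fwminex-jakst` is outside it.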
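Review bot: Besides removing the `vaultwarden` block, this hunk also deletes the `minidlna` service (which had `openFirewall = true`) and comments out `syncthing.relay`, two unrelated service shutdowns that change the host's exposure and that the commit message does not cover; they should be a separate commit, and the disabled `syncthing.relay` deserves a `# disabled: <reason>` line rather than bare `#` prefixes. Separately, `/var/lib/bitwarden_rs` on vno1-oh2 still holds the old vault database after this patch but is dropped from both borgbackup `paths` lists in the earlier hunks, so it becomes an unbacked-up, stale copy of password data; once the migration to fwminex is verified that directory should be removed deliberately rather than left behind. The enclosing `services = {` attrset starts before this hunk.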
@@ -460,15 +428,6 @@ requires = [ "nsd-acme-irc.jakstys.lt.service" ]; }; - vaultwarden = { - preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env"; - serviceConfig = { - EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ]; - RuntimeDirectory = "vaultwarden"; - LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ]; - }; - }; - cert-watcher = { description = "Restart caddy when tls keys/certs change"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/services/default.nix b/modules/services/default.nix index ec3d45a..c70a885 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -20,6 +20,7 @@ ./sshguard ./syncthing ./tailscale + ./vaultwarden ./wifibackup ./zfsunlock ]; diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden/default.nix new file mode 100644 index 0000000..ffd7fa6 --- /dev/null +++ b/modules/services/vaultwarden/default.nix 
@@ -0,0 +1,57 @@ +{ + config, + lib, + myData, + ... +}: +let + cfg = config.mj.services.vaultwarden; +in +{ + options.mj.services.vaultwarden = with lib.types; { + enable = lib.mkEnableOption "Enable vautwarden"; + port = lib.mkOption { type = port; }; + secretsEnvFile = lib.mkOption { type = path; }; + }; + + config = lib.mkIf cfg.enable { + services.vaultwarden = { + enable = true; + + config = { + # TODO http migration + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = cfg.port; + LOG_LEVEL = "warn"; + DOMAIN = "https://bitwarden.jakstys.lt"; + SIGNUPS_ALLOWED = false; + INVITATION_ORG_NAME = "jakstys"; + PUSH_ENABLED = true; + + SMTP_HOST = "localhost"; + SMTP_PORT = 25; + SMTP_SECURITY = "off"; + SMTP_FROM = "admin@jakstys.lt"; + SMTP_FROM_NAME = "Bitwarden at jakstys.lt"; + }; + }; + + systemd.services.vaultwarden = { + preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env"; + serviceConfig = { + EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ]; + RuntimeDirectory = "vaultwarden"; + LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ]; + }; + }; + + mj.services.friendlyport.ports = [ + { + subnets = [ myData.subnets.tailscale.cidr ]; + tcp = [ cfg.port ]; + } + ]; + + }; + +} diff --git a/secrets.nix b/secrets.nix index 713a735..d88a960 100644 --- a/secrets.nix +++ b/secrets.nix @@ -33,7 +33,6 @@ in // mk ([ vno1-oh2 ] ++ motiejus) [ "secrets/vno1-oh2/borgbackup/password.age" "secrets/letsencrypt/account.key.age" - "secrets/vaultwarden/secrets.env.age" "secrets/synapse/jakstys_lt_signing_key.age" "secrets/synapse/registration_shared_secret.age" 
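Review bot: `ROCKET_ADDRESS = "0.0.0.0"` binds the plaintext vaultwarden listener on every interface, so the `friendlyport` rule limiting `cfg.port` to `myData.subnets.tailscale.cidr` is the only thing keeping it off other networks, and the `# TODO http migration` comment above it does not say what is still pending. Binding to the host's tailnet address would give defence in depth, e.g. `ROCKET_ADDRESS = myData.hosts."${config.networking.hostName}.${config.networking.domain}".jakstIP;` if `jakstIP` is the Tailscale address as its use for the vno1-oh2 backup target suggests, and the TODO should become a comment stating that this is HTTP terminated by Caddy on vno1-oh2 and reachable over the tailnet only. The `-` prefix on `EnvironmentFile` makes a missing `/run/vaultwarden/secrets.env` non-fatal; `LoadCredential` already fails the unit when the secret is absent so this is probably safe, but `services.vaultwarden.environmentFile` from the upstream NixOS module, if available in the release in use, would express the same without the `preStart` symlink. Two smaller points: `DOMAIN` and the SMTP sender are hard-coded while `port` and `secretsEnvFile` are options, so `DOMAIN` should be an option too if the module is meant to be reusable, and the `mkEnableOption` description misspells the service as "vautwarden".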
@@ -50,13 +49,19 @@ in "secrets/mtworx/syncthing/key.pem.age" "secrets/mtworx/syncthing/cert.pem.age" ] -// mk ( - [ - fwminex - vno1-oh2 - ] - ++ motiejus -) [ "secrets/grafana.jakstys.lt/oidc.age" ] +// + mk + ( + [ + fwminex + vno1-oh2 + ] + ++ motiejus + ) + [ + "secrets/grafana.jakstys.lt/oidc.age" + "secrets/vaultwarden/secrets.env.age" + ] // mk ([ fwminex ] ++ motiejus) [ "secrets/motiejus_server_passwd_hash.age" "secrets/root_server_passwd_hash.age" diff --git a/secrets/vaultwarden/secrets.env.age b/secrets/vaultwarden/secrets.env.age index ad3e9948677972ded80e50a06e6b1b9973743f40..21e6d91ec25d763bfd9f84ea53a0ceb68dd4c825 100644 GIT binary patch literal 968 zcmZ9{>ucNu008i*6Iljx(oNZldKO>XdCTK2xg4#Jz3Xty&;<1C70YQ?_6@A zQ$dQ`VBiY zUES#KGwc@V!$9n*h~sE6rHP;@oQkMcNy3N-YwDEP3n48{3lx|u<1Lm-RuK{mFsjJf zFz==q*8(v%mj$c81P$Z{|s)lRLLi8Ezp@PDmE+j*fC zp&be7qxqsyD6xfFMo!tFh4M)&F$Hzg*^Y`)Xo?62L8E5?hQshl-c%&5!a2?8l%&xL zm-ndsQq+&?ZP4l!Dj5q^(E8t+_)n{z@!*~qNyo-f1d5a z9@hccP(moGIN&>YvuPu>cv=t?xSGY-R2K(4FzOpa-m81gm_g$e~h)R|Uiz=8J5RjFf%o{8X zSytJl{G<*r)wo*?<5Ht$HAT0cb*Fl;1*V{KRp5$68aC@%A*PZfx0edGEys$g!WkI(qQglcPV&AK&~VH+$P-X8qv%7n0Mbb`Wzv z6nEV_bLT_xSFX3;7`^u3rq~CIyC>E+y?grN%z;n)Yr*#Eh2OBwYlnaXYxz@;ETK;( zS6|5N{Qk)A&##}Jz3=$BZx_!!ch3ar@A>))v8um3oS*yR=C8d=8*@JnQsXz8<-JR1 bH&z~g6f)Yxm9G-)G;E@>}qb4k-QNz?Ww+FqJ|CgPhrVKBib|AHUCZ^wTe zJ2E$HGQF(O1ZhF3tDfPs2qxuvY7H@aZrMY#DVvuS;^F$7S(VrO>F?V*#~@ zvkCKmgajct&B2Y9PT^fQ+mi=8RKdd*F%U}vpAuyc(I8xvH7W@>kPPX?@C(gMSC zqqdbJ-+y|?{-aOa zzW4w*T38=H^?c*QZ;rin{rDS!xelj)J^BzDz%Sn{4G*^0UG?&=ODCi3#ofne?_K-t znSEn$>)+=Q)6fR+=Tevp>sd|J~i6)$*A@(6SFFn
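Review bot: `secrets/vaultwarden/secrets.env.age` is moved into the group encrypted to both `fwminex` and `vno1-oh2` (plus `motiejus`), yet after this patch vaultwarden runs only on fwminex and vno1-oh2 merely proxies to it, so vno1-oh2 no longer needs to decrypt whatever that env file holds (admin token, SMTP credentials); keeping it as a recipient widens the blast radius of vno1-oh2's host key for no benefit. Unless vno1-oh2 is deliberately kept for a rollback window, move the path into the `mk ([ fwminex ] ++ motiejus) [ … ]` group below and re-key the blob once more (the accompanying re-encryption grew it from 858 to 968 bytes, consistent with an added recipient). If vno1-oh2 still declares `vaultwarden-secrets-env` in its own `age.secrets` block — this patch adds the declaration for fwminex in `flake.nix` but removes none — drop it there too, otherwise activation on vno1-oh2 will fail once it is no longer a recipient.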