move vaultwarden to fwminex

Motiejus Jakštys 2024-08-03 06:53:37 +03:00
parent 70d2833fa0
commit 8c74bdca64
8 changed files with 84 additions and 58 deletions


@ -24,9 +24,6 @@ rec {
grafana = 3000; grafana = 3000;
gitea = 3001; gitea = 3001;
# not necessary from vaultwarden 1.29.0
vaultwarden_ws = 3012;
soju = 6697; soju = 6697;
soju-ws = 6698; soju-ws = 6698;
matrix-synapse = 8008; matrix-synapse = 8008;


@ -210,6 +210,7 @@
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age; borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;


@ -178,9 +178,14 @@ in
}; };
services = { services = {
sshguard.enable = false; sshguard.enable = true;
gitea.enable = true; gitea.enable = true;
hass.enable = true; hass.enable = true;
vaultwarden = {
enable = true;
port = myData.ports.vaultwarden;
secretsEnvFile = config.age.secrets.vaultwarden-secrets-env.path;
};
grafana = { grafana = {
enable = true; enable = true;
@ -229,6 +234,7 @@ in
"gitea" "gitea"
"grafana" "grafana"
"headscale" "headscale"
"bitwarden_rs"
"private/photoprism" "private/photoprism"
]; ];
patterns = [ "- gitea/data/repo-archive/" ]; patterns = [ "- gitea/data/repo-archive/" ];
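Review bot: The `sshguard.enable = false` → `true` flip at the top of this section is unrelated to moving vaultwarden and changes what this host does on SSH authentication failures (sshguard blocks offending sources); it deserves its own commit, or at least a sentence in the commit message, so the behaviour change is discoverable later. The new `vaultwarden = { ... }` block itself is consistent with the rest of the change: `secretsEnvFile` is the agenix path this host now declares, and `"bitwarden_rs"` matches the data directory added to the backup set below. The enclosing `services = {` attribute set starts and ends outside the hunk.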


@ -61,7 +61,6 @@
mountpoint = "/var/lib"; mountpoint = "/var/lib";
repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib"; repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [ paths = [
"bitwarden_rs"
"caddy" "caddy"
"nsd-acme" "nsd-acme"
"tailscale" "tailscale"
@ -81,7 +80,6 @@
myData.hosts."vno3-rp3b.servers.jakst".jakstIP myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_lib"; }:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [ paths = [
"bitwarden_rs"
"caddy" "caddy"
"nsd-acme" "nsd-acme"
"tailscale" "tailscale"
@ -255,7 +253,7 @@
X-Frame-Options "SAMEORIGIN" X-Frame-Options "SAMEORIGIN"
} }
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
} }
''; '';
@ -381,40 +379,10 @@
''; '';
}; };
vaultwarden = { #syncthing.relay = {
enable = true; # enable = true;
# providedBy = "11sync.net";
config = { #};
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = myData.ports.vaultwarden;
LOG_LEVEL = "warn";
DOMAIN = "https://bitwarden.jakstys.lt";
SIGNUPS_ALLOWED = false;
INVITATION_ORG_NAME = "jakstys";
PUSH_ENABLED = true;
SMTP_HOST = "localhost";
SMTP_PORT = 25;
SMTP_SECURITY = "off";
SMTP_FROM = "admin@jakstys.lt";
SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
};
};
minidlna = {
enable = true;
openFirewall = true;
settings = {
media_dir = [ "/home/motiejus/video" ];
friendly_name = "vno1-oh2";
inotify = "yes";
};
};
syncthing.relay = {
enable = true;
providedBy = "11sync.net";
};
}; };
systemd.services = { systemd.services = {
@ -460,15 +428,6 @@
requires = [ "nsd-acme-irc.jakstys.lt.service" ]; requires = [ "nsd-acme-irc.jakstys.lt.service" ];
}; };
vaultwarden = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
serviceConfig = {
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ];
};
};
cert-watcher = { cert-watcher = {
description = "Restart caddy when tls keys/certs change"; description = "Restart caddy when tls keys/certs change";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
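Review bot: After this change the `reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden}` line sends vault traffic to another host over plain HTTP, so confidentiality between Caddy and vaultwarden now rests entirely on `fwminex-jakst` being an address that is only reachable over the encrypted overlay (the `-jakst` suffix suggests the tailscale network, but nothing on this line enforces it). I would record that assumption next to the directive, e.g. `# plaintext HTTP upstream: fwminex-jakst must stay a jakst/tailscale address (see vaultwarden module TODO)`, so a later edit does not silently point it at a public address. Separately, the hunk at `@ -381,40 +379,10` also drops `minidlna` and comments out `syncthing.relay`, which the commit title does not mention; if intentional, a line in the message would help. The Caddy configuration string these lines live in starts and ends outside the hunk.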


@ -20,6 +20,7 @@
./sshguard ./sshguard
./syncthing ./syncthing
./tailscale ./tailscale
./vaultwarden
./wifibackup ./wifibackup
./zfsunlock ./zfsunlock
]; ];


@ -0,0 +1,57 @@
{
config,
lib,
myData,
...
}:
let
cfg = config.mj.services.vaultwarden;
in
{
options.mj.services.vaultwarden = with lib.types; {
enable = lib.mkEnableOption "Enable vautwarden";
port = lib.mkOption { type = port; };
secretsEnvFile = lib.mkOption { type = path; };
};
config = lib.mkIf cfg.enable {
services.vaultwarden = {
enable = true;
config = {
# TODO http migration
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = cfg.port;
LOG_LEVEL = "warn";
DOMAIN = "https://bitwarden.jakstys.lt";
SIGNUPS_ALLOWED = false;
INVITATION_ORG_NAME = "jakstys";
PUSH_ENABLED = true;
SMTP_HOST = "localhost";
SMTP_PORT = 25;
SMTP_SECURITY = "off";
SMTP_FROM = "admin@jakstys.lt";
SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
};
};
systemd.services.vaultwarden = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
serviceConfig = {
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ];
};
};
mj.services.friendlyport.ports = [
{
subnets = [ myData.subnets.tailscale.cidr ];
tcp = [ cfg.port ];
}
];
};
}
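Review bot: `ROCKET_ADDRESS = "0.0.0.0"` binds plaintext HTTP on every interface of the host, so the only thing keeping the vault off non-tailscale interfaces is the `mj.services.friendlyport` rule further down; binding to the host's jakst address instead (the repo already exposes per-host `jakstIP` values in `myData.hosts`) would make the exposure independent of the firewall module. Within the tailnet, every peer in `myData.subnets.tailscale.cidr` can also reach the port directly rather than through Caddy, and since vaultwarden — if I recall its default `IP_HEADER` correctly — trusts `X-Real-IP`, a direct client can set that header itself and sidestep the per-IP login and admin rate limits and falsify audit logs; narrowing `subnets` to the reverse-proxy host's address would close that. The `# TODO http migration` comment is too terse to explain either risk; I would replace it with something like `# Plain HTTP on all interfaces; only the tailscale friendlyport rule below limits who can reach it. TODO: bind to the jakst address and/or add TLS`. Finally, `lib.mkEnableOption "Enable vautwarden"` has a typo — `"vaultwarden"` — and mkEnableOption already prefixes "Whether to enable", so the string should just be `"vaultwarden"`.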


@ -33,7 +33,6 @@ in
// mk ([ vno1-oh2 ] ++ motiejus) [ // mk ([ vno1-oh2 ] ++ motiejus) [
"secrets/vno1-oh2/borgbackup/password.age" "secrets/vno1-oh2/borgbackup/password.age"
"secrets/letsencrypt/account.key.age" "secrets/letsencrypt/account.key.age"
"secrets/vaultwarden/secrets.env.age"
"secrets/synapse/jakstys_lt_signing_key.age" "secrets/synapse/jakstys_lt_signing_key.age"
"secrets/synapse/registration_shared_secret.age" "secrets/synapse/registration_shared_secret.age"
@ -50,13 +49,19 @@ in
"secrets/mtworx/syncthing/key.pem.age" "secrets/mtworx/syncthing/key.pem.age"
"secrets/mtworx/syncthing/cert.pem.age" "secrets/mtworx/syncthing/cert.pem.age"
] ]
// mk ( //
[ mk
fwminex (
vno1-oh2 [
] fwminex
++ motiejus vno1-oh2
) [ "secrets/grafana.jakstys.lt/oidc.age" ] ]
++ motiejus
)
[
"secrets/grafana.jakstys.lt/oidc.age"
"secrets/vaultwarden/secrets.env.age"
]
// mk ([ fwminex ] ++ motiejus) [ // mk ([ fwminex ] ++ motiejus) [
"secrets/motiejus_server_passwd_hash.age" "secrets/motiejus_server_passwd_hash.age"
"secrets/root_server_passwd_hash.age" "secrets/root_server_passwd_hash.age"
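Review bot: `secrets/vaultwarden/secrets.env.age` is now encrypted to both `fwminex` and `vno1-oh2`, yet the same commit removes the vaultwarden service from vno1-oh2, so that host keeps the ability to decrypt vault secrets it no longer uses. Unless the overlap is deliberately kept for a rollback window, the entry belongs in the `mk ([ fwminex ] ++ motiejus) [ ... ]` group just below rather than the shared `fwminex`/`vno1-oh2` group, followed by a re-key. Also worth noting: re-encrypting the blob for a new recipient (the changed binary `.age` file) does not rotate the values inside; if vno1-oh2 is meant to lose access, the admin token and any SMTP/push credentials in `secrets.env` would need rotating separately.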
