move vaultwarden to fwminex
parent
70d2833fa0
commit
8c74bdca64
3
data.nix
3
data.nix
@ -24,9 +24,6 @@ rec {
|
||||
grafana = 3000;
|
||||
gitea = 3001;
|
||||
|
||||
# not necessary from vaultwarden 1.29.0
|
||||
vaultwarden_ws = 3012;
|
||||
|
||||
soju = 6697;
|
||||
soju-ws = 6698;
|
||||
matrix-synapse = 8008;
|
||||
|
@ -210,6 +210,7 @@
|
||||
headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age;
|
||||
borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age;
|
||||
grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
|
||||
vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age;
|
||||
photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age;
|
||||
syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age;
|
||||
syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age;
|
||||
|
@ -178,9 +178,14 @@ in
|
||||
};
|
||||
|
||||
services = {
|
||||
sshguard.enable = false;
|
||||
sshguard.enable = true;
|
||||
gitea.enable = true;
|
||||
hass.enable = true;
|
||||
vaultwarden = {
|
||||
enable = true;
|
||||
port = myData.ports.vaultwarden;
|
||||
secretsEnvFile = config.age.secrets.vaultwarden-secrets-env.path;
|
||||
};
|
||||
|
||||
grafana = {
|
||||
enable = true;
|
||||
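Review bot: `sshguard.enable` changes from `false` to `true` in this hunk, which is unrelated to moving vaultwarden and is not mentioned in the commit title; it should be split into its own commit or at least stated in the description. The new `vaultwarden` block wires `config.age.secrets.vaultwarden-secrets-env.path` into the module via `secretsEnvFile`, which depends on the `data.nix` hunk above declaring that secret; that is fine, but enabling it here before the old host's `/var/lib/bitwarden_rs` data has been copied over would presumably start a fresh, empty instance, so the description should state the migration order. The enclosing `services` attribute set continues past the end of the hunk.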
@ -229,6 +234,7 @@ in
|
||||
"gitea"
|
||||
"grafana"
|
||||
"headscale"
|
||||
"bitwarden_rs"
|
||||
"private/photoprism"
|
||||
];
|
||||
patterns = [ "- gitea/data/repo-archive/" ];
|
||||
|
@ -61,7 +61,6 @@
|
||||
mountpoint = "/var/lib";
|
||||
repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";
|
||||
paths = [
|
||||
"bitwarden_rs"
|
||||
"caddy"
|
||||
"nsd-acme"
|
||||
"tailscale"
|
||||
@ -81,7 +80,6 @@
|
||||
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
|
||||
}:${config.networking.hostName}.${config.networking.domain}-var_lib";
|
||||
paths = [
|
||||
"bitwarden_rs"
|
||||
"caddy"
|
||||
"nsd-acme"
|
||||
"tailscale"
|
||||
@ -255,7 +253,7 @@
|
||||
X-Frame-Options "SAMEORIGIN"
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} {
|
||||
reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
'';
|
||||
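Review bot: The `reverse_proxy` target on the new line moves from loopback to `${fwminex-jakst}`, so the caddy→vaultwarden hop is now plain HTTP between two hosts; if `fwminex-jakst` resolves to the tailscale address the hop is WireGuard-encrypted, but that assumption should be written down on the line, e.g. `reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} { # plain HTTP; fwminex-jakst must be the tailscale address`. Where `fwminex-jakst` is bound is not visible in this hunk, so I cannot confirm what it resolves to. The retained `header_up X-Real-IP {remote_host}` only identifies the real client while caddy is the sole path in; the new module also opens the port to the whole tailscale subnet, so requests arriving directly carry whatever header the sender set, and vaultwarden's per-IP login limiting and logs will reflect that. The enclosing Caddy site block starts and ends outside the hunk.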
@ -381,40 +379,10 @@
|
||||
'';
|
||||
};
|
||||
|
||||
vaultwarden = {
|
||||
enable = true;
|
||||
|
||||
config = {
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
ROCKET_PORT = myData.ports.vaultwarden;
|
||||
LOG_LEVEL = "warn";
|
||||
DOMAIN = "https://bitwarden.jakstys.lt";
|
||||
SIGNUPS_ALLOWED = false;
|
||||
INVITATION_ORG_NAME = "jakstys";
|
||||
PUSH_ENABLED = true;
|
||||
|
||||
SMTP_HOST = "localhost";
|
||||
SMTP_PORT = 25;
|
||||
SMTP_SECURITY = "off";
|
||||
SMTP_FROM = "admin@jakstys.lt";
|
||||
SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
|
||||
};
|
||||
};
|
||||
|
||||
minidlna = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
media_dir = [ "/home/motiejus/video" ];
|
||||
friendly_name = "vno1-oh2";
|
||||
inotify = "yes";
|
||||
};
|
||||
};
|
||||
|
||||
syncthing.relay = {
|
||||
enable = true;
|
||||
providedBy = "11sync.net";
|
||||
};
|
||||
#syncthing.relay = {
|
||||
# enable = true;
|
||||
# providedBy = "11sync.net";
|
||||
#};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
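Review bot: Beyond removing the `vaultwarden` block, this hunk appears to drop the `minidlna` service definition and comment out `syncthing.relay` (the old side has both live, the new side keeps only the commented relay), neither of which the commit title covers. Commented-out configuration is dead weight in a Nix module; `syncthing.relay.enable = false;` keeps the intent visible and evaluable, and the minidlna removal deserves its own commit or a sentence in the description. The enclosing `services` set begins outside the hunk.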
@ -460,15 +428,6 @@
|
||||
requires = [ "nsd-acme-irc.jakstys.lt.service" ];
|
||||
};
|
||||
|
||||
vaultwarden = {
|
||||
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
|
||||
serviceConfig = {
|
||||
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
|
||||
RuntimeDirectory = "vaultwarden";
|
||||
LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ];
|
||||
};
|
||||
};
|
||||
|
||||
cert-watcher = {
|
||||
description = "Restart caddy when tls keys/certs change";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -20,6 +20,7 @@
|
||||
./sshguard
|
||||
./syncthing
|
||||
./tailscale
|
||||
./vaultwarden
|
||||
./wifibackup
|
||||
./zfsunlock
|
||||
];
|
||||
|
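--- /dev/null
+++ b/modules/services/vaultwarden/default.nix
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  myData,
+  ...
+}:
+let
+  cfg = config.mj.services.vaultwarden;
+in
+{
+  options.mj.services.vaultwarden = with lib.types; {
+    enable = lib.mkEnableOption "Enable vautwarden";
+    port = lib.mkOption { type = port; };
+    secretsEnvFile = lib.mkOption { type = path; };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+
+      config = {
+        # TODO http migration
+        ROCKET_ADDRESS = "0.0.0.0";
+        ROCKET_PORT = cfg.port;
+        LOG_LEVEL = "warn";
+        DOMAIN = "https://bitwarden.jakstys.lt";
+        SIGNUPS_ALLOWED = false;
+        INVITATION_ORG_NAME = "jakstys";
+        PUSH_ENABLED = true;
+
+        SMTP_HOST = "localhost";
+        SMTP_PORT = 25;
+        SMTP_SECURITY = "off";
+        SMTP_FROM = "admin@jakstys.lt";
+        SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
+      };
+    };
+
+    systemd.services.vaultwarden = {
+      preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
+      serviceConfig = {
+        EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
+        RuntimeDirectory = "vaultwarden";
+        LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ];
+      };
+    };
+
+    mj.services.friendlyport.ports = [
+      {
+        subnets = [ myData.subnets.tailscale.cidr ];
+        tcp = [ cfg.port ];
+      }
+    ];
+
+  };
+
+}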
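Review bot: `ROCKET_ADDRESS = "0.0.0.0"` binds vaultwarden's plaintext HTTP listener on every interface, where the previous host used `127.0.0.1` behind a local caddy, and the only explanation is `# TODO http migration`. The bind is contained solely by the `mj.services.friendlyport` tailscale-subnet rule further down, so either bind to the host's tailscale address if `myData` provides one, or expand the TODO to say which migration is pending and why the subnet rule is considered sufficient until then. `lib.mkEnableOption "Enable vautwarden"` has a typo and `mkEnableOption` already prefixes "Whether to enable", so `lib.mkEnableOption "vaultwarden"` reads correctly; `port` and `secretsEnvFile` also lack a `description`, and the latter should say it is a file path handed to the unit through `LoadCredential` rather than read at evaluation time. `DOMAIN` is hard-coded in what is now a reusable module; an option with this value as its default would keep the module host-independent.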
21
secrets.nix
21
secrets.nix
@ -33,7 +33,6 @@ in
|
||||
// mk ([ vno1-oh2 ] ++ motiejus) [
|
||||
"secrets/vno1-oh2/borgbackup/password.age"
|
||||
"secrets/letsencrypt/account.key.age"
|
||||
"secrets/vaultwarden/secrets.env.age"
|
||||
|
||||
"secrets/synapse/jakstys_lt_signing_key.age"
|
||||
"secrets/synapse/registration_shared_secret.age"
|
||||
@ -50,13 +49,19 @@ in
|
||||
"secrets/mtworx/syncthing/key.pem.age"
|
||||
"secrets/mtworx/syncthing/cert.pem.age"
|
||||
]
|
||||
// mk (
|
||||
[
|
||||
fwminex
|
||||
vno1-oh2
|
||||
]
|
||||
++ motiejus
|
||||
) [ "secrets/grafana.jakstys.lt/oidc.age" ]
|
||||
//
|
||||
mk
|
||||
(
|
||||
[
|
||||
fwminex
|
||||
vno1-oh2
|
||||
]
|
||||
++ motiejus
|
||||
)
|
||||
[
|
||||
"secrets/grafana.jakstys.lt/oidc.age"
|
||||
"secrets/vaultwarden/secrets.env.age"
|
||||
]
|
||||
// mk ([ fwminex ] ++ motiejus) [
|
||||
"secrets/motiejus_server_passwd_hash.age"
|
||||
"secrets/root_server_passwd_hash.age"
|
||||
|
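Review bot: `secrets/vaultwarden/secrets.env.age` moves from the `[ vno1-oh2 ] ++ motiejus` recipient list to the shared `fwminex`/`vno1-oh2` list, so vno1-oh2 keeps the ability to decrypt a secret for a service it no longer runs. Once the migration is verified, give the secret its own `mk ([ fwminex ] ++ motiejus)` entry instead of piggybacking on the grafana OIDC list, and rekey; because an age file in history stays readable to every key it was ever encrypted to, rotating the values inside `secrets.env` after the old host is dropped is the cleaner endpoint. The surrounding `mk` chain continues outside the hunk.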
Binary file not shown.