feat: vaultwarden config

2024-01-12 17:16:37 +01:00 · 2024-01-12 17:16:37 +01:00 · 50c3646e5b
parent 7efb7a9761
commit 50c3646e5b
6 changed files with 77 additions and 0 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -10,11 +10,31 @@
  adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}";
  nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
  giteadomain = "git.${config.secrets.secrets.global.domains.web}";
+  vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
  ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
 in {
  services.nginx = {
    enable = true;
    recommendedSetup = true;
+    upstreams.vaultwarden = {
+      servers."${ipOf "vaultwarden"}:3000" = {};
+
+      extraConfig = ''
+        zone vaultwarden 64k ;
+        keepalive 5 ;
+      '';
+    };
+    virtualHosts.${vaultwardendomain} = {
+      forceSSL = true;
+      useACMEHost = "web";
+      locations."/" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        client_max_body_size 1G ;
+      '';
+    };
    upstreams.gitea = {
      servers."${ipOf "gitea"}:3000" = {};

@ -141,6 +161,7 @@ in {
  in
    {}
    // mkContainer "adguardhome" {}
+    // mkContainer "vaultwarden" {}
    // mkContainer "nextcloud" {
      enablePanzer = true;
    }
--- a/hosts/elisabeth/secrets/nextcloud/option.json.age
+++ b/hosts/elisabeth/secrets/nextcloud/option.json.age
--- a/hosts/elisabeth/secrets/vaultwarden/vaultwarden-env.age
+++ b/hosts/elisabeth/secrets/vaultwarden/vaultwarden-env.age
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -22,6 +22,7 @@
    redis-nextcloud = uidGid 214;
    radicale = uidGid 215;
    gitea = uidGid 215;
+    vaultwarden = uidGid 215;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
    patrick = uidGid 1000;
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}";
+in {
+  age.secrets.vaultwarden-env = {
+    rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
+    mode = "440";
+    group = "vaultwarden";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/vaultwarden";
+      user = "vaultwarden";
+      group = "vaultwarden";
+      mode = "0700";
+    }
+  ];
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    config = {
+      dataFolder = lib.mkForce "/var/lib/vaultwarden";
+      extendedLogging = true;
+      useSyslog = true;
+      webVaultEnabled = true;
+
+      rocketAddress = "0.0.0.0";
+      rocketPort = 3000;
+
+      signupsAllowed = false;
+      passwordIterations = 1000000;
+      invitationsAllowed = true;
+      invitationOrgName = "Vaultwarden";
+      domain = "https://${vaultwardenDomain}";
+
+      smtpEmbedImages = true;
+      smtpSecurity = "force_tls";
+      smtpPort = 465;
+    };
+    #backupDir = "/data/backup";
+    environmentFile = config.age.secrets.vaultwarden-env.path;
+  };
+
+  # Replace uses of old name
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
+  systemd.services.vaultwarden.serviceConfig = {
+    StateDirectory = lib.mkForce "vaultwarden";
+    RestartSec = "600"; # Retry every 10 minutes
+  };
+}
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age