feat: vaultwarden config

This commit is contained in:
Patrick Großmann 2024-01-12 17:16:37 +01:00
parent 7efb7a9761
commit 50c3646e5b
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
6 changed files with 77 additions and 0 deletions


@ -10,11 +10,31 @@
adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}"; adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}";
nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}"; nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
giteadomain = "git.${config.secrets.secrets.global.domains.web}"; giteadomain = "git.${config.secrets.secrets.global.domains.web}";
vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet; ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
in { in {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedSetup = true; recommendedSetup = true;
upstreams.vaultwarden = {
servers."${ipOf "vaultwarden"}:3000" = {};
extraConfig = ''
zone vaultwarden 64k ;
keepalive 5 ;
'';
};
virtualHosts.${vaultwardendomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 1G ;
'';
};
upstreams.gitea = { upstreams.gitea = {
servers."${ipOf "gitea"}:3000" = {}; servers."${ipOf "gitea"}:3000" = {};
@ -141,6 +161,7 @@ in {
in in
{} {}
// mkContainer "adguardhome" {} // mkContainer "adguardhome" {}
// mkContainer "vaultwarden" {}
// mkContainer "nextcloud" { // mkContainer "nextcloud" {
enablePanzer = true; enablePanzer = true;
} }
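Review bot: The new `virtualHosts.${vaultwardendomain}` entry forwards every path to the upstream over plain HTTP but sets no proxy headers of its own, so whether Vaultwarden sees the real client address depends on what the custom `recommendedSetup = true` enables; if it does not add `X-Real-IP`/`X-Forwarded-For`, Vaultwarden's failed-login logging and rate limiting will only ever see the nginx address. That is worth confirming, and if needed adding `recommendedProxySettings = true;` next to `proxyWebsockets = true;`. Because `locations."/"` covers all paths, the `/admin` panel is reachable through this public vhost whenever an admin token is configured in the env file; a separate `locations."/admin"` entry restricted to trusted source addresses would narrow that. The `client_max_body_size 1G ;` line should also carry a short comment naming why it is that large, e.g. `# allow large attachment uploads`.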

Binary file not shown.


@ -22,6 +22,7 @@
redis-nextcloud = uidGid 214; redis-nextcloud = uidGid 214;
radicale = uidGid 215; radicale = uidGid 215;
gitea = uidGid 215; gitea = uidGid 215;
vaultwarden = uidGid 215;
systemd-oom = uidGid 300; systemd-oom = uidGid 300;
systemd-coredump = uidGid 301; systemd-coredump = uidGid 301;
patrick = uidGid 1000; patrick = uidGid 1000;
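Review bot: `vaultwarden = uidGid 215;` reuses the id already given to `radicale` and `gitea` on the two lines above, so the vaultwarden user and group are not distinct from those services anywhere the mapping is shared. The vaultwarden module protects its data with a 0700 directory and a mode 440, group-vaultwarden secret, and both of those controls collapse if the gitea or radicale processes resolve to the same uid/gid on a shared host or a shared `/persist` mount. If the duplication is deliberate because each service lives in its own container, a comment saying so would stop the next reader from "fixing" it; otherwise assign a free id, e.g. `vaultwarden = uidGid 216;`.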


@ -0,0 +1,55 @@
{
config,
lib,
...
}: let
vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}";
in {
age.secrets.vaultwarden-env = {
rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
mode = "440";
group = "vaultwarden";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/vaultwarden";
user = "vaultwarden";
group = "vaultwarden";
mode = "0700";
}
];
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
dataFolder = lib.mkForce "/var/lib/vaultwarden";
extendedLogging = true;
useSyslog = true;
webVaultEnabled = true;
rocketAddress = "0.0.0.0";
rocketPort = 3000;
signupsAllowed = false;
passwordIterations = 1000000;
invitationsAllowed = true;
invitationOrgName = "Vaultwarden";
domain = "https://${vaultwardenDomain}";
smtpEmbedImages = true;
smtpSecurity = "force_tls";
smtpPort = 465;
};
#backupDir = "/data/backup";
environmentFile = config.age.secrets.vaultwarden-env.path;
};
# Replace uses of old name
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
systemd.services.vaultwarden.serviceConfig = {
StateDirectory = lib.mkForce "vaultwarden";
RestartSec = "600"; # Retry every 10 minutes
};
}
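Review bot: `backupDir` is left commented out, so no backup job is configured for the vault, yet `systemd.services.backup-vaultwarden.environment.DATA_FOLDER` is still forced on the line below it; as far as I can tell the NixOS module only defines that unit when `backupDir` is set, so the override either targets a unit that does not exist or creates an empty one. Either set `backupDir` (the state directory override above already moves the data, so the backup must point at the same `/var/lib/vaultwarden`) or drop the DATA_FOLDER line until backups are enabled. `rocketAddress = "0.0.0.0"` binds on every interface in the container; if the guest has anything beyond the private subnet nginx uses, binding to that private IP or firewalling port 3000 would be the safer default — I cannot see the container's network setup from this hunk. The listing shows 49 of the 55 lines the header announces, so this assumes only blank lines were dropped in rendering.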

Binary file not shown.