From d16269b23aca4dade040cb3840c5fe55767f5372 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sun, 26 May 2024 04:03:55 +0200
Subject: [PATCH] bekkalokk: add vaultwarden

---
 hosts/bekkalokk/configuration.nix        | 11 ++--
 hosts/bekkalokk/services/vaultwarden.nix | 66 ++++++++++++++++++++++++
 secrets/bekkalokk/bekkalokk.yaml         |  7 ++-
 3 files changed, 77 insertions(+), 7 deletions(-)
 create mode 100644 hosts/bekkalokk/services/vaultwarden.nix

diff --git a/hosts/bekkalokk/configuration.nix b/hosts/bekkalokk/configuration.nix
index 626fd26..bbc3c6b 100644
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@@ -6,13 +6,14 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
-    ./services/website
-    ./services/nginx.nix
     ./services/gitea/default.nix
-    ./services/kerberos
-    ./services/webmail
-    ./services/mediawiki
     ./services/idp-simplesamlphp
+    ./services/kerberos
+    ./services/mediawiki
+    ./services/nginx.nix
+    ./services/vaultwarden.nix
+    ./services/webmail
+    ./services/website
   ];
 
   sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;
diff --git a/hosts/bekkalokk/services/vaultwarden.nix b/hosts/bekkalokk/services/vaultwarden.nix
new file mode 100644
index 0000000..2b25e9a
--- /dev/null
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.vaultwarden;
+  domain = "pw.pvv.ntnu.no";
+  address = "127.0.1.2";
+  port = 3011;
+  wsPort = 3012;
+in {
+  sops.secrets."vaultwarden/environ" = {
+    owner = "vaultwarden";
+    group = "vaultwarden";
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    config = {
+      domain = "https://${domain}";
+
+      rocketAddress = address;
+      rocketPort = port;
+
+      websocketEnabled = true;
+      websocketAddress = address;
+      wsPort = wsPort;
+
+      signupsAllowed = true;
+      signupsVerify=true;
+      signupsDomainsWhitelist = "pvv.ntnu.no";
+
+      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      smtpFromName = "VaultWarden PVV";
+
+      smtpHost = "smtp.pvv.ntnu.no";
+      smtpUsername = "vaultwarden";
+      smtpSecurity = "force_tls";
+      smtpAuthMechanism = "Login";
+
+      # Configured in environ:
+      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
+      # smtpPassword = hemli
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+    locations."/" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://${address}:${toString wsPort}";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://${address}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}
diff --git a/secrets/bekkalokk/bekkalokk.yaml b/secrets/bekkalokk/bekkalokk.yaml
index 899a4b9..6cf7179 100644
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
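Review bot: `wsPort = wsPort;` inside `services.vaultwarden.config` most likely does not configure the websocket listener: if the module's camelCase-to-SCREAMING_SNAKE_CASE conversion applies here as documented, the key becomes `WS_PORT`, which is not a Vaultwarden setting, whereas the setting the nginx `/notifications/hub` location depends on is `WEBSOCKET_PORT`; the setup only lines up because 3012 also happens to be Vaultwarden's default websocket port. Use `websocketPort = wsPort;` so the let-binding actually governs the port nginx proxies to, and confirm against the module version deployed. The let-binding `cfg = config.services.vaultwarden;` is never referenced in the file and can be dropped. `signupsVerify=true;` is the only assignment without spaces around `=`; write it as `signupsVerify = true;` to match the rest of the block.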
@@ -28,6 +28,8 @@ nettsiden:
     postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
     cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
     admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
+vaultwarden:
+    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -61,8 +63,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-12T00:24:29Z"
-    mac: ENC[AES256_GCM,data:/fh5yc09YTLT62oWVsz2CwW/mhEUI7uRh5fDRgLNeeBc/4bvM3z83xmy9veehmQhhCWjju2/CtYhaihm3bUPN4hu3wVzviIxvrS9lTcBUG+F/AH4SnF5Z1CGWb94Gqi/6OhQRIpA6azjISyv8lTAQ4TCqcOC4fz/c9KjqQ/CiGY=,iv:HjzzMRFz3+kZ4iDLn9kI80BwMDALkRX5gyOHARZSgDA=,tag:1ez7NiIavshfp4CTZNkW/Q==,type:str]
+    lastmodified: "2024-05-26T02:07:41Z"
+    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |
@@ -86,3 +88,4 @@ sops:
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
     version: 3.8.1
+