feat(bw): vaultwarden

2026-02-09 04:19:19 -08:00 · 2024-05-26 14:04:19 -07:00 · 2024-05-26 14:04:19 -07:00 · 0947ca0532
commit 0947ca0532
parent 0b0a91d506
15 changed files with 437 additions and 7 deletions
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@ -32,6 +32,7 @@ in {
    nixos.access.mosquitto
    nixos.access.gensokyo
    nixos.access.keycloak
+    nixos.access.vaultwarden
    nixos.access.vouch
    nixos.access.freeipa
    nixos.access.freepbx
@ -112,6 +113,14 @@ in {
        virtualHosts.keycloak'local.allServerNames
      ];
    };
+    bw = {
+      inherit (nginx) group;
+      domain = virtualHosts.vaultwarden.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.vaultwarden.otherServerNames
+        virtualHosts.vaultwarden'local.allServerNames
+      ];
+    };
    home = {
      inherit (nginx) group;
      domain = virtualHosts.home-assistant.serverName;
@ -266,6 +275,11 @@ in {
        local.denyGlobal = true;
        ssl.cert.enable = true;
      };
+      vaultwarden = {
+        # we're not the real bw record-holder, so don't respond globally..
+        local.denyGlobal = true;
+        ssl.cert.enable = true;
+      };
      vouch = {
        ssl.cert.enable = true;
      };
--- a/systems/keycloak/default.nix
+++ b/systems/keycloak/default.nix
@ -12,6 +12,7 @@ _: {
      sshd.enable = true;
      keycloak.enable = true;
      vouch-proxy.enable = true;
+      vaultwarden.enable = true;
    };
  };
 }
--- a/systems/keycloak/lxc.json
+++ b/systems/keycloak/lxc.json
@ -1,6 +1,7 @@
 {
 	"lxc": {
 		"lxc.mount.entry": [
+			"/rpool/shared/vaultwarden mnt/shared/vaultwarden none bind,optional,create=dir",
 			"/dev/net/tun dev/net/tun none bind,optional,create=file"
 		],
 		"lxc.idmap": [
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@ -12,6 +12,7 @@
    nixos.reisen-ct
    nixos.ipa
    nixos.keycloak
+    nixos.vaultwarden
    nixos.cloudflared
    nixos.vouch
  ];
@ -27,6 +28,8 @@
        inherit (keycloak'system.exports.services) keycloak;
        vouch'system = access.systemForServiceId "login";
        inherit (vouch'system.exports.services) vouch-proxy;
+        vaultwarden'system = access.systemForServiceId "bw";
+        inherit (vaultwarden'system.exports.services) vaultwarden;
      in {
        "${keycloak.id}.${config.networking.domain}" = let
          portName =
@ -52,6 +55,12 @@
            service = vouch-proxy;
          };
        };
+        "${vaultwarden.id}.${config.networking.domain}" = {
+          service = access.proxyUrlFor {
+            system = vaultwarden'system;
+            service = vaultwarden;
+          };
+        };
      };
    };
  };
--- a/systems/reisen/setup.sh
+++ b/systems/reisen/setup.sh
@ -160,6 +160,7 @@ mkshared plex 100193 100193 0750
 mkshared postgresql 100071 100071 0750
 mkshared unifi 100990 100990 0750
 mkshared zigbee2mqtt 100317 100317 0700
+mkshared vaultwarden 100915 100915 0750
 mkshared minecraft 100913 100913 0750
 mkshared minecraft/bedrock 100913 100913 0750