[VAULTWARDEN]

This commit is contained in:
Kat Inskip 2023-04-26 18:01:47 -07:00
parent 75936bcebf
commit dc7cdad1af
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
12 changed files with 126 additions and 2 deletions


@ -75,7 +75,7 @@ resource "cloudflare_record" "terraform_managed_resource_95d39eb707041e694c6b7f0
proxied = false
ttl = 3600
type = "CNAME"
value = "daiyousei.kittywit.ch"
value = "yukari.gensokyo.zone"
zone_id = "7e44e5503a0bba73d2025d0a9679205e"
}


@ -0,0 +1,18 @@
_: {
services.nginx.virtualHosts."vault.kittywit.ch" = {
locations = {
"/" = {
proxyPass = "http://localhost:4000";
proxyWebsockets = true;
};
"/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://localhost:4000";
proxyWebsockets = true;
};
};
};
}
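Review bot: The vhost for vault.kittywit.ch declares only the three proxied locations and no TLS settings (no `forceSSL`/`enableACME`), while the application elsewhere in this commit is configured with an https:// domain; unless a shared module adds TLS to every vhost, the vault traffic, including the admin token, is served in plaintext. If TLS is applied centrally, a one-line comment above `locations` saying so would save the next reader the search; otherwise add `forceSSL = true; enableACME = true;` to the vhost. The three location blocks all repeat `proxyWebsockets = true`; factoring them through a small helper would be a style choice rather than a defect.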


@ -0,0 +1,11 @@
_: {
services.postgresql = {
ensureDatabases = ["bitwarden_rs"];
ensureUsers = [
{
name = "bitwarden_rs";
ensurePermissions = {"DATABASE bitwarden_rs" = "ALL PRIVILEGES";};
}
];
};
}


@ -0,0 +1,20 @@
_: {
secrets.files.vaultwarden-env = {
owner = "bitwarden_rs";
group = "bitwarden_rs";
};
services.vaultwarden = {
environmentFile = config.secrets.files.vaultwarden-env.path;
};
scalpel.trafos."environment_file" = {
source = "/etc/vaultwarden/environment_file_template";
matchers."VAULTWARDEN_ADMIN_TOKEN".secret = config.sops.secrets.vaultwarden_admin_token.path;
owner = "acme";
group = "acme";
mode = "0440";
};
services.vaultwarden.environmentFile = config.scalpel.trafos."environment_file".destination;
}
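Review bot: `config` is referenced at lines 68, 72 and 77, but the module header is `_:`, which discards the module arguments, so evaluation fails with an undefined variable; the header should be `{config, ...}:`. `services.vaultwarden.environmentFile` is also defined twice in this file with different values (line 68 from `secrets.files`, line 77 from the scalpel destination), which the module system rejects as conflicting definitions unless one is marked with `lib.mkDefault`/`lib.mkForce`; the line-68 assignment and the `secrets.files.vaultwarden-env` block it depends on look like leftovers once scalpel renders the file. The rendered environment file is owned by `acme`/`acme` with mode 0440, yet the service user is renamed to `bitwarden_rs` in this same commit, so unless vaultwarden runs as root here it cannot read its own environment file; `owner = "bitwarden_rs"; group = "bitwarden_rs";` looks intended.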


@ -0,0 +1,42 @@
vaultwarden_admin_token: ENC[AES256_GCM,data:aA1eO9z4XLpynGmpfdSiXtjft5Nmlu/VfZSA3J8wCbLaUau0P6qHQSAqNRTTJOUjqard7bMnjC5s3sEu9waLMQ==,iv:HWU/25zBd/v3tiySjSOsFUqCTrvtetrXIGyqqvqz+sk=,tag:TgPVkgXkzGTqO6r9H9Jixg==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkdCQ1ptaTY2cysvRlJk
Ylh1amlFZExzc0gxSFY1Zm5XUDRkUzl0bUNZClF1REJUbXUvQjhWa3FNanZJQXh2
SVlXdHRqUDdIdHZvMlNPaGxCdlJRZW8KLS0tIEJab3NZbDZqdlIwR3laeUx3N3cr
S0ZSYXhTNnMwRXVPa3RsS29PZEM4STgKkN4KuaiH5MnSKs2HsrZvdf6c8oYUZzDs
m6Cxcoasow0eY/3G65x5Rn5Klc0LXm6/kwJuHq4Og0njDBgzY0h53g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-04-27T00:57:18Z"
mac: ENC[AES256_GCM,data:8QwxkjAuISrTs8Ls0fFtQ52AhzDRJIw130Dox2c5zrdqnr3rTjZDvz+zmOjFt+gg0iC6gDrvEkYh+4+9+g3o3D3A8wdQHCpi4ia7pSiZ4palxKwHkq8XY9sgDOamYb1534QlLZk5OmpxFPLATyNfDt1+UoM2++ATkZ3t1MjL1PM=,iv:9C59fPOga2/aih1Wty1HFdZJk5T3xyIWRVuogZ6k4dM=,tag:Eh7uYYty+mkC828aJKd9iA==,type:str]
pgp:
- created_at: "2023-04-27T00:55:52Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=CFLr
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
unencrypted_suffix: _unencrypted
version: 3.7.3


@ -0,0 +1,32 @@
{
config,
pkgs,
lib,
...
}:
with lib; {
secrets.variables = mapListToAttrs (field:
nameValuePair "vaultwarden-${field}" {
path = "secrets/vaultwarden";
inherit field;
}) ["password" "smtp"];
users.users.vaultwarden.name = "bitwarden_rs";
users.groups.vaultwarden.name = "bitwarden_rs";
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
rocketPort = 4000;
websocketEnabled = true;
signupsAllowed = false;
domain = "https://vault.kittywit.ch";
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
};
};
environment.etc."vaultwarden/environment_file_template".text = ''
ADMIN_TOKEN=!!VAULTWARDEN_ADMIN_TOKEN!!
'';
}
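Review bot: With `websocketEnabled = true` the notifications listener is started on its own port (3012, which the nginx module in this commit proxies from localhost), but no `websocketAddress` is set; as far as I recall vaultwarden's WEBSOCKET_ADDRESS defaults to 0.0.0.0, which would expose the hub on every interface beside the reverse proxy. Pin both listeners to loopback next to `rocketPort`: `rocketAddress = "127.0.0.1"; websocketAddress = "127.0.0.1";` — and confirm what ROCKET_ADDRESS defaults to for the packaged binary, since the loopback default I remember is from the Docker image. `secrets.variables` declares `vaultwarden-password` and `vaultwarden-smtp` at the top of the file, but nothing in this hunk consumes them; a short comment naming where they are read, or dropping them if unused, would help the next reader.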


@ -13,7 +13,8 @@ _: let
server
web-server
postgres-server
matrix-server
matrix-homeserver
vaultwarden-server
]);
boot = {