From aeec9b75c16d84dbdc17ce6bad834d16d16fced4 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Sun, 27 Feb 2022 13:06:17 +0700
Subject: [PATCH] services/vaultwarden: init
---
 hosts/caramel/default.nix | 2 ++
 modules/default.nix | 1 +
 modules/services/unbound.nix | 5 +++++
 modules/services/vaultwarden.nix | 31 +++++++++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/warden_admin.age | 10 ++++++++++
 6 files changed, 50 insertions(+)
 create mode 100644 modules/services/vaultwarden.nix
 create mode 100644 secrets/warden_admin.age
diff --git a/hosts/caramel/default.nix b/hosts/caramel/default.nix
index 2112c65..1e3bd35 100644
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@@ -6,6 +6,7 @@
 age.secrets = {
 acme_dns.file = ../../secrets/acme_dns.age;
 passwd.file = ../../secrets/passwd.age;
+ warden_admin.file = ../../secrets/warden_admin.age;
 wpa_conf.file = ../../secrets/wpa_conf.age;
 wg_caramel.file = ../../secrets/wg_caramel.age;
 };
@@ -33,5 +34,6 @@
 synapse
 tmptsync
 unbound
+ vaultwarden
 ]);
 }
diff --git a/modules/default.nix b/modules/default.nix
index 7a1b111..255b9e2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -20,6 +20,7 @@ in {
 ./services/synapse.nix
 ./services/tmptsync.nix
 ./services/unbound.nix
+ ./services/vaultwarden.nix
 ];
 system = mkAttrsFromPaths [
 ./system/audio.nix
diff --git a/modules/services/unbound.nix b/modules/services/unbound.nix
index c312359..6976551 100644
--- a/modules/services/unbound.nix
+++ b/modules/services/unbound.nix
@@ -28,6 +28,11 @@ in {
 "10.0.0.0/8 allow"
 "192.168.100.0/24 allow"
 ];
+ domain-insecure = [ "local.lava.moe" ];
+ local-zone = [ "local.lava.moe. redirect" ];
+ local-data = [
+ "warden.local.lava.moe. IN A 192.168.100.15"
+ ];
 };
 include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..c1f2cc3
--- /dev/null
+++ b/modules/services/vaultwarden.nix
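Review bot: `local-zone = [ "local.lava.moe. redirect" ]` paired with `local-data` only for `warden.local.lava.moe.` looks mismatched: unbound's manual describes a `redirect` zone as answering the zone name and every name beneath it from the data held at the zone name itself, so a record placed beneath the apex is not what gets served, and every name under `local.lava.moe` would receive the same (here empty) answer. If the intent is for `warden.local.lava.moe` alone to resolve to 192.168.100.15, `static` is the type that serves exactly the names listed in `local-data` and returns NXDOMAIN for the rest: `local-zone = [ "local.lava.moe. static" ];`. `domain-insecure` is appropriate for locally synthesised answers, and keeping it scoped to `local.lava.moe` rather than `lava.moe` leaves DNSSEC validation intact for the public names. Worth confirming resolution from a host behind this resolver before relying on it for the certificate-backed hostname used by the vaultwarden module.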
@@ -0,0 +1,31 @@ +{ config, ... }: +let + dir = "/persist/vaultwarden"; + user = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; +in { + systemd.tmpfiles.rules = [ + "d ${dir} 700 ${user} ${group}" + "d ${dir}_backup 700 ${user} ${group}" + ]; + services.vaultwarden = { + backupDir = "${dir}_backup"; + config = { + dataFolder = dir; + signupsAllowed = false; + rocketPort = 8002; + }; + domain = "warden.local.lava.moe"; + environmentFile = config.age.secrets.warden_admin.path; + }; + + services.nginx.virtualHosts."warden.local.lava.moe" = { + forceSSL = true; + useACMEHost = "lava.moe"; + + locations."/".proxyPass = "http://[::1]:8002"; + }; + + systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ dir ]; + systemd.services.backup-vaultwarden.environment.DATA_FOLDER = dir; +} diff --git a/secrets.nix b/secrets.nix index fa81f33..a713b13 100644 --- a/secrets.nix +++ b/secrets.nix @@ -9,6 +9,7 @@ in { "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ]; "secrets/acme_dns.age".publicKeys = [ caramel rin ]; + "secrets/warden_admin.age".publicKeys = [ caramel rin ]; "secrets/wg_blossom.age".publicKeys = [ blossom rin ]; "secrets/wg_caramel.age".publicKeys = [ caramel rin ]; "secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ]; diff --git a/secrets/warden_admin.age b/secrets/warden_admin.age new file mode 100644 index 0000000..972ef49 --- /dev/null +++ b/secrets/warden_admin.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 U9FXlg YL/xEUVIIOIeP2FRVxZhkCg/yaiX50S74HSMslKzoSw +SqzuQt4hd6ICDRlq+6Vqy0j/ZuNm3waCg7pUt9EqVD0 +-> ssh-ed25519 krYeuQ IsFu0w7BFrTm5rAE6Ysxuievf3NiC60h/KkoUO51FUA +/BCYR/4qP+1449Kf2MY79sq0ahpjqI5fq7Sme2swU6U +-> V;-grease ^F.M +lxjBnTXUAhPceJGeXm985SzVP4D2PsxkUEv/kKSx+6LGCHUzYAggYXi8C2ahorkY +XrYNvorBDG0aezi2GSicmAf4pQkkrLcvZhsmU+/QOKzyAxMw7V0 +--- jUlhN0y3o/J/jQlcN0um+lTQ3hZv2Ur0crxSsGeZ28c +DJ?w9%s5zkA3U"V3[in0kXi:LoaD'$O54&Ս² ^ULEQP/ \ No newline at end of file
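Review bot: `services.vaultwarden.config` sets `rocketPort = 8002` but no listen address, and because setting the option replaces rather than merges any module default, whether the backend binds loopback only now depends on vaultwarden's own fallback, which is every interface; that would expose plain-HTTP 8002 on the LAN beside the TLS front end and, being an IPv4 bind, presumably leave nothing at the `[::1]:8002` that `proxyPass` targets. Pin it explicitly with `rocketAddress = "::1";` next to `rocketPort = 8002;`. Since `environmentFile` presumably carries `ADMIN_TOKEN`, the `/admin` panel becomes reachable on the public virtual host; if it is only used from the LAN, add a `locations."/admin"` that repeats the proxyPass with `extraConfig = "allow 192.168.100.0/24; deny all;"`. Note also that `useACMEHost = "lava.moe"` only serves `warden.local.lava.moe` cleanly if that ACME certificate includes `*.local.lava.moe`, since a single-level `*.lava.moe` wildcard does not cover a two-label subdomain. The backup unit receives `DATA_FOLDER` but no `ReadWritePaths` for `${dir}_backup`, so if the module hardens it like the main service the first backup run is worth checking.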