cilly/flakes
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

services/vaultwarden: init

Browse source
This commit is contained in:
LavaDesu 2022-02-27 13:06:17 +07:00
parent b0923384df
commit aeec9b75c1
Signed by: cilly
GPG key ID: 6500251E087653C9
6 changed files with 50 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/caramel/default.nix
View file

@ -6,6 +6,7 @@
age.secrets = { age.secrets = {
acme_dns.file = ../../secrets/acme_dns.age; acme_dns.file = ../../secrets/acme_dns.age;
passwd.file = ../../secrets/passwd.age; passwd.file = ../../secrets/passwd.age;
warden_admin.file = ../../secrets/warden_admin.age;
wpa_conf.file = ../../secrets/wpa_conf.age; wpa_conf.file = ../../secrets/wpa_conf.age;
wg_caramel.file = ../../secrets/wg_caramel.age; wg_caramel.file = ../../secrets/wg_caramel.age;
}; };
@ -33,5 +34,6 @@
synapse synapse
tmptsync tmptsync
unbound unbound
vaultwarden
]); ]);
} }

1
modules/default.nix
View file

@ -20,6 +20,7 @@ in {
./services/synapse.nix ./services/synapse.nix
./services/tmptsync.nix ./services/tmptsync.nix
./services/unbound.nix ./services/unbound.nix
./services/vaultwarden.nix
]; ];
system = mkAttrsFromPaths [ system = mkAttrsFromPaths [
./system/audio.nix ./system/audio.nix

5
modules/services/unbound.nix
View file

@ -28,6 +28,11 @@ in {
"10.0.0.0/8 allow" "10.0.0.0/8 allow"
"192.168.100.0/24 allow" "192.168.100.0/24 allow"
]; ];
domain-insecure = [ "local.lava.moe" ];
local-zone = [ "local.lava.moe. redirect" ];
local-data = [
"warden.local.lava.moe. IN A 192.168.100.15"
];
}; };
include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf"; include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";

31
modules/services/vaultwarden.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, ... }:
let
dir = "/persist/vaultwarden";
user = config.users.users.vaultwarden.name;
group = config.users.groups.vaultwarden.name;
in {
systemd.tmpfiles.rules = [
"d ${dir} 700 ${user} ${group}"
"d ${dir}_backup 700 ${user} ${group}"
];
services.vaultwarden = {
backupDir = "${dir}_backup";
config = {
dataFolder = dir;
signupsAllowed = false;
rocketPort = 8002;
};
domain = "warden.local.lava.moe";
environmentFile = config.age.secrets.warden_admin.path;
};
services.nginx.virtualHosts."warden.local.lava.moe" = {
forceSSL = true;
useACMEHost = "lava.moe";
locations."/".proxyPass = "http://[::1]:8002";
};
systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ dir ];
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = dir;
}

1
secrets.nix
View file

@ -9,6 +9,7 @@ in {
"secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ]; "secrets/wpa_conf.age".publicKeys = [ blossom caramel rin ];
"secrets/acme_dns.age".publicKeys = [ caramel rin ]; "secrets/acme_dns.age".publicKeys = [ caramel rin ];
"secrets/warden_admin.age".publicKeys = [ caramel rin ];
"secrets/wg_blossom.age".publicKeys = [ blossom rin ]; "secrets/wg_blossom.age".publicKeys = [ blossom rin ];
"secrets/wg_caramel.age".publicKeys = [ caramel rin ]; "secrets/wg_caramel.age".publicKeys = [ caramel rin ];
"secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ]; "secrets/wg_sugarcane.age".publicKeys = [ sugarcane rin ];

10
secrets/warden_admin.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 U9FXlg YL/xEUVIIOIeP2FRVxZhkCg/yaiX50S74HSMslKzoSw
SqzuQt4hd6ICDRlq+6Vqy0j/ZuNm3waCg7pUt9EqVD0
-> ssh-ed25519 krYeuQ IsFu0w7BFrTm5rAE6Ysxuievf3NiC60h/KkoUO51FUA
/BCYR/4qP+1449Kf2MY79sq0ahpjqI5fq7Sme2swU6U
-> V;-grease ^F.M
lxjBnTXUAhPceJGeXm985SzVP4D2PsxkUEv/kKSx+6LGCHUzYAggYXi8C2ahorkY
XrYNvorBDG0aezi2GSicmAf4pQkkrLcvZhsmU+/QOKzyAxMw7V0
--- jUlhN0y3o/J/jQlcN0um+lTQ3hZv2Ur0crxSsGeZ28c
ºDJ?…w䟆9%s5ÕzüÈ­k<C2AD>¢ÒõŒˆA3U"»V3Î[ŒinÊå<C38A>0÷¹Ù¿k”Óø°X„Íøôi°:­LÇÆo¹aDºé'$Oý<4F>54õ<>Þ² ˆÎ^UL±EQP¶Ïû/