WIP: Add Vaultwarden service

pazpi 2024-11-29 16:11:55 +01:00
parent 87cd7000a1
commit 4891f0964a
4 changed files with 82 additions and 0 deletions


@ -2,5 +2,6 @@
imports = [ imports = [
./media-mgr.nix ./media-mgr.nix
./nextcloud.nix ./nextcloud.nix
./vaultwarden.nix
]; ];
} }


@ -0,0 +1,69 @@
{
lib,
config,
pkgs,
...
}:
let
cfg = config.my.services.vaultwarden;
user = config.users.users.vaultwarden.name;
group = config.users.groups.vaultwarden.name;
in
{
options.my.services.vaultwarden = {
enable = lib.mkEnableOption "Enable Vaultwarden module";
proxy = {
enable = lib.mkEnableOption "Set the proxy entry for this service";
domain = lib.mkOption {
default = "example.com";
type = lib.types.str;
description = ''
The domain where Caddy is reachable
'';
};
host = lib.mkOption {
default = "localhost";
type = lib.types.str;
description = ''
host name where the service is running
'';
};
};
};
config = lib.mkMerge [
(lib.mkIf cfg.enable {
age.secrets.vaultwarden-admin-pwd.file = ../../secrets/vaultwarden-admin-pwd.age;
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.age.secrets.vaultwarden-admin-pwd.path;
config = {
DOMAIN = "https://vault.${cfg.proxy.domain}";
SENDS_ALLOWED = true;
SIGNUPS_ALLOWED = false;
WEBSOCKET_ENABLED = true;
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = 8222;
};
};
})
(lib.mkIf cfg.proxy.enable {
services.caddy = with cfg.proxy; {
virtualHosts."vault.${domain}".extraConfig = ''
reverse_proxy http://${host}:80
import cloudflare
'';
};
})
];
}
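Review bot: `ROCKET_ADDRESS = "0.0.0.0"` makes Vaultwarden listen over plain HTTP on every interface at port 8222, so any host that can reach the machine can talk to the vault without going through Caddy's TLS; if the environment file sets an admin token, as the secret name suggests, the same holds for the admin page. The Caddy block also proxies to `http://${host}:80`, which does not match `ROCKET_PORT = 8222`, so the virtual host as written probably never reaches the service. If Caddy runs on the same machine, bind to loopback with `ROCKET_ADDRESS = "127.0.0.1";` and point the proxy at the real port, `reverse_proxy http://${host}:${toString config.services.vaultwarden.config.ROCKET_PORT}`. If the proxy is on another machine, keep the listener on the internal interface only and limit port 8222 in the firewall to the proxy's address, since that hop carries vault traffic unencrypted. The `pkgs`, `user` and `group` bindings are unused in this file and can be dropped until they are needed.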


@ -12,6 +12,7 @@ let
bazarr-apiKey = [ machines.metrics ]; bazarr-apiKey = [ machines.metrics ];
grafana-admin-pwd = [ machines.metrics ]; grafana-admin-pwd = [ machines.metrics ];
nextcloud-admin-pwd = [ machines.nextcloud ]; nextcloud-admin-pwd = [ machines.nextcloud ];
vaultwarden-admin-pwd = [ machines.vaultwarden ];
}; };
in in
builtins.listToAttrs ( builtins.listToAttrs (


@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 wVuNWQ sEhh9IloX2y//QoLoT4EMKku9xzZHIt4ZR27OEmd6n0
H5JKqRUVW0pPKQ9oNm3XMA8+pjmzHo/g98P4fuuyiB0
-> ssh-ed25519 Si3UKw cTVv8lCl6k184gC/oqnrfQ+C4y2zSDG+L8GfcUMjrSs
fgSgMm4Aeh3CI7MmpeHfioGklZ9MiprQFxSHB0hNyAw
-> ssh-ed25519 3UG3uw ZDGGoEGY8AtPuG6XXQlR5G0EsU/73tP/C+efcXVrrBg
ZLZeoDM6b/g0VWU4QmVaCTZMJPZpFHRrmgElN9EzP9c
-> ssh-ed25519 JEhtoQ Qq+Kq/I1Vm3zsfWHExSqdTaBIOGnKhiS1sRwCwLqoCI
hgeSSlvnT7/K1RPneCEqR8FB9U+WCpyBqmY1lX/HgLw
--- dc/R679QuFt0wd/73GC2DzQP3A+dOoRCokRB73GY9sc
~òFaBˆ;ÕFwÆå¹D³h(QŸ“¸×¿“âÆèľ¯¨@ÝʃÂòª;Eÿ1“ÒÇÃÚ°ÞpÇ €¼•=® h(Æ­}Æ·7†ñÿÓþBEé[—ï3ÅA<C385>¶S3iT³½ÿ¶x