Add vaultwarden service

2025-06-05 13:30:03 +02:00 · 2025-06-05 13:30:03 +02:00 · 2918c6fd89
commit 2918c6fd89
parent 3e9dafde76
6 changed files with 74 additions and 30 deletions
--- a/secrets.nix
+++ b/secrets.nix
@ -11,8 +11,19 @@ let
  jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
  qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
  nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
+  vaultwarden = "";

-  systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
+  systems = [
+    grafana
+    onlyoffice
+    postgresql
+    forgejo
+    nginx
+    jellyfin
+    qbittorrent-vpn
+    nixarr
+    vaultwarden
+  ];
 in {
  "secrets/initialPassword.age".publicKeys = users ++ systems;

@ -33,6 +44,7 @@ in {
  "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
  "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];

  "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
@ -43,7 +55,9 @@ in {
  "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];

  "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
-  
+
+  "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+
  "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
  "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
  "secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];
--- a/services/authentik/default.nix
+++ b/services/authentik/default.nix
@ -1,18 +0,0 @@
-{
-  inputs,
-  config,
-  lib,
-  authentik-nix,
-  ...
-}: let
-  cfg = config.services.vm_authentik;
-in {
-  options.services.vm_authentik = {
-    enable = lib.mkEnableOption "Enable minimal config";
-  };
-  config = lib.mkIf cfg.enable {
-    networking = {
-      firewall.allowedTCPPorts = [9000 9300 9443];
-    };
-  };
-}
--- a/services/onlyoffice/default.nix
+++ b/services/onlyoffice/default.nix
@ -30,7 +30,6 @@ in {
        port = 8000;
        postgresName = "onlyoffice";
        postgresHost = "${cfg.pgsql_ip}";
-        postgresUser = "onlyoffice";
        postgresPasswordFile = config.age.secrets.office-dbpass.path;
        jwtSecretFile = config.age.secrets.office-jwtpass.path;
      };
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -39,6 +39,10 @@ in {
        file = ./secrets/onlyofficeDBPass.age;
        owner = "postgres";
      };
+      vaultwardenDBPass = {
+        file = ./secrets/vaultwardenDBPass.age;
+        owner = "postgres";
+      };
    };
    services = {
      crowdsec = {
@ -64,12 +68,13 @@ in {
        enableTCPIP = true;
        settings.port = 5432;
        authentication = "
-          host  nextcloud  nextcloud  192.168.1.45/32   md5
-          host  gitea      gitea      192.168.1.14/32   md5
-          host  authentik  authentik  192.168.1.125/32  md5
-          host  grafana    grafana    192.168.1.27/32   md5
-          host  netbox     netbox     192.168.1.90/32   md5
-          host  onlyoffice onlyoffice 192.168.1.20/32   md5
+          host  nextcloud   nextcloud   192.168.1.45/32   md5
+          host  gitea       gitea       192.168.1.14/32   md5
+          host  authentik   authentik   192.168.1.125/32  md5
+          host  grafana     grafana     192.168.1.27/32   md5
+          host  netbox      netbox      192.168.1.90/32   md5
+          host  onlyoffice  onlyoffice  192.168.1.20/32   md5
+          host  vaultwarden vaultwarden 192.168.1.22/32   md5
          ";
        initialScript = pkgs.writeText "init-sql-script" ''
          CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@ -95,6 +100,10 @@ in {
          CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
          CREATE DATABASE onlyoffice;
          GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+
+          CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
+          CREATE DATABASE vaultwarden;
+          GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
        '';
      };
    };
@ -106,7 +115,7 @@ in {
      authentikDBPass = config.age.secrets.authentikDBPass.path;
      grafanaDBPass = config.age.secrets.grafanaDBPass.path;
      netboxDBPass = config.age.secrets.netboxDBPass.path;
-      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+      vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
    in ''
      $PSQL -tA <<'EOF'
        DO $$
@ -127,8 +136,8 @@ in {
          password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
          EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);

-          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+          password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
        END $$;
      EOF
    '';
--- a/services/postgresql/secrets/vaultwardenDBPass.age
+++ b/services/postgresql/secrets/vaultwardenDBPass.age
@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
+RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
+L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
+SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
+TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
+b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
+SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
+WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
+IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
+-----END AGE ENCRYPTED FILE-----
--- a/services/vaultwarden/default.nix
+++ b/services/vaultwarden/default.nix
@ -0,0 +1,28 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.vm_vaultwarden;
+in {
+  options.services.vm_vaultwarden = {
+    enable = lib.mkEnableOption "Enable minimal config";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets.env-file = {
+      file = ./secrets/env-file.age;
+    };
+    services = {
+      vaultwarden = {
+        enable = true;
+        dbBackend = "postgresql";
+        environmentFile = config.age.secrets.env-file.path;
+        config = {
+          DOMAIN = "https://vault.le43.eu";
+          SIGNUPS_ALLOWED = false;
+          IP_HEADER = "X-Forwarded-For";
+        };
+      };
+    };
+  };
+}