tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add vaultwarden service

Browse source
This commit is contained in:
Théo Barnouin 2025-06-05 13:30:03 +02:00
parent 3e9dafde76
commit 2918c6fd89
6 changed files with 74 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

16
secrets.nix
View file

@ -11,8 +11,19 @@ let
jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
vaultwarden = "";
systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
systems = [
grafana
onlyoffice
postgresql
forgejo
nginx
jellyfin
qbittorrent-vpn
nixarr
vaultwarden
];
in {
"secrets/initialPassword.age".publicKeys = users ++ systems;
@ -33,6 +44,7 @@ in {
"services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
"services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
"services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
"services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
"secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
"services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
@ -44,6 +56,8 @@ in {
"secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
"services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
"services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
"services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
"secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];

18
services/authentik/default.nix
View file

@ -1,18 +0,0 @@
{
inputs,
config,
lib,
authentik-nix,
...
}: let
cfg = config.services.vm_authentik;
in {
options.services.vm_authentik = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
networking = {
firewall.allowedTCPPorts = [9000 9300 9443];
};
};
}

1
services/onlyoffice/default.nix
View file

@ -30,7 +30,6 @@ in {
port = 8000;
postgresName = "onlyoffice";
postgresHost = "${cfg.pgsql_ip}";
postgresUser = "onlyoffice";
postgresPasswordFile = config.age.secrets.office-dbpass.path;
jwtSecretFile = config.age.secrets.office-jwtpass.path;
};

27
services/postgresql/default.nix
View file

@ -39,6 +39,10 @@ in {
file = ./secrets/onlyofficeDBPass.age;
owner = "postgres";
};
vaultwardenDBPass = {
file = ./secrets/vaultwardenDBPass.age;
owner = "postgres";
};
};
services = {
crowdsec = {
@ -64,12 +68,13 @@ in {
enableTCPIP = true;
settings.port = 5432;
authentication = "
host nextcloud nextcloud 192.168.1.45/32 md5
host gitea gitea 192.168.1.14/32 md5
host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5
host netbox netbox 192.168.1.90/32 md5
host onlyoffice onlyoffice 192.168.1.20/32 md5
host nextcloud nextcloud 192.168.1.45/32 md5
host gitea gitea 192.168.1.14/32 md5
host authentik authentik 192.168.1.125/32 md5
host grafana grafana 192.168.1.27/32 md5
host netbox netbox 192.168.1.90/32 md5
host onlyoffice onlyoffice 192.168.1.20/32 md5
host vaultwarden vaultwarden 192.168.1.22/32 md5
";
initialScript = pkgs.writeText "init-sql-script" ''
CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@ -95,6 +100,10 @@ in {
CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
CREATE DATABASE onlyoffice;
GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
CREATE DATABASE vaultwarden;
GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
'';
};
};
@ -106,7 +115,7 @@ in {
authentikDBPass = config.age.secrets.authentikDBPass.path;
grafanaDBPass = config.age.secrets.grafanaDBPass.path;
netboxDBPass = config.age.secrets.netboxDBPass.path;
onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
in ''
$PSQL -tA <<'EOF'
DO $$
@ -127,8 +136,8 @@ in {
password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';

12
services/postgresql/secrets/vaultwardenDBPass.age Normal file
View file

@ -0,0 +1,12 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
-----END AGE ENCRYPTED FILE-----

28
services/vaultwarden/default.nix Normal file
View file

@ -0,0 +1,28 @@
{
lib,
config,
...
}: let
cfg = config.services.vm_vaultwarden;
in {
options.services.vm_vaultwarden = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
age.secrets.env-file = {
file = ./secrets/env-file.age;
};
services = {
vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.age.secrets.env-file.path;
config = {
DOMAIN = "https://vault.le43.eu";
SIGNUPS_ALLOWED = false;
IP_HEADER = "X-Forwarded-For";
};
};
};
};
}