From 2918c6fd898282aab9297f2915de0191cf451c66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 5 Jun 2025 13:30:03 +0200
Subject: [PATCH 1/5] Add vaultwarden service
---
 secrets.nix | 18 ++++++++++--
 services/authentik/default.nix | 18 ------------
 services/onlyoffice/default.nix | 1 -
 services/postgresql/default.nix | 27 ++++++++++++------
 .../postgresql/secrets/vaultwardenDBPass.age | 12 ++++++++
 services/vaultwarden/default.nix | 28 +++++++++++++++++++
 6 files changed, 74 insertions(+), 30 deletions(-)
 delete mode 100644 services/authentik/default.nix
 create mode 100644 services/postgresql/secrets/vaultwardenDBPass.age
 create mode 100644 services/vaultwarden/default.nix
diff --git a/secrets.nix b/secrets.nix
index 73b43a0..74913d4 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,8 +11,19 @@ let
 jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
 qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
 nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
+ vaultwarden = "";
- systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
+ systems = [
+ grafana
+ onlyoffice
+ postgresql
+ forgejo
+ nginx
+ jellyfin
+ qbittorrent-vpn
+ nixarr
+ vaultwarden
+ ];
 in {
 "secrets/initialPassword.age".publicKeys = users ++ systems;
@@ -33,6 +44,7 @@ in {
 "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+ "services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
 "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
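Review bot: `+ vaultwarden = "";` registers an empty recipient, and the secrets hunk later in this commit lists `vaultwarden` in the publicKeys of `services/vaultwarden/secrets/env-file.age`, so at this commit that secret cannot be encrypted to the host (I would expect age to reject an empty recipient string); the real key only arrives in PATCH 3/5, so either squash it in here or add the key before the secret that needs it. The widened `systems` list also adds `qbittorrent-vpn` and `nixarr`, which means those two hosts can now decrypt `secrets/initialPassword.age` through `users ++ systems` — a broader grant than the subject "Add vaultwarden service" suggests, and worth a sentence in the commit message. The `let` block and the attribute set continue outside the hunk.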
@@ -43,7 +55,9 @@ in {
 "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
-
+
+ "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+
 "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];
diff --git a/services/authentik/default.nix b/services/authentik/default.nix
deleted file mode 100644
index 5e92ecd..0000000
--- a/services/authentik/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- inputs,
- config,
- lib,
- authentik-nix,
- ...
-}: let
- cfg = config.services.vm_authentik;
-in {
- options.services.vm_authentik = {
- enable = lib.mkEnableOption "Enable minimal config";
- };
- config = lib.mkIf cfg.enable {
- networking = {
- firewall.allowedTCPPorts = [9000 9300 9443];
- };
- };
-}
diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix
index 9a0a2ac..72716f4 100644
--- a/services/onlyoffice/default.nix
+++ b/services/onlyoffice/default.nix
@@ -30,7 +30,6 @@ in {
 port = 8000;
 postgresName = "onlyoffice";
 postgresHost = "${cfg.pgsql_ip}";
- postgresUser = "onlyoffice";
 postgresPasswordFile = config.age.secrets.office-dbpass.path;
 jwtSecretFile = config.age.secrets.office-jwtpass.path;
 };
diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index c97a620..471ebe4 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -39,6 +39,10 @@ in {
 file = ./secrets/onlyofficeDBPass.age;
 owner = "postgres";
 };
+ vaultwardenDBPass = {
+ file = ./secrets/vaultwardenDBPass.age;
+ owner = "postgres";
+ };
 };
 services = {
 crowdsec = {
@@ -64,12 +68,13 @@ in {
 enableTCPIP = true;
 settings.port = 5432;
 authentication = "
- host nextcloud nextcloud 192.168.1.45/32 md5
- host gitea gitea 192.168.1.14/32 md5
- host authentik authentik 192.168.1.125/32 md5
- host grafana grafana 192.168.1.27/32 md5
- host netbox netbox 192.168.1.90/32 md5
- host onlyoffice onlyoffice 192.168.1.20/32 md5
+ host nextcloud nextcloud 192.168.1.45/32 md5
+ host gitea gitea 192.168.1.14/32 md5
+ host authentik authentik 192.168.1.125/32 md5
+ host grafana grafana 192.168.1.27/32 md5
+ host netbox netbox 192.168.1.90/32 md5
+ host onlyoffice onlyoffice 192.168.1.20/32 md5
+ host vaultwarden vaultwarden 192.168.1.22/32 md5
 ";
 initialScript = pkgs.writeText "init-sql-script" ''
 CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@@ -95,6 +100,10 @@ in {
 CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
 CREATE DATABASE onlyoffice;
 GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+
+ CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
+ CREATE DATABASE vaultwarden;
+ GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
 '';
 };
 };
@@ -106,7 +115,7 @@ in {
 authentikDBPass = config.age.secrets.authentikDBPass.path;
 grafanaDBPass = config.age.secrets.grafanaDBPass.path;
 netboxDBPass = config.age.secrets.netboxDBPass.path;
- onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+ vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
 in ''
 $PSQL -tA <<'EOF'
 DO $$
@@ -127,8 +136,8 @@ in {
 password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
 EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);
- password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+ password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
 END $$;
 EOF
 '';
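Review bot: In the `@@ -106,7 +115,7` and `@@ -127,8 +136,8` hunks the onlyoffice lines are replaced rather than extended, so after this commit the onlyoffice role's password is no longer set from `onlyofficeDBPass.age` even though the first hunk of this file still declares that secret; keep `onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;` next to the new binding and leave the two onlyoffice `password :=` / `EXECUTE format(...)` lines in place ahead of the vaultwarden ones. `initialScript` only runs when the data directory is first initialised, so if this cluster already exists (the six roles around it suggest so) the new `CREATE ROLE vaultwarden` / `CREATE DATABASE vaultwarden` block will never execute and the role has to be created by hand or through `services.postgresql.ensureUsers` / `ensureDatabases`. `CREATEDB` is copied from the neighbouring roles but vaultwarden only needs `LOGIN` on its own database, and the new pg_hba entry keeps `md5` where `scram-sha-256` is the current recommendation — both are inherited patterns, but a new role is the cheap place to stop repeating them. The `host authentik authentik 192.168.1.125/32 md5` entry and the authentik role survive although this same commit deletes the authentik module; a database grant for a decommissioned host is best removed in the change that decommissions it.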
diff --git a/services/postgresql/secrets/vaultwardenDBPass.age b/services/postgresql/secrets/vaultwardenDBPass.age
new file mode 100644
index 0000000..cbe46eb
--- /dev/null
+++ b/services/postgresql/secrets/vaultwardenDBPass.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
+RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
+L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
+SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
+TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
+b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
+SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
+WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
+IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/vaultwarden/default.nix b/services/vaultwarden/default.nix
new file mode 100644
index 0000000..bf11dc1
--- /dev/null
+++ b/services/vaultwarden/default.nix
@@ -0,0 +1,28 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.services.vm_vaultwarden;
+in {
+ options.services.vm_vaultwarden = {
+ enable = lib.mkEnableOption "Enable minimal config";
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.env-file = {
+ file = ./secrets/env-file.age;
+ };
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = config.age.secrets.env-file.path;
+ config = {
+ DOMAIN = "https://vault.le43.eu";
+ SIGNUPS_ALLOWED = false;
+ IP_HEADER = "X-Forwarded-For";
+ };
+ };
+ };
+ };
+}
From 7c96801a458eab2e1686c389d34e54187a2e28cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 5 Jun 2025 14:00:37 +0200
Subject: [PATCH 2/5] Add vaultwarden config
---
 flake.nix | 20 +++++++++++++++++++-
 services/default.nix | 2 +-
 2 files changed, 20 insertions(+), 2 deletions(-)
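Review bot: `enable = lib.mkEnableOption "Enable minimal config";` in the new `services/vaultwarden/default.nix` yields the option description "Whether to enable Enable minimal config." because mkEnableOption already prepends "Whether to enable", and the text is copied verbatim from the authentik module this series deletes; a noun phrase such as `lib.mkEnableOption "the vaultwarden service for this LXC (postgresql backend behind the reverse proxy)"` reads correctly. The module also never says what `./secrets/env-file.age` must contain — `dbBackend = "postgresql"` is set but no database settings appear in `config`, so a one-line comment above `age.secrets.env-file` stating that the env file supplies `DATABASE_URL` (and with it the database credential) would spare the next maintainer a trip to the vaultwarden documentation. `SIGNUPS_ALLOWED = false` and `IP_HEADER = "X-Forwarded-For"` are sensible for a proxied instance; `IP_HEADER` is only sound while the listener is reachable solely from the proxy, which is worth stating in that same comment.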
diff --git a/flake.nix b/flake.nix
index 4d0b785..24c9114 100644
--- a/flake.nix
+++ b/flake.nix
@@ -149,7 +149,7 @@
 }
 ];
 };
- qbittorrent-vpn = nixpkgs.lib.nixosSystem {
+ qbittorrent-vpn = nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = {inherit inputs;};
 modules = [
@@ -218,6 +218,24 @@
 }
 ];
 };
+ vaultwarden = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {inherit inputs;};
+ modules = [
+ agenix.nixosModules.default
+ crowdsec.nixosModules.crowdsec-firewall-bouncer
+ "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+ "${inputs.self}/systems/minimalLXCConfig.nix"
+ "${inputs.self}/services"
+ "${inputs.self}/modules"
+ {
+ networking.hostName = "vaultwarden";
+ services.vm_vaultwarden = {
+ enable = true;
+ };
+ }
+ ];
+ };
 grafana-lxc = nixpkgs.lib.nixosSystem {
 inherit system;
 specialArgs = {inherit inputs;};
diff --git a/services/default.nix b/services/default.nix
index 2d5d21e..29c63c1 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -6,11 +6,11 @@
 ./jellyfin
 ./nextcloud
 ./grafana
- ./authentik
 ./postgresql
 ./onlyoffice
 ./collabora
 ./qbittorrent-vpn
 ./nixarr
+ ./vaultwarden
 ];
 }
From 5251de60626065a6622047c3bf8087d6b6106c31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 5 Jun 2025 14:02:34 +0200
Subject: [PATCH 3/5] Add vaultwarden config
---
 secrets.nix | 2 +-
 services/vaultwarden/secrets/env-file.age | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 services/vaultwarden/secrets/env-file.age
diff --git a/secrets.nix b/secrets.nix
index 74913d4..ed83bce 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,7 +11,7 @@ let
 jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
 qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
 nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
- vaultwarden = "";
+ vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOX6wvwwh9JZZiLfZJU7TXSKV+NRk+Qid5CAfhk5J6z5 root@vaultwarden";
 systems = [
 grafana
diff --git a/services/vaultwarden/secrets/env-file.age b/services/vaultwarden/secrets/env-file.age
new file mode 100644
index 0000000..e6ca032
--- /dev/null
+++ b/services/vaultwarden/secrets/env-file.age
@@ -0,0 +1 @@
+DATABASE_URL=postgresql://vaultwarden:Vaultwarden43Zer!@192.168.1.13/vaultwarden
From dc84347b885cd5f30798cb7320b5aac58e80ab8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 5 Jun 2025 14:34:30 +0200
Subject: [PATCH 4/5] Add crowdsec vaultwarden config
---
 secrets.nix | 1 +
 services/nginx/default.nix | 2 +-
 services/vaultwarden/default.nix | 30 +++++++++++++++++++++--
 services/vaultwarden/secrets/env-file.age | 14 ++++++++++-
 4 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/secrets.nix b/secrets.nix
index ed83bce..8889720 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -57,6 +57,7 @@ in {
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+ "secrets/vaultwarden-api-key.age".publicKeys = [tbarnouin vaultwarden];
 "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index b18158d..0b76e87 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
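Review bot: `services/vaultwarden/secrets/env-file.age` is committed here in clear text — its single added line is `DATABASE_URL=postgresql://vaultwarden:<password>@192.168.1.13/vaultwarden` with the real database password inline — and PATCH 4/5 swapping the file for an age-encrypted one does not undo that: the value stays in git history for anyone who can read the repository. The credential has to be rotated: generate a new password, re-encrypt both `services/postgresql/secrets/vaultwardenDBPass.age` and this env file with it (the `ALTER ROLE vaultwarden` statement added in PATCH 1/5 then applies it on the postgresql host's next activation), and treat the old value as compromised; rewriting history is optional once the branch has been pushed, rotation is not. A secret-scanning pre-commit hook that flags `postgresql://user:password@` URLs and un-armored files under a `secrets/` directory would have stopped this before it landed.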
@@ -192,7 +192,7 @@ in {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://192.168.1.125:8888";
+ proxyPass = "http://192.168.1.22:8000";
 recommendedProxySettings = true;
 };
 };
diff --git a/services/vaultwarden/default.nix b/services/vaultwarden/default.nix
index bf11dc1..1704e65 100644
--- a/services/vaultwarden/default.nix
+++ b/services/vaultwarden/default.nix
@@ -9,20 +9,46 @@ in {
 enable = lib.mkEnableOption "Enable minimal config";
 };
 config = lib.mkIf cfg.enable {
- age.secrets.env-file = {
- file = ./secrets/env-file.age;
+ age.secrets = {
+ vaultwarden-lapi-key = {
+ file = ../../secrets/vaultwarden-lapi-key.age;
+ owner = "crowdsec";
+ };
+ env-file = {
+ file = ./secrets/env-file.age;
+ };
 };
 services = {
+ crowdsec = {
+ hub.collections = [
+ "Dominic-Wagner/vaultwarden"
+ ];
+ settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}";
+ localConfig = {
+ acquisitions = [
+ {
+ source = "journalctl";
+ journalctl_filter = ["_SYSTEMD_UNIT=vaultwarden.service"];
+ labels = {
+ type = "syslog";
+ };
+ }
+ ];
+ };
+ };
 vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
 environmentFile = config.age.secrets.env-file.path;
 config = {
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = "8000";
 DOMAIN = "https://vault.le43.eu";
 SIGNUPS_ALLOWED = false;
 IP_HEADER = "X-Forwarded-For";
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [8000];
 };
 }
diff --git a/services/vaultwarden/secrets/env-file.age b/services/vaultwarden/secrets/env-file.age
index e6ca032..5d80d5d 100644
--- a/services/vaultwarden/secrets/env-file.age
+++ b/services/vaultwarden/secrets/env-file.age
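Review bot: `ROCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [8000]` exposes the plain-HTTP listener to every host that can reach this LXC, while `IP_HEADER = "X-Forwarded-For"` makes vaultwarden take the client address from that header — so anything that connects to port 8000 directly, bypassing nginx, can present an arbitrary source IP, which undermines the very bans the new `journalctl` acquisition and the `Dominic-Wagner/vaultwarden` collection exist to produce. Restrict the port to the reverse proxy instead of opening it globally: drop the `allowedTCPPorts` line and, with the iptables backend, use `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8000 -s <NGINX_HOST_IP> -j nixos-fw-accept";` (the nginx host's address is not on this page). In the nginx hunk the `virtualHosts` name lies outside the shown lines and the old target `192.168.1.125:8888` matches the authentik address in the postgresql pg_hba entry, so confirm this server block is the `vault.le43.eu` one that `DOMAIN` expects rather than a repurposed authentik vhost. `settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}"` wraps a value that is already a path in string interpolation; the bare `config.age.secrets.vaultwarden-lapi-key.path` is clearer.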
@@ -1 +1,13 @@
-DATABASE_URL=postgresql://vaultwarden:Vaultwarden43Zer!@192.168.1.13/vaultwarden
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhb2hF
+emtvdEdTWUI2UVRJeVBmejN0YWliR1lEbmoyeVpIOFVZdHFOVFdvCmtXOXE2WVZs
+TFkvUnhCZGY0UG14VE42SGxQQVpLQk9OblFtbWRQWWJuMzQKLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IFFsWmxnNXZzR0xUanpxTXRyeE9BWWpPcFlYYytpaUduK2lXYXQ4
+LzJSbTAKTHdLMGpsQ0t2eDhYSy9CaTlVWWo0SDB0SFE0dytLckZyYklxVlI4WE0w
+SQotPiBxLWdyZWFzZSBxKS8wRyBJCmZ4dnRmYzVPZ3c1TDNKdHptcTkzVEExZWw3
+dlF0MzJrS2pNeHRsUVRWakxhS3pVaDg2RSs5eFcwYWhlVmFsUkYKQm5ZeURKMXR6
+eEwzSGVmb1NwKzBDTEVZbk9oWHJuT0piQQotLS0gdWZ0dThlU2tMa3ZlTWJFaTdD
+bWc2cGlZVEJzV3h6ZWJBenVyVUdlRlNJOAqu2t8gss9xXx4P+8PIPJLzqLiU26Cc
+4MxIYDk6g7KQOGbchP4tvwpZPGD2Aafaa+lI12xw2wLB3/y0FAxmi0mX3c3u6RZL
+sFzBKE6Yr2CernqyEeTt/tD4h3xQ4dSbW+zNvajIQHHg4GFckbEdaDCk4A==
+-----END AGE ENCRYPTED FILE-----
From 0a7fca6f827381fa3618a1f9997691061050b34e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Thu, 5 Jun 2025 14:35:17 +0200
Subject: [PATCH 5/5] Add crowdsec vaultwarden config
---
 secrets.nix | 2 +-
 secrets/vaultwarden-lapi-key.age | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 secrets/vaultwarden-lapi-key.age
diff --git a/secrets.nix b/secrets.nix
index 8889720..186891a 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -57,7 +57,7 @@ in {
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
- "secrets/vaultwarden-api-key.age".publicKeys = [tbarnouin vaultwarden];
+ "secrets/vaultwarden-lapi-key.age".publicKeys = [tbarnouin vaultwarden];
 "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
diff --git a/secrets/vaultwarden-lapi-key.age b/secrets/vaultwarden-lapi-key.age
new file mode 100644
index 0000000..b98778a
--- /dev/null
+++ b/secrets/vaultwarden-lapi-key.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuSGdC
+bWRvUVJPMWZSbjdNekZ5bXE1cXNabFdaaEh1Q1cyNGExd2pZeVdBCjI5VXkwTnZq
+djk3bS85QzBCcE02UUlScmNmbkZJMGdkTllCMVYzQVJXNU0KLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IGpMTWQya2FHajZ3SURmWG5wd2o4azFLY0NSSGcvQTlubDd0M3Bh
+S0hWSGsKNEtXQkQyVUJwVU1LVUxDTTg4eUJ6TElhbzdOby9NMjdWZmtORTBqS3U3
+SQotPiBDUy9fKSdBUy1ncmVhc2UgLjxTXApZeHlqc2s2WDFhSjJwb3dzVDFVNk1t
+RkxGeGp1M1pwTkc2bm43SjlkWlpRSWQ4d3dZaWNycktDdFp3dE1ueWxZCk5LWE03
+RjBDZHpiMHZaQ25GeGRBCi0tLSBxRXg0VjhEcHYwLzJjdEhsWksrQUFhdkVlZFRB
+VmV3MTR4cTZ4SDFUM2FrCsGCZ0JU8HE1zUOZ4pPKG3Wy36uw0Z7pgvrMaAdAaoaN
+eqOiYnyIsrM3RI7RYeC44dyWpt4r4mDYqBfDWfWiuZhVduvRvpueLLNaW9yfTYUG
+V+NpJ2fytPOv1qqMPJfl9Wr2GcMxWCOTzjw1yvfPIMNMBsXyky+Cx5a6ojrL9RKn
+lpIpoZy6dkChoeL826XGgPqeQFNBaZ9eCVh1Eg==
+-----END AGE ENCRYPTED FILE-----