Add crowdsec vaultwarden config

flake.nix

@@ -218,6 +218,24 @@
           }
         ];
       };
+      vaultwarden = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {inherit inputs;};
+        modules = [
+          agenix.nixosModules.default
+          crowdsec.nixosModules.crowdsec-firewall-bouncer
+          "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+          "${inputs.self}/systems/minimalLXCConfig.nix"
+          "${inputs.self}/services"
+          "${inputs.self}/modules"
+          {
+            networking.hostName = "vaultwarden";
+            services.vm_vaultwarden = {
+              enable = true;
+            };
+          }
+        ];
+      };
       grafana-lxc = nixpkgs.lib.nixosSystem {
         inherit system;
         specialArgs = {inherit inputs;};

secrets.nix

@@ -11,8 +11,19 @@ let
   jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
   qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
   nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
+  vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOX6wvwwh9JZZiLfZJU7TXSKV+NRk+Qid5CAfhk5J6z5 root@vaultwarden";
 
-  systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
+  systems = [
+    grafana
+    onlyoffice
+    postgresql
+    forgejo
+    nginx
+    jellyfin
+    qbittorrent-vpn
+    nixarr
+    vaultwarden
+  ];
 in {
   "secrets/initialPassword.age".publicKeys = users ++ systems;
 
@@ -33,6 +44,7 @@ in {
   "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
   "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
   "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 
   "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
@@ -44,6 +56,9 @@ in {
 
   "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 
+  "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+  "secrets/vaultwarden-lapi-key.age".publicKeys = [tbarnouin vaultwarden];
+
   "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
   "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
   "secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];

secrets/vaultwarden-lapi-key.age

@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuSGdC
+bWRvUVJPMWZSbjdNekZ5bXE1cXNabFdaaEh1Q1cyNGExd2pZeVdBCjI5VXkwTnZq
+djk3bS85QzBCcE02UUlScmNmbkZJMGdkTllCMVYzQVJXNU0KLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IGpMTWQya2FHajZ3SURmWG5wd2o4azFLY0NSSGcvQTlubDd0M3Bh
+S0hWSGsKNEtXQkQyVUJwVU1LVUxDTTg4eUJ6TElhbzdOby9NMjdWZmtORTBqS3U3
+SQotPiBDUy9fKSdBUy1ncmVhc2UgLjxTXApZeHlqc2s2WDFhSjJwb3dzVDFVNk1t
+RkxGeGp1M1pwTkc2bm43SjlkWlpRSWQ4d3dZaWNycktDdFp3dE1ueWxZCk5LWE03
+RjBDZHpiMHZaQ25GeGRBCi0tLSBxRXg0VjhEcHYwLzJjdEhsWksrQUFhdkVlZFRB
+VmV3MTR4cTZ4SDFUM2FrCsGCZ0JU8HE1zUOZ4pPKG3Wy36uw0Z7pgvrMaAdAaoaN
+eqOiYnyIsrM3RI7RYeC44dyWpt4r4mDYqBfDWfWiuZhVduvRvpueLLNaW9yfTYUG
+V+NpJ2fytPOv1qqMPJfl9Wr2GcMxWCOTzjw1yvfPIMNMBsXyky+Cx5a6ojrL9RKn
+lpIpoZy6dkChoeL826XGgPqeQFNBaZ9eCVh1Eg==
+-----END AGE ENCRYPTED FILE-----

services/authentik/default.nix

@@ -1,18 +0,0 @@
-{
-  inputs,
-  config,
-  lib,
-  authentik-nix,
-  ...
-}: let
-  cfg = config.services.vm_authentik;
-in {
-  options.services.vm_authentik = {
-    enable = lib.mkEnableOption "Enable minimal config";
-  };
-  config = lib.mkIf cfg.enable {
-    networking = {
-      firewall.allowedTCPPorts = [9000 9300 9443];
-    };
-  };
-}

services/default.nix

@@ -6,11 +6,11 @@
     ./jellyfin
     ./nextcloud
     ./grafana
-    ./authentik
     ./postgresql
     ./onlyoffice
     ./collabora
     ./qbittorrent-vpn
     ./nixarr
+    ./vaultwarden
   ];
 }

services/nginx/default.nix

@@ -192,7 +192,7 @@ in {
             forceSSL = true;
             enableACME = true;
             locations."/" = {
-              proxyPass = "http://192.168.1.125:8888";
+              proxyPass = "http://192.168.1.22:8000";
               recommendedProxySettings = true;
             };
           };

services/onlyoffice/default.nix

@@ -30,7 +30,6 @@ in {
         port = 8000;
         postgresName = "onlyoffice";
         postgresHost = "${cfg.pgsql_ip}";
-        postgresUser = "onlyoffice";
         postgresPasswordFile = config.age.secrets.office-dbpass.path;
         jwtSecretFile = config.age.secrets.office-jwtpass.path;
       };

services/postgresql/default.nix

@@ -39,6 +39,10 @@ in {
         file = ./secrets/onlyofficeDBPass.age;
         owner = "postgres";
       };
+      vaultwardenDBPass = {
+        file = ./secrets/vaultwardenDBPass.age;
+        owner = "postgres";
+      };
     };
     services = {
       crowdsec = {
@@ -70,6 +74,7 @@ in {
           host  grafana     grafana     192.168.1.27/32   md5
           host  netbox      netbox      192.168.1.90/32   md5
           host  onlyoffice  onlyoffice  192.168.1.20/32   md5
+          host  vaultwarden vaultwarden 192.168.1.22/32   md5
           ";
         initialScript = pkgs.writeText "init-sql-script" ''
           CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@@ -95,6 +100,10 @@ in {
           CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
           CREATE DATABASE onlyoffice;
           GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+
+          CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
+          CREATE DATABASE vaultwarden;
+          GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
         '';
       };
     };
@@ -106,7 +115,7 @@ in {
       authentikDBPass = config.age.secrets.authentikDBPass.path;
       grafanaDBPass = config.age.secrets.grafanaDBPass.path;
       netboxDBPass = config.age.secrets.netboxDBPass.path;
-      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+      vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
     in ''
       $PSQL -tA <<'EOF'
         DO $$
@@ -127,8 +136,8 @@ in {
           password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
           EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);
 
-          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
+          password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+          EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
         END $$;
       EOF
     '';

services/postgresql/secrets/vaultwardenDBPass.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
+RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
+L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
+SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
+TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
+b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
+SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
+WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
+IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
+-----END AGE ENCRYPTED FILE-----

services/vaultwarden/default.nix

@@ -0,0 +1,54 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.vm_vaultwarden;
+in {
+  options.services.vm_vaultwarden = {
+    enable = lib.mkEnableOption "Enable minimal config";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      vaultwarden-lapi-key = {
+        file = ../../secrets/vaultwarden-lapi-key.age;
+        owner = "crowdsec";
+      };
+      env-file = {
+        file = ./secrets/env-file.age;
+      };
+    };
+    services = {
+      crowdsec = {
+        hub.collections = [
+          "Dominic-Wagner/vaultwarden"
+        ];
+        settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}";
+        localConfig = {
+          acquisitions = [
+            {
+              source = "journalctl";
+              journalctl_filter = ["_SYSTEMD_UNIT=vaultwarden.service"];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
+      vaultwarden = {
+        enable = true;
+        dbBackend = "postgresql";
+        environmentFile = config.age.secrets.env-file.path;
+        config = {
+          ROCKET_ADDRESS = "0.0.0.0";
+          ROCKET_PORT = "8000";
+          DOMAIN = "https://vault.le43.eu";
+          SIGNUPS_ALLOWED = false;
+          IP_HEADER = "X-Forwarded-For";
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [8000];
+  };
+}

services/vaultwarden/secrets/env-file.age

@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhb2hF
+emtvdEdTWUI2UVRJeVBmejN0YWliR1lEbmoyeVpIOFVZdHFOVFdvCmtXOXE2WVZs
+TFkvUnhCZGY0UG14VE42SGxQQVpLQk9OblFtbWRQWWJuMzQKLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IFFsWmxnNXZzR0xUanpxTXRyeE9BWWpPcFlYYytpaUduK2lXYXQ4
+LzJSbTAKTHdLMGpsQ0t2eDhYSy9CaTlVWWo0SDB0SFE0dytLckZyYklxVlI4WE0w
+SQotPiBxLWdyZWFzZSBxKS8wRyBJCmZ4dnRmYzVPZ3c1TDNKdHptcTkzVEExZWw3
+dlF0MzJrS2pNeHRsUVRWakxhS3pVaDg2RSs5eFcwYWhlVmFsUkYKQm5ZeURKMXR6
+eEwzSGVmb1NwKzBDTEVZbk9oWHJuT0piQQotLS0gdWZ0dThlU2tMa3ZlTWJFaTdD
+bWc2cGlZVEJzV3h6ZWJBenVyVUdlRlNJOAqu2t8gss9xXx4P+8PIPJLzqLiU26Cc
+4MxIYDk6g7KQOGbchP4tvwpZPGD2Aafaa+lI12xw2wLB3/y0FAxmi0mX3c3u6RZL
+sFzBKE6Yr2CernqyEeTt/tD4h3xQ4dSbW+zNvajIQHHg4GFckbEdaDCk4A==
+-----END AGE ENCRYPTED FILE-----