Add crowdsec vaultwarden config

Add vaultwarden config
2025-06-05 14:35:17 +02:00 · 2025-06-05 14:34:30 +02:00 · 2025-06-05 14:02:34 +02:00 · 2025-06-05 14:00:37 +02:00 · 2025-06-05 13:30:03 +02:00
11 changed files with 149 additions and 33 deletions
--- a/flake.nix
+++ b/flake.nix
@ -149,7 +149,7 @@
          }
        ];
      };
-    qbittorrent-vpn = nixpkgs.lib.nixosSystem {
+      qbittorrent-vpn = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = {inherit inputs;};
        modules = [
@ -218,6 +218,24 @@
          }
        ];
      };
+      vaultwarden = nixpkgs.lib.nixosSystem {
+        inherit system;
+        specialArgs = {inherit inputs;};
+        modules = [
+          agenix.nixosModules.default
+          crowdsec.nixosModules.crowdsec-firewall-bouncer
+          "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix"
+          "${inputs.self}/systems/minimalLXCConfig.nix"
+          "${inputs.self}/services"
+          "${inputs.self}/modules"
+          {
+            networking.hostName = "vaultwarden";
+            services.vm_vaultwarden = {
+              enable = true;
+            };
+          }
+        ];
+      };
      grafana-lxc = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs = {inherit inputs;};
--- a/secrets.nix
+++ b/secrets.nix
@ -11,8 +11,19 @@ let
  jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
  qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
  nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
+  vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOX6wvwwh9JZZiLfZJU7TXSKV+NRk+Qid5CAfhk5J6z5 root@vaultwarden";

-  systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
+  systems = [
+    grafana
+    onlyoffice
+    postgresql
+    forgejo
+    nginx
+    jellyfin
+    qbittorrent-vpn
+    nixarr
+    vaultwarden
+  ];
 in {
  "secrets/initialPassword.age".publicKeys = users ++ systems;

@ -33,6 +44,7 @@ in {
  "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
  "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+  "services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
  "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];

  "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
@ -43,7 +55,10 @@ in {
  "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];

  "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
-  
+
+  "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+  "secrets/vaultwarden-lapi-key.age".publicKeys = [tbarnouin vaultwarden];
+
  "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
  "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
  "secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];
--- a/secrets/vaultwarden-lapi-key.age
+++ b/secrets/vaultwarden-lapi-key.age
@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBuSGdC
+bWRvUVJPMWZSbjdNekZ5bXE1cXNabFdaaEh1Q1cyNGExd2pZeVdBCjI5VXkwTnZq
+djk3bS85QzBCcE02UUlScmNmbkZJMGdkTllCMVYzQVJXNU0KLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IGpMTWQya2FHajZ3SURmWG5wd2o4azFLY0NSSGcvQTlubDd0M3Bh
+S0hWSGsKNEtXQkQyVUJwVU1LVUxDTTg4eUJ6TElhbzdOby9NMjdWZmtORTBqS3U3
+SQotPiBDUy9fKSdBUy1ncmVhc2UgLjxTXApZeHlqc2s2WDFhSjJwb3dzVDFVNk1t
+RkxGeGp1M1pwTkc2bm43SjlkWlpRSWQ4d3dZaWNycktDdFp3dE1ueWxZCk5LWE03
+RjBDZHpiMHZaQ25GeGRBCi0tLSBxRXg0VjhEcHYwLzJjdEhsWksrQUFhdkVlZFRB
+VmV3MTR4cTZ4SDFUM2FrCsGCZ0JU8HE1zUOZ4pPKG3Wy36uw0Z7pgvrMaAdAaoaN
+eqOiYnyIsrM3RI7RYeC44dyWpt4r4mDYqBfDWfWiuZhVduvRvpueLLNaW9yfTYUG
+V+NpJ2fytPOv1qqMPJfl9Wr2GcMxWCOTzjw1yvfPIMNMBsXyky+Cx5a6ojrL9RKn
+lpIpoZy6dkChoeL826XGgPqeQFNBaZ9eCVh1Eg==
+-----END AGE ENCRYPTED FILE-----
--- a/services/authentik/default.nix
+++ b/services/authentik/default.nix
@ -1,18 +0,0 @@
-{
-  inputs,
-  config,
-  lib,
-  authentik-nix,
-  ...
-}: let
-  cfg = config.services.vm_authentik;
-in {
-  options.services.vm_authentik = {
-    enable = lib.mkEnableOption "Enable minimal config";
-  };
-  config = lib.mkIf cfg.enable {
-    networking = {
-      firewall.allowedTCPPorts = [9000 9300 9443];
-    };
-  };
-}
--- a/services/default.nix
+++ b/services/default.nix
@ -6,11 +6,11 @@
    ./jellyfin
    ./nextcloud
    ./grafana
-    ./authentik
    ./postgresql
    ./onlyoffice
    ./collabora
    ./qbittorrent-vpn
    ./nixarr
+    ./vaultwarden
  ];
 }
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@ -192,7 +192,7 @@ in {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
-              proxyPass = "http://192.168.1.125:8888";
+              proxyPass = "http://192.168.1.22:8000";
              recommendedProxySettings = true;
            };
          };
--- a/services/onlyoffice/default.nix
+++ b/services/onlyoffice/default.nix
@ -30,7 +30,6 @@ in {
        port = 8000;
        postgresName = "onlyoffice";
        postgresHost = "${cfg.pgsql_ip}";
-        postgresUser = "onlyoffice";
        postgresPasswordFile = config.age.secrets.office-dbpass.path;
        jwtSecretFile = config.age.secrets.office-jwtpass.path;
      };
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@ -39,6 +39,10 @@ in {
        file = ./secrets/onlyofficeDBPass.age;
        owner = "postgres";
      };
+      vaultwardenDBPass = {
+        file = ./secrets/vaultwardenDBPass.age;
+        owner = "postgres";
+      };
    };
    services = {
      crowdsec = {
@ -64,12 +68,13 @@ in {
        enableTCPIP = true;
        settings.port = 5432;
        authentication = "
-          host  nextcloud  nextcloud  192.168.1.45/32   md5
-          host  gitea      gitea      192.168.1.14/32   md5
-          host  authentik  authentik  192.168.1.125/32  md5
-          host  grafana    grafana    192.168.1.27/32   md5
-          host  netbox     netbox     192.168.1.90/32   md5
-          host  onlyoffice onlyoffice 192.168.1.20/32   md5
+          host  nextcloud   nextcloud   192.168.1.45/32   md5
+          host  gitea       gitea       192.168.1.14/32   md5
+          host  authentik   authentik   192.168.1.125/32  md5
+          host  grafana     grafana     192.168.1.27/32   md5
+          host  netbox      netbox      192.168.1.90/32   md5
+          host  onlyoffice  onlyoffice  192.168.1.20/32   md5
+          host  vaultwarden vaultwarden 192.168.1.22/32   md5
          ";
        initialScript = pkgs.writeText "init-sql-script" ''
          CREATE ROLE nextcloud WITH LOGIN CREATEDB;
@ -95,6 +100,10 @@ in {
          CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
          CREATE DATABASE onlyoffice;
          GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+
+          CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
+          CREATE DATABASE vaultwarden;
+          GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
        '';
      };
    };
@ -106,7 +115,7 @@ in {
      authentikDBPass = config.age.secrets.authentikDBPass.path;
      grafanaDBPass = config.age.secrets.grafanaDBPass.path;
      netboxDBPass = config.age.secrets.netboxDBPass.path;
-      onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+      vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
    in ''
      $PSQL -tA <<'EOF'
        DO $$
@ -127,8 +136,8 @@ in {
          password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
          EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);

-          password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
-          EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+          password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
+          EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
        END $$;
      EOF
    '';
--- a/services/postgresql/secrets/vaultwardenDBPass.age
+++ b/services/postgresql/secrets/vaultwardenDBPass.age
@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
+RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
+L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
+SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
+TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
+b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
+SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
+WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
+IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
+-----END AGE ENCRYPTED FILE-----
--- a/services/vaultwarden/default.nix
+++ b/services/vaultwarden/default.nix
@ -0,0 +1,54 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.services.vm_vaultwarden;
+in {
+  options.services.vm_vaultwarden = {
+    enable = lib.mkEnableOption "Enable minimal config";
+  };
+  config = lib.mkIf cfg.enable {
+    age.secrets = {
+      vaultwarden-lapi-key = {
+        file = ../../secrets/vaultwarden-lapi-key.age;
+        owner = "crowdsec";
+      };
+      env-file = {
+        file = ./secrets/env-file.age;
+      };
+    };
+    services = {
+      crowdsec = {
+        hub.collections = [
+          "Dominic-Wagner/vaultwarden"
+        ];
+        settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}";
+        localConfig = {
+          acquisitions = [
+            {
+              source = "journalctl";
+              journalctl_filter = ["_SYSTEMD_UNIT=vaultwarden.service"];
+              labels = {
+                type = "syslog";
+              };
+            }
+          ];
+        };
+      };
+      vaultwarden = {
+        enable = true;
+        dbBackend = "postgresql";
+        environmentFile = config.age.secrets.env-file.path;
+        config = {
+          ROCKET_ADDRESS = "0.0.0.0";
+          ROCKET_PORT = "8000";
+          DOMAIN = "https://vault.le43.eu";
+          SIGNUPS_ALLOWED = false;
+          IP_HEADER = "X-Forwarded-For";
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [8000];
+  };
+}
--- a/services/vaultwarden/secrets/env-file.age
+++ b/services/vaultwarden/secrets/env-file.age
@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhb2hF
+emtvdEdTWUI2UVRJeVBmejN0YWliR1lEbmoyeVpIOFVZdHFOVFdvCmtXOXE2WVZs
+TFkvUnhCZGY0UG14VE42SGxQQVpLQk9OblFtbWRQWWJuMzQKLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IFFsWmxnNXZzR0xUanpxTXRyeE9BWWpPcFlYYytpaUduK2lXYXQ4
+LzJSbTAKTHdLMGpsQ0t2eDhYSy9CaTlVWWo0SDB0SFE0dytLckZyYklxVlI4WE0w
+SQotPiBxLWdyZWFzZSBxKS8wRyBJCmZ4dnRmYzVPZ3c1TDNKdHptcTkzVEExZWw3
+dlF0MzJrS2pNeHRsUVRWakxhS3pVaDg2RSs5eFcwYWhlVmFsUkYKQm5ZeURKMXR6
+eEwzSGVmb1NwKzBDTEVZbk9oWHJuT0piQQotLS0gdWZ0dThlU2tMa3ZlTWJFaTdD
+bWc2cGlZVEJzV3h6ZWJBenVyVUdlRlNJOAqu2t8gss9xXx4P+8PIPJLzqLiU26Cc
+4MxIYDk6g7KQOGbchP4tvwpZPGD2Aafaa+lI12xw2wLB3/y0FAxmi0mX3c3u6RZL
+sFzBKE6Yr2CernqyEeTt/tD4h3xQ4dSbW+zNvajIQHHg4GFckbEdaDCk4A==
+-----END AGE ENCRYPTED FILE-----
Author	SHA1	Message	Date
Théo Barnouin	0a7fca6f82	Add crowdsec vaultwarden config Some checks are pending / Build Nix targets (push) Waiting to run Details	2025-06-05 14:35:17 +02:00
Théo Barnouin	dc84347b88	Add crowdsec vaultwarden config	2025-06-05 14:34:30 +02:00
Théo Barnouin	5251de6062	Add vaultwarden config	2025-06-05 14:02:34 +02:00
Théo Barnouin	7c96801a45	Add vaultwarden config	2025-06-05 14:00:37 +02:00
Théo Barnouin	2918c6fd89	Add vaultwarden service	2025-06-05 13:30:03 +02:00