diff --git a/config/services/vaultwarden.nix b/config/services/vaultwarden.nix
new file mode 100644
index 0000000..eefce6b
--- /dev/null
+++ b/config/services/vaultwarden.nix
@@ -0,0 +1,47 @@
+{ config, inputs, pkgs, ... }: {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+ sops.secrets."services/vaultwarden/environmentFile" = {
+ sopsFile = ../../secrets/services/vaultwarden.yaml;
+ owner = "vaultwarden";
+ };
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = config.sops.secrets."services/vaultwarden/environmentFile".path;
+ config = {
+ DATA_FOLDER = "/var/lib/vaultwarden";
+ DOMAIN = "staging.vault.kyouma.net";
+ DATABASE_MAX_CONNS = 15;
+ WEB_VAULT_ENABLED = true;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "::1";
+ WEBSOCKET_PORT = 3012;
+ SENDS_ALLOWED = true;
+ ORG_ATTACHMENT_LIMIT = 1048576;
+ USER_ATTACHMENT_LIMIT = 524288;
+ USER_SEND_LIMIT = 1048576;
+ INCOMPLETE_2FA_TIME_LIMIT = 5;
+ SIGNUPS_ALLOWED = true;
+ SIGNUPS_VERIFY = true;
+ INVITATION_ORG_NAME = "vault.kyouma.net";
+ PASSWORD_ITERATIONS = 1200000;
+ ICON_DOWNLOAD_TIMEOUT = 30;
+ SMTP_HOST = "mail.kyouma.net";
+ SMTP_FROM = "vault@kyouma.net";
+ SMTP_FROM_NAME = "vault.kyouma.net";
+ SMTP_USERNAME = "vault@kyouma.net";
+ SMTP_SECURITY = "starttls";
+ SMTP_PORT = 587;
+ ROCKET_ADDRESS = "unix:/run/vaultwarden/rocket.socket";
+ ROCKET_PORT = "";
+ };
+ };
+ kyouma.nginx.virtualHosts."staging.vault.kyouma.net" = {
+ locations."/" = {
+ proxyPass = "http://unix:/run/vaultwarden/rocket.socket";
+ proxyWebsockets = true;
+ };
+ };
+ security.acme.certs."staging.vault.kyouma.net" = {};
+}
diff --git a/secrets/services/vaultwarden.yaml b/secrets/services/vaultwarden.yaml
new file mode 100644
index 0000000..f0b796b
--- /dev/null
+++ b/secrets/services/vaultwarden.yaml
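Review bot: `DOMAIN = "staging.vault.kyouma.net";` is missing the scheme; vaultwarden expects the full origin, `DOMAIN = "https://staging.vault.kyouma.net";`, because it derives the origin used for emailed links and WebAuthn from this value, and current releases reject a scheme-less DOMAIN at config validation. Separately, `SIGNUPS_ALLOWED = true` leaves account registration open to anyone who can reach the public vhost; `SIGNUPS_VERIFY = true` only requires a deliverable mailbox, so if open registration is not intended for this staging host, set `SIGNUPS_ALLOWED = false;` (invite-only) or constrain it with `SIGNUPS_DOMAINS_WHITELIST`. The `WEBSOCKET_ENABLED`/`WEBSOCKET_ADDRESS`/`WEBSOCKET_PORT` lines presumably configure a separate notifications listener on `[::1]:3012`, yet the nginx block only proxies the rocket socket, so either `/notifications/hub` needs its own location or these are dead settings on a vaultwarden version that serves websockets on the main port — worth confirming against the packaged version.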
@@ -0,0 +1,34 @@
+services:
+ vaultwarden:
+ environmentFile: ENC[AES256_GCM,data:qCzqf1xSqKdVin18WMOkFatuL2TTpvOEl1gFQyjBHbVuauDl4IJZ6aL+APrk7ADH78CRx5SntD6hjrI6hWea/IQsvw9feTTZkp+pG5qVvLdgPdl61cnAaZCUNvvzxE2NTFOTPriNLSRxwT8We1meyNe4CAkkKsMMVFInNarY8ZxuEEIEkBr7VfhB/EHCj72FSv1kR2zTw15n9b0gNxFwBC0jkTKTfEBoQNVtU6gmFTfXSNi92cothuTQbPxsYtbALpC3Y/aAJBT6SGODuqEHZ+B+NfYemX6eRYX89pXy3Tb0r2frK2XbWLowq7IP/w0MTGOsMV+ytiAD03wa65qUlYMejkGYFX1Q,iv:F/NXvyegyvIApdYaITAgGZxLUl99yfMbN/WSUOEKDmg=,tag:1MXqbpwPqG3v9h0X57k6kQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYlRnYWU0V3dOdXNYVDNP
+ akh2T1dUa3VxVDFMQW8rWURWRUxLNXkwWDJRCloyUGlRbGZFY2owWldxblAvK1l2
+ S0UrODBFK1l0Rlp4VktlNGtONHFQWmcKLS0tICtYQkxQdlBMTGgwSGJIWHBpTWN2
+ Zzc0U3JJOGJDNTViNmpsM1RGYkRSYlEK5TwOYuhhtkD3S1gJGQWTDzr7z0MX9Lwx
+ lSMz7CYrJtVM+Ec+IBIMXopBOnrQWvOeBgEhN9KYfngLGNbUaJelFw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-03T13:05:08Z"
+ mac: ENC[AES256_GCM,data:xQtCP1lRVQvr3rY/Cb3eW7tAwUSge8yFMuYSzMRUzbaNz03dHU3lhp/FGFDa1aWvbxT9YdKr4rIY2sUlMAK5ltw5uiiOXo5RA0wiC80A9bRVudnxCpF0cvwzBUZyY4I5ydAKE+peKLf76GRVE9awkZLmCu/B+P/R9AuS0GEZxKA=,iv:G3HF5py8bTnbJZBSWDHPVY6yI/ZlDaTEG0XCq0t+ykY=,tag:bs95sOcYsLn1Pls8TpqzHw==,type:str]
+ pgp:
+ - created_at: "2024-05-03T12:00:19Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D1GtNSlou/HkSAQdA/lTtX2vY6hjiqZUniapNKZBVC7paxWONm33g8GyZgj4w
+ mAlvN+ydpKWy2MzMpJ30ZQVv9at9OzBJyUWYWC8BU3vhv9JTxua382lDhO1IvQdw
+ 0l4BZayJ3woOdhIfX6BUE2jZTTBSEpdHT0hs2EVIBZSFi9fHsFpmdTGS0xAqmhra
+ l8nuCAPCImuRYkOHm1LIKL/QT7rPy7pcj4dXWVq/u9zexEEA24kdPvF32GQaPIbf
+ =bUVv
+ -----END PGP MESSAGE-----
+ fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1