xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vaultwarden

Browse source
This commit is contained in:
xunuwu 2025-02-21 03:29:51 +01:00
parent 3da5ded7dd
commit 8496751e26
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
4 changed files with 66 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
home/profiles/programs/browsers/firefox/default.nix
View file

@ -41,7 +41,8 @@
istilldontcareaboutcookies istilldontcareaboutcookies
sidebery sidebery
mal-sync mal-sync
(lib.mkIf (builtins.elem pkgs.keepassxc config.home.packages) keepassxc-browser) bitwarden
# (lib.mkIf (builtins.elem pkgs.keepassxc config.home.packages) keepassxc-browser)
#(buildFirefoxXpiAddon rec { #(buildFirefoxXpiAddon rec {
# pname = "roseal"; # pname = "roseal";
# version = "1.3.44"; # version = "1.3.44";

36
sys/machines/hopper/lab/default.nix
View file

@ -136,6 +136,16 @@ in {
reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort} reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
''; '';
}; };
vw = {
useACMEHost = domain;
hostName = "vw.${domain}:${toString caddyPort}";
extraConfig = ''
reverse_proxy {
header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
to localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}
}
'';
};
other = { other = {
useACMEHost = domain; useACMEHost = domain;
hostName = ":${toString caddyPort}"; hostName = ":${toString caddyPort}";
@ -219,6 +229,12 @@ in {
icon = "prometheus"; icon = "prometheus";
}; };
} }
{
"vaultwarden" = {
href = "https://vw.${domain}";
icon = "vaultwarden";
};
}
]; ];
} }
]; ];
@ -364,6 +380,25 @@ in {
}; };
systemd.services.navidrome.serviceConfig.EnvironmentFile = config.sops.secrets.navidrome.path; systemd.services.navidrome.serviceConfig.EnvironmentFile = config.sops.secrets.navidrome.path;
systemd.services.vaultwarden = {
serviceConfig.EnvironmentFile = config.sops.secrets.vaultwarden-env.path;
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
};
# NOTE send doesnt work, probably due to my cloudflare port rewriting rules
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${domain}:${toString caddyPort}";
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 35381;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = false;
};
};
services.restic.backups.hopper = { services.restic.backups.hopper = {
initialize = true; initialize = true;
inhibitsSleep = true; inhibitsSleep = true;
@ -384,6 +419,7 @@ in {
"/var/lib/navidrome" "/var/lib/navidrome"
"/var/lib/jellyfin/data" "/var/lib/jellyfin/data"
"/var/lib/jellyfin/config" "/var/lib/jellyfin/config"
"/var/lib/bitwarden_rs"
"/media/library/music" "/media/library/music"
]; ];
exclude = [ exclude = [

4
sys/profiles/secrets/hopper/default.nix
View file

@ -25,5 +25,9 @@
format = "binary"; format = "binary";
sopsFile = ./restic-password; sopsFile = ./restic-password;
}; };
vaultwarden-env = {
format = "binary";
sopsFile = ./vaultwarden-env;
};
}; };
} }

24
sys/profiles/secrets/hopper/vaultwarden-env Normal file
View file

@ -0,0 +1,24 @@
{
"data": "ENC[AES256_GCM,data:MXWMfRtc6Im1Bs0AnOWLegE9Ld0jA3KyX5YSJ0+atOV6,iv:e9bOkz4Ml0Cwyppvwm7IZL6AmHE3r5SsJk2C9BLYGbk=,tag:Nm7F7i3rKs7JeT8w+NrAPg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIU0ljQkk3Y3N0WVVLRElD\nYmFpVHMwVU5jMWdsT0dBdlVLTFQ4OUI3cDF3ClNPZUJRb3cwRk5ub2lMZTlUa0k5\nN2xCZ1RKeGJPWnlRM3plMEdjY3JNeUUKLS0tIFoyVnpBQW1ESEUyS1U4aGlpM1hM\ndFl4ZVpFSlkwL3BPUmpjSnltUG00U28KYgimIR5pc7WQMCBDStL49ZhjR1lGnwUO\nWKJaSQtGggaTwSPg8xJ1YyZadqVZ7GD00LtW2UWMJqAvpgdKEEJsAw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa0pGalI3VHdsNlRpd0hM\nK090S0M5YmRvUkNCbWFibHBrY0grNFFzNDBzCjNYMDBBcjFMa29EZ1oyd1dodU1U\neDE5YUlXZDduRUZETDdyemRQRTJQdkEKLS0tIHRzTkE3RGRRVGZ3RE0xMFRnKzYz\nMUpzazVWUzR1akc0SEplTTM0TVlPSFEKpHDK/odhvqBu2DcTxcJwnGUwR7FsiyE6\nGdXimYyPi3wErwnQ6L5XG8x/8l3OHTuCHvvHd+l2cpKVE+dgfFrFDQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-02-21T00:05:37Z",
"mac": "ENC[AES256_GCM,data:573XYHkMRvztUh9OCt6l7sYzgicQyhQhftad2AZPtFR2vfkIiDcWKY8HQWkaqSzzy5m4qBCFnShy08iQLkTSZ+snga6aNExM7r1GZgDt1tKnRBgv1POykK0e43PCTxcbHSzm3Xnu68C96vIlvMN4FKOEcMYVNXA8OQqhXu+X6I0=,iv:nsisfOGyV4iAkMRQEEnV7EVSpqGBgQfE1DQgwuHIjMg=,tag:GpBBXcp71uK2SVsKLqgt7Q==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.9.4"
}
}