diff --git a/flake.lock b/flake.lock
index 4ea336d..f0f9fdc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -786,11 +786,11 @@
 "nixpkgs": "nixpkgs_7"
 },
 "locked": {
- "lastModified": 1732838483,
- "narHash": "sha256-I73ckA2YONWTK5teDyW4YauUVQLh8+wfakYYukfOc78=",
+ "lastModified": 1733046123,
+ "narHash": "sha256-nfi/zbiXgYRJ3RnO1GrypvKlUxqUsp1ORlTbgMgKNE4=",
 "ref": "main",
- "rev": "c3e89a8a6abdb33cbc2e79d9ef744810680ee11d",
- "revCount": 8,
+ "rev": "d0ffd1a57e5a2d91e5c689f0304c21f6fd5f519d",
+ "revCount": 12,
 "type": "git",
 "url": "https://git.acomputer.lol/adtya/recipes.nix"
 },
diff --git a/hosts/bifrost/services/apps/default.nix b/hosts/bifrost/services/apps/default.nix
index 16687c9..4958869 100644
--- a/hosts/bifrost/services/apps/default.nix
+++ b/hosts/bifrost/services/apps/default.nix
@@ -8,6 +8,7 @@ _: {
 ./ironyofprivacy.org.nix
 ./ntfy.nix
 ./proofs.nix
+ ./vaultwarden.nix
 ./wiki.nix
 ../../../shared/prometheus-exporters.nix
 ../../../shared/promtail.nix
diff --git a/hosts/bifrost/services/apps/vaultwarden.nix b/hosts/bifrost/services/apps/vaultwarden.nix
new file mode 100644
index 0000000..60c745c
--- /dev/null
+++ b/hosts/bifrost/services/apps/vaultwarden.nix
@@ -0,0 +1,7 @@
+_: {
+ services.caddy.virtualHosts."vault.acomputer.lol" = {
+ extraConfig = ''
+ reverse_proxy 10.10.10.13:8222
+ '';
+ };
+}
diff --git a/hosts/wynne/services/apps/default.nix b/hosts/wynne/services/apps/default.nix
index 242b767..aaf6e00 100644
--- a/hosts/wynne/services/apps/default.nix
+++ b/hosts/wynne/services/apps/default.nix
@@ -4,6 +4,7 @@ _: {
 ./forgejo.nix
 ./ntfy.nix
 ./postgresql.nix
+ ./vaultwarden.nix
 ../../../shared/prometheus-exporters.nix
 ../../../shared/promtail.nix
 ];
diff --git a/hosts/wynne/services/apps/forgejo.nix b/hosts/wynne/services/apps/forgejo.nix
index 05c73cc..e134054 100644
--- a/hosts/wynne/services/apps/forgejo.nix
+++ b/hosts/wynne/services/apps/forgejo.nix
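Review bot: The upstream in `reverse_proxy 10.10.10.13:8222` is a literal address and port, while the wynne side derives its bind address from `config.nodeconfig.facts.wireguard-ip` and sets `ROCKET_PORT = "8222"` separately, so the two halves of the deployment can drift apart without any evaluation error. If wynne's facts are reachable from the bifrost configuration, build the upstream from them; otherwise add a comment on the `reverse_proxy` line naming the source, e.g. `# wynne wireguard-ip:ROCKET_PORT, see hosts/wynne/services/apps/vaultwarden.nix`. The hop to the upstream is plain HTTP, which is presumably acceptable only because it rides the WireGuard tunnel; that assumption belongs in the same comment.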
@@ -75,7 +75,10 @@ in
 };
 };
 systemd.services = {
- forgejo.after = [ "wg-quick-Homelab.service" "postgresql.service" ];
+ forgejo = {
+ after = [ "wg-quick-Homelab.service" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+ };
 "gitea-runner-${utils.escapeSystemdPath "X86_64-runner"}".unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
 };
 }
diff --git a/hosts/wynne/services/apps/postgresql.nix b/hosts/wynne/services/apps/postgresql.nix
index b8c5b14..f5b7f07 100644
--- a/hosts/wynne/services/apps/postgresql.nix
+++ b/hosts/wynne/services/apps/postgresql.nix
@@ -15,12 +15,16 @@
 host all all ::1/128 trust
 host all all 10.10.10.0/24 trust
 '';
- ensureDatabases = [ "forgejo" ];
+ ensureDatabases = [ "forgejo" "vaultwarden" ];
 ensureUsers = [
 {
 name = "forgejo";
 ensureDBOwnership = true;
 }
+ {
+ name = "vaultwarden";
+ ensureDBOwnership = true;
+ }
 ];
 };
 };
diff --git a/hosts/wynne/services/apps/vaultwarden.nix b/hosts/wynne/services/apps/vaultwarden.nix
new file mode 100644
index 0000000..7c20c58
--- /dev/null
+++ b/hosts/wynne/services/apps/vaultwarden.nix
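Review bot: The added `wants` pulls in `postgresql.service` but not `wg-quick-Homelab.service`, which stays in `after` only; `After=` is pure ordering, so forgejo still starts without the tunnel whenever nothing else activates that unit. If forgejo binds or connects over the WireGuard address, add it as well, `wants = [ "wg-quick-Homelab.service" "postgresql.service" ];`, or use `bindsTo` if the service should stop with the tunnel; if the ordering-only relation is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. The same asymmetry is in the new `systemd.services.vaultwarden` block in hosts/wynne/services/apps/vaultwarden.nix, where it matters more because `ROCKET_ADDRESS` is the WireGuard IP and binding to an address that is not yet configured will presumably fail. The enclosing module starts outside the hunk (the `in` of a let binding is the hunk context).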
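Review bot: The new `vaultwarden` role is created with no credential, and the pg_hba context at the top of the hunk grants `trust` to `::1/128` and to all of `10.10.10.0/24`, so the database that will hold the password vault is reachable as its owner by any local process and by any peer on that subnet without authentication. The passwordless `DATABASE_URL` in hosts/wynne/services/apps/vaultwarden.nix (`postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable`) relies on exactly this loopback trust, which is not obvious from either file. At minimum record that dependency in a comment above `ensureUsers`; better, restrict the `10.10.10.0/24` entry to the database/role pairs that genuinely need network access so the new role is not exposed to the whole subnet by default.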
@@ -0,0 +1,32 @@
+{ config, ... }: {
+ sops.secrets = {
+ "vaultwarden/secrets" = {
+ mode = "400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ };
+ };
+
+ recipes.vaultwarden = {
+ enable = true;
+ databaseBackend = "postgresql";
+ config = {
+ ROCKET_ADDRESS = config.nodeconfig.facts.wireguard-ip;
+ ROCKET_PORT = "8222";
+ DOMAIN = "https://vault.acomputer.lol";
+ SIGNUPS_ALLOWED = "false";
+ DATABASE_URL = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
+ WEB_VAULT_ENABLED = "true";
+ SMTP_FROM = "vault@acomputer.lol";
+ SMTP_FROM_NAME = "Vaultwarden";
+ IP_HEADER = "X-Forwarded-For";
+ LOG_LEVEL = "warn";
+ };
+ environmentFiles = [ config.sops.secrets."vaultwarden/secrets".path ];
+ };
+ systemd.services.vaultwarden = {
+ after = [ "wg-quick-Homelab.service" "postgresql.service" ];
+ wants = [ "postgresql.service" ];
+ unitConfig.RequiresMountsFor = [ "/var/lib/private" ];
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index 4acc15c..c146921 100644
--- a/secrets.yaml
+++ b/secrets.yaml
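Review bot: `IP_HEADER = "X-Forwarded-For"` makes Vaultwarden take the client address from that header for its login rate limiting and for logging, but the service listens on `ROCKET_ADDRESS = config.nodeconfig.facts.wireguard-ip` rather than loopback, so any tunnel peer that reaches port 8222 directly instead of through the bifrost Caddy vhost can supply an arbitrary `X-Forwarded-For` and sidestep those limits. If the bifrost proxy is the only intended client, a firewall rule limiting 8222 to that peer plus a comment stating the assumption on the `IP_HEADER` line would close the gap. It would also help to note on `environmentFiles` that everything secret (presumably the SMTP credentials, since only `SMTP_FROM` is set here) must stay in the sops file, because the `config` attrset is likely rendered into the world-readable Nix store.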
@@ -22,6 +22,8 @@ forgejo:
 runner_registration_token_file: ENC[AES256_GCM,data:fHHAk5i3xjsTx7Zro1EOpbQaMCii0kksjTLgM+gXH2Gu2Mw+bCgKCKfeYccEQg==,iv:6jrQwEfqGDdbI/QCMvHcIEtZXtoDFT7OxVu80+oykCs=,tag:u3UClo6ca6ipBeQ/Am8yVA==,type:str]
 conduwuit:
 secrets: ENC[AES256_GCM,data:un4yAJoVLZxa4TcVs718HgOiDBZNRpU+Im4XlZYgPoofpMA5UgcsRoyOR3aubt8yzZKUnQpsUaJ4pmTPWoXwlbcRLFyyP8yK5KHBuN7bIIZhV0AivjktDLL4Rk8EVgrDEA==,iv:5f+Eh2aXBf2Mro12hozzMyZPsbsDyAttZYvdrdV6xsE=,tag:ylK3PtEIOhnXmoVhiTmS3w==,type:str]
+vaultwarden:
+ secrets: ENC[AES256_GCM,data:hKcB0KnJm/ml0cYsYzKtQACl78OK2f+jx8xexzsWeB3VfmPznxYK5Fa7VSn9sCHFfRlqK6Uwpgmh4uNK6otcd6h4edlHlY7eGxAUgTy1VL4qXi5aZLwLitzShXc7iyJdlY3q7ZBWm+fqVYvLHxEItkeYh8ge1PcvMlAg2RF10txJpv3I5vwCWmsXscTBQe/eYRISad92KiEK6MvvHKCwrMtZeGfBHdcOP9j7/VqAvg0Yc+6QLWUh2teFbVGMQ0brnBdcE03asxYxliDSeVpVCT9o16LQYTk3w6txKG8wCXhrGcEOyQVoxftjMoXRlRD5/PtIiu31yeHe8dHfDo8+6OKfIbGX4RRsFEFxoMI/19cwuEO1,iv:/FOqTBbuxreExUztNidjXaeSeybgba7J8Fnm99JJd88=,tag:p8u7p2ZmdcqcWD7MirU/Fg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -100,8 +102,8 @@ sops:
 Ynd0czBOK0NCdnZIQzNJZ3BqNndlSG8Kg9UUjMZ2p7xUhHLEL6SjSiVPw5JemYxh
 sdiuZVVxzEasXLXXk6tax6AD5fz5mXEhXB24Op5scF4+VTfSZ+g9Cg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-27T19:01:37Z"
- mac: ENC[AES256_GCM,data:x3UKZyjZbcVfFwX1D7HAfrMvqH7K21gp+aqz5XGHAXbk2QeaO2DzdW+nX4JHCZoypD8JctX2zvdcKGzN3k8C8umox9c0KMXceD13BZFY5CsnQab0fyj2pMUICydvr+yP8CPbHkeKcjbxFiqfhgRFQeUh6ACxjqOcoFLlWJqcfxE=,iv:p49ko9Z1RZcVuE9Cmbe9IhVB1wpA2j1PTbPIOR4aEus=,tag:oR+NuuKg/Y2w2q/NnRtgcQ==,type:str]
+ lastmodified: "2024-12-01T16:15:59Z"
+ mac: ENC[AES256_GCM,data:/fHhWwm4/5Qi181FmIRXPJU2XogoMOpzhqzltNAyTHDKIWYxGCDB7gZvCfNizWFxjqAvFBzoWa7XA/+VjXaaYARg/M2RrwQYnPuVE9V7NXEPjLuEeiYRfru4Vq8fZF9IFiSF+k3LXcZ+Tq7x7xqsFcHivAnYYECebWK6o9+dVVA=,iv:nrkF65Cj8cNytzt2SFiWUB6H0lxXdVt69Nwv5hFtLAo=,tag:55bnetcD4ofKsEgD0kfpfw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1