DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Migrated Psono Docker -> Vaultwarden Nix

Browse Source
This commit is contained in:
DerGrumpf
2026-04-11 14:18:08 +02:00
parent dbd399fb1a
commit 2abcef3df5
5 changed files with 53 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/roles/matrix.nix
View File

@@ -10,6 +10,14 @@ in
8080 8080
]; ];
sops.secrets = {
matrix_macaroon_secret = { };
matrix_registration_secret = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
};
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;

5
nixos/roles/monitoring.nix
View File

@@ -5,6 +5,11 @@ let
); );
in in
{ {
sops.secrets.grafana_secret_key = {
owner = "grafana";
group = "grafana";
};
services = { services = {
grafana = { grafana = {
enable = true; enable = true;

41
nixos/roles/vaultwarden.nix
View File

@@ -1,26 +1,37 @@
{ config, pkgs, ... }: {
config,
pkgs,
lib,
...
}:
let let
address = config.systemd.network.networks."10-ethernet".networkConfig.Address; address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
ip = builtins.head (builtins.splitVersion address); # strips the /24 ip = builtins.elemAt (lib.splitString "/" address) 0;
port = 8222; port = 8222;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
environmentFile = config.sops.templates.vaultwarden_env.path; environmentFile = config.sops.secrets.vaultwarden_admin_token.path;
backupDir = "/var/lib/vaultwarden/backup"; backupDir = "/var/local/vaultwarden/backup";
config = { config = {
DOMAIN = "http://${ip}:${toString port}"; DOMAIN = "http://${ip}:${toString port}";
ROCKET_ADDRESS = "0.0.0.0"; ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port; ROCKET_PORT = port;
ROCKET_LOG = "critical"; ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = true;
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
}; };
}; };
sops.secrets.vaultwarden_admin_token = {
owner = "vaultwarden";
group = "vaultwarden";
};
networking.firewall.allowedTCPPorts = [ port ]; networking.firewall.allowedTCPPorts = [ port ];
systemd.services.vaultwarden-backup-rotate = { systemd.services.vaultwarden-backup-rotate = {
@@ -38,4 +49,24 @@ in
Persistent = true; Persistent = true;
}; };
}; };
# TODO: Remove for proper TLS Setup
systemd.services.vaultwarden-gen-cert = {
description = "Generate self-signed cert for Vaultwarden";
before = [ "vaultwarden.service" ];
wantedBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/vaultwarden/ssl
if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /var/lib/vaultwarden/ssl/key.pem \
-out /var/lib/vaultwarden/ssl/cert.pem \
-days 3650 \
-subj "/CN=${ip}" \
-addext "subjectAltName=IP:${ip}"
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
fi
'';
};
} }

24
nixos/sops.nix
View File

@@ -1,30 +1,8 @@
{ primaryUser, config, ... }: { primaryUser, ... }:
{ {
sops = { sops = {
defaultSopsFile = ../secrets/secrets.yaml; defaultSopsFile = ../secrets/secrets.yaml;
defaultSopsFormat = "yaml"; defaultSopsFormat = "yaml";
age.keyFile = "/home/${primaryUser}/.config/nix/secrets/keys.txt"; age.keyFile = "/home/${primaryUser}/.config/nix/secrets/keys.txt";
secrets = {
grafana_secret_key = {
owner = "grafana";
group = "grafana";
};
matrix_macaroon_secret = { };
matrix_registration_secret = {
owner = "matrix-synapse";
group = "matrix-synapse";
};
vaultwarden_admin_token = {
owner = "vaultwarden";
group = "vaultwarden";
};
};
templates.vaultwarden_env = {
content = ''
ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token}
'';
owner = "vaultwarden";
group = "vaultwarden";
};
}; };
} }

6
secrets/secrets.yaml
View File

@@ -3,7 +3,7 @@ OPENWEATHER_API_KEY: ENC[AES256_GCM,data:bcuLz70u40nZfNgPTaeNRXdR/zjx0SQjwMbMNNF
grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str] grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str]
matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str] matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str]
matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str] matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str]
vaultwarden_admin_token: ENC[AES256_GCM,data:Q5lrwi9Sjy9938yDm8vaml4bf7CrIGK27BSeBG1A42c20OF0l6dF2VGsHVkanEol6Z5gpcVRalkeRLCwGQ8fn3jfqDjJERDXCXn0em0pfsSR+0JYPgPZxxORj0D03QmqvGAraM0Yu6btWvJs0i4+JqQZrq/u0Cvqqj7LTy2twcSCe5RJ39g=,iv:HgRZHkovWuL2TBJ87YI7c8jMoJ4663+f4CaacfmrtYc=,tag:d2fM4Ya0s7SG9u5U0wQ2CA==,type:str] vaultwarden_admin_token: ENC[AES256_GCM,data:yoBs4CaIEJXB5b3PEwTpXFgxpX39hR9A4r9yamwDV7cTSRRp3n3O2VjDKTcI5Vo6RP2QUjcqUqYf98cZ09wDMc+6+oHHJke7+O0FgRgOC0vOQFs4bfZCBJBLxogrGiwtLGkyykR6VYhrT64AN3CbrXflj82OED2Hl8WwEdruBzGIcfnh6FqQowDx6vDR/kXXJHk=,iv:PJQo5V7FaKPQ+GzZNsy3KB+xyjcDKJ1UBHErrqgn/1U=,tag:BRIDJEDOAeToqio/DHMQaA==,type:str]
ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str] ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str] ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
sops: sops:
@@ -17,7 +17,7 @@ sops:
N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9
6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-11T11:21:08Z" lastmodified: "2026-04-11T11:56:39Z"
mac: ENC[AES256_GCM,data:Ez6u8PzHILp2bZ4ksarA3KZhtbSPTFVkBDJ4HSl2O38dMn/hX/KhQoJnZzGnSRXT1S+FieMoRJOIElbHPkz4owgBhIOo4xyC8A1a9cmfEtsa2GOOhNauXjlalneZbN8miVBj7QIVUe77DYuDJS5NMelxqVZOlnX3Kkntc5jqzJE=,iv:B3aQi8Z2dUDVsU4q/upsZabcQiy+2WbgFA8fiXfoaWY=,tag:N06t/DLpQsc4upWAfTmH9w==,type:str] mac: ENC[AES256_GCM,data:PvlzNkTrXA61gXToaB1VhTRE3fP8jWJrCb5Fmk2dpFOv48WB4vO5nUwQM/XnDvk9A3j3HRuCnIOtEs5Fs5N3lrEFh51PBgUBHPGh+vJIumqbemsxc//oEF4e/FrqUpouW0i6P82ZHKs4qAMT9qG53+2m9/wc2pp8IWlQC9Gkg8o=,iv:zAzOdxiwgnKI8yYxTXzXzbDm2fZYEzmXkAjpJXAD0lY=,tag:/p7YAx+FmKVuFOLNbYzBZA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2