From dbd399fb1a115d235be54570a9f0df9f3546d690 Mon Sep 17 00:00:00 2001 From: DerGrumpf Date: Sat, 11 Apr 2026 13:31:06 +0200 Subject: [PATCH] Added Vaultwarden; Not tested --- hosts/cyper-node-2/configuration.nix | 3 +- nixos/roles/vaultwarden.nix | 41 ++++++++++++++++++++++++++++ nixos/sops.nix | 13 ++++++++- secrets/secrets.yaml | 5 ++-- 4 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 nixos/roles/vaultwarden.nix diff --git a/hosts/cyper-node-2/configuration.nix b/hosts/cyper-node-2/configuration.nix index 0256e07..307ce61 100644 --- a/hosts/cyper-node-2/configuration.nix +++ b/hosts/cyper-node-2/configuration.nix @@ -1,8 +1,7 @@ { imports = [ ./hardware-configuration.nix - ../../nixos/roles/wyl.nix - ../../nixos/roles/unifi.nix + ../../nixos/roles/vaultwarden.nix ]; networking = { diff --git a/nixos/roles/vaultwarden.nix b/nixos/roles/vaultwarden.nix new file mode 100644 index 0000000..3cc881d --- /dev/null +++ b/nixos/roles/vaultwarden.nix @@ -0,0 +1,41 @@ +{ config, pkgs, ... }: + +let + address = config.systemd.network.networks."10-ethernet".networkConfig.Address; + ip = builtins.head (builtins.splitVersion address); # strips the /24 + port = 8222; +in +{ + services.vaultwarden = { + enable = true; + environmentFile = config.sops.templates.vaultwarden_env.path; + backupDir = "/var/lib/vaultwarden/backup"; + + config = { + DOMAIN = "http://${ip}:${toString port}"; + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = port; + ROCKET_LOG = "critical"; + SIGNUPS_ALLOWED = false; + WEBSOCKET_ENABLED = true; + }; + }; + + networking.firewall.allowedTCPPorts = [ port ]; + + systemd.services.vaultwarden-backup-rotate = { + description = "Rotate old Vaultwarden backups"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete"; + }; + }; + + systemd.timers.vaultwarden-backup-rotate = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + }; +} diff --git a/nixos/sops.nix b/nixos/sops.nix index 5ff6f32..64bff13 100644 --- a/nixos/sops.nix +++ b/nixos/sops.nix @@ -1,4 +1,4 @@ -{ primaryUser, ... }: +{ primaryUser, config, ... }: { sops = { defaultSopsFile = ../secrets/secrets.yaml; @@ -14,6 +14,17 @@ owner = "matrix-synapse"; group = "matrix-synapse"; }; + vaultwarden_admin_token = { + owner = "vaultwarden"; + group = "vaultwarden"; + }; + }; + templates.vaultwarden_env = { + content = '' + ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token} + ''; + owner = "vaultwarden"; + group = "vaultwarden"; }; }; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index b149bd0..c1cc1ce 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -3,6 +3,7 @@ OPENWEATHER_API_KEY: ENC[AES256_GCM,data:bcuLz70u40nZfNgPTaeNRXdR/zjx0SQjwMbMNNF grafana_secret_key: ENC[AES256_GCM,data:d6tu4kL7flfbdeOYk21zkSRmVe+NvVwd14jgr9Ds0adfgYetN852G25Z8/g=,iv:uWuwGBZVK1syhEfO9nLZUWwa801759tNJx+Pmnz3xeg=,tag:X6/NcdGZHAdIlOwxNPo/Ew==,type:str] matrix_macaroon_secret: ENC[AES256_GCM,data:a9nMar+p+FXIsxxSqO/to2OJOvD1erfwLwwBeKOcWBu7xykHxqD+pCmrGhg=,iv:rp4ZDVIlZ7SN1RFHB2CfSV5ISPMl9pC4U8Jgqpz48Qs=,tag:LxmWUZE3mG4acagQmlieag==,type:str] matrix_registration_secret: ENC[AES256_GCM,data:KhKkJZqwE8xk4/tuQ7NYTv/Ot1qCAiy8yUbDyVvRa0H5BT4amCBIdATfR4Q=,iv:HBN+GorT1VpWCVkDugk4UxYLEYKJIoDZh2d+oUDLc8g=,tag:hHus458yVnH0qaQ4u37IZg==,type:str] +vaultwarden_admin_token: ENC[AES256_GCM,data:Q5lrwi9Sjy9938yDm8vaml4bf7CrIGK27BSeBG1A42c20OF0l6dF2VGsHVkanEol6Z5gpcVRalkeRLCwGQ8fn3jfqDjJERDXCXn0em0pfsSR+0JYPgPZxxORj0D03QmqvGAraM0Yu6btWvJs0i4+JqQZrq/u0Cvqqj7LTy2twcSCe5RJ39g=,iv:HgRZHkovWuL2TBJ87YI7c8jMoJ4663+f4CaacfmrtYc=,tag:d2fM4Ya0s7SG9u5U0wQ2CA==,type:str] ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str] ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str] sops: @@ -16,7 +17,7 @@ sops: N3I5dzUwc3JtYzczMUhyT04vSHlZamMKT+FzYcDLmlEFYxm/XoBpJb8XaZzBH1v9 6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-04-10T23:41:09Z" - mac: ENC[AES256_GCM,data:fmuWldQQtFdifhnWzoopi34flCEgPIk9QUB5KeSj0AAhFPMkSNmnL7lpgrCotvti4TUqn/mbpzxa0yVUWdWv7Ti9dPQ8P8PM6cnyqLHFd57wrVURkEo8hgaigEj+QTn3Jz2Yl5IA97V/OJkhIBEL45GCNi1RMWIAA/xrSla7bcE=,iv:sKlziFvnY0dKa6mKHtUFqSWwV0id970StiTk+nua8jk=,tag:vC7HktIcoCfQ2+0sfUtutQ==,type:str] + lastmodified: "2026-04-11T11:21:08Z" + mac: ENC[AES256_GCM,data:Ez6u8PzHILp2bZ4ksarA3KZhtbSPTFVkBDJ4HSl2O38dMn/hX/KhQoJnZzGnSRXT1S+FieMoRJOIElbHPkz4owgBhIOo4xyC8A1a9cmfEtsa2GOOhNauXjlalneZbN8miVBj7QIVUe77DYuDJS5NMelxqVZOlnX3Kkntc5jqzJE=,iv:B3aQi8Z2dUDVsU4q/upsZabcQiy+2WbgFA8fiXfoaWY=,tag:N06t/DLpQsc4upWAfTmH9w==,type:str] unencrypted_suffix: _unencrypted version: 3.12.2