From 331b403a74560840c3fa3a922558744a39cfcc8e Mon Sep 17 00:00:00 2001
From: Lyes Saadi
Date: Wed, 15 Oct 2025 04:18:07 +0200
Subject: [PATCH] Adding vaultwarden
---
hosts/zora/default.nix | 1 +
hosts/zora/reverse-proxy.nix | 6 +++++
modules/server/giovanni/default.nix | 35 +++++++++++++++++++++++++
secrets.nix | 1 +
secrets/zora/services/giovanni-env.age | Bin 0 -> 469 bytes
5 files changed, 43 insertions(+)
create mode 100644 modules/server/giovanni/default.nix
create mode 100644 secrets/zora/services/giovanni-env.age
diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index b7f4705..b1af5d7 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -16,6 +16,7 @@
 ../../modules/server
 ../../modules/server/link
 ../../modules/server/taf
+ ../../modules/server/giovanni
 # disko.nixosModules.disko
 agenix.nixosModules.default
diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix
index 1ad4360..1fd925e 100644
--- a/hosts/zora/reverse-proxy.nix
+++ b/hosts/zora/reverse-proxy.nix
@@ -19,6 +19,12 @@
 proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
 };
 };
+ "vault.lyes.eu" = {
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ proxyWebsockets = true;
+ };
+ };
 };
 };
 }
diff --git a/modules/server/giovanni/default.nix b/modules/server/giovanni/default.nix
new file mode 100644
index 0000000..2b6d646
--- /dev/null
+++ b/modules/server/giovanni/default.nix
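Review bot: The new `"vault.lyes.eu"` vhost in hosts/zora/reverse-proxy.nix declares only `locations."/"`; no `forceSSL`/`enableACME` appears in the hunk, and the neighbouring kanidm vhost's own TLS settings are outside it, so unless TLS is applied to every vhost elsewhere in the file the password-manager frontend would be served over plaintext HTTP while proxying to an unencrypted `http://localhost` backend. Add `forceSSL = true;` and `enableACME = true;` (or whatever the other vhosts use) to the new vhost. Vaultwarden also keys its failed-login rate limiting on the client address taken from an `X-Real-IP`-style header, so confirm the proxy forwards it (nginx `recommendedProxySettings`, if enabled at the top of the file, covers this); otherwise every attempt is attributed to the loopback address.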
@@ -0,0 +1,35 @@ +{ config, lib, ... }: + +{ + services.vaultwarden = { + enable = true; + dbBackend = "postgresql"; + + environmentFile = config.age.secrets.giovanni-env.path; + config = { + ROCKET_PORT = 44301; + SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; + }; + }; + + systemd.services.vaultwarden = { + path = [ "/run/wrappers" ]; + serviceConfig = { + NoNewPrivileges = lib.mkForce false; + PrivateUsers = lib.mkForce false; + SystemCallFilter = lib.mkForce [ "@system-service" ]; + RestrictAddressFamilies = [ + "AF_LOCAL" + "AF_NETLINK" + ]; + ReadWritePaths = [ "/var/spool/mail/" ]; + }; + }; + + age.secrets = { + giovanni-env = { + file = ../../../secrets/zora/services/giovanni-env.age; + }; + }; +} + diff --git a/secrets.nix b/secrets.nix index c0b2da1..0cb5945 100644 --- a/secrets.nix +++ b/secrets.nix @@ -13,4 +13,5 @@ in "secrets/zora/services/kanidm-admin-password.age".publicKeys = all; "secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all; "secrets/zora/services/taf-token.age".publicKeys = all; + "secrets/zora/services/giovanni-env.age".publicKeys = all; } diff --git a/secrets/zora/services/giovanni-env.age b/secrets/zora/services/giovanni-env.age new file mode 100644 index 0000000000000000000000000000000000000000..efb6b6d9ac7d7441d72185ceb3c3460395197efd GIT binary patch literal 469 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&nOKl2vkV7%q{mc z$aK$-D5&)CEzAnfE6~?2a5gP3C`@;;3^NWlk4VZk3ieNSb>s@JEH3fSOEXI@D-O*o zNGkG;vNTRk33higbqw{fh;XjT2{B61_tG{_OGdXX#H}#hGhM;U)U3k7+}zj5#HAuF zB)P(;z_B#kCpA0ME!@$?+{rOlyU^J$tI8+1DxIsuEh;}EGfUgtA}lJixGclZuUxyp zxhl#tw=kzXFxj-!Ak@e(-`lkUWSg$8LYS$OS&F%jd191lX+&~`d1j%Dp>JwNk+!yF zn0|P;XNkFKpqE*Sk$!$Q*Xz=?^}AZlM4v7!I(W>p-6LLQ=A#YVkH5WX+I6aZ$D8*d zvCh+2j;}wRWp%ZPZKu50q}M9OyY?P2ihOMlEOnOm>Zjk66U^c-e7bhTwuZ0MBJlga zC3`)L_?BlE^0&^=yY>EMczxChon(j2GS}p8DMeKCw}ynhO3m_}(H}bJxQ%B?_>ulI zx1Q}>@|a!riuw)t6(JiI8#R8&U0=~r(J6V&)PlkEv$fKl)iG1rTK+CRy{WY4=Meyd Cr@7t$ literal 0 HcmV?d00001
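Review bot: `services.vaultwarden.config` sets `ROCKET_PORT` but not `ROCKET_ADDRESS`; vaultwarden's default bind address is 0.0.0.0, so the plain-HTTP backend the reverse proxy reaches on localhost:44301 also listens on every interface and depends on a host firewall (not visible here) to stay off the network. Add `ROCKET_ADDRESS = "127.0.0.1";` next to `ROCKET_PORT`, and consider `DOMAIN = "https://vault.lyes.eu";`, which vaultwarden uses for generated links and for WebAuthn origin checks. The `serviceConfig` block force-disables `NoNewPrivileges` and `PrivateUsers` and replaces the upstream `SystemCallFilter`, presumably because the setuid `sendmail` wrapper cannot run under them; that is a deliberate weakening of the unit's hardening and deserves an inline comment such as `# sendmail wrapper is setuid: NoNewPrivileges/PrivateUsers would block it`. Pointing `SMTP_HOST`/`SMTP_PORT` at the local MTA instead of using `SENDMAIL_COMMAND` would let the upstream hardening stay in place.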