From 087a8a6220704301f1c6f56e8a16d6054cd6d65e Mon Sep 17 00:00:00 2001
From: ahtlon
Date: Thu, 18 Dec 2025 18:57:42 +0100
Subject: [PATCH] [Vaultwarden] outline
---
 machines/.sops.yaml | 7 +++
 machines/vaultwarden/configuration.nix | 60 ++++++++++++++++++++++++++
 machines/vaultwarden/secrets.yaml | 55 +++++++++++++++++++++++
 3 files changed, 122 insertions(+)
 create mode 100644 machines/vaultwarden/configuration.nix
 create mode 100644 machines/vaultwarden/secrets.yaml
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 7a4260d..5e5ef72 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -95,6 +95,13 @@ creation_rules:
           - *admin_kalipso_dsktp
         age:
           - *admin_atlan
+  - path_regex: vaultwarden/secrets.yaml$
+    key_groups:
+      - pgp:
+          - *admin_kalipso
+          - *admin_kalipso_dsktp
+        age:
+          - *admin_atlan
   - path_regex: .*/secrets/.*
     key_groups:
       - pgp:
diff --git a/machines/vaultwarden/configuration.nix b/machines/vaultwarden/configuration.nix
new file mode 100644
index 0000000..393b6ef
--- /dev/null
+++ b/machines/vaultwarden/configuration.nix
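Review bot: The new `vaultwarden/secrets.yaml$` rule lists only administrator recipients (`*admin_kalipso` and `*admin_kalipso_dsktp` under `pgp`, `*admin_atlan` under `age`), so unless `*admin_atlan` is in fact the vaultwarden host's key, sops-nix on that machine has nothing it can decrypt the file with at activation time. Add the host's age recipient (the one derived from its SSH host key) to this rule's `age:` list and run `sops updatekeys machines/vaultwarden/secrets.yaml` so the committed file's recipient set follows. The rule also appears to repeat the key set of the preceding rule (only its tail is visible here); a shared YAML anchor for that `key_groups` block would keep the two from drifting apart.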
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, inputs, ... }:
+
+with lib;
+
+{
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    vaultUser = {};
+    vaultPass = {};
+  };
+  networking = {
+    hostName = mkDefault "uptimekuma";
+    useDHCP = false;
+  };
+
+  imports = [
+    ../modules/malobeo_user.nix
+    ../modules/sshd.nix
+  ];
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."status.malobeo.org" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3001";
+        extraConfig = ''
+        '';
+      };
+
+    };
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "";
+    enviromentDile = sops.nochewas.file ;
+    config = {
+      DOMAIN = "keys.malobeo.org"; #maybe vault.malobeo.org
+      SIGNUPS_ALLOWED = true;
+      #WEBSERVER
+      ROCKET_ADDRESS = "::1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
+      #EMAIL
+      SMTP_HOST = "mail.systemli.org";
+      SMTP_PORT = 465;
+      SMTP_SECURITY = "force_tls";
+      SMTP_USERNAME = sops.smtpUser;
+      SMTP_PASSWORD = sops.smtpPass;
+
+      SMTP_FROM = "malobot@systemli.org";
+      SMTP_FROM_NAME = "Malobeo Vaultwarden Server";
+    };
+  };
+
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/machines/vaultwarden/secrets.yaml b/machines/vaultwarden/secrets.yaml
new file mode 100644
index 0000000..417196b
--- /dev/null
+++ b/machines/vaultwarden/secrets.yaml
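Review bot: The SMTP credentials are wired into `services.vaultwarden.config` as `sops.smtpUser` / `sops.smtpPass` and `enviromentDile = sops.nochewas.file ;`, which does not evaluate (there is no `sops` binding in this module's scope and the option is spelled `environmentFile`), and even once fixed to `config.sops.secrets.<name>.path` it would hand Vaultwarden a path where it expects a value, while any literal placed in `config` is rendered into a world-readable static environment file; note too that the `secrets.yaml` in this commit carries only `smtpUser`, whereas `sops.secrets` declares `vaultUser`/`vaultPass`. Keep the credentials in a sops-rendered file owned by the `vaultwarden` user and pass it through `environmentFile` (sketch below, assuming the repo's sops-nix provides `sops.templates`). Independently, `SIGNUPS_ALLOWED = true` next to `DOMAIN = "keys.malobeo.org"` (which Vaultwarden expects as a full `https://` URL) leaves open registration on a public vault; start with `SIGNUPS_ALLOWED = false` and invite users instead. The surrounding pieces look carried over from the uptime-kuma host: `hostName = mkDefault "uptimekuma"`, an nginx vhost for `status.malobeo.org` proxying to `127.0.0.1:3001` while Rocket is bound to `[::1]:8222`, only port 80 opened and no `forceSSL`/`enableACME`, so as written the vault is either unreachable or served over plain HTTP, and `backupDir = ""` is an empty path rather than the `null` default.

```nix
  sops.secrets.smtpUser = { };
  sops.secrets.smtpPass = { };
  # Rendered at activation outside the nix store; Vaultwarden reads it via environmentFile.
  sops.templates."vaultwarden.env" = {
    owner = "vaultwarden";
    content = ''
      SMTP_USERNAME=${config.sops.placeholder.smtpUser}
      SMTP_PASSWORD=${config.sops.placeholder.smtpPass}
    '';
  };

  services.vaultwarden = {
    enable = true;
    environmentFile = config.sops.templates."vaultwarden.env".path;
    config = {
      DOMAIN = "https://keys.malobeo.org";
      SIGNUPS_ALLOWED = false;
      # … unchanged: ROCKET_* and the remaining SMTP_* settings (minus username/password) …
    };
  };
```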
@@ -0,0 +1,55 @@
+smtpUser: ENC[AES256_GCM,data:BsHFhpQtQ2Jhi3nuhJXjReJvbzU=,iv:jdSLeAgYj8JFSsLU3ZiVCG2ox8ZBo/HV6szCQUU5YWQ=,tag:XjS12SnmC6NNhWcTUvEhlA==,type:str]
+sops:
+    age:
+        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRnd3NGpkWjZVZjYxZ2VP
+            QUpTMjNwTml3NW8zL2o2c2R0TE53aEtlK0JNCi9jTjhZVXNMZ29oNDIrbFJBenkz
+            UkVBKzBQVUlYREc3bkxRb1R6RE5MaUUKLS0tIDJmdmlidmZCOXU5dDdFRmY2Q2pu
+            bWhRZS9oamtQYnRZVnI1clVGNytHWlkKb1hYwkqfSiMCVFOWraCiWoAU1Ua/U0Kc
+            2UnXRByOST5hfKkTnpJ0765UATUny0K53H/ieMR0cyQxE3aCbk5AfA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-18T17:56:54Z"
+    mac: ENC[AES256_GCM,data:/TofX/71rLHMpin9hhKcXQRTuCb+CXkTkHtZozuqSL0SHR0hTacLNZrmkPlzYlxmvzYsJekBOWTfrhxOD5cOhdOhfsZ/zhXi0e3RVDBPDE//faARYvbQ9IJGsDOGQzaZopwXx098MVNGj3NP6XqDgCI5aDXfL8Uklg0ORTXfPwE=,iv:Th7+EY9BdV8nmMi7rYQjgLN8nxDOwNSiWy3movkyIAw=,tag:caMd5aeQbaVAWbYJYe5K+A==,type:str]
+    pgp:
+        - created_at: "2025-12-18T17:32:21Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQGMA5HdvEwzh/H7AQv/X02f2/84Twa9Sgj7husyP8ZOva1gsUnakZRd670K1Vxe
+            Z7eY4THMkP59qtbzCDkop0GulM1WNXd3jocT169WKYA5+myjNl131Ppn/DfAHMCk
+            QqguILH7K8X7zQkDU6Y4LE2sLuxYeoYz7aptdwoZpWZRKJjX6Q0pFrbFLZP54CJD
+            BXqcRAGHXSmr8lMJVmaQolzyn9B08Vv/D1LTfgI9qA+K+sxjKQopOjvv03NFSM67
+            PbNNqjQpToM2LaFJTfxXrwljRUkt1BN98wxKlFRIKVbb4spezYHFU+zf5XqM8+sg
+            V9mIGw/5lhYPfSB9EN/2mcqabaWFEqmhBRKRHVirXWBrUmvb5+cKTRQ93zM7Lipr
+            prz7MK+1DRxB5BgKxOiLTz+q/1JlmwpulxBBSSd8o3nHhpjEyaMBoa30TYuUWAVl
+            lW8zCC9H0H8vnqam2OXalu6tu8jvQ6AIquQGOKb3NtWf6pCTQNv0F7t0AWK2zkUL
+            WjrkEiG3lv3vGJeVGq9U0lgBj8HtXnnHsDMJkhPGClQeJcWiv7Tj8f79+Mni8QhM
+            dVWXVesg+dsUazptP35n2S2XlLY8Jk3tyD1KTLrt5R/MMGhAZOmgPS4I4q+zrZSj
+            S0Dj9iTJcJ/F
+            =YEYS
+            -----END PGP MESSAGE-----
+          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
+        - created_at: "2025-12-18T17:32:21Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA98TrrsQEbXUAQ/+LMZHO0oxmlivnL1qKaDz5JKAL718pHmjshxc53gUo4aN
+            x9WC4USniK8IMV4MTZUxti/ekJ5Bxd+myMMIORHE4R1q1FNO1tWx9n8PXAVhIrDx
+            XF/2NZKzUzCHd3OE3GvS+LSTITLnJdtSuAOPA9MjOeC2TU52r3CkNxUfYMjLYIuk
+            soZi8HfTWVfXKyEq300CLdEqoiaN6lqaxY+e0LoiQjPTpZSs0KhpcjvvmKBpZI0x
+            temAZ+VbEU93DuCVxsXQAQria5GUYs66237goctBjto6G0uOyzJ3lOE17ThDkL8J
+            PpbmoR+CkT++lJnSeeRuhF5FYaVWPl0LDGVLAQrkeblGUjhLtzSrN/ZNyjhGaYdk
+            zlUOFUNVlaok1fcC+8PNsfcna7keLW+N4YPTeZQljjH1uWvdzIZaJto1TaDYrSyu
+            EVF4J0FDThMCu7fyf0TrbqE8n7xs/1F7BBfhUC0wWztX4sNo9mNBZK1d96ihFlzB
+            FRBjrAKCGSD4eZcwaJZB/4NoipFDUh9kmQemmSalDNaHjvdXsT4euY4JNqwKw2iK
+            76EYBym1fvEaOeYvoOotLU3vrW6dH0YNEf0+Zvtl8XiUHlDCnxeLaBoVybA7p+Rt
+            0J/S3wPMubikTuq3mSsJcUM8c25sRBD90LjZsAcwKbmfDZntkTNGUr3AEaBdEyTS
+            WAGKfeJiKoH24BQrslUV8V4i4Fcz6xh1tb11Dmg9XcEiZm4+IF/P+UvjHgXanVdu
+            GvEauo1dOpGu+L8xc68fSFfMNQcWDJ1UmZIyJ3FLDbaxI/66H041peA=
+            =YUFg
+            -----END PGP MESSAGE-----
+          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0