diff --git a/machines/.sops.yaml b/machines/.sops.yaml index 6fc5c0d..a07894d 100644 --- a/machines/.sops.yaml +++ b/machines/.sops.yaml @@ -96,6 +96,13 @@ creation_rules: age: - *admin_atlan - *machine_overwatch + - path_regex: vaultwarden/secrets.yaml$ + key_groups: + - pgp: + - *admin_kalipso + - *admin_kalipso_dsktp + age: + - *admin_atlan - path_regex: .*/secrets/.* key_groups: - pgp: diff --git a/machines/durruti/host_config.nix b/machines/durruti/host_config.nix index b4e1d0d..229b238 100644 --- a/machines/durruti/host_config.nix +++ b/machines/durruti/host_config.nix @@ -57,6 +57,17 @@ in }; }; + services.nginx.virtualHosts."keys.malobeo.org" = { + forceSSL = true; + enableACME= true; + locations."/" = { + proxyPass = "http://10.0.0.10"; + extraConfig = '' + ''; + }; + }; + + services.nginx.virtualHosts."grafana.malobeo.org" = { forceSSL = true; enableACME= true; diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix index 7300e51..1617b5b 100644 --- a/machines/fanny/configuration.nix +++ b/machines/fanny/configuration.nix @@ -135,6 +135,7 @@ in "nextcloud" "durruti" "zineshop" + "vaultwarden" ]; networking = { @@ -173,6 +174,15 @@ in }; }; + virtualHosts."keys.malobeo.org" = { + locations."/" = { + proxyPass = "http://10.0.0.16"; + extraConfig = '' + proxy_set_header Host $host; + ''; + }; + }; + virtualHosts."grafana.malobeo.org" = { locations."/" = { proxyPass = "http://10.0.0.14"; diff --git a/machines/hosts.nix b/machines/hosts.nix index 41dee83..666d14b 100644 --- a/machines/hosts.nix +++ b/machines/hosts.nix @@ -75,6 +75,14 @@ }; }; + vaultwarden = { + type = "microvm"; + network = { + address = "10.0.0.16"; + mac = "D0:E5:CA:F0:D7:F2"; + }; + }; + testvm = { type = "host"; }; diff --git a/machines/vaultwarden/configuration.nix b/machines/vaultwarden/configuration.nix new file mode 100644 index 0000000..8ae1e29 --- /dev/null +++ b/machines/vaultwarden/configuration.nix 
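Review bot: The new creation rule for `vaultwarden/secrets.yaml$` lists only admin keys (`*admin_kalipso`, `*admin_kalipso_dsktp`, `*admin_atlan`) and, unlike the rule just above it which carries `*machine_overwatch`, no key for the vaultwarden host itself; sops-nix on the VM can only decrypt `secrets.yaml` at activation if the host's age key is a recipient, so unless `*admin_atlan` is that key, `vaultwarden_env` will be missing and the service will not start. The committed `secrets.yaml` has exactly one age recipient, which is consistent with this rule but does not tell us which key it is. If the host key is absent, add it to the `age:` list, e.g. `- *machine_vaultwarden` (placeholder anchor name; define it next to the other machine keys), and re-encrypt with `sops updatekeys`.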
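Review bot: The `keys.malobeo.org` vhost added on durruti proxies to `10.0.0.10` with an empty `extraConfig`, while the parallel vhosts added on fanny and vpn set `proxy_set_header Host $host;`; unless `recommendedProxySettings` is enabled elsewhere in this file, the upstream receives the proxy target as Host rather than `keys.malobeo.org`. More importantly, none of the hops (this one, the vpn vhost, fanny, or the nginx inside the VM) sets a client-address header, and Vaultwarden takes the client IP from `X-Real-IP` by default (`IP_HEADER`), so its login rate limiting and admin-panel lockout would treat every user as the internal proxy address and access logs lose the real source. The first hop should add `proxy_set_header Host $host;` and `proxy_set_header X-Real-IP $remote_addr;` (nginx forwards request headers unchanged on the inner hops unless they override them); the vpn hunk needs the same treatment. The target also differs from the `10.0.0.16` registered for vaultwarden in hosts.nix — presumably `10.0.0.10` is fanny, which in turn proxies to the VM, and a one-line comment saying so would save the next reader the lookup. The hunk also adds two blank lines where the neighbouring vhosts are separated by one.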
@@ -0,0 +1,60 @@ +{ config, lib, pkgs, inputs, ... }: + +with lib; + +{ + sops.defaultSopsFile = ./secrets.yaml; + sops.secrets = { + vaultwarden_env = { + owner = "vaultwarden"; + group = "vaultwarden"; + }; + }; + networking = { + hostName = mkDefault "vaultwarden"; + useDHCP = false; + }; + + imports = [ + ../modules/malobeo_user.nix + ../modules/sshd.nix + ]; + + networking.firewall.allowedTCPPorts = [ 80 ]; + + services.nginx = { + enable = true; + virtualHosts."keys.malobeo.org" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + extraConfig = '' + ''; + }; + }; + }; + + services.vaultwarden = { + enable = true; + backupDir = "/var/local/vaultwarden/backup"; + environmentFile = config.sops.secrets.vaultwarden_env.path; + config = { + DOMAIN = "http://keys.malobeo.org"; + SIGNUPS_ALLOWED = true; + #WEBSERVER + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + ROCKET_LOG = "critical"; + #EMAIL + SMTP_HOST = "mail.systemli.org"; + SMTP_PORT = 465; + SMTP_SECURITY = "force_tls"; + SMTP_USERNAME = "malobot@systemli.org"; + + SMTP_FROM = "malobot@systemli.org"; + SMTP_FROM_NAME = "Malobeo Vaultwarden Server"; + }; + }; + + system.stateVersion = "22.11"; # Did you read the comment? +} + diff --git a/machines/vaultwarden/dummy.yaml b/machines/vaultwarden/dummy.yaml new file mode 100644 index 0000000..33302f4 --- /dev/null +++ b/machines/vaultwarden/dummy.yaml 
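Review bot: `DOMAIN = "http://keys.malobeo.org";` declares a plain-http origin while the public edge on durruti terminates TLS with `forceSSL`; Vaultwarden builds generated links, cookies and the WebAuthn/U2F relying-party origin from `DOMAIN`, so browsers reaching the site over https see a mismatched origin and passkey/U2F logins fail — it should read `DOMAIN = "https://keys.malobeo.org";`. `SIGNUPS_ALLOWED = true;` on a publicly reachable instance lets anyone who finds the URL create an account; if only a known group should use it, set `SIGNUPS_ALLOWED = false;` and invite users from the admin panel, or restrict registration with `SIGNUPS_DOMAINS_WHITELIST`. The `extraConfig = '' '';` on the inner vhost is empty and can simply be dropped. The `# Did you read the comment?` trailer on `system.stateVersion` was copied without the comment it refers to; either restore the upstream note or remove the trailer.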
@@ -0,0 +1,64 @@ +vaultwarden_env: ENC[AES256_GCM,data:dgEYC2VcGKrIvts9sw60kmEemhRdaaLWvsEQjAE52mAfhA29iLpB/sKXt3bxRGV8gpSF8OQoXdniWwCrDhOWUihawy2WFhLENamIyY4tVBOKkEtkhQDkoAhZ1VCShb1fgN+BzfM=,iv:zvg1uh8fxeHNFOq/DpicwAk+5j1fDogrnpTX5Ua0yDQ=,tag:rcyLE928+DQF41y4ztvMbQ==,type:str] +sops: + age: + - recipient: age18jn5mrfs4gqrnv0e2sxsgh3kq4sgxx39hwr8z7mz9kt7wlgaasjqlr88ng + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZE9qK2tmTWxERklOSFdZ + bVVUbW5aajFrWkVBREZtallvS1dreGNFVjJFCmdBdGNQQzZkMUp4dzZUYTg1Tmgr + K3BmajYxY01jdVVubmRUUy8rNm9oVTgKLS0tIGNtTTQwWUdzaXpjVGt5aTEvUFZy + UWlGRzhPcDlVb0s2OGJTOTBVS2RKVDAKKyFK+ISjqbwOftiDn5uuIJfAl3fkX4C9 + iNHl84utfFyeUnJJK59uX3YGY8B4wEG7L3/hPt9gLtuX6Ey64yusIA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Y1l4Uzd1TjlKbHpuQ01v + YnFFWWRNNU1relVHSTk4ZjE5eXdnS2czZWpBCnJwbmRhdUtkVDUrcnFJSmVmcjBJ + eVBDd0l5bEovZEpRdEZMTlFMUFJ1UjAKLS0tIGo5bEQ3Tis0aXcyc1JxSVRCeXFU + OXFDMHExSWQ4U0RleXBqaXBGcnhEUmsKmBGLpusD28V406Gz9uHV0N43J9wEWkY3 + WJ8R2OjVeRfMmOriWLzEkHHJw+3DJc9abzSOoIS/ViN30MkhdqzOMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-03T20:56:51Z" + mac: ENC[AES256_GCM,data:zkykMvBMjSmyhSPFTvyeUVZZwu0Fb4cgXD4m4lWQWKEXiHeCHQEy6YIxqutdW6vjaO/P64Hk72OH4Dh/gDl+riMbWIpFwtkzIWvclqui+PmdMoRG7u8oLa7wE9C/zypTw0yzbREyeoouIZq4zzWZsCmljfgcYSpMpQxdWgYkkbU=,iv:WbW7NAZUb2B7421chzK9LDUEkpGJ9rvnuA3jW3VjlZs=,tag:HiOV2LSLqsv+XGrVB0MugQ==,type:str] + pgp: + - created_at: "2026-02-03T20:09:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQwAmyshbidzh+sGpxfFEAbvcLv02pt31PopMM9XzceV0z17 + 7MaJ8+qZpif1SMpyjNmrZ4vvBa/nGF55tHLGQ+jijsEqqOqnR1+MihxLBX71wRVj + G9VdoaSnlKTgXLbtimo7qRjNIm4UaONLIw9M7l4DwhUNxYucNEr2eFy2wzrNgmDF + As5NswJXap0maBb78ieevqlTa7mE5I9FyBgTDsMubBZpD9CU6+vav9KrYLwgDuKj + 
X2SFfIo3SJdZFHDTTS3e/DTpRRf80bJ5PDChiDZ3Qr3SmaV7m+0V2EMRT7duoZ7J + bremMsVJo+0RhuncLgIWXFDiqU43VVfriQJeTFFTaqzqqnWTn+1Nx1ORH5NmhBhk + qMi2Eqc7K15Q/0AU8lHYOOvYdn62OjdyJciCBq/hTSscEpRxJNvz5G+WChMJyU6X + PytHqw2mFNs3jx3DleAZat+SBD8aa1e4ORC5AIVVAaVdsT4a1lFJ5V1jlk5ddg55 + tFPh2qOqGX4V6HBBZS740lgBo7EYNFeKleDKCN8jjJYyUUfC13JnaWJy/5/9xMyi + YtTh7w5lTFV349zlBZSLqPuunanGN+dylWSZZrp5XTw7Q/rpa7za5LwjcDQpwaY1 + FaFNoImglFKQ + =C4re + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2026-02-03T20:09:53Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ//Z6puWp6MFQZgNp95JMkCJyVMKAYDUJ4d/WRMWWxaA8pt + dtWokpON0st30dhXBGsicUGjAsM15gIuN3d5I2hDQqGA5Dt2LchBjdt392FoTpij + fdwUKpwhi91j71PrbRP1iCS6+66t5rDmUk8AWNv+9eA/4xJ+JQKgZWpBv19qbc9i + sb6IjhuZ3/m1Yooh7LywKUM/5qeWSeH5QFfpbhrCLLEmpL6W4/6LMl/HcF+on4h6 + 6bMZQoT+cFInBw9N3Rq4B8ffwahlkf2bv17k8sjEBvrH+rpFi85Kh0pBB8elPiUr + 4zMJkuZZcv4YfUFoxSqVcUee5uen8RtoOHMM2tSuEq8Mjo86oIA95JkROhGLq9qz + NPq7k4DyotMf/2T6fZJ1nQOWAoH9ZJp4Q10qTc/Xg4xzWBlpwZh9oaLBw+HdUsYm + mP2ZvPw1/FHJuP2RhMz/kbEoeABm3JMGFPg1BmvVudZsr7kLpByPRGcKtm3qjARW + 9+6fp0AYXw3C1fpYsQC+CwaSaw57GiiITtGTHCWR70yuV+G3ev/uqsFjj+96c8gy + h7hJaI0Ff2bFakkuwRb64UsY4FjJel1oyvDbW6y2IIswwYpzBEMV5ANzPGMIvw/G + x1+olgWwhXTaLZ9jIaVDfcZ2SL6v6VcMoOBhiWbeqdm+BFEkZsOitZARDIcl1trS + WAGu6rvESbtRp/G1ATxmP9xHCTfjNHKRj8D1eHfkObjFFG2DSL9BXozBBuvkJi8H + CPqVEOQZMheyU2ZnH1JNXQyANBAllEJ++XdFB5RvcTNxxeJS/APS9NM= + =zSyS + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/machines/vaultwarden/secrets.yaml b/machines/vaultwarden/secrets.yaml new file mode 100644 index 0000000..2ff0d53 --- /dev/null +++ b/machines/vaultwarden/secrets.yaml 
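Review bot: `dummy.yaml` is a second sops-encrypted copy of `vaultwarden_env`, with a slightly earlier `lastmodified` than `secrets.yaml` and an additional age recipient (`age18jn5…`) that `secrets.yaml` does not have; nothing in this commit references it (`sops.defaultSopsFile = ./secrets.yaml`) and it does not match the creation rule added for `vaultwarden/secrets.yaml$`. If it is a leftover from an earlier encryption attempt it should be deleted before merge. If its plaintext is the same credential as in `secrets.yaml` (presumably the SMTP password, given the `SMTP_USERNAME` in the config), the holder of that extra key can recover it, so rotating that credential would be prudent.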
@@ -0,0 +1,55 @@ +vaultwarden_env: ENC[AES256_GCM,data:AsgpcUGW8y5WKL+9pOYemupgB6eVlMSLYj7uCFtYQFisjGcCwBFcGTKRpzMysroo32Ugicl8WImGybrmqdJ/Xht9lAx2ralNHrgSpps3QFg+c34LFVP/F1FO3Vk+jjU00XcV1uVghxpRh95HSTEVuu9kgjYeWpAQVqp68Ku2Dww=,iv:/9l4smzqPpB5Qr+mcroiLUnRg+9GQ+pmxF523N1bOIU=,tag:jBmrxvfA8HG1Gp1KHgwssw==,type:str] +sops: + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRnd3NGpkWjZVZjYxZ2VP + QUpTMjNwTml3NW8zL2o2c2R0TE53aEtlK0JNCi9jTjhZVXNMZ29oNDIrbFJBenkz + UkVBKzBQVUlYREc3bkxRb1R6RE5MaUUKLS0tIDJmdmlidmZCOXU5dDdFRmY2Q2pu + bWhRZS9oamtQYnRZVnI1clVGNytHWlkKb1hYwkqfSiMCVFOWraCiWoAU1Ua/U0Kc + 2UnXRByOST5hfKkTnpJ0765UATUny0K53H/ieMR0cyQxE3aCbk5AfA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-02-03T20:58:16Z" + mac: ENC[AES256_GCM,data:zxM4GRwlcYoJF51Hbe0VfWvO9PrHQeCUTrGgiVgrP91qX51WTGWfCQfAVAouT3sEvE6Ie5bnAMUWjVjIrnRS6WUCQwUBwFYYUKIkJPooKwlvXRAuZ9UGZERi0/i43WKwB3/xSyVqRb9T5M6exjlkYCuE4Yv3lSEUiIn8fu/Zaas=,iv:D6f3V19E+4qukW8i9wKtNPKfYgD3OXztkICMhD24IzY=,tag:e97txZiaqDPxCLQUbNHwwg==,type:str] + pgp: + - created_at: "2025-12-18T17:32:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQv/X02f2/84Twa9Sgj7husyP8ZOva1gsUnakZRd670K1Vxe + Z7eY4THMkP59qtbzCDkop0GulM1WNXd3jocT169WKYA5+myjNl131Ppn/DfAHMCk + QqguILH7K8X7zQkDU6Y4LE2sLuxYeoYz7aptdwoZpWZRKJjX6Q0pFrbFLZP54CJD + BXqcRAGHXSmr8lMJVmaQolzyn9B08Vv/D1LTfgI9qA+K+sxjKQopOjvv03NFSM67 + PbNNqjQpToM2LaFJTfxXrwljRUkt1BN98wxKlFRIKVbb4spezYHFU+zf5XqM8+sg + V9mIGw/5lhYPfSB9EN/2mcqabaWFEqmhBRKRHVirXWBrUmvb5+cKTRQ93zM7Lipr + prz7MK+1DRxB5BgKxOiLTz+q/1JlmwpulxBBSSd8o3nHhpjEyaMBoa30TYuUWAVl + lW8zCC9H0H8vnqam2OXalu6tu8jvQ6AIquQGOKb3NtWf6pCTQNv0F7t0AWK2zkUL + WjrkEiG3lv3vGJeVGq9U0lgBj8HtXnnHsDMJkhPGClQeJcWiv7Tj8f79+Mni8QhM + dVWXVesg+dsUazptP35n2S2XlLY8Jk3tyD1KTLrt5R/MMGhAZOmgPS4I4q+zrZSj + S0Dj9iTJcJ/F + =YEYS + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + 
- created_at: "2025-12-18T17:32:21Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA98TrrsQEbXUAQ/+LMZHO0oxmlivnL1qKaDz5JKAL718pHmjshxc53gUo4aN + x9WC4USniK8IMV4MTZUxti/ekJ5Bxd+myMMIORHE4R1q1FNO1tWx9n8PXAVhIrDx + XF/2NZKzUzCHd3OE3GvS+LSTITLnJdtSuAOPA9MjOeC2TU52r3CkNxUfYMjLYIuk + soZi8HfTWVfXKyEq300CLdEqoiaN6lqaxY+e0LoiQjPTpZSs0KhpcjvvmKBpZI0x + temAZ+VbEU93DuCVxsXQAQria5GUYs66237goctBjto6G0uOyzJ3lOE17ThDkL8J + PpbmoR+CkT++lJnSeeRuhF5FYaVWPl0LDGVLAQrkeblGUjhLtzSrN/ZNyjhGaYdk + zlUOFUNVlaok1fcC+8PNsfcna7keLW+N4YPTeZQljjH1uWvdzIZaJto1TaDYrSyu + EVF4J0FDThMCu7fyf0TrbqE8n7xs/1F7BBfhUC0wWztX4sNo9mNBZK1d96ihFlzB + FRBjrAKCGSD4eZcwaJZB/4NoipFDUh9kmQemmSalDNaHjvdXsT4euY4JNqwKw2iK + 76EYBym1fvEaOeYvoOotLU3vrW6dH0YNEf0+Zvtl8XiUHlDCnxeLaBoVybA7p+Rt + 0J/S3wPMubikTuq3mSsJcUM8c25sRBD90LjZsAcwKbmfDZntkTNGUr3AEaBdEyTS + WAGKfeJiKoH24BQrslUV8V4i4Fcz6xh1tb11Dmg9XcEiZm4+IF/P+UvjHgXanVdu + GvEauo1dOpGu+L8xc68fSFfMNQcWDJ1UmZIyJ3FLDbaxI/66H041peA= + =YUFg + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + unencrypted_suffix: _unencrypted + version: 3.11.0 diff --git a/machines/vpn/configuration.nix b/machines/vpn/configuration.nix index 2eeafef..f41fcf6 100644 --- a/machines/vpn/configuration.nix +++ b/machines/vpn/configuration.nix @@ -53,6 +53,15 @@ with lib; }; }; + virtualHosts."keys.malobeo.org" = { + locations."/" = { + proxyPass = "http://10.100.0.101"; + extraConfig = '' + proxy_set_header Host $host; + ''; + }; + }; + virtualHosts."grafana.malobeo.org" = { locations."/" = { proxyPass = "http://10.100.0.101";