From f45dd5d1df8566d3eafc9695efc3a51ea9067482 Mon Sep 17 00:00:00 2001 From: Guanran Wang Date: Mon, 12 Aug 2024 21:23:46 +0800 Subject: [PATCH] tyo0: add vaultwarden --- hosts/tyo0/Caddyfile | 31 +++++++++++++++++------------ hosts/tyo0/default.nix | 4 ++++ hosts/tyo0/secrets.yaml | 6 ++++-- hosts/tyo0/services/vaultwarden.nix | 17 ++++++++++++++++ 4 files changed, 43 insertions(+), 15 deletions(-) create mode 100644 hosts/tyo0/services/vaultwarden.nix diff --git a/hosts/tyo0/Caddyfile b/hosts/tyo0/Caddyfile index 68d1efa..c5003b2 100644 --- a/hosts/tyo0/Caddyfile +++ b/hosts/tyo0/Caddyfile @@ -91,20 +91,20 @@ element.ny4.dev { cinny.ny4.dev { import default - @index { - not path /index.html - not path /public/* - not path /assets/* - not path /config.json - not path /manifest.json - not path /pdf.worker.min.js - not path /olm.wasm - path /* - } + @index { + not path /index.html + not path /public/* + not path /assets/* + not path /config.json + not path /manifest.json + not path /pdf.worker.min.js + not path /olm.wasm + path /* + } - root * @cinny@ - rewrite /*/olm.wasm /olm.wasm - rewrite @index /index.html + root * @cinny@ + rewrite /*/olm.wasm /olm.wasm + rewrite @index /index.html file_server } @@ -122,3 +122,8 @@ reddit.ny4.dev { import default reverse_proxy localhost:9400 } + +vault.ny4.dev { + import default + reverse_proxy localhost:9500 +} diff --git a/hosts/tyo0/default.nix b/hosts/tyo0/default.nix index d5eb511..0f10f99 100644 --- a/hosts/tyo0/default.nix +++ b/hosts/tyo0/default.nix @@ -17,6 +17,7 @@ ./services/ntfy.nix ./services/pixivfe.nix ./services/searx.nix + ./services/vaultwarden.nix ]; time.timeZone = "Asia/Tokyo"; @@ -47,6 +48,9 @@ "miniflux/environment" = { restartUnits = ["miniflux.service"]; }; + "vaultwarden/environment" = { + restartUnits = ["vaultwarden.service"]; + }; }; ### Services diff --git a/hosts/tyo0/secrets.yaml b/hosts/tyo0/secrets.yaml index 1698f3b..a121b59 100644 --- a/hosts/tyo0/secrets.yaml +++ b/hosts/tyo0/secrets.yaml 
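Review bot: In hosts/tyo0/Caddyfile the new `vault.ny4.dev` site forwards every path to `localhost:9500`, so Vaultwarden's `/admin` panel is reachable from the internet whenever the encrypted `vaultwarden/environment` secret sets `ADMIN_TOKEN`. The secret's contents are not visible here, so this needs confirming; it seems plausible because vaultwarden.nix disables signups and accounts would then have to be invited from that panel. Consider adding `@admin path /admin /admin/*` and `respond @admin 403` inside the site block, or a `remote_ip` allowlist on that matcher if the panel has to stay usable remotely. If the token is kept, store it as an Argon2 PHC string rather than plaintext.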
@@ -6,6 +6,8 @@ pixivfe: environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str] miniflux: environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str] +vaultwarden: + environment: ENC[AES256_GCM,data:+pcUVL7yVXKVp57/feHHWmSuH/2B0hLtADxZWCQOOMG+M3UQh+4dHA5debiv,iv:Zy6xn4Z4VwVXfWWjVeCYY/gRnDp//7yUPLbtLuABFPY=,tag:LxEc31YhgyjEhDrqoJxCJw==,type:str] sops: kms: [] gcp_kms: [] @@ -30,8 +32,8 @@ sops: R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3 3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-18T09:46:47Z" - mac: ENC[AES256_GCM,data:EJsQO/XsF8SpyEP8s9u1DXQkSsqodknF9ibl94/kOOIutx9ML+L0ltYA3+/eW17K9Mwvy6CyojKiQLiYgL2RLJd1zxZKedmp+l3klu1im8Wocwh073nemHIR1J6H5hoE6y36tDCXRrMDbWIfMjvlp6FlhFsI/n3Na1iCDall6mA=,iv:O9Y0j5G3sE67Bfz0MhcPYYpU71cGgtIdde8a1WQiigs=,tag:eNIvBVu7LPnC5s2f3MzptQ==,type:str] + lastmodified: "2024-08-12T12:55:54Z" + mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/hosts/tyo0/services/vaultwarden.nix b/hosts/tyo0/services/vaultwarden.nix new file mode 100644 index 0000000..8d7aa89 --- /dev/null +++ b/hosts/tyo0/services/vaultwarden.nix 
@@ -0,0 +1,17 @@
+{config, ...}: {
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = config.sops.secrets."vaultwarden/environment".path;
+ config = {
+ DOMAIN = "https://vault.ny4.dev";
+ IP_HEADER = "X-Forwarded-For";
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 9500;
+
+ EMERGENCY_ACCESS_ALLOWED = false;
+ SENDS_ALLOWED = false;
+ SIGNUPS_ALLOWED = false;
+ ORG_CREATION_USERS = "none";
+ };
+ };
+}
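Review bot: `IP_HEADER = "X-Forwarded-For"` is safe only under conditions the file does not state. Vaultwarden takes the client address for its logs and login rate limiting from this header, which is trustworthy here because `ROCKET_ADDRESS` is loopback and Caddy's `reverse_proxy` by default overwrites the header with the connecting peer's address rather than passing on a client-supplied value. That needs re-checking if `trusted_proxies` is configured in Caddy (the `default` snippet and global options are not visible here) or if a CDN or second proxy is placed in front. I would record the assumption next to the setting, e.g. `# Trusted only because Rocket listens on loopback and Caddy sets this header; re-check if another proxy or CDN is added in front.`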