tyo0: add vaultwarden

2024-08-12 21:23:46 +08:00 · 2024-08-12 21:23:46 +08:00 · f45dd5d1df
commit f45dd5d1df
parent faf34f2718
4 changed files with 43 additions and 15 deletions
--- a/hosts/tyo0/Caddyfile
+++ b/hosts/tyo0/Caddyfile
@ -122,3 +122,8 @@ reddit.ny4.dev {
 	import default
 	reverse_proxy localhost:9400
 }
+
+vault.ny4.dev {
+	import default
+	reverse_proxy localhost:9500
+}
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -17,6 +17,7 @@
    ./services/ntfy.nix
    ./services/pixivfe.nix
    ./services/searx.nix
+    ./services/vaultwarden.nix
  ];

  time.timeZone = "Asia/Tokyo";
@ -47,6 +48,9 @@
    "miniflux/environment" = {
      restartUnits = ["miniflux.service"];
    };
+    "vaultwarden/environment" = {
+      restartUnits = ["vaultwarden.service"];
+    };
  };

  ### Services
--- a/hosts/tyo0/secrets.yaml
+++ b/hosts/tyo0/secrets.yaml
@ -6,6 +6,8 @@ pixivfe:
    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 miniflux:
    environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
+vaultwarden:
+    environment: ENC[AES256_GCM,data:+pcUVL7yVXKVp57/feHHWmSuH/2B0hLtADxZWCQOOMG+M3UQh+4dHA5debiv,iv:Zy6xn4Z4VwVXfWWjVeCYY/gRnDp//7yUPLbtLuABFPY=,tag:LxEc31YhgyjEhDrqoJxCJw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -30,8 +32,8 @@ sops:
            R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
            3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-18T09:46:47Z"
-    mac: ENC[AES256_GCM,data:EJsQO/XsF8SpyEP8s9u1DXQkSsqodknF9ibl94/kOOIutx9ML+L0ltYA3+/eW17K9Mwvy6CyojKiQLiYgL2RLJd1zxZKedmp+l3klu1im8Wocwh073nemHIR1J6H5hoE6y36tDCXRrMDbWIfMjvlp6FlhFsI/n3Na1iCDall6mA=,iv:O9Y0j5G3sE67Bfz0MhcPYYpU71cGgtIdde8a1WQiigs=,tag:eNIvBVu7LPnC5s2f3MzptQ==,type:str]
+    lastmodified: "2024-08-12T12:55:54Z"
+    mac: ENC[AES256_GCM,data:H1zm+Rk9F9SkRbANU4GYjhZpys3e5qQNBBsdIbgXD3AZTAKZVyemT6Vb8k0ufkfzQ98L0Xrm/S1JQFvcyaZqRHv+C2GW3F34FlSS4IOtaJz9IgVIdvaM4WvaOTtpC5B+5CKnA/oBPOmhEBCdi2LIjzrUltEzKpemWHkIIT2eHQA=,iv:1RCjLEz0W+tHQep4EguweYKSfePXa1VE3+gzlcFsAug=,tag:Oonqihfe83l5SNOmLjOPYg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/hosts/tyo0/services/vaultwarden.nix
+++ b/hosts/tyo0/services/vaultwarden.nix
@ -0,0 +1,17 @@
+{config, ...}: {
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.sops.secrets."vaultwarden/environment".path;
+    config = {
+      DOMAIN = "https://vault.ny4.dev";
+      IP_HEADER = "X-Forwarded-For";
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 9500;
+
+      EMERGENCY_ACCESS_ALLOWED = false;
+      SENDS_ALLOWED = false;
+      SIGNUPS_ALLOWED = false;
+      ORG_CREATION_USERS = "none";
+    };
+  };
+}