diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index be97dbc..5fcd5a2 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -412,5 +412,8 @@
 promtail = uidGid 993;
 grafana = uidGid 992;
 acme = uidGid 991;
+ kanidm = uidGid 990;
+ loki = uidGid 989;
+ vaultwarden = uidGid 988;
 };
 }
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index c9af3a5..0ce87f2 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -38,6 +38,7 @@
 kanidm = defaults;
 grafana = defaults;
 loki = defaults;
+ vaultwarden = defaults;
 };
 #ddclient = defineVm;
diff --git a/hosts/ward/microvms/vaultwarden/default.nix b/hosts/ward/microvms/vaultwarden/default.nix
new file mode 100644
index 0000000..b9e51fe
--- /dev/null
+++ b/hosts/ward/microvms/vaultwarden/default.nix
@@ -0,0 +1,89 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ imports = [
+ ../../../../modules/proxy-via-sentinel.nix
+ ];
+
+ age.secrets.vaultwarden-env = {
+ rekeyFile = ./secrets/vaultwarden-env.age;
+ mode = "440";
+ group = "vaultwarden";
+ };
+
+ networking.nftables.firewall.rules = lib.mkForce {
+ sentinel-to-local.allowedTCPPorts = [
+ config.services.vaultwarden.config.rocketPort
+ config.services.vaultwarden.config.websocketPort
+ ];
+ };
+
+ nodes.sentinel = {
+ proxiedDomains.vaultwarden = vaultwardenDomain;
+
+ services.caddy.virtualHosts.${vaultwardenDomain} = {
+ useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert vaultwardenDomain;
+ extraConfig = ''
+ import common
+
+ reverse_proxy {
+ to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+
+ reverse_proxy /notifications/hub {
+ to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+
+ reverse_proxy /notifications/hub/negotiate {
+ to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ dataFolder = lib.mkForce "/var/lib/vaultwarden";
+ extendedLogging = true;
+ useSyslog = true;
+ webVaultEnabled = true;
+
+ websocketEnabled = true;
+ websocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+ websocketPort = 3012;
+ rocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+ rocketPort = 8012;
+
+ signupsAllowed = false;
+ passwordIterations = 1000000;
+ invitationsAllowed = true;
+ invitationOrgName = "Vaultwarden";
+ domain = vaultwardenDomain;
+
+ smtpEmbedImages = true;
+ smtpSecurity = "force_tls";
+ smtpPort = 465;
+ };
+ #backupDir = "/data/backup";
+ environmentFile = config.age.secrets.vaultwarden-env.path;
+ };
+
+ # Replace uses of old name
+ systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
+ systemd.services.vaultwarden = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
+ };
+}
diff --git a/hosts/ward/microvms/vaultwarden/secrets/host.pub b/hosts/ward/microvms/vaultwarden/secrets/host.pub
new file mode 100644
index 0000000..f227506
--- /dev/null
+++ b/hosts/ward/microvms/vaultwarden/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
diff --git a/hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age b/hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age
new file mode 100644
index 0000000..af0671a
Binary files /dev/null and b/hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age differ
diff --git a/hosts/ward/vaultwarden.nix b/hosts/ward/vaultwarden.nix
deleted file mode 100644
index 64fb243..0000000
--- a/hosts/ward/vaultwarden.nix
+++ /dev/null
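Review bot: The Caddy `extraConfig` block reads the backend endpoints via `config.services.vaultwarden.settings.ROCKET_ADDRESS` / `ROCKET_PORT` / `WEBSOCKET_ADDRESS` / `WEBSOCKET_PORT`, while the firewall rule a few lines earlier and the `services.vaultwarden` definition itself use the camelCase keys under `services.vaultwarden.config` (`rocketPort`, `websocketPort`, `rocketAddress`, `websocketAddress`). Unless the module exposes both `config` and `settings` as views of the same values, one of the two paths either fails to evaluate or points the proxy at a different endpoint than the one the firewall opens, so the three `to` lines should read the option the rest of the file uses: `to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}` for the catch-all and negotiate routes, and `to http://${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}` for `/notifications/hub`. Deriving proxy targets and `allowedTCPPorts` from the same option keeps the sentinel-to-local firewall and the reverse proxy in lockstep if the ports change. The `lib.mkForce` on `networking.nftables.firewall.rules` also discards any rules the imported proxy-via-sentinel module may contribute; if that is intentional, a one-line comment such as `# mkForce: only sentinel may reach the vault ports over wireguard` would make the intent explicit.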
@@ -1,77 +0,0 @@
-{config, ...}: {
- services.vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- settings = {
- DATA_FOLDER = "/var/lib/vaultwarden";
- EXTENDED_LOGGING = true;
- USE_SYSLOG = true;
- WEB_VAULT_ENABLED = true;
-
- WEBSOCKET_ENABLED = true;
- WEBSOCKET_ADDRESS = "127.0.0.1";
- WEBSOCKET_PORT = 3012;
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8012;
-
- SIGNUPS_ALLOWED = false;
- PASSWORD_ITERATIONS = 1000000;
- INVITATIONS_ALLOWED = true;
- INVITATION_ORG_NAME = "Vaultwarden";
- DOMAIN = config.repo.secrets.local.vaultwarden.domain;
-
- SMTP_EMBED_IMAGES = true;
- };
- #backupDir = "/data/backup";
- #YUBICO_CLIENT_ID=;
- #YUBICO_SECRET_KEY=;
- #ADMIN_TOKEN="$argon2id:TODO";
- #SMTP_HOST={{ vaultwarden_smtp_host }};
- #SMTP_FROM={{ vaultwarden_smtp_from }};
- #SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
- #SMTP_PORT = 465;
- #SMTP_SECURITY = "force_tls";
- #SMTP_USERNAME={{ vaultwarden_smtp_username }};
- #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
- #environmentFile = config.age.secrets.vaultwarden-env.path;
- };
-
- # Replace uses of old name
- systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
- systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
-
- services.nginx = {
- upstreams."vaultwarden" = {
- servers."localhost:8012" = {};
- extraConfig = ''
- zone vaultwarden 64k;
- keepalive 2;
- '';
- };
- upstreams."vaultwarden-websocket" = {
- servers."localhost:3012" = {};
- extraConfig = ''
- zone vaultwarden-websocket 64k;
- keepalive 2;
- '';
- };
- virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
- forceSSL = true;
- #enableACME = true;
- sslCertificate = config.age.secrets."selfcert.crt".path;
- sslCertificateKey = config.age.secrets."selfcert.key".path;
- locations."/" = {
- proxyPass = "http://vaultwarden";
- proxyWebsockets = true;
- };
- locations."/notifications/hub" = {
- proxyPass = "http://vaultwarden-websocket";
- proxyWebsockets = true;
- };
- locations."/notifications/hub/negotiate" = { - proxyPass = "http://vaultwarden"; - proxyWebsockets = true; - }; - }; - }; -} diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age new file mode 100644 index 0000000..303b7fe Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age differ diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub new file mode 100644 index 0000000..21129ba --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub @@ -0,0 +1 @@ +XM/U2rKPwcPcdyStTEs312ESxdJyzABDzbO+A/6fLQg= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age new file mode 100644 index 0000000..f283311 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 2ztzgenwUPP5C2rKU2xID+tDu6++RTHxZBW1mmBFf3U +bl1z/Y9jb6ZXixPrN4HYUU+rvp9EfEIr/vVgnaLMN5E +-> piv-p256 xqSe8Q Av2UX0cH3bIQI9p5JtPLFakLo8qlAiAlyZPt3+QICh5P +gF3Ci5ilgYudH3JNM92TGj+wKZgGbFH7Jb2UPINhfKU +-> NK~(7\-grease !] AF +A737hzahkGTCFBsK +--- kJ7bqJpZLteEgGqy3LHSLWBszsu2pJ/3zBibhfZWcOc +=:fdmi@z(G!Ν̝ ?CE Z:8Glmiˍ.L;X Z #u;|I \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age new file mode 100644 index 0000000..6c01974 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 QhMKv/vatS9aasHJC2HyElb48Ge4v32ui8D8WjuWmG8 +sqq3AAjc2/daHzwrB3eczjl97UupH/7z8JP+iBcwV48 +-> piv-p256 xqSe8Q A+h3Xv+Q3aaCcOk2P21RbFva28uIBru0ygvgbDux2623 +RxWTuljV2p12ppqGJXZn1K/WrfQXglDRkaPYaYupKmQ +-> lW=F-grease K1G) ~`6k E96)NYBZ +6cTJrhmLT13+g9X4Yq8 +--- NUlUtQ5p4wPVHeP6v80ItUv7+IHggcWboLTpaeHGBMw +H:ML,2 c bgU=y~8^*t4Q$rBKBɥc };]#K] \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub new file mode 100644 index 0000000..8fb6c63 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub @@ -0,0 +1 @@ +KABWFKtu7ZgyyDmLRhtdY2ffjBZ+vcpdAd2FscvLZGc= diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age new file mode 100644 index 0000000..cba358a Binary files /dev/null and b/secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age differ diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age new file mode 100644 index 0000000..1f377e7 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 +9XaBavmWqwwDxFFtVwee/8rKza1JHZ0mSK90eY+r38 +WQnmfsxNRISCQ5pTIptSXdonwTU14z4OrQkldXBxEBQ +-> piv-p256 xqSe8Q A0Jy6YUqXxVwFDwsamsMoUGK0Un/AtE9Ku5s3gSnicax +YjYo8ybAvbrTdCnAWQa46sZ4qP6Z7JJHXjDgye4e+GQ +-> i-grease W?" *Ry# Y{bH" E^Qy+Ls +ds/OM23+0bJHIIH5W5rdZjG+SU9QWq2OSWhqLEU +--- 2S/2SUwFjSZnQoM0IOKJf/OMyMbsUydgw3pat3bV36E ++}ȶ~LO|74WYiv:2.GH_mal²~Hތ#Y ޹f \ No newline at end of file 
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age
new file mode 100644
index 0000000..c62dd80
Binary files /dev/null and b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age differ
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age
new file mode 100644
index 0000000..0de5097
Binary files /dev/null and b/secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age differ