From abdf363fba588374b98847e973d91bebab95b87a Mon Sep 17 00:00:00 2001 
From: oddlama
Date: Sun, 18 Jun 2023 01:12:08 +0200
Subject: [PATCH] feat: add vaultwarden microvm
---
 hosts/common/core/system.nix | 3 +
 hosts/ward/default.nix | 1 +
 hosts/ward/microvms/vaultwarden/default.nix | 89 ++++++++++++++++++
 .../microvms/vaultwarden/secrets/host.pub | 1 +
 .../vaultwarden/secrets/vaultwarden-env.age | Bin 0 -> 810 bytes
 hosts/ward/vaultwarden.nix | 77 --------------
 .../proxy-sentinel/keys/ward-vaultwarden.age | Bin 0 -> 397 bytes
 .../proxy-sentinel/keys/ward-vaultwarden.pub | 1 +
 .../psks/sentinel+ward-vaultwarden.age | 9 ++
 .../ward-local-vms/keys/ward-vaultwarden.age | 9 ++
 .../ward-local-vms/keys/ward-vaultwarden.pub | 1 +
 .../psks/ward+ward-vaultwarden.age | Bin 0 -> 439 bytes
 .../psks/ward-grafana+ward-vaultwarden.age | 9 ++
 .../psks/ward-kanidm+ward-vaultwarden.age | Bin 0 -> 472 bytes
 .../psks/ward-loki+ward-vaultwarden.age | Bin 0 -> 473 bytes
 15 files changed, 123 insertions(+), 77 deletions(-)
 create mode 100644 hosts/ward/microvms/vaultwarden/default.nix
 create mode 100644 hosts/ward/microvms/vaultwarden/secrets/host.pub
 create mode 100644 hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age
 delete mode 100644 hosts/ward/vaultwarden.nix
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age
 create mode 100644 secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age
 create mode 100644 secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age
diff --git a/hosts/common/core/system.nix b/hosts/common/core/system.nix
index be97dbc..5fcd5a2 100644
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@@ -412,5 +412,8 @@
 promtail = uidGid 993;
 grafana = uidGid 992;
 acme = uidGid 991;
+ kanidm = uidGid 990;
+ loki = uidGid 989;
+ vaultwarden = uidGid 988;
 };
 }
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index c9af3a5..0ce87f2 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -38,6 +38,7 @@
 kanidm = defaults;
 grafana = defaults;
 loki = defaults;
+ vaultwarden = defaults;
 };
 #ddclient = defineVm;
diff --git a/hosts/ward/microvms/vaultwarden/default.nix b/hosts/ward/microvms/vaultwarden/default.nix
new file mode 100644
index 0000000..b9e51fe
--- /dev/null
+++ b/hosts/ward/microvms/vaultwarden/default.nix
@@ -0,0 +1,89 @@
+{
+ config,
+ lib,
+ nodes,
+ utils,
+ ...
+}: let
+ sentinelCfg = nodes.sentinel.config;
+ vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+ imports = [
+ ../../../../modules/proxy-via-sentinel.nix
+ ];
+
+ age.secrets.vaultwarden-env = {
+ rekeyFile = ./secrets/vaultwarden-env.age;
+ mode = "440";
+ group = "vaultwarden";
+ };
+
+ networking.nftables.firewall.rules = lib.mkForce {
+ sentinel-to-local.allowedTCPPorts = [
+ config.services.vaultwarden.config.rocketPort
+ config.services.vaultwarden.config.websocketPort
+ ];
+ };
+
+ nodes.sentinel = {
+ proxiedDomains.vaultwarden = vaultwardenDomain;
+
+ services.caddy.virtualHosts.${vaultwardenDomain} = {
+ useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert vaultwardenDomain;
+ extraConfig = ''
+ import common
+
+ reverse_proxy {
+ to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+
+ reverse_proxy /notifications/hub {
+ to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+
+ reverse_proxy /notifications/hub/negotiate {
+ to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ dataFolder = lib.mkForce "/var/lib/vaultwarden";
+ extendedLogging = true;
+ useSyslog = true;
+ webVaultEnabled = true;
+
+ websocketEnabled = true;
+ websocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+ websocketPort = 3012;
+ rocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+ rocketPort = 8012;
+
+ signupsAllowed = false;
+ passwordIterations = 1000000;
+ invitationsAllowed = true;
+ invitationOrgName = "Vaultwarden";
+
domain = vaultwardenDomain;
+
+ smtpEmbedImages = true;
+ smtpSecurity = "force_tls";
+ smtpPort = 465;
+ };
+ #backupDir = "/data/backup";
+ environmentFile = config.age.secrets.vaultwarden-env.path;
+ };
+
+ # Replace uses of old name
+ systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
+ systemd.services.vaultwarden = {
+ after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+ serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
+ };
+}
diff --git a/hosts/ward/microvms/vaultwarden/secrets/host.pub b/hosts/ward/microvms/vaultwarden/secrets/host.pub
new file mode 100644
index 0000000..f227506
--- /dev/null
+++ b/hosts/ward/microvms/vaultwarden/secrets/host.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno
diff --git a/hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age b/hosts/ward/microvms/vaultwarden/secrets/vaultwarden-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..af0671a342a868dd1bd1a69668919689992c39d9
GIT binary patch literal 810 zcmV+_1J(RtXJsvAZewzJaCB*JZZ2W=d*VcrP|lGB^rMXL46sM@m^lR6|%~XLxI7O;jst zGiy;XZ)7WVd0}i&Lv1v7L_%;@FJ}rZJ|J*ub}eu+H8vo4aZ_bDQ6ND%OKEgUOfWWT zT1qlEF*jjvZgWIzcS}n*Q!;5rV{$i4LQQU3K{-xuNm&XvM=~&3FGWFWIBI83I8`)3MOlJx$J|HbNT`gyFWnpt=ASo?&NLyw?EDBF^ zM>thzb!v4*NI_UxOjBujG&xgJOjvDHYguPOXkmFcF*q}7Rcb?JZwf6fEg&>7PgXZs zcxf|XRY)*xW?EBOPeL{?b!=o-NJ~*+Zcj)wVp?`XMOZm6Zwf1IZf)!kq=^lW07>)Fj_}!s=jz-()k$8%$mZ1`xf*?3h8n<%`wUQs z0v9bR6zFno{SyL&hT!`6xs}%T5e;2PAF8E7m}6Rq@DEP4(xZDm%#iRbjIK5yty#w% z*eppXXie?=d-_}U^lsi>`QL#ECkie-U;m9VQtWLk-JOh(n^%UxO-22u-1By$6&W%G z#^7Xz;g>k2vkLAyqrH6=hJ=u6Le7mpTq$C znVpvM-jw!RlT3fiThF<>8Xb&z+oc&;Ze1{q{}E?ZHIK>UQUy<@)Z zaP6@Wvvbi**gArbrn|?&3Rx(LXJ4oDC~+l!*Dtss(W5LhEn3m o3NhR))ruY=X#A=m-><;(@t2_fEe^cuTZ@>00J9@J3-s%0Cg(F(CIA2c literal 0 HcmV?d00001
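Review bot: The three Caddy `reverse_proxy` targets in the `nodes.sentinel` block read `config.services.vaultwarden.settings.ROCKET_ADDRESS`, `settings.ROCKET_PORT`, `settings.WEBSOCKET_ADDRESS` and `settings.WEBSOCKET_PORT`, but this file declares those values only under `services.vaultwarden.config` as `rocketAddress`/`rocketPort`/`websocketAddress`/`websocketPort`, which is also the path the nftables rule a few lines above uses. Unless `settings` is provided as an alias somewhere not visible in this patch, evaluating the sentinel host will fail on the missing attribute or proxy to the wrong backend, and the mismatch is easy to miss because the old `hosts/ward/vaultwarden.nix` used the upper-case `settings` names. Point the targets at the `config` path, e.g. `to http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}` for the two Rocket routes and `to http://${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}` for `/notifications/hub`. Separately, `lib.mkForce` on `networking.nftables.firewall.rules` presumably overrides whatever the imported `proxy-via-sentinel.nix` contributes, so a one-line comment such as `# mkForce: only sentinel may reach the rocket/websocket ports; no other inbound rules are wanted on this VM` would make the intent explicit.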
diff --git a/hosts/ward/vaultwarden.nix b/hosts/ward/vaultwarden.nix
deleted file mode 100644
index 64fb243..0000000
--- a/hosts/ward/vaultwarden.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{config, ...}: {
- services.vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- settings = {
- DATA_FOLDER = "/var/lib/vaultwarden";
- EXTENDED_LOGGING = true;
- USE_SYSLOG = true;
- WEB_VAULT_ENABLED = true;
-
- WEBSOCKET_ENABLED = true;
- WEBSOCKET_ADDRESS = "127.0.0.1";
- WEBSOCKET_PORT = 3012;
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8012;
-
- SIGNUPS_ALLOWED = false;
- PASSWORD_ITERATIONS = 1000000;
- INVITATIONS_ALLOWED = true;
- INVITATION_ORG_NAME = "Vaultwarden";
- DOMAIN = config.repo.secrets.local.vaultwarden.domain;
-
- SMTP_EMBED_IMAGES = true;
- };
- #backupDir = "/data/backup";
- #YUBICO_CLIENT_ID=;
- #YUBICO_SECRET_KEY=;
- #ADMIN_TOKEN="$argon2id:TODO";
- #SMTP_HOST={{ vaultwarden_smtp_host }};
- #SMTP_FROM={{ vaultwarden_smtp_from }};
- #SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
- #SMTP_PORT = 465;
- #SMTP_SECURITY = "force_tls";
- #SMTP_USERNAME={{ vaultwarden_smtp_username }};
- #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
- #environmentFile = config.age.secrets.vaultwarden-env.path;
- };
-
- # Replace uses of old name
- systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
- systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
-
- services.nginx = {
- upstreams."vaultwarden" = {
- servers."localhost:8012" = {};
- extraConfig = ''
- zone vaultwarden 64k;
- keepalive 2;
- '';
- };
- upstreams."vaultwarden-websocket" = {
- servers."localhost:3012" = {};
- extraConfig = ''
- zone vaultwarden-websocket 64k;
- keepalive 2;
- '';
- };
- virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
- forceSSL = true;
- #enableACME = true;
- sslCertificate = config.age.secrets."selfcert.crt".path;
- sslCertificateKey = config.age.secrets."selfcert.key".path;
- locations."/" = {
- proxyPass = "http://vaultwarden";
- proxyWebsockets = true;
- };
- locations."/notifications/hub" = {
- proxyPass = "http://vaultwarden-websocket";
- proxyWebsockets = true;
- };
- locations."/notifications/hub/negotiate" = { - proxyPass = "http://vaultwarden"; - proxyWebsockets = true; - }; - }; - }; -} diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.age new file mode 100644 index 0000000000000000000000000000000000000000..303b7fefb10db8238f7451d2129c67386f830483 GIT binary patch literal 397 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR2FFfuhYv{dk~Nb>b}Ew%^=an3CZcQW$y zsz`J(wJ2~iw2a7(N;0o7s&FkgGb%34%jU}UaB|EpOV1B4GcPbMEzdLeayKya)i?Ha zO!q9&4=oGQH#12L2`mgO$_Cj`kXfc%U}S2hP*E71Y7wa5SZbN(?PRQNR#}p&AC;6C zTxptHm7W{qV(gYx;b`n!>TGV}ROD<~Y-|+HrR{2vlv0)B7o3-v5mZu;lAmiDk(pCu z9#I;em+c)9tZ!UtSsIj`7G+@ovP-!xPNgC?-#|CLC^fM-l`GM})x0n`&oaa~JkLDG z$hn{*%dN`Eu$)U*S69J1zsfwZq@dKWG%CcnJkq2%JSaFRueiv_$jz|AFU8Q(JtQRE zKPWY;B%6z&?Ck2cWil((5(@s-=LIlX{VmEqZ2D2>>X*ecMFlqOYn-YVQePi%aH&Ju oc3$V1H%i_{{kU>kDbkGPd#}!F+sSG386<2(;M1& literal 0 HcmV?d00001 diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub new file mode 100644 index 0000000..21129ba --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-vaultwarden.pub @@ -0,0 +1 @@ +XM/U2rKPwcPcdyStTEs312ESxdJyzABDzbO+A/6fLQg= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age new file mode 100644 index 0000000..f283311 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-vaultwarden.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 2ztzgenwUPP5C2rKU2xID+tDu6++RTHxZBW1mmBFf3U +bl1z/Y9jb6ZXixPrN4HYUU+rvp9EfEIr/vVgnaLMN5E +-> piv-p256 xqSe8Q Av2UX0cH3bIQI9p5JtPLFakLo8qlAiAlyZPt3+QICh5P +gF3Ci5ilgYudH3JNM92TGj+wKZgGbFH7Jb2UPINhfKU +-> NK~(7\-grease !] AF +A737hzahkGTCFBsK +--- kJ7bqJpZLteEgGqy3LHSLWBszsu2pJ/3zBibhfZWcOc +=:fdmi@z(G!Ν̝ ?CE Z:8Glmiˍ.L;X Z #u;|I \ No newline at end of file 
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age new file mode 100644 index 0000000..6c01974 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 QhMKv/vatS9aasHJC2HyElb48Ge4v32ui8D8WjuWmG8 +sqq3AAjc2/daHzwrB3eczjl97UupH/7z8JP+iBcwV48 +-> piv-p256 xqSe8Q A+h3Xv+Q3aaCcOk2P21RbFva28uIBru0ygvgbDux2623 +RxWTuljV2p12ppqGJXZn1K/WrfQXglDRkaPYaYupKmQ +-> lW=F-grease K1G) ~`6k E96)NYBZ +6cTJrhmLT13+g9X4Yq8 +--- NUlUtQ5p4wPVHeP6v80ItUv7+IHggcWboLTpaeHGBMw +H:ML,2 c bgU=y~8^*t4Q$rBKBɥc };]#K] \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub new file mode 100644 index 0000000..8fb6c63 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-vaultwarden.pub @@ -0,0 +1 @@ +KABWFKtu7ZgyyDmLRhtdY2ffjBZ+vcpdAd2FscvLZGc= diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-vaultwarden.age new file mode 100644 index 0000000000000000000000000000000000000000..cba358ac0264cd14cf08347fba7f749d8b20b033 GIT binary patch literal 439 zcmWm7yKd7^002Vy+8GHXSeU9V42XdRHrRj(_58rG5F}t=Csnj|!=M=^h|F6UaSNZ*EZgGo z$kPhQ*Y+gOC1uu~8nA-?FsU0-xxYB@Lc4VJnv~;^k+HEd(j=y5u4dH_vQu+L95-5RI z3h_pBg2TR};+*#2{t~}hY-7kPmjYFrV?UmNq&3enDYisMw)AO<7%hmDhU*!o?Y0J) z8F1;`%i*ZN2!g=Psc$hL1V7|!KqD;VT`S~dAa{Aw5EFx~+I@aWVTaDc`4+hS z<;tV&L$uL*_vWVm(*1t6dHH($@%YvH@%xi|KYtt_-F^GZ{rlm<#iNtYo0p!R*?&6U Y$bX-njh+k+o?qM0Ui>~ief{;ue;R0<6#xJL literal 0 HcmV?d00001 diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age new file mode 100644 index 0000000..1f377e7 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-vaultwarden.age 
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 +9XaBavmWqwwDxFFtVwee/8rKza1JHZ0mSK90eY+r38 +WQnmfsxNRISCQ5pTIptSXdonwTU14z4OrQkldXBxEBQ +-> piv-p256 xqSe8Q A0Jy6YUqXxVwFDwsamsMoUGK0Un/AtE9Ku5s3gSnicax +YjYo8ybAvbrTdCnAWQa46sZ4qP6Z7JJHXjDgye4e+GQ +-> i-grease W?" *Ry# Y{bH" E^Qy+Ls +ds/OM23+0bJHIIH5W5rdZjG+SU9QWq2OSWhqLEU +--- 2S/2SUwFjSZnQoM0IOKJf/OMyMbsUydgw3pat3bV36E ++}ȶ~LO|74WYiv:2.GH_mal²~Hތ#Y ޹f \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-vaultwarden.age new file mode 100644 index 0000000000000000000000000000000000000000..c62dd8067f17fdd7c217dd38566209dfcfa96b7d GIT binary patch literal 472 zcmWm7yKd7^002-JYd)Zrx&(;@MeeQb*iKc1l*YME;zx4h*iO7u!EyYI?bxyLRoNIL zvGfa&5J*T2u#|;?0VEh05JIRk9lHTTVL&}UaAvMUIqzLkUZ9=mw zbx`wwDpG^)A{*Fwdjy-I!t1c(Ekk7b5d{z)VO%)aZ8h^8p!Y1UwPb(sweJ~HN$Kq?#&Ew zZ7w(_-OQQg4q-sr^4M4|%1i{hSD&}X`xH!gXyx^8xt>DZbhGTJ&kmTDEsg1J!g%xc zw2X!lH~>YDSS;73gg8M%)lybP+SMyK5j{T$6iLOEtRR9U$r_kLVdC13FY~5S$}OBS zdck`g_oxbntuRlG2h(UD`&OevJbre1<21HE{`h?&Y%b3CjIB3cmgnY^7hjJ%zg}M5 y{eHH3fB6<(MY8^B=jr9G!_D^U)uTVJpMTrl{JZ)0V&~oG6XxgHoe%eR!PbA;9jIUc literal 0 HcmV?d00001 
diff --git a/secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age b/secrets/wireguard/ward-local-vms/psks/ward-loki+ward-vaultwarden.age new file mode 100644 index 0000000000000000000000000000000000000000..0de5097ee06cacfff4b43f2f146d1faa739bfa71 GIT binary patch literal 473 zcmWm7Id9WY003Z^01vP;RPN9za_#sCHmFsNuQZL1mjoY3NF>hltCRS4>?BGT%7O$E zVqqc-3~Y$sfYgBjF|}f1U_pY7ff*`&`!__8fU%!1(=trr-6Th3)x?N>+@(3LDd3_w zIAWQotHel-5+-Xo0kWc+8w_izr!yX4?^Cn@LMQ_)LJYkuNhyY@X$Oj9bM8DD=QG*T zD~(w>j-pn6=~WIpy&Tf8B2t=b;ft&fd4P+l83urxO9k{(#;k*!o3Qd^!MDh`ZOK(2 zs?ec2zN4^941`mmHf9pr==Nu0zvvbcARqLkf!VO_qfv_=>jlgrPYbGqj?7e z%Hgnpc(U$2f;^tC|J&QSi{GR56HV|i$s}W=K^JysFbvym#f^Y_C!o{`uNY&p)Rio4 zH#<$ctTUhOLXu4uRNHURk}7G2=uNRI_1I(XkRjO`BM1VI@=>NG^TLAsLsQ}H%m8jF z=n)!FtyMA-C!|OUeJZb3HRi78HynqwmPaq2T}k literal 0 HcmV?d00001