feat: add vaultwarden microvm

hosts/ward/default.nix

@@ -38,6 +38,7 @@
     kanidm = defaults;
     grafana = defaults;
     loki = defaults;
+    vaultwarden = defaults;
   };
 
   #ddclient = defineVm;

hosts/ward/microvms/vaultwarden/default.nix

@@ -0,0 +1,89 @@
+{
+  config,
+  lib,
+  nodes,
+  utils,
+  ...
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];
+
+  age.secrets.vaultwarden-env = {
+    rekeyFile = ./secrets/vaultwarden-env.age;
+    mode = "440";
+    group = "vaultwarden";
+  };
+
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [
+      config.services.vaultwarden.config.rocketPort
+      config.services.vaultwarden.config.websocketPort
+    ];
+  };
+
+  nodes.sentinel = {
+    proxiedDomains.vaultwarden = vaultwardenDomain;
+
+    services.caddy.virtualHosts.${vaultwardenDomain} = {
+      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert vaultwardenDomain;
+      extraConfig = ''
+        import common
+
+        reverse_proxy {
+          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          header_up X-Real-IP {remote_host}
+        }
+
+        reverse_proxy /notifications/hub {
+          to http://${config.services.vaultwarden.settings.WEBSOCKET_ADDRESS}:${toString config.services.vaultwarden.settings.WEBSOCKET_PORT}
+          header_up X-Real-IP {remote_host}
+        }
+
+        reverse_proxy /notifications/hub/negotiate {
+          to http://${config.services.vaultwarden.settings.ROCKET_ADDRESS}:${toString config.services.vaultwarden.settings.ROCKET_PORT}
+          header_up X-Real-IP {remote_host}
+        }
+      '';
+    };
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    config = {
+      dataFolder = lib.mkForce "/var/lib/vaultwarden";
+      extendedLogging = true;
+      useSyslog = true;
+      webVaultEnabled = true;
+
+      websocketEnabled = true;
+      websocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+      websocketPort = 3012;
+      rocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
+      rocketPort = 8012;
+
+      signupsAllowed = false;
+      passwordIterations = 1000000;
+      invitationsAllowed = true;
+      invitationOrgName = "Vaultwarden";
+      domain = vaultwardenDomain;
+
+      smtpEmbedImages = true;
+      smtpSecurity = "force_tls";
+      smtpPort = 465;
+    };
+    #backupDir = "/data/backup";
+    environmentFile = config.age.secrets.vaultwarden-env.path;
+  };
+
+  # Replace uses of old name
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
+  systemd.services.vaultwarden = {
+    after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+    serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
+  };
+}

hosts/ward/microvms/vaultwarden/secrets/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno

hosts/ward/vaultwarden.nix

@@ -1,77 +0,0 @@
-{config, ...}: {
-  services.vaultwarden = {
-    enable = true;
-    dbBackend = "sqlite";
-    settings = {
-      DATA_FOLDER = "/var/lib/vaultwarden";
-      EXTENDED_LOGGING = true;
-      USE_SYSLOG = true;
-      WEB_VAULT_ENABLED = true;
-
-      WEBSOCKET_ENABLED = true;
-      WEBSOCKET_ADDRESS = "127.0.0.1";
-      WEBSOCKET_PORT = 3012;
-      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = 8012;
-
-      SIGNUPS_ALLOWED = false;
-      PASSWORD_ITERATIONS = 1000000;
-      INVITATIONS_ALLOWED = true;
-      INVITATION_ORG_NAME = "Vaultwarden";
-      DOMAIN = config.repo.secrets.local.vaultwarden.domain;
-
-      SMTP_EMBED_IMAGES = true;
-    };
-    #backupDir = "/data/backup";
-    #YUBICO_CLIENT_ID=;
-    #YUBICO_SECRET_KEY=;
-    #ADMIN_TOKEN="$argon2id:TODO";
-    #SMTP_HOST={{ vaultwarden_smtp_host }};
-    #SMTP_FROM={{ vaultwarden_smtp_from }};
-    #SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }};
-    #SMTP_PORT = 465;
-    #SMTP_SECURITY = "force_tls";
-    #SMTP_USERNAME={{ vaultwarden_smtp_username }};
-    #SMTP_PASSWORD={{ vaultwarden_smtp_password }};
-    #environmentFile = config.age.secrets.vaultwarden-env.path;
-  };
-
-  # Replace uses of old name
-  systemd.services.vaultwarden.seviceConfig.StateDirectory = "vaultwarden";
-  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = "/var/lib/vaultwarden";
-
-  services.nginx = {
-    upstreams."vaultwarden" = {
-      servers."localhost:8012" = {};
-      extraConfig = ''
-        zone vaultwarden 64k;
-        keepalive 2;
-      '';
-    };
-    upstreams."vaultwarden-websocket" = {
-      servers."localhost:3012" = {};
-      extraConfig = ''
-        zone vaultwarden-websocket 64k;
-        keepalive 2;
-      '';
-    };
-    virtualHosts."${config.repo.secrets.local.vaultwarden.domain}" = {
-      forceSSL = true;
-      #enableACME = true;
-      sslCertificate = config.age.secrets."selfcert.crt".path;
-      sslCertificateKey = config.age.secrets."selfcert.key".path;
-      locations."/" = {
-        proxyPass = "http://vaultwarden";
-        proxyWebsockets = true;
-      };
-      locations."/notifications/hub" = {
-        proxyPass = "http://vaultwarden-websocket";
-        proxyWebsockets = true;
-      };
-      locations."/notifications/hub/negotiate" = {
-        proxyPass = "http://vaultwarden";
-        proxyWebsockets = true;
-      };
-    };
-  };
-}