meow set up vaultwarden

This commit is contained in:
Schrottkatze 2023-02-03 23:06:00 +01:00
parent b6670bcd1a
commit b159ff8c4b
6 changed files with 164 additions and 0 deletions


@ -54,6 +54,23 @@
nixos-hardware.nixosModules.apple-t2
];
};
schrottserver = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
};
system = "x86_64-linux";
modules = [
./schrottserver/configuration.nix
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.jade = { nixosConfig, pkgs, ... }: {
home.sessionVariables.TZ = nixosConfig.time.timeZone;
home.stateVersion = "${nixosConfig.system.stateVersion}";
};
}
];
};
};
};
}
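Review bot: `home.stateVersion = "${nixosConfig.system.stateVersion}";` in the new schrottserver entry interpolates a value that is already a string; `home.stateVersion = nixosConfig.system.stateVersion;` says the same thing without the quoting. Tying home-manager's stateVersion to the host's also means a later bump of `system.stateVersion` silently moves home-manager's state defaults with it, so a one-line comment that this coupling is intended would help, e.g. `# keep HM state defaults in step with the host's stateVersion`. The enclosing `nixosConfigurations` attribute set starts before this hunk.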


@ -0,0 +1,35 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
../common.nix
./proxy.nix
./vaultwarden.nix
];
jade = {
neovim.enable = true;
zsh.enable = true;
};
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
networking.hostName = "schrottserver"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
networking.firewall.enable = false;
# default settings for stateful data; don't change unless reinstall with newer version
system.stateVersion = "22.11"; # Did you read the comment?
}
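Review bot: `networking.firewall.enable = false;` leaves every listening service on this host reachable from the network, and vaultwarden.nix in the same commit binds its websocket server to `0.0.0.0:3012`, so that endpoint (and, unless `ROCKET_ADDRESS` is set somewhere not visible here, probably the Rocket HTTP port 8812 as well) is exposed directly instead of only through the TLS-terminating nginx vhost. Keep the firewall on and open only what nginx serves: `networking.firewall.enable = true;` and `networking.firewall.allowedTCPPorts = [ 80 443 ];`, and bind vaultwarden to loopback. If the firewall was disabled to work around something specific, a comment naming it would stop the next reader from simply re-enabling it.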


@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/e8d88849-3746-4c24-9ecd-09921645ef81";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0107-0E2C";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

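--- /dev/null
+++ b/schrottserver/proxy.nix
@@ -0,0 +1,44 @@
+{ inputs, config, pkgs, ... }:
+let
+domain = "schrottkatze.de";
+vaultwardenSubdomain = "vw";
+in {
+security.acme = {
+acceptTerms = true;
+defaults.email = "jade@schrottkatze.de";
+certs = {
+"${vaultwardenSubdomain}.${domain}" = {
+group = "nginx";
+keyType = "rsa2048";
+};
+};
+};
+services.nginx = {
+enable = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+virtualHosts = {
+"${vaultwardenSubdomain}.${domain}" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:8812"; #changed the default rocket port due to some conflict
+proxyWebsockets = true;
+};
+locations."/notifications/hub" = {
+proxyPass = "http://localhost:3012";
+proxyWebsockets = true;
+};
+locations."/notifications/hub/negotiate" = {
+proxyPass = "http://localhost:8812";
+proxyWebsockets = true;
+};
+};
+};
+};
+}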
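Review bot: The vaultwarden admin panel is reachable through this vhost with no restriction: every path under `/` is proxied to the backend, and the companion vaultwarden.nix sets `ADMIN_TOKEN`, which enables `/admin` on the public hostname. Either restrict it, e.g. `locations."/admin" = { proxyPass = "http://localhost:8812"; extraConfig = "allow 127.0.0.1; deny all;"; };` (nginx picks the longest matching prefix, so this overrides the `/` location), or leave the admin token unset until it is actually needed. Separately, `keyType = "rsa2048";` deliberately chooses a smaller key than the ACME module's default; unless an old client requires RSA, drop the line so the default applies, or use `"ec256"` / `"rsa4096"`. The `#changed the default rocket port due to some conflict` comment would be more useful if it named the conflicting service, so a maintainer knows whether the default port can ever be restored.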


@ -0,0 +1,31 @@
{ pkgs, ... }:
{
services.vaultwarden = {
enable = true;
#backupDir = "/vw-backups";
config = {
#WEB_VAULT_FOLDER = "${pkgs.vaultwarden}/share/vaultwarden/vault";
#WEB_VAULT_ENABLED = true;
DATA_FOLDER = "/var/lib/bitwarden_rs/";
DATABASE_URL = "/var/lib/bitwarden_rs/db.sqlite3";
LOG_FILE = "/var/log/bitwarden";
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
SIGNUPS_VERIFY = true;
ROCKET_LOG = "debug";
ENABLE_WAL = false;
ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;
DOMAIN = "http://localhost";
#SMTP_HOST = "mx.example.com";
#SMTP_FROM = "bitwarden@example.com";
#SMTP_FROM_NAME = "Bitwarden_RS";
#SMTP_PORT = 587;
#SMTP_SSL = true;
#SMTP_USERNAME = (import /etc/nixos/secret/bitwarden.nix).SMTP_USERNAME;
#SMTP_PASSWORD = (import /etc/nixos/secret/bitwarden.nix).SMTP_PASSWORD;
SMTP_TIMEOUT = 15;
ROCKET_PORT = 8812;
};
};
}
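Review bot: `ADMIN_TOKEN = builtins.readFile ../secret-data/vaultwarden-admin-token;` copies the admin secret into the Nix store, which is world-readable on the host, and into the flake's source tree; the sixth changed file in this commit is rendered only as "Binary file not shown" and looks like that token file, in which case the secret is already in git history and should be rotated. Move it to `services.vaultwarden.environmentFile`, a root-owned file outside the store containing `ADMIN_TOKEN=...` (recent vaultwarden versions also accept an argon2 PHC hash there instead of the plaintext). `DOMAIN = "http://localhost";` disagrees with the `https://vw.schrottkatze.de` vhost in proxy.nix, and vaultwarden uses DOMAIN as the origin for WebAuthn/2FA and for generated links, so it should be the public URL. `WEBSOCKET_ADDRESS = "0.0.0.0";` and the unset `ROCKET_ADDRESS` bind beyond loopback even though nginx on the same host is the only intended client, `SIGNUPS_ALLOWED` is not set and I believe defaults to open registration on an internet-facing instance, and `ROCKET_LOG = "debug";` logs more than a production vault should.
```nix
services.vaultwarden = {
  enable = true;
  # Admin token (and any SMTP credentials) live in a root-only file outside
  # the nix store, e.g. a line `ADMIN_TOKEN=...`; path is an example.
  environmentFile = "/var/lib/vaultwarden.env";
  config = {
    # … unchanged: DATA_FOLDER, DATABASE_URL, LOG_FILE, WEBSOCKET_ENABLED/PORT, SIGNUPS_VERIFY, ENABLE_WAL, SMTP_TIMEOUT, ROCKET_PORT …
    # Only nginx on this host should talk to the backend.
    ROCKET_ADDRESS = "127.0.0.1";
    WEBSOCKET_ADDRESS = "127.0.0.1";
    # Public origin; must match the nginx vhost for 2FA/WebAuthn and links.
    DOMAIN = "https://vw.schrottkatze.de";
    # Close registration once the intended accounts exist.
    SIGNUPS_ALLOWED = false;
    ROCKET_LOG = "critical";
  };
};
```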

Binary file not shown.