| -rw-r--r-- | flake.lock | 18 | ||||
| -rw-r--r-- | os/kay/configuration.nix | 1 | ||||
| -rw-r--r-- | os/kay/modules/dns/sinanmohd.com.zone | 3 | ||||
| -rw-r--r-- | os/kay/modules/internal/www.nix | 7 | ||||
| -rw-r--r-- | os/kay/modules/services/vaultwarden/default.nix | 38 | ||||
| -rw-r--r-- | os/kay/modules/services/vaultwarden/secrets.yaml | 27 |
6 files changed, 84 insertions, 10 deletions
@@ -85,11 +85,11 @@
 ]
 },
 "locked": {
- "lastModified": 1741473158,
- "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
+ "lastModified": 1764011051,
+ "narHash": "sha256-M7SZyPZiqZUR/EiiBJnmyUbOi5oE/03tCeFrTiUZchI=",
 "owner": "numtide",
 "repo": "devshell",
- "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
+ "rev": "17ed8d9744ebe70424659b0ef74ad6d41fc87071",
 "type": "github"
 },
 "original": {
@@ -226,11 +226,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760298620,
- "narHash": "sha256-0mNbLZH9oy4+UHquPXu9J194pGfVyL+UJB0JopcvQeA=",
+ "lastModified": 1765742997,
+ "narHash": "sha256-zGPJzN7zMQBdlME28aJiC7/QSES0knowOJHrg2UTlI8=",
 "owner": "tale",
 "repo": "headplane",
- "rev": "4ccc73d7e4c9cca68db88fa609e7794cd1d644ce",
+ "rev": "985d7d9dc6636a7472262dcdc0192642e8f7fd4e",
 "type": "github"
 },
 "original": {
@@ -418,11 +418,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1764667669,
- "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
+ "lastModified": 1766651565,
+ "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=",
 "owner": "NixOs",
 "repo": "nixpkgs",
- "rev": "418468ac9527e799809c900eda37cbff999199b6",
+ "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539",
 "type": "github"
 },
 "original": {
diff --git a/os/kay/configuration.nix b/os/kay/configuration.nix
index 9ce5f86..979b9d9 100644
--- a/os/kay/configuration.nix
+++ b/os/kay/configuration.nix
@@ -26,6 +26,7 @@
 ./modules/services/matrix
 ./modules/services/cgit.nix
 ./modules/services/nixarr.nix
+ ./modules/services/vaultwarden
 ];
 
 networking.hostName = "kay";
diff --git a/os/kay/modules/dns/sinanmohd.com.zone b/os/kay/modules/dns/sinanmohd.com.zone
index ce3b678..8baaedc 100644
--- a/os/kay/modules/dns/sinanmohd.com.zone
+++ b/os/kay/modules/dns/sinanmohd.com.zone
@@ -2,7 +2,7 @@
 $ORIGIN sinanmohd.com.
 $TTL 2d
 @ IN SOA ns1 hostmaster (
- 2025122500 ; serial
+ 2025122700 ; serial
 2h ; refresh
 5m ; retry
 1d ; expire
@@ -51,5 +51,6 @@
 minio IN CNAME @
 s3 IN CNAME @
 headscale IN CNAME @
 jellyfin IN CNAME @
+vaultwarden IN CNAME @
 _acme-challenge IN NS ns1
diff --git a/os/kay/modules/internal/www.nix b/os/kay/modules/internal/www.nix
index 61e6893..ce5dab6 100644
--- a/os/kay/modules/internal/www.nix
+++ b/os/kay/modules/internal/www.nix
@@ -180,6 +180,13 @@ in
 };
 };
 
+ "vaultwarden.${domain}" = defaultOpts // {
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+
 "s3.${domain}" = defaultOpts // {
 extraConfig = ''
 # Allow special characters in headers
diff --git a/os/kay/modules/services/vaultwarden/default.nix b/os/kay/modules/services/vaultwarden/default.nix
new file mode 100644
index 0000000..1fdb22f
--- /dev/null
+++ b/os/kay/modules/services/vaultwarden/default.nix
@@ -0,0 +1,38 @@
+{ config, lib, ... }:
+let
+ domain = config.global.userdata.domain;
+in
+{
+ sops.secrets = {
+ "vaultwarden/env".sopsFile = ./secrets.yaml;
+ "vaultwarden/rsa.pem" = {
+ sopsFile = ./secrets.yaml;
+ owner = config.systemd.services.vaultwarden.serviceConfig.User;
+ };
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ configurePostgres = true;
+ environmentFile = config.sops.secrets."vaultwarden/env".path;
+ config = {
+ # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+ DOMAIN = "https://vaultwarden.${domain}";
+ SIGNUPS_ALLOWED = false;
+ RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa.pem".path;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+
+ # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ SMTP_HOST = "mail.${domain}";
+ SMTP_FROM = "no-reply@${domain}";
+ SMTP_FROM_NAME = "Sinan's Vaultwarden server";
+ SMTP_PORT = 465;
+ SMTP_SECURITY = "force_tls";
+ SMTP_USERNAME = "no-reply@${domain}";
+ };
+ };
+}
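Review bot: The new `"vaultwarden.${domain}"` vhost proxies everything under `/`, which includes vaultwarden's `/admin` panel, so the panel is reachable from the internet whenever `ADMIN_TOKEN` is set — and the token, if any, lives in the encrypted env file this commit does not show. If the panel is wanted, a `locations."/admin"` entry carrying an `allow`/`deny` list for the addresses that need it (or `return 404;` when it is not needed) keeps it off the public surface while `/` stays proxied. Vaultwarden's authentication-failure log lines only carry the real client address if nginx forwards it; `defaultOpts` is defined outside the hunk, so whether the recommended proxy headers are already applied cannot be confirmed here, and `recommendedProxySettings = true;` on the location would make that explicit.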
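Review bot: `SIGNUPS_ALLOWED = false` is the right default for a public vault, but the hunk leaves no documented path for creating the first account: `ADMIN_TOKEN`, invitations and a signup domain allowlist are all absent from the visible config and the env file is encrypted, so a maintainer cannot tell how onboarding works. A comment next to the option such as `# accounts are created through the admin panel (ADMIN_TOKEN in secrets.yaml env); public signups stay closed`, adjusted to whichever mechanism is actually used, would settle it. If `ADMIN_TOKEN` does live in the env file, the argon2 PHC form vaultwarden accepts is preferable to the plaintext token, since it limits what a read of the env file yields. `ROCKET_LOG = "critical"` quiets only the Rocket framework logger; as far as I can tell vaultwarden's own authentication-failure messages are governed by `LOG_LEVEL`, so a one-line comment stating that the two are independent would stop a future reader from assuming fail2ban-style detection has been switched off here.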
diff --git a/os/kay/modules/services/vaultwarden/secrets.yaml b/os/kay/modules/services/vaultwarden/secrets.yaml
new file mode 100644
index 0000000..e5fed12
--- /dev/null
+++ b/os/kay/modules/services/vaultwarden/secrets.yaml
@@ -0,0 +1,27 @@
+vaultwarden:
+ rsa.pem: ENC[AES256_GCM,data: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,iv:HVluM5oXQEIOwfVBYgoQlxI5LhNj0ikNAyJPzXV/l6Q=,tag:Z2Rupghywk/fd4u8m6v+xw==,type:str]
+ env: ENC[AES256_GCM,data:CpbNfVpmbBPIE5Xvyx7AxsBphjXGuC47xXn/AecXvodvS4oOxyMp3FSkuhTTvnvEKjaIPvBcNRIc6Rb6QK5NLNwOZurIVRppGls5+txxaIejvu6kzR4IrBCQWveu1qwL2+lFE/7wUajn0zeSTRaFXtSqupR8La57uCnVVajkdhNKa8FVOfcdoEWdWTbcz2meQnl6naoTHa5pQYK7wZWp92R/TtnmUAJc8AD/aYw/CNf88NNcX64JvyxyGGYxi3iTpQP0W6c=,iv:8Ip6m92lDvLDHQ9npx8NfJH79FVv98qFMUV9fSvIKFI=,tag:l55q0YnBG/3uHFG8OqnjBQ==,type:str]
+sops:
+ age:
+ - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsWmhGeGNycVFHWndORnFp
+ SXNFaVd3YmlQai9DTXJFMjZRUTYrUEZzcUdRCmhuN0FCTkx1WlNNZDB2Nm5JK1Fl
+ Q082Z3p0eDIvdnlnZjZzT3FBTkxYQncKLS0tIGRKNU8zc2dTemUvcmxjK29rWEsr
+ L1haV2IrRm1Bd2liL25FTG9OM2lCekkK0SSKykSSaNRU6NwmUNqWv89Zsu/3bSZm
+ bp64rO3pIvqnFN4C8P94F8w6RhBLzH0UdUoipijBC3JO9eoYf0whtg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age15989j5lkkf2kn5wa2p6qc8wlxjjksc63k5ync8rz8t4e87394pzqm7h4rm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0UEk2ZSswRVl1YW9JaGZX
+ VUR1aG10OTQ4ZWo5REROZXBvVUtBcGpwSFNrClJkeWtlYlY1dUNNanVJdTRnbkU4
+ NmFkeFJTUVR0VjVpV05qeVB4SU91aEUKLS0tIFVVaVJBeHVPbExibmRMOEltQUNY
+ QjVkVkRQUk1FSzJTUHJpSHJReXp1WDQKozhIE+9qc2f5DaA1wllQ+Cmhr26okPQP
+ xczSPTTZuqf0xYE/VwVbOlgaM9lZxP5NRJyvJMYxxb5yJ7fFTQoqFA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-12-27T07:17:19Z"
+ mac: ENC[AES256_GCM,data:r21nkz9EMVqQ0sJOFqw1aur6tdJn4j7BpaDnUSypKf+53Nhm4FoZHcy6QtM8zuY3pOleAb/MjrOCQ/XwXoHyhp/FnWxg1YOwWA5PAwPPNpYWa7OInvNoyupyKeYL9+cy/lJt0Se1BsUvV+pM1D+2VKu+CnkcC8TF27wdN7e2HYo=,iv:VI/IWQ4wnJPmHJhLcvq6i3D4mdyFFrntdnqPsJIdkZ8=,tag:NQZL9FJo9GiT9JrB8M34aA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.11.0
