hosts.argon: setup vaultwarden

Author: Gerschtli

flake/nixpkgs.nix

@@ -41,6 +41,7 @@ import inputs.nixpkgs {
           minecraftServers
           portfolio
           teamspeak_server
+          vaultwarden
           vscode
           ;
 

hosts/argon/configuration.nix

@@ -9,6 +9,8 @@
     applications = {
       original-chattengauer.enable = true;
 
+      vaultwarden.enable = true;
+
       vereinsmanager.enable = true;
     };
 

nixos/applications/vaultwarden.nix

@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    ;
+
+  cfg = config.custom.applications.vaultwarden;
+  vaultwardenCfg = config.services.vaultwarden;
+
+  domain = "vaultwarden.tobias-happ.de";
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    custom.applications.vaultwarden.enable = mkEnableOption "vaultwarden";
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    custom = {
+      agenix.secrets = [ "vaultwarden-config" ];
+
+      services = {
+        backup.services.vaultwarden = {
+          description = "Vaultwarden";
+          interval = "Tue *-*-* 04:40:00";
+          user = "vaultwarden";
+
+          directoryToBackup = vaultwardenCfg.backupDir;
+        };
+
+        nginx.enable = true;
+      };
+    };
+
+    services = {
+      vaultwarden = {
+        enable = true;
+        dbBackend = "sqlite";
+        backupDir = "/var/backup/vaultwarden";
+        environmentFile = config.age.secrets.vaultwarden-config.path;
+
+        config = {
+          ROCKET_PORT = 8000;
+          DOMAIN = "https://${domain}";
+
+          SIGNUPS_ALLOWED = false;
+        };
+      };
+
+      nginx.virtualHosts.${domain} = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString vaultwardenCfg.config.ROCKET_PORT}/";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
+  };
+
+}

nixos/misc/agenix.nix

@@ -40,6 +40,7 @@ in
         "passwd-root-neon"
         "passwd-tobias-neon"
         "teamspeak-serverquery-password"
+        "vaultwarden-config"
         "wireless-config"
       ]);
       default = [ ];
@@ -118,6 +119,12 @@ in
           user = "teamspeak-update-notifier";
         })
 
+        (buildConfig {
+          name = "vaultwarden-config";
+          host = "argon";
+          user = "vaultwarden";
+        })
+
         (buildConfig {
           name = "wireless-config";
           host = "xenon";

secrets/argon/vaultwarden-config.age

@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQkFpM3MrVVZKMVIvWnVF
+Q3VJc1IzQkxjenlOOHJqdi9GcDc1a3kyYlU0ClRkKzU5S0JVcktGdmY0WG16UWFZ
+K0VJRzZjRWRVWWc5cWhORTQzK3FlTG8KLT4gWDI1NTE5IForNWp5L0VyT01IS1BM
+L0RnYUtwOFpUWlBKeHpmU1hEZytzcUdSTW1xblUKdmZEUXd0NUlYeHl4WEJZcGxD
+bjhhSVpxRnBtK3BDWmpYcm4ybjRFeW5FVQotPiBnL2ZhRS1ncmVhc2UgdjQtc3ty
+Cjhub2lOVUpIN2hDTmRTaWVhWXlxZDZvQis3VGpGM1VzUEkxQUFVY01vR0xiVEYr
+VkVnZE8zbkxpcUh6WVVDR1kKS2xIWHRNV1BKa0VSCi0tLSA2bG9XcG1TVjQ0c1Zt
+VFBYOVduQjR4Mjl2dFJIWUgrQzJpMkRlMEdRN05JCmfgFf0JEI+0nK5/dVIgNgXH
+11i25CpyMlWVr9ER6DLY5lwqm2L3qzdmn1R8aZfCoQFf0yvdZ4tXXlhzMpmh/VJm
+wtoybh4iq7otJNEqOW0a6QOxFk5ulKkdL+NEzlRB7VQVB6f9HkeBXgQaAUNdG/Al
+isIr9XRcf3fsiF6wwg1+ZXT5W90UQtYPxmT0ZCVnVl1B/wv7FmGeQTBqm23bHUzl
+k+E=
+-----END AGE ENCRYPTED FILE-----