From 995d33dd5eafb4a1b7b2d9cf3795e421c5972622 Mon Sep 17 00:00:00 2001
From: Nickiel12
Date: Sat, 14 Oct 2023 20:02:06 -0700
Subject: [PATCH] added self-hosted vaultwarden instance

---
 hosts/Alaska/default.nix | 1 +
 hosts/Alaska/modules/dnsmasq.nix | 11 ++++-
 hosts/Alaska/modules/vaultwarden.nix | 72 ++++++++++++++++++++++++++++
 3 files changed, 82 insertions(+), 2 deletions(-)
 create mode 100644 hosts/Alaska/modules/vaultwarden.nix

diff --git a/hosts/Alaska/default.nix b/hosts/Alaska/default.nix
index 34ea8bd..41d204d 100644
--- a/hosts/Alaska/default.nix
+++ b/hosts/Alaska/default.nix
@@ -13,6 +13,7 @@
 (import ./modules/msmtp.nix)
 (import ./modules/headscale.nix)
 (import ./modules/tailscale.nix)
+ (import ./modules/vaultwarden.nix)
 ];
 
 networking.hosts = {
diff --git a/hosts/Alaska/modules/dnsmasq.nix b/hosts/Alaska/modules/dnsmasq.nix
index b597445..9e576ba 100644
--- a/hosts/Alaska/modules/dnsmasq.nix
+++ b/hosts/Alaska/modules/dnsmasq.nix
@@ -13,9 +13,16 @@
 settings = {
 listen-address = "::1,127.0.0.1,10.0.0.183";
 port = 53;
- server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
 # Manual expection for frustrating windows devices to point at headscale server
- address = "/headscale.nickiel.net/10.0.0.183";
+ address = [ "/files.nickiel.net/10.0.0.183" "/git.nickiel.net/10.0.0.183" "/headscale.nickiel.net/10.0.0.183" "/irc.nickiel.net/10.0.0.183" "/jellyfin.nickiel.net/10.0.0.183" "/vaultwarden.nickiel.net/100.64.0.1" ];
+ server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
 bogus-priv = true;
 domain-needed = true;
 no-resolv = true;
diff --git a/hosts/Alaska/modules/vaultwarden.nix b/hosts/Alaska/modules/vaultwarden.nix
new file mode 100644
index 0000000..1f44cae
--- /dev/null
+++ b/hosts/Alaska/modules/vaultwarden.nix
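Review bot: In the dnsmasq hunk the context comment `# Manual expection for frustrating windows devices to point at headscale server` now sits above a six-entry split-horizon list, so it no longer describes what the new `address` block does; reword it to something like `# Split-horizon DNS: answer our own service names with LAN/tailnet addresses instead of the public record` (and fix the "expection" typo while there). `vaultwarden.nickiel.net` is the only entry resolving to `100.64.0.1` rather than `10.0.0.183`, which looks deliberate because the nginx ACL for that host only admits the tailnet range, but nothing says so; a one-line comment such as `# tailnet-only: the vault is deliberately not reachable from the LAN` would stop the next reader from "fixing" it. The enclosing `settings` attrset continues past the end of the hunk.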
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+in
+{
+ services.vaultwarden = {
+ enable = true;
+ # Set to sqlite to enable the default backups
+ dbBackend = "sqlite";
+ backupDir = "/Aurora/Backups/Vaultwarden";
+ environmentFile = "/home/nixolas/.passfiles/vaultwarden.env";
+ # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+ config = {
+ DOMAIN = "https://vaultwarden.nickiel.net";
+ ROCKET_PORT = 8022;
+
+ # for some reason, crashes when log_file is set
+ # But it logs to systemctl just fine
+ LOG_LEVEL = "trace";
+ SIGNUPS_VERIFY = true;
+ SIGNUPS_ALLOWED = false;
+
+ # You can enable this in the admin portal
+ # USE_SENDMAIL = true; # is broken rn :`(
+ SENDMAIL_COMMAND = "${pkgs.msmtp}/bin/sendmail";
+
+ WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault";
+ WEB_VAULT_ENABLED = true;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "0.0.0.0";
+ WEBSOCKET_PORT = 3012;
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "vaultwarden.nickiel.net" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:8022";
+ extraConfig = ''
+ allow 100.64.0.0/16;
+ allow 127.0.0.1;
+ deny all;
+ '';
+ };
+# got the below from https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/hosts/ao/modules/vaultwarden.nix#L21
+
+ "/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:8022";
+ proxyWebsockets = true;
+ extraConfig = ''
+ allow 100.64.0.0/16;
+ allow 127.0.0.1;
+ deny all;
+ '';
+ };
+ "/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:3012";
+ proxyWebsockets = true;
+ extraConfig = ''
+ allow 100.64.0.0/16;
+ allow 127.0.0.1;
+ deny all;
+ '';
+ };
+ };
+ };
+ };
+}
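Review bot: `WEBSOCKET_ADDRESS = "0.0.0.0"` binds vaultwarden's websocket listener on every interface on port 3012, so the `allow 100.64.0.0/16; ... deny all;` ACL that nginx enforces on `/notifications/hub` is bypassed by anything that can reach the host directly on 3012 (unless a firewall rule outside this patch blocks it); nginx already proxies to `http://127.0.0.1:3012`, so `WEBSOCKET_ADDRESS = "127.0.0.1";` is all it needs. The main Rocket listener has the same exposure: `ROCKET_ADDRESS` is not set in this `config` block and, as far as the linked `.env.template` shows, vaultwarden's built-in default listens on all interfaces, so add `ROCKET_ADDRESS = "127.0.0.1";` next to `ROCKET_PORT` unless the env file already sets it (the patch cannot show that). `LOG_LEVEL = "trace"` reads like a leftover from debugging the `log_file` crash mentioned in the comment; trace output from a password-manager backend is very chatty and lands in the journal, so `"warn"` or `"info"` is the safer steady state. `environmentFile` points into a user's home directory; confirm its mode lets only the vaultwarden service user read it, since that file presumably carries the admin token and SMTP credentials.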