services: vaultwarden: move to fort

Signed-off-by: Christoph Heiss <christoph@c8h4.io>

.sops.yaml

@@ -18,14 +18,14 @@ creation_rules:
           - *christoph_maui
           - *machine_tank
           - *machine_fort
-  - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank|vaultwarden)\.yaml
+  - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank)\.yaml
     key_groups:
       - age:
           - *christoph_trek
           - *christoph_zero
           - *christoph_maui
           - *machine_tank
-  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vikunja|wireguard)\.yaml
+  - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard)\.yaml
     key_groups:
       - age:
           - *christoph_trek

machines/fort.nix

@@ -25,6 +25,7 @@ in {
     ../services/nginx.nix
     ../services/node-exporter.nix
     ../services/restic-client.nix
+    ../services/vaultwarden.nix
     ../services/vikunja.nix
     ../services/web/c8h4-io.nix
     ../system/btrfs.nix

machines/tank.nix

@@ -14,7 +14,6 @@
     ../services/postgresql.nix
     ../services/prometheus.nix
     ../services/restic-client.nix
-    ../services/vaultwarden.nix
     ../system/baremetal-server.nix
     ../system/btrfs.nix
     ../system/ucode-amd.nix

secrets/sops/vaultwarden.yaml

@@ -1,5 +1,19 @@
 vaultwarden:
-    env: ENC[AES256_GCM,data:0Ayxqf30Gto5ek5l4ECbTrgwg7XVfA9L+viFX2FfHJsEfmAg4PY7aO/43JvQEfYOMz0Hnpus1bEDgUUSiuiRFB830GkQ9f/70GcMP8V4GjZyM0JDpOt7Mr585cWow0Z7zC4oGCXamFeFL0tsMZbtpWp0rftP/RBiK8zlLYT/ggJkC+6R6wtN7nqXpvwO+0ttyhsiB9oDLWnLawnxa2R6+zcd+r/Agk8eVG+yDrY=,iv:mH9MC80np5TVzN+u3IddBei05lye2oqH4CKFeBI2/hY=,tag:p5kBU3AQWsz7tlsznp6ZMg==,type:str]
+    env: ENC[AES256_GCM,data:tXcAvMe2WbXTocph2L+zo88V8+elofKZbLx9tIyWCCGMc7nnWbAyjZkpVNtBT+T2Gvx36tLlgubtjuHWznVSUC4TwSJ51/N5XaLVQaYRRBlCIIPtTLnba/zyYgTKLcfUu1F0F2oTV7/MTRFWkQnmF/4SljOtujB2LOOt65eXqq5WWID9GhOaIYXuZMQ9PhyUDTUw3OgofP3KNNSkbcSnWLCK2+pdNss5Fj7yyDEEiRAXoeLLqVQWk/yn2NBzAF+ds4TEiL7dHaHVRrZ9Ppf9yLS+PCGE3usvL0Hlo5/c8oNwiFXp++uMTiOgHGr2WlzG3ckc55FqOWKxBzawhQh0Co70wJ+bCSNe8jWWKDsu+CleDOQdpeuFvdh28wvOBbmPAYeWMjDoh/9AGqrkxA1Dy5vrLBmAV+JxpUUd0BqyB9hqiAKkKWGnnnIhlp4SZB8bt5E1dQvPI/jhdsp+ekbjnEF4jAIISHDu3xFugjfhKMlszVI8in92P8buezC3SIdE0znklN/bdFqzFbiAToihn8hN7cXdyDsj1GSlfb3IhLndZQ==,iv:Z0vHZwRy6eAA5hSQOa+1N41VlW+Ov9IwG/ah6TYWS1E=,tag:QNRhGTNwKDDP3F+g/UO3YA==,type:str]
+#ENC[AES256_GCM,data:6aYRL6qCTcTAa7j+rxCL5+HhsEQ3iXawAR8=,iv:uzF0anmKoGw/m1sahhkBQQjGEi4B7cKxOh9+7Gx99pM=,tag:6VYhld57nPaZzq9Zl3BoIg==,type:comment]
+#ENC[AES256_GCM,data:7whKAOXM32LpVlLazf5Xgn0t6qU9Jaxr6Ywmc3ygeN59,iv:RWBARnS7FxdukL60J5TiDQNXJVx5mU8fzdoumRILiY0=,tag:B5bnjiy5rq+3FCR6cxWrBA==,type:comment]
+#ENC[AES256_GCM,data:KLEMq1v8/Stk7nSWWeUEGUF64zXs5rIB0sFF,iv:yAxd+j1CjPO1Uk5wJePAJO1loq3dgJJDp1b6dNoWtQc=,tag:1Rnmur+Krr39VD3rxgvHhw==,type:comment]
+#ENC[AES256_GCM,data:LToUU1nm2c0BCYA9M10oFVNIxGKJXpU=,iv:JB+UsIscG40oSbkIpdYZ/PYHM4MsM9IBe4ZXgFc6xPU=,tag:8neW9D0m8F/8gDiAgV9cAA==,type:comment]
+#ENC[AES256_GCM,data:CgiJ5lagyG38v3MS6RdiRRQLzqdggGo=,iv:SlIGxYlsZRMXkxAaWV/Qz0+Lt7dlcg6ACvpd843eMhw=,tag:SAEqvGLI39bNspzT5S9ydA==,type:comment]
+#ENC[AES256_GCM,data:aAZgKSAOILWC432RGbOBiw==,iv:6A7RtvtI9G3MtEJOUky0Ubzmz8hXbeeg4ECYU6FVfqI=,tag:7zNHTc5jsNuFwQdXszz6UQ==,type:comment]
+#ENC[AES256_GCM,data:j/v2P+dtBSsyqMVJZBDhMe6M+lF++QqLQTzL0wSITpryddXvfaG+gmrTIIkA1RVPGedn879BxhrZv4LX+fd0xmbvxgCszsgfMg5V,iv:VnDLgugeLJoPO5c25JU/E2jIk09IS9wJXnhcQ9u3nu8=,tag:hQ7dvGdX2iHd1fjzqMhIEA==,type:comment]
+#ENC[AES256_GCM,data:xzLHFpl+VLzx+t1SRdCvGLAGqs7o6T3hV9g51A==,iv:i8jQ97tDdm3DQQic/dme3kyaqcH+PvoJwfvZVzayErU=,tag:Gtbsg8frs+6VeluAl3drDw==,type:comment]
+#ENC[AES256_GCM,data:a5bWP1JkDNCsBQlK3NjXTKANPDkNtqfSASFCXsM86catzHtwZwjYbw==,iv:+3SckFOHQPO7sxOS748j0xLA2Lsn4rr9HFIVrNOOBw8=,tag:jGg1wEutF/aeumdmnYzbfQ==,type:comment]
+#ENC[AES256_GCM,data:CDoVjPT7hKXZ3J+2HDnCktXG3Pj8Pr3Uhdkp5pMpHUFuHMb4CrPWTXk=,iv:n3XJOAw/IzfsDxa7fB5p6KoL06AUxNnhVcDo94JDFDY=,tag:0hnPq1PYnox6vx17zJzAcA==,type:comment]
+#ENC[AES256_GCM,data:bn9KhTkRLj0wstp9tcy3ZpJM0cG5KxeqrUanTd2ULrzSOQ==,iv:Ku/1WWM7Erq1IGpvAmUxx7NbLkuXwGslX644jwuAT4U=,tag:3sCXU01sM7e0CIYjPA4k5g==,type:comment]
+#ENC[AES256_GCM,data:X1dW9x+eJFe4hv3HoAcAwNWNtEVSLDgnH4qNDixDr3QtpGH3DuzRN1u/6XaKR++2B2tmcmgLfPOTj0Du1YHDnuvppMi9JVvkpRqLOlUhHqwayVsCcGDhQWwVsrP86Bcbf0l3q4o9wJ6pfdswlwBRDNmgFLaXYHOzX+3p2nYmX0DPxOsTbvkmsQklj+S2FGqfxv+UEzcZrERI7JUA2z7D5GG5zHsdu5J8NHkAhVKkgLc6R5mpHPeu4Sv06pS6Q2I=,iv:Sc12G7JZBv0+mDTMMix+8RfpaECWHKXSc6ATTBfQoUM=,tag:zqjdYtIfysCBkF5bvb6i3Q==,type:comment]
+#ENC[AES256_GCM,data:4DKLq+191i+ADCysZJF5l7UlbZiYwjU=,iv:MFFLBeb3zdFk9H6aBPwqriBch3lUkbUPtza/0tKhe6M=,tag:eRLZ9BqGIulLSdSbh4ifjQ==,type:comment]
+#ENC[AES256_GCM,data:dTvSvmTANt9H/G2HX4Y=,iv:vmcY1+PIdeCtI4ySilSWSxQmvf7ogc/o6D/rJ7B+7uA=,tag:uAL8ZEHUWpIxPKMtfPetYw==,type:comment]
 sops:
     kms: []
     gcp_kms: []
@@ -9,41 +23,41 @@ sops:
         - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldWY2M1hubmtvQVhiWjdO
-            UTNkczkyU2pmUStDa1Nucld3NjQ4UVFiY2k4CjdkSUJpN2pHMHdwWkwramJESFpD
-            MmVVSGFhem45dzBncGxkQ2xoTkNVekUKLS0tIEx3WlhhODlFM0xFeW5xUlNpai9S
-            ZWU1b1RrUTdNdXUvYjlFaU5naVlKTTAKQgnzvbMvgRC51AhQSvJJ1OjWDl/y+Ysw
-            APTVhnxiZqpQ6NK4LgD2gmheXZXvRPTTKE3QbhI18tAEF1Qhwk4jPw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDc01Tdzh3TzlIWnBQYlFo
+            REdMcmsxdzY0VXJjWmhqUzd5WXgzRHA4dVh3Cjd3NStHSUFuQnlDazFkMGx1TklS
+            U1kxWWo2Wko2RTFUd0YvcmlVSUdDL0EKLS0tIE9SNnRUWXV3aktsVW5MUEFtQTJZ
+            NnNrUFMweFNlaXc4TFZUU2tCRnM5R2sKAvgHLGK0aFkYvZp61NNGTjoNFGplxPIL
+            Rz5CHVej00P2eVMh8v1MlyQV6wlxPW78dlPHoCwcTeuK3bE6gcn65A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWjQ0cURtQ0FtVGx4V1pp
-            a1E3RTNBbHhIRUxwVUY0akZsYVVTdVg2eDF3Clk0REpYVnZnbkduR1RtZ3ZwSnZy
-            dzVsVWlkSnFlWGg3Ky91VHQ3dWRyOVEKLS0tIDhwT2NZbG1wKzlQZlhLQXRQMU9T
-            QkFPdkxZNUpYY1RmcTUzeFcwYUNsR28KoH6t3aHfzepl7BKu4tVDsY+mnDLpERbo
-            EmrLu0fps2Aov4gSBr00ueEwtfOfcjB7mOKlSIXhpHtb0n5ufmNG2Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QlY0VkR0MDU1a1Y0OXFC
+            dEhKTklSZHNkK2IxVm1iZE56S1RPRDhya0d3CklyMlB4RnhWaThJWFFwNEcxNlJm
+            ZnlMR3NuazZnSjAxbi9uNGlERzlsaEUKLS0tIFA0WXNKV0xJMThGNkZzdnZIVElw
+            aEV0anRHN3c5N2Jsa1UrWUR0aUtxNk0KWMvGAybNgj7+UQVhe+5r3DR14rDldlYt
+            YrCXG0Lsh/u7iMYOuP5g/RBhrrwtUJeh/XY8GRurasDMLr34vGpxyg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SVhydzBIblp4TDBRSGo2
-            Y1pOK2d6VWsvTE9YRVAyeEtOY1R2c0xCb2tBClVIZFRibUlydVc4a3J5UzBib3Zs
-            ZjlhSm9JRjd3ZTFzTjJYTlIxSEdhTDAKLS0tIFNJSm1mQXl1cFpFMnV2eEE2eDRZ
-            aVdYdElyQ2xMTG9VQVdRUnA1V2lKL0EKKzxOylzyyy5MRBKusPAhw+TjW7F2aLCE
-            qy140yDr5CGbIznAdDyAbr/yobNYy+asC39Qsz/Ari0cNUHOGGItRQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydnY5b1RKOUNpZlFZdy9Q
+            ZlVzNkJyaEtMaFpJYTZHQ1IrUk8rL2lKdURJCkhGVzlUTGxYbjY3OUoxZVdXaXVE
+            RHlhTkJwLzlQTWF6VHQxdUhPQ012bmsKLS0tIFJ6a2RXSWlMRklqcW9wclR0TThY
+            VXI0Ui9kVlhMYlNkTVlSWEIwU1dQVkkKZUU3cu3g+pccKuHyYOUPmlYmRt4zDFLV
+            bXBmP/lEs/GkE4FtMwvAxkgWcs5LrgFcz9so3Z5jEAtai4VX7YdzJA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh
+        - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNEF5ZGNyaGNxQUs0SDBI
-            MG0vVWVkR2w0ZGZzOGlEQTZZNWdrcEs0MGxBCkZDQWpKUzROWVd0ZlBHeHlCMXpB
-            RGMxYmVGK0dRQlMzQTVKODF0Yi9wRDQKLS0tIFZKYjJvSlM1dW5NWFhRTFpqbFFn
-            SWJreFhhLy9WbHBIU1V0UEFnZ0xxencKfU8YMMgA7xadfreNwUGpd+EVstH3nlVP
-            cbVqTCrEw4D7HDjywzSn/5fIAskgND4u2YE5iE5MU3H1TFVg2dvrLQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WVh3dGIweHZ0Z0VFTVpF
+            Y0ZpT3E1SHcwVkN4dTRaSzNDWUtUZDcyakhVClc0SjVxU3FiWXlsZEJzRjdER1J6
+            OS8vbWo5OEFKN1lmOFBZWjVUQUtreGMKLS0tIDlUQXNNTE1Oa1R5c0xLQmNqcXdq
+            ZEdZR05aM0ZacVNRdVZ1TWF5b0VLMUEKJ17UVbD1jEBtAUEXTV5s3BSct1Ady5X3
+            VFi6xnbK4a6/2uQsAzAe1cPRUvKF1OJOi4jkZbGYuQhmdA9LmybGQg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-03T13:14:32Z"
-    mac: ENC[AES256_GCM,data:xRCSk5E/sl0A2//xh1Qi91whUrAeN/ZMHuxAVdSeT0YxKQWQ9RKMaQQzZAm/fiiQzeEhm45LLg24X5iPNeu3nQbEwO0CZlAuWLgDCYsIaw2mNtZKQSNl7W5hEwXamqlDqQVSjyctuQ70AZEacIixrnn+o2XABW8EZeExhvzDTGg=,iv:1p97jbZB0zHn6invGdjuy0q34P1ToMx+ZHyITfMGKJk=,tag:BD5ZjIRFJ0zYKg8YewLRWQ==,type:str]
+    lastmodified: "2024-08-17T16:14:32Z"
+    mac: ENC[AES256_GCM,data:00k9iqe4KNt7/16onCmuIoQYXWv9eszhkyEiaiHSiiCID4ac07bwYAxfi6812vnjgvqEkNguYuHTIVBajWtrYBnN/E+DvZ/L5dHkSGo3pgaPHg4+vMmZjFWGJNW4SWLrTykSD7dpRkDCQ8TP1eIlKtoOLUU/K+gyg3sJusgkArI=,iv:foYe2nOInd6hlxkpsoXtb5nHsDT7FBtQ7cOJQtioyQo=,tag:7MlfNrVCPGzdfUD663UGHg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0

services/vaultwarden.nix

@@ -1,4 +1,4 @@
-{ lib, my, secrets, ... }:
+{ config, lib, my, secrets, ... }:
 
 let fqdn = "vault.${my.domain}";
 in {
@@ -26,4 +26,19 @@ in {
 
   systemd.services.vaultwarden.serviceConfig.StateDirectory =
     lib.mkForce "vaultwarden";
+
+  services.nginx.virtualHosts.${fqdn} =
+    let inherit (config.services.vaultwarden.config) ROCKET_ADDRESS ROCKET_PORT;
+    in {
+      forceSSL = true;
+      useACMEHost = my.domain;
+      kTLS = true;
+      locations."/" = {
+        proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          client_max_body_size 256M;
+        '';
+      };
+    };
 }