diff --git a/.sops.yaml b/.sops.yaml
index b51e98a..8c0e677 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -18,14 +18,14 @@ creation_rules:
 - *christoph_maui
 - *machine_tank
 - *machine_fort
- - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank|vaultwarden)\.yaml
+ - path_regex: secrets/sops/(forgejo|grafana|home-assistant|navidrome|tank)\.yaml
 key_groups:
 - age:
 - *christoph_trek
 - *christoph_zero
 - *christoph_maui
 - *machine_tank
- - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vikunja|wireguard)\.yaml
+ - path_regex: secrets/sops/(alertmanager|fort|matrix-hookshot|vaultwarden|vikunja|wireguard)\.yaml
 key_groups:
 - age:
 - *christoph_trek
diff --git a/machines/fort.nix b/machines/fort.nix
index 500962a..841784d 100644
--- a/machines/fort.nix
+++ b/machines/fort.nix
@@ -25,6 +25,7 @@ in {
 ../services/nginx.nix
 ../services/node-exporter.nix
 ../services/restic-client.nix
+ ../services/vaultwarden.nix
 ../services/vikunja.nix
 ../services/web/c8h4-io.nix
 ../system/btrfs.nix
diff --git a/machines/tank.nix b/machines/tank.nix
index 499f5d5..bcffdce 100644
--- a/machines/tank.nix
+++ b/machines/tank.nix
@@ -14,7 +14,6 @@
 ../services/postgresql.nix
 ../services/prometheus.nix
 ../services/restic-client.nix
- ../services/vaultwarden.nix
 ../system/baremetal-server.nix
 ../system/btrfs.nix
 ../system/ucode-amd.nix
diff --git a/secrets/machines/fort.nix b/secrets/machines/fort.nix
index 18ef6d6..e30df5b 100644
Binary files a/secrets/machines/fort.nix and b/secrets/machines/fort.nix differ
diff --git a/secrets/machines/tank.nix b/secrets/machines/tank.nix
index 2ef1891..610b464 100644
Binary files a/secrets/machines/tank.nix and b/secrets/machines/tank.nix differ
diff --git a/secrets/sops/vaultwarden.yaml b/secrets/sops/vaultwarden.yaml
index 1432353..aa8f7a7 100644
--- a/secrets/sops/vaultwarden.yaml
+++ b/secrets/sops/vaultwarden.yaml
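Review bot: Moving `secrets/sops/vaultwarden.yaml` out of the `*machine_tank` key group (and the matching recipient swap in the `secrets/sops/vaultwarden.yaml` hunk) re-encrypts the file's data key for the fort group, but every earlier revision of that file in git history stays encrypted to tank's age key, so that host, or anyone holding its key, can still decrypt the previous `env` contents. Only rotating the plaintext values actually revokes that access; the changed `env` ciphertext here does not show whether the values were rotated, so the commit message should state it, or a rotation should follow this change. Dropping `../services/vaultwarden.nix` from tank and adding it to fort also does not move the `vaultwarden` StateDirectory data between hosts; presumably that migration happens out of band, which is worth noting alongside this commit.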
@@ -1,5 +1,19 @@ vaultwarden: - env: ENC[AES256_GCM,data:0Ayxqf30Gto5ek5l4ECbTrgwg7XVfA9L+viFX2FfHJsEfmAg4PY7aO/43JvQEfYOMz0Hnpus1bEDgUUSiuiRFB830GkQ9f/70GcMP8V4GjZyM0JDpOt7Mr585cWow0Z7zC4oGCXamFeFL0tsMZbtpWp0rftP/RBiK8zlLYT/ggJkC+6R6wtN7nqXpvwO+0ttyhsiB9oDLWnLawnxa2R6+zcd+r/Agk8eVG+yDrY=,iv:mH9MC80np5TVzN+u3IddBei05lye2oqH4CKFeBI2/hY=,tag:p5kBU3AQWsz7tlsznp6ZMg==,type:str] + env: ENC[AES256_GCM,data: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,iv:Z0vHZwRy6eAA5hSQOa+1N41VlW+Ov9IwG/ah6TYWS1E=,tag:QNRhGTNwKDDP3F+g/UO3YA==,type:str] +#ENC[AES256_GCM,data:6aYRL6qCTcTAa7j+rxCL5+HhsEQ3iXawAR8=,iv:uzF0anmKoGw/m1sahhkBQQjGEi4B7cKxOh9+7Gx99pM=,tag:6VYhld57nPaZzq9Zl3BoIg==,type:comment] +#ENC[AES256_GCM,data:7whKAOXM32LpVlLazf5Xgn0t6qU9Jaxr6Ywmc3ygeN59,iv:RWBARnS7FxdukL60J5TiDQNXJVx5mU8fzdoumRILiY0=,tag:B5bnjiy5rq+3FCR6cxWrBA==,type:comment] +#ENC[AES256_GCM,data:KLEMq1v8/Stk7nSWWeUEGUF64zXs5rIB0sFF,iv:yAxd+j1CjPO1Uk5wJePAJO1loq3dgJJDp1b6dNoWtQc=,tag:1Rnmur+Krr39VD3rxgvHhw==,type:comment] +#ENC[AES256_GCM,data:LToUU1nm2c0BCYA9M10oFVNIxGKJXpU=,iv:JB+UsIscG40oSbkIpdYZ/PYHM4MsM9IBe4ZXgFc6xPU=,tag:8neW9D0m8F/8gDiAgV9cAA==,type:comment] +#ENC[AES256_GCM,data:CgiJ5lagyG38v3MS6RdiRRQLzqdggGo=,iv:SlIGxYlsZRMXkxAaWV/Qz0+Lt7dlcg6ACvpd843eMhw=,tag:SAEqvGLI39bNspzT5S9ydA==,type:comment] +#ENC[AES256_GCM,data:aAZgKSAOILWC432RGbOBiw==,iv:6A7RtvtI9G3MtEJOUky0Ubzmz8hXbeeg4ECYU6FVfqI=,tag:7zNHTc5jsNuFwQdXszz6UQ==,type:comment] +#ENC[AES256_GCM,data:j/v2P+dtBSsyqMVJZBDhMe6M+lF++QqLQTzL0wSITpryddXvfaG+gmrTIIkA1RVPGedn879BxhrZv4LX+fd0xmbvxgCszsgfMg5V,iv:VnDLgugeLJoPO5c25JU/E2jIk09IS9wJXnhcQ9u3nu8=,tag:hQ7dvGdX2iHd1fjzqMhIEA==,type:comment] +#ENC[AES256_GCM,data:xzLHFpl+VLzx+t1SRdCvGLAGqs7o6T3hV9g51A==,iv:i8jQ97tDdm3DQQic/dme3kyaqcH+PvoJwfvZVzayErU=,tag:Gtbsg8frs+6VeluAl3drDw==,type:comment] +#ENC[AES256_GCM,data:a5bWP1JkDNCsBQlK3NjXTKANPDkNtqfSASFCXsM86catzHtwZwjYbw==,iv:+3SckFOHQPO7sxOS748j0xLA2Lsn4rr9HFIVrNOOBw8=,tag:jGg1wEutF/aeumdmnYzbfQ==,type:comment] 
+#ENC[AES256_GCM,data:CDoVjPT7hKXZ3J+2HDnCktXG3Pj8Pr3Uhdkp5pMpHUFuHMb4CrPWTXk=,iv:n3XJOAw/IzfsDxa7fB5p6KoL06AUxNnhVcDo94JDFDY=,tag:0hnPq1PYnox6vx17zJzAcA==,type:comment] +#ENC[AES256_GCM,data:bn9KhTkRLj0wstp9tcy3ZpJM0cG5KxeqrUanTd2ULrzSOQ==,iv:Ku/1WWM7Erq1IGpvAmUxx7NbLkuXwGslX644jwuAT4U=,tag:3sCXU01sM7e0CIYjPA4k5g==,type:comment] +#ENC[AES256_GCM,data:X1dW9x+eJFe4hv3HoAcAwNWNtEVSLDgnH4qNDixDr3QtpGH3DuzRN1u/6XaKR++2B2tmcmgLfPOTj0Du1YHDnuvppMi9JVvkpRqLOlUhHqwayVsCcGDhQWwVsrP86Bcbf0l3q4o9wJ6pfdswlwBRDNmgFLaXYHOzX+3p2nYmX0DPxOsTbvkmsQklj+S2FGqfxv+UEzcZrERI7JUA2z7D5GG5zHsdu5J8NHkAhVKkgLc6R5mpHPeu4Sv06pS6Q2I=,iv:Sc12G7JZBv0+mDTMMix+8RfpaECWHKXSc6ATTBfQoUM=,tag:zqjdYtIfysCBkF5bvb6i3Q==,type:comment] +#ENC[AES256_GCM,data:4DKLq+191i+ADCysZJF5l7UlbZiYwjU=,iv:MFFLBeb3zdFk9H6aBPwqriBch3lUkbUPtza/0tKhe6M=,tag:eRLZ9BqGIulLSdSbh4ifjQ==,type:comment] +#ENC[AES256_GCM,data:dTvSvmTANt9H/G2HX4Y=,iv:vmcY1+PIdeCtI4ySilSWSxQmvf7ogc/o6D/rJ7B+7uA=,tag:uAL8ZEHUWpIxPKMtfPetYw==,type:comment] sops: kms: [] gcp_kms: [] 
@@ -9,41 +23,41 @@ sops: - recipient: age1kdkzjqy88en4m65s7ld28srupzwaq30gu2e63ylayhqedpgfxews9kf6fy enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldWY2M1hubmtvQVhiWjdO - UTNkczkyU2pmUStDa1Nucld3NjQ4UVFiY2k4CjdkSUJpN2pHMHdwWkwramJESFpD - MmVVSGFhem45dzBncGxkQ2xoTkNVekUKLS0tIEx3WlhhODlFM0xFeW5xUlNpai9S - ZWU1b1RrUTdNdXUvYjlFaU5naVlKTTAKQgnzvbMvgRC51AhQSvJJ1OjWDl/y+Ysw - APTVhnxiZqpQ6NK4LgD2gmheXZXvRPTTKE3QbhI18tAEF1Qhwk4jPw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDc01Tdzh3TzlIWnBQYlFo + REdMcmsxdzY0VXJjWmhqUzd5WXgzRHA4dVh3Cjd3NStHSUFuQnlDazFkMGx1TklS + U1kxWWo2Wko2RTFUd0YvcmlVSUdDL0EKLS0tIE9SNnRUWXV3aktsVW5MUEFtQTJZ + NnNrUFMweFNlaXc4TFZUU2tCRnM5R2sKAvgHLGK0aFkYvZp61NNGTjoNFGplxPIL + Rz5CHVej00P2eVMh8v1MlyQV6wlxPW78dlPHoCwcTeuK3bE6gcn65A== -----END AGE ENCRYPTED FILE----- - recipient: age1es8273vc2yq89kvs4s84m6qffep86sm924k4my47a5qtau4ueypsgz3kqh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWjQ0cURtQ0FtVGx4V1pp - a1E3RTNBbHhIRUxwVUY0akZsYVVTdVg2eDF3Clk0REpYVnZnbkduR1RtZ3ZwSnZy - dzVsVWlkSnFlWGg3Ky91VHQ3dWRyOVEKLS0tIDhwT2NZbG1wKzlQZlhLQXRQMU9T - QkFPdkxZNUpYY1RmcTUzeFcwYUNsR28KoH6t3aHfzepl7BKu4tVDsY+mnDLpERbo - EmrLu0fps2Aov4gSBr00ueEwtfOfcjB7mOKlSIXhpHtb0n5ufmNG2Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4QlY0VkR0MDU1a1Y0OXFC + dEhKTklSZHNkK2IxVm1iZE56S1RPRDhya0d3CklyMlB4RnhWaThJWFFwNEcxNlJm + ZnlMR3NuazZnSjAxbi9uNGlERzlsaEUKLS0tIFA0WXNKV0xJMThGNkZzdnZIVElw + aEV0anRHN3c5N2Jsa1UrWUR0aUtxNk0KWMvGAybNgj7+UQVhe+5r3DR14rDldlYt + YrCXG0Lsh/u7iMYOuP5g/RBhrrwtUJeh/XY8GRurasDMLr34vGpxyg== -----END AGE ENCRYPTED FILE----- - recipient: age1ul99nmekam6rs9fpjka32aaxmnjq0p3a8x8drzxwtxa4g2u23anq6p2g6s enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SVhydzBIblp4TDBRSGo2 - Y1pOK2d6VWsvTE9YRVAyeEtOY1R2c0xCb2tBClVIZFRibUlydVc4a3J5UzBib3Zs - ZjlhSm9JRjd3ZTFzTjJYTlIxSEdhTDAKLS0tIFNJSm1mQXl1cFpFMnV2eEE2eDRZ - 
aVdYdElyQ2xMTG9VQVdRUnA1V2lKL0EKKzxOylzyyy5MRBKusPAhw+TjW7F2aLCE - qy140yDr5CGbIznAdDyAbr/yobNYy+asC39Qsz/Ari0cNUHOGGItRQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBydnY5b1RKOUNpZlFZdy9Q + ZlVzNkJyaEtMaFpJYTZHQ1IrUk8rL2lKdURJCkhGVzlUTGxYbjY3OUoxZVdXaXVE + RHlhTkJwLzlQTWF6VHQxdUhPQ012bmsKLS0tIFJ6a2RXSWlMRklqcW9wclR0TThY + VXI0Ui9kVlhMYlNkTVlSWEIwU1dQVkkKZUU3cu3g+pccKuHyYOUPmlYmRt4zDFLV + bXBmP/lEs/GkE4FtMwvAxkgWcs5LrgFcz9so3Z5jEAtai4VX7YdzJA== -----END AGE ENCRYPTED FILE----- - - recipient: age165nqtky9a5kdhca70uwd0cewqle7egzm4vmcmrpfnqfuchjdg3esn7frvh + - recipient: age1h96sm0j0k5kjmuf857xurtq7rwk5fhptenjdlkgmadtrz4lm95rqm6ctm2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmNEF5ZGNyaGNxQUs0SDBI - MG0vVWVkR2w0ZGZzOGlEQTZZNWdrcEs0MGxBCkZDQWpKUzROWVd0ZlBHeHlCMXpB - RGMxYmVGK0dRQlMzQTVKODF0Yi9wRDQKLS0tIFZKYjJvSlM1dW5NWFhRTFpqbFFn - SWJreFhhLy9WbHBIU1V0UEFnZ0xxencKfU8YMMgA7xadfreNwUGpd+EVstH3nlVP - cbVqTCrEw4D7HDjywzSn/5fIAskgND4u2YE5iE5MU3H1TFVg2dvrLQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WVh3dGIweHZ0Z0VFTVpF + Y0ZpT3E1SHcwVkN4dTRaSzNDWUtUZDcyakhVClc0SjVxU3FiWXlsZEJzRjdER1J6 + OS8vbWo5OEFKN1lmOFBZWjVUQUtreGMKLS0tIDlUQXNNTE1Oa1R5c0xLQmNqcXdq + ZEdZR05aM0ZacVNRdVZ1TWF5b0VLMUEKJ17UVbD1jEBtAUEXTV5s3BSct1Ady5X3 + VFi6xnbK4a6/2uQsAzAe1cPRUvKF1OJOi4jkZbGYuQhmdA9LmybGQg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-03T13:14:32Z" - mac: ENC[AES256_GCM,data:xRCSk5E/sl0A2//xh1Qi91whUrAeN/ZMHuxAVdSeT0YxKQWQ9RKMaQQzZAm/fiiQzeEhm45LLg24X5iPNeu3nQbEwO0CZlAuWLgDCYsIaw2mNtZKQSNl7W5hEwXamqlDqQVSjyctuQ70AZEacIixrnn+o2XABW8EZeExhvzDTGg=,iv:1p97jbZB0zHn6invGdjuy0q34P1ToMx+ZHyITfMGKJk=,tag:BD5ZjIRFJ0zYKg8YewLRWQ==,type:str] + lastmodified: "2024-08-17T16:14:32Z" + mac: 
ENC[AES256_GCM,data:00k9iqe4KNt7/16onCmuIoQYXWv9eszhkyEiaiHSiiCID4ac07bwYAxfi6812vnjgvqEkNguYuHTIVBajWtrYBnN/E+DvZ/L5dHkSGo3pgaPHg4+vMmZjFWGJNW4SWLrTykSD7dpRkDCQ8TP1eIlKtoOLUU/K+gyg3sJusgkArI=,iv:foYe2nOInd6hlxkpsoXtb5nHsDT7FBtQ7cOJQtioyQo=,tag:7MlfNrVCPGzdfUD663UGHg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.0
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 4e52231..9baf070 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ lib, my, secrets, ... }:
+{ config, lib, my, secrets, ... }:
 let fqdn = "vault.${my.domain}"; in {
@@ -26,4 +26,19 @@ in {
 systemd.services.vaultwarden.serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
+
+ services.nginx.virtualHosts.${fqdn} =
+ let inherit (config.services.vaultwarden.config) ROCKET_ADDRESS ROCKET_PORT;
+ in {
+ forceSSL = true;
+ useACMEHost = my.domain;
+ kTLS = true;
+ locations."/" = {
+ proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 256M;
+ '';
+ };
+ };
 }
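Review bot: `proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}"` hard-codes IPv6 bracket syntax, so the upstream URL is only valid when `config.services.vaultwarden.config.ROCKET_ADDRESS` is an IPv6 literal such as `::1`; with an IPv4 address or a hostname nginx will reject the upstream. That value is defined outside this hunk and is not visible here, so either record the assumption with `# ROCKET_ADDRESS is an IPv6 literal; the URL needs brackets` or make it robust with `proxyPass = "http://${if lib.hasInfix ":" ROCKET_ADDRESS then "[${ROCKET_ADDRESS}]" else ROCKET_ADDRESS}:${toString ROCKET_PORT}";`. It is also worth confirming that ROCKET_ADDRESS is a loopback address so the Rocket listener is reachable only through this TLS vhost, and that `services.nginx.recommendedProxySettings` is enabled (presumably in `../services/nginx.nix`) so Vaultwarden logs real client addresses for failed logins and admin access. The enclosing `in { … }` attribute set starts outside the hunk.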