add vaultwarden

This commit is contained in:
Emelie 2021-09-22 15:31:20 +02:00
parent b14a690975
commit fcba9260bc
Signed by: emelie
GPG key ID: 49D33365A7E22D12
7 changed files with 75 additions and 6 deletions

View file

@ -64,6 +64,10 @@
{ device = "rpool/safe/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/vaultwarden" =
{ device = "rpool/safe/vaultwarden";
fsType = "zfs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/e70cc088-a54e-4cd8-88ec-91944e5ff989"; }

View file

@ -20,6 +20,10 @@
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_git_graven_dev.file;
};
certs."vault.graven.dev" = {
dnsProvider = "hurricane";
credentialsFile = config.secrets.files.acme_vault_graven_dev.file;
};
};
}

View file

@ -1,10 +1,10 @@
{ config, ... }:
{
services.coturn = {
enable = true;
lt-cred-mech = true;
use-auth-secret = true;
#static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
static-auth-secret = "a_long_string_that_i_will_be_changing";
static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
realm = "turn.graven.dev";
relay-ips = [
"65.21.58.38"

View file

@ -68,6 +68,22 @@
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
};
"vault.graven.dev" = {
forceSSL = true;
useACMEHost = "vault.graven.dev";
locations."/" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:8812";
proxyWebsockets = true;
};
};
};
};
}

View file

@ -30,5 +30,14 @@
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
};
"vaultwarden" = {
paths = [ "/var/lib/vaultwarden" ];
repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
initialize = true;
pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = { "OnCalendar" = "03:30"; };
extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
passwordFile = builtins.toString config.secrets.files.restic_pass.file;
};
};
}

View file

@ -5,14 +5,24 @@
enable = true;
server_name = "graven.dev";
enable_registration = false;
# This causes infinite recursion for some reason. TODO: Investigate
#registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
#turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
turn_shared_secret = "a_long_string_that_i_will_be_changing";
registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
max_upload_size = "100M";
database_type = "psycopg2";
database_user = "synapse";
database_name = "synapse";
turn_uris = [
"turn:turn.graven.dev:3478?transport=udp"
"turn:turn.graven.dev:3478?transport=tcp"
"turn:turn.graven.dev:3479?transport=udp"
"turn:turn.graven.dev:3479?transport=tcp"
"turns:turn.graven.dev:5349?transport=udp"
"turns:turn.graven.dev:5349?transport=tcp"
"turns:turn.graven.dev:5350?transport=udp"
"turns:turn.graven.dev:5350?transport=tcp"
];
report_stats = true;
withJemalloc = true;
logConfig = ''
version: 1

View file

@ -0,0 +1,26 @@
{ config, ... }:
{
services.vaultwarden = {
enable = true;
environmentFile = config.secrets.files.vaultwarden_env.file;
backupDir = "/var/lib/vaultwarden/backup";
config = {
domain = "https://vault.graven.dev";
signupsAllowed = true;
rocketPort = 8812;
rocketLog = warn;
ipHeader = "X-Real-IP";
websocketEnabled = true;
websocketAddress = "127.0.0.1";
websocketPort = "3012";
dataDir = "/var/lib/vaultwarden";
smtpHost = "smtp.soverin.net";
smtpFrom = "vaultwarden@graven.dev";
smtpFromName = "Vaultwarden";
smtpPort = 465;
smtpSsl = true;
smtpExplicitTls = true;
smtpAuthMechanism = "Login";
};
};
}