add vaultwarden

2021-09-22 15:31:20 +02:00 · 2021-09-22 15:31:20 +02:00 · fcba9260bc
parent b14a690975
commit fcba9260bc
7 changed files with 75 additions and 6 deletions
--- a/config/hosts/wind/hardware-configuration.nix
+++ b/config/hosts/wind/hardware-configuration.nix
@ -64,6 +64,10 @@
    { device = "rpool/safe/gitea";
      fsType = "zfs";
    };
+  fileSystems."/var/lib/vaultwarden" =
+    { device = "rpool/safe/vaultwarden";
+      fsType = "zfs";
+    };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/e70cc088-a54e-4cd8-88ec-91944e5ff989"; }
--- a/config/hosts/wind/services/acme.nix
+++ b/config/hosts/wind/services/acme.nix
@ -20,6 +20,10 @@
      dnsProvider = "hurricane";
      credentialsFile = config.secrets.files.acme_git_graven_dev.file;
    };
+    certs."vault.graven.dev" = {
+      dnsProvider = "hurricane";
+      credentialsFile = config.secrets.files.acme_vault_graven_dev.file;
+    };
  };
 }

--- a/config/hosts/wind/services/coturn.nix
+++ b/config/hosts/wind/services/coturn.nix
@ -1,10 +1,10 @@
+{ config, ... }:
 {
  services.coturn = {
    enable = true;
    lt-cred-mech = true;
    use-auth-secret = true;
-    #static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
-    static-auth-secret = "a_long_string_that_i_will_be_changing";
+    static-auth-secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
    realm = "turn.graven.dev";
    relay-ips = [
      "65.21.58.38"
--- a/config/hosts/wind/services/nginx.nix
+++ b/config/hosts/wind/services/nginx.nix
@ -68,6 +68,22 @@
        forceSSL = true;
        locations."/".proxyPass = "http://unix:/run/gitea/gitea.sock:";
      };
+      "vault.graven.dev" = {
+        forceSSL = true;
+        useACMEHost = "vault.graven.dev";
+        locations."/" = {
+          proxyPass = "http://localhost:8812";
+          proxyWebsockets = true;
+        };
+        locations."/notifications/hub" = {
+          proxyPass = "http://localhost:3012";
+          proxyWebsockets = true;
+        };
+        locations."/notifications/hub/negotiate" = {
+          proxyPass = "http://localhost:8812";
+          proxyWebsockets = true;
+        };
+      };
    };
  };
 }
--- a/config/hosts/wind/services/restic.nix
+++ b/config/hosts/wind/services/restic.nix
@ -30,5 +30,14 @@
      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
    };
+    "vaultwarden" = {
+      paths = [ "/var/lib/vaultwarden" ];
+      repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+      initialize = true;
+      pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+      timerConfig = { "OnCalendar" = "03:30"; };
+      extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_private_key.file} -s sftp'" ];
+      passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+    };
  };
 }
--- a/config/hosts/wind/services/synapse.nix
+++ b/config/hosts/wind/services/synapse.nix
@ -5,14 +5,24 @@
    enable = true;
    server_name = "graven.dev";
    enable_registration = false;
-    # This causes infinite recursion for some reason. TODO: Investigate
-    #registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
-    #turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
-    turn_shared_secret = "a_long_string_that_i_will_be_changing";
+    registration_shared_secret = builtins.toString config.secrets.files.synapse_registration_shared_secret.file;
+    turn_shared_secret = builtins.toString config.secrets.files.synapse_turn_shared_secret.file;
    max_upload_size = "100M";
    database_type = "psycopg2";
    database_user = "synapse";
    database_name = "synapse";
+    turn_uris = [
+      "turn:turn.graven.dev:3478?transport=udp"
+      "turn:turn.graven.dev:3478?transport=tcp"
+      "turn:turn.graven.dev:3479?transport=udp"
+      "turn:turn.graven.dev:3479?transport=tcp"
+      "turns:turn.graven.dev:5349?transport=udp"
+      "turns:turn.graven.dev:5349?transport=tcp"
+      "turns:turn.graven.dev:5350?transport=udp"
+      "turns:turn.graven.dev:5350?transport=tcp"
+    ];
+    report_stats = true;
+    withJemalloc = true;
    logConfig = ''
      version: 1

--- a/config/hosts/wind/services/vaultwarden.nix
+++ b/config/hosts/wind/services/vaultwarden.nix
@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.secrets.files.vaultwarden_env.file;
+    backupDir = "/var/lib/vaultwarden/backup";
+    config = {
+      domain = "https://vault.graven.dev";
+      signupsAllowed = true;
+      rocketPort = 8812;
+      rocketLog = warn;
+      ipHeader = "X-Real-IP";
+      websocketEnabled = true;
+      websocketAddress = "127.0.0.1";
+      websocketPort = "3012";
+      dataDir = "/var/lib/vaultwarden";
+      smtpHost = "smtp.soverin.net";
+      smtpFrom = "vaultwarden@graven.dev";
+      smtpFromName = "Vaultwarden";
+      smtpPort = 465;
+      smtpSsl = true;
+      smtpExplicitTls = true;
+      smtpAuthMechanism = "Login";
+    };
+  };
+}