rm coredns and step-ca. use hs extra dns records. resolve vaultwarden
This commit is contained in:
parent
1bb2b7c194
commit
41ce9b892b
10 changed files with 73 additions and 36 deletions
|
|
@ -16,6 +16,7 @@ forgejo-runner:
|
|||
vaultwarden:
|
||||
admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
|
||||
smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
|
||||
hetzner-api-key: ENC[AES256_GCM,data:casjNOXzuQDWgnSFftbBMygA8kGpGiZDqup08faWO9kfjvgOyWOXeqPd2VA1ND8yfM2LvoLYvPs6gUWtni2ldQ==,iv:p2W24uhJgBvpi3g4+cHw0/XbbTM5oYCPHreMBUR4CNs=,tag:lpwjZGoJe/91+CHX/hAkKA==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
|
||||
|
|
@ -36,7 +37,7 @@ sops:
|
|||
NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
|
||||
f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-05-17T16:35:00Z"
|
||||
mac: ENC[AES256_GCM,data:U2WT4ENx8I9sr3byj7fQjv3H+mQTlhTI1HL9tufryKcUGjvb35ChwkIBcvEiYLa8udOR631sWwN4dCqZ4qwtCQ3MNjR8s1P6HqhzXeAPwyxfMLPZG1mbKXvYpamkxAOq8RxVHnVsPbrvFsxc57J11SI5IUfWT5T5GPQyJ+U8gMs=,iv:/xDaNV0fgKf9z+sql4BwwyIO/LQhRm3TrMhgaYZsPuE=,tag:Y0bfT1ZuiJ05F/+EwyzbSg==,type:str]
|
||||
lastmodified: "2026-05-17T20:34:39Z"
|
||||
mac: ENC[AES256_GCM,data:lSSotIfDcS6oJpSDSe2hLx1M9L8a+bjkPstcPv1h2ohSiOu8WGAwTy4lsKD1n9rnhTzFmMqi2Xgh4K0n3WiqWFBeNcA6UeM7+a6PcDtUeCC3JKsP/XZvCoPq5uBwUWcovRSm4UElaL5MteZkV3e+qZWeUpZCTWWWEjYBYnHPLpQ=,iv:t4Up4DuTuQyQQNa7lmZK6kt5O0/aShXSF2XBj9Y6/z8=,tag:oNmP8e7jEZ3ttPkwXkWSZw==,type:str]
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.12.1
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
|
||||
let
|
||||
inherit (constants) domain;
|
||||
inherit (constants.hosts.rx4) ip;
|
||||
inherit (constants.services.vaultwarden) fqdn port;
|
||||
in
|
||||
{
|
||||
|
|
@ -21,6 +22,7 @@ in
|
|||
environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
|
||||
|
||||
config = {
|
||||
ENABLE_WEBSOCKET = true;
|
||||
SIGNUPS_ALLOWED = false;
|
||||
|
||||
SMTP_FROM = "vaultwarden@${domain}";
|
||||
|
|
@ -30,12 +32,50 @@ in
|
|||
SMTP_SECURITY = "starttls";
|
||||
SMTP_USERNAME = "vaultwarden@${domain}";
|
||||
|
||||
ROCKET_ADDRESS = "0.0.0.0";
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
ROCKET_PORT = port;
|
||||
ROCKET_LOG = "critical";
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${fqdn}" = {
|
||||
useACMEHost = "pw-custom";
|
||||
forceSSL = true;
|
||||
listen = [
|
||||
{
|
||||
addr = "${ip}:443";
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
};
|
||||
"= /notifications/alerts" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
"= /notifications/hub" = {
|
||||
proxyPass = "http://127.0.0.1:${toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "admin@${domain}";
|
||||
certs."pw-custom" = {
|
||||
domain = fqdn;
|
||||
dnsProvider = "hetzner";
|
||||
dnsResolver = "1.1.1.1:53";
|
||||
credentialFiles = {
|
||||
HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
|
||||
};
|
||||
group = "nginx";
|
||||
};
|
||||
};
|
||||
|
||||
sops =
|
||||
let
|
||||
owner = config.users.users.vaultwarden.name;
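Review bot: The three `proxyPass` locations forward to 127.0.0.1 without any `X-Real-IP`/`X-Forwarded-For`/`X-Forwarded-Proto` headers visible in this hunk, so unless `services.nginx.recommendedProxySettings` is already enabled elsewhere in the config, vaultwarden will see every client (including failed logins and admin-panel attempts) as 127.0.0.1, which defeats its per-IP rate limiting and leaves the logs without a usable source address for incident review. Adding `services.nginx.recommendedProxySettings = true;` next to the virtualHost (or the equivalent `proxy_set_header` lines via `extraConfig`) fixes that; with `ROCKET_ADDRESS` now bound to 127.0.0.1, nginx is presumably the only entry point, which is what makes those forwarded headers trustworthy. As a point of style, the identical upstream string `"http://127.0.0.1:${toString port}"` appears three times and could be bound once in the module's `let`. The `sops = let …` binding at the end of the hunk continues outside it.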
|
||||
|
|
@ -50,6 +90,11 @@ in
|
|||
"vaultwarden/smtp-password" = {
|
||||
inherit owner group mode;
|
||||
};
|
||||
hetzner-api-key = {
|
||||
inherit mode;
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
};
|
||||
};
|
||||
templates = {
|
||||
"vaultwarden/env-file" = {
|
||||
|
|
|
|||