add vaultwarden

2026-04-03 13:44:28 +02:00 · 2026-04-03 13:44:28 +02:00 · e60e33b64b
commit e60e33b64b
parent 1579126baf
7 changed files with 86 additions and 7 deletions
--- a/hosts/rx4/secrets/secrets.yaml
+++ b/hosts/rx4/secrets/secrets.yaml
@ -16,6 +16,9 @@ forgejo-runner:
 webdav:
    user: ENC[AES256_GCM,data:vCLx,iv:Nra/FprNfd02HpvqOb5uYK+IGRFHhNwnFXWrX71c0C0=,tag:TjbKKOKBTq31o/5MxmqIsA==,type:str]
    pass: ENC[AES256_GCM,data:jfIoob6R6OhqKa2EujRzTQbvIlA=,iv:HvB088H2Z2uLCveT4YfNEdkK5VU0lBFD5FrZhx79fg0=,tag:1RnrfeUEURx0C575GTxi9A==,type:str]
+vaultwarden:
+    admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
+    smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
 sops:
    age:
        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@ -36,7 +39,7 @@ sops:
            NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
            f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-14T18:41:58Z"
-    mac: ENC[AES256_GCM,data:2e546c6VEf7vFGgSM344upn5C7YDGAwi8cLA/RV68ukJMKLvH1gdra4ii77uOaC1sCNan5mV0Kjs5ZVYj81O8PU3WJa9ra8TeAt8F690zTxNWSo1F/4sZxAk8d1WIBoNn4IPkYxi8Ry9+xqK13Q9PvplHc14VArMYC86wU+k5hc=,iv:T3td5G+pdfWzSLDuVkb75uWub6eBPxjqJgOrv3wvaiQ=,tag:vlQJVzFJEDncDzjA3JWM6Q==,type:str]
+    lastmodified: "2026-04-03T11:36:39Z"
+    mac: ENC[AES256_GCM,data:mIufcQyHd6sWnUCF/G8aRE10uwnntRXGz5R+fK6TbZSBJrRznTBaa4tVLtGo4wSghn4eBRfxecebuxSy0C2CQjBCkMbrjh4I2sYzAb5f8ghG4cQZgccuI7MCfQZ6JAEaa0BY7HJUZzlR9H+6iuDVuWwOO3OKzj0lWUlpDA6aC/M=,iv:qMSu9tYYkoirM2WHx7St/ztWSYxm8/gSosnCZYazNgU=,tag:NuUDG8fpAlBEbvKSq7/5bQ==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.1
--- a/hosts/rx4/services/default.nix
+++ b/hosts/rx4/services/default.nix
@ -19,9 +19,10 @@
    ./print-server.nix
    ./rss-bridge.nix
    ./rsshub-oci.nix
-    # ./webdav.nix # FIXME
+    ./vaultwarden.nix

    # ./alditalk-extender.nix # FIXME
+    # ./webdav.nix # FIXME
  ];

  # bootstrap
--- a/hosts/rx4/services/vaultwarden.nix
+++ b/hosts/rx4/services/vaultwarden.nix
@ -0,0 +1,68 @@
+{
+  constants,
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (constants) domain;
+  inherit (constants.services.vaultwarden) fqdn port;
+  inherit (lib) mkForce;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+
+    dbBackend = "postgresql";
+    configurePostgres = true;
+
+    configureNginx = true;
+    domain = fqdn;
+
+    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
+
+    config = {
+      SIGNUPS_ALLOWED = false;
+
+      SMTP_FROM = "vaultwarden@${domain}";
+      SMTP_FROM_NAME = "${domain} Vaultwarden server";
+      SMTP_HOST = "mail@${domain}";
+      SMTP_PORT = 587;
+      SMTP_SECURITY = "starttls";
+      SMTP_USERNAME = "vaultwarden@${domain}";
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = port;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
+
+  sops =
+    let
+      owner = config.users.users.vaultwarden.name;
+      group = config.users.groups.vaultwarden.name;
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "vaultwarden/admin-token" = {
+          inherit owner group mode;
+        };
+        "vaultwarden/smtp-password" = {
+          inherit owner group mode;
+        };
+      };
+      templates = {
+        "vaultwarden/env-file" = {
+          inherit owner group mode;
+          content = ''
+            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
+            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
+          '';
+        };
+      };
+    };
+}