Add vaultwarden.

2025-02-03 18:10:01 -06:00 · 2025-02-03 18:10:01 -06:00 · cf9c488824
commit cf9c488824
parent abeef2cb58
8 changed files with 29 additions and 10 deletions
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@ -4,15 +4,18 @@
  pkgs,
  ...
 }: {
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
  foehammer = {
    users.admin = {
      enable = true;
      hashedPasswordFile = config.sops.secrets.admin-password.path;
    };
+
+    services.vaultwarden = {
+      enable = true;
+      domain = "https://passwords.foehammer.me";
+      signups = false;
+      envPath = config.sops.secrets.vaultwarden-env.path;
+    };
  };

  services.tailscale = {
--- a/machines/lebesgue/config/routing.nix
+++ b/machines/lebesgue/config/routing.nix
@ -0,0 +1,13 @@
+{config, ...}: {
+  foehammer.caddy.enable = true;
+
+  services.caddy = {
+    virtualHosts = {
+      "passwords.foehammer.me" = {
+        extraConfig = ''
+          reverse_proxy :${toString config.foehammer.services.vaultwarden.port}
+        '';
+      };
+    };
+  };
+}
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@ -5,6 +5,7 @@
    secrets = {
      admin-password.neededForUsers = true;
      tskey = {};
+      vaultwarden-env = {};
    };
  };
 }
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@ -8,6 +8,7 @@
        "/var/log"
        "/var/lib/nixos"
        "/var/lib/docker"
+        "/var/lib/caddy/.local/share/caddy"
      ]
      ++ config.foehammer.backups.paths;

--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
@ -7,7 +7,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-WEokvgGDzO4WVp5gHu9rZVPyNzMdLuX8dMV/Zhf9OwQ=",
+        "narHash": "sha256-o3CFNeEY0LvR1kOSCVC8nxPqL3TggTQ9PcWKdy+2l2A=",
        "path": "../../nixos",
        "type": "path"
      },
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@ -1,5 +1,6 @@
 admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str]
 tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str]
+vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj7kp7EdiWBV8cXyHs189ncJ/vG02QCkrv46BH2eBN6kq4eHhefAoklS8kT0v9/7w==,iv:JrWh/0/arWoXOFhtgC+s/eoRDV9tppGXblZR3YOrTZg=,tag:3+wVYTlOodSwkLzApAsLOg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,8 +16,8 @@ sops:
            L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
            8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-03T20:29:36Z"
-    mac: ENC[AES256_GCM,data:mdK+B9R2THvjrKGlghcVVzCSSOnsJe9AqjMkj8H80l+Ij2SLPw/tS+/EgVwD6f87QGdV0o4U482CZc4GzbvrwdZgwYcjd2v2z7qUurDuga4SD/ex3czV43dmfzgePPnhVV60bVVfRebsuUdf48wwnZ8WA5aNtUxcFhoJ9zUaMjs=,iv:sMU3YgIVfynURvN6Jv8ixB7q4IuRYSGxvyRw4KhQwjg=,tag:4sRYLtAwkBBERdPS9qY/+w==,type:str]
+    lastmodified: "2025-02-03T23:49:44Z"
+    mac: ENC[AES256_GCM,data:gtH6PMQzxRGMpFI2hAka/MpXeLEivczq+L4Vruo1Vdain9f7iIdvATjomYO+NwkWUiDNWXqzU3VBb8NoyfqDeywtbu6GaUhmAUgVEFt0W2ceyqSF8qje+inI8rCjduodzIRG8XFgHoCvR8iQOtYWseyo6oOHFqBGiw1cBr/ciW8=,iv:9SeerJbjF3LTbjnAkvqqg4ceGJQCJScRBg1rG+xJ5dk=,tag:09H9oJU25ApddCgiMGIQFg==,type:str]
    pgp:
        - created_at: "2025-02-03T18:58:54Z"
          enc: |-