Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

move modules to web host

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-08-19 14:19:04 +02:00
parent 1890173440
commit edb55af964
15 changed files with 116 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
hosts/web-01.cloonar.com/modules/bitwarden/default.nix Normal file
View File

@@ -0,0 +1,114 @@
{
pkgs,
config,
...
}: let
ldapConfig = {
vaultwarden_url = "https://bitwarden.cloonar.com";
vaultwarden_admin_token = "@ADMIN_TOKEN@";
ldap_host = "ldap.cloonar.com";
ldap_ssl = true;
ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com";
ldap_bind_password = "@LDAP_PASSWORD@";
ldap_search_base_dn = "ou=users,dc=cloonar,dc=com";
ldap_search_filter = "(&(objectClass=cloonarUser))";
ldap_sync_interval_seconds = 3600;
};
ldapConfigFile =
pkgs.runCommand "config.toml"
{
buildInputs = [pkgs.remarshal];
preferLocalBuild = true;
} ''
remarshal -if json -of toml \
< ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
> $out
'';
in {
imports = [
../nur.nix
];
environment.systemPackages = with pkgs; [
nur.repos.mic92.vaultwarden_ldap
];
services.vaultwarden = {
enable = true;
dbBackend = "mysql";
config = {
domain = "https://bitwarden.cloonar.com";
signupsAllowed = false;
rocketPort = 3011;
enableDbWal = "false";
websocketEnabled = true;
smtpHost = "mail.cloonar.com";
smtpFrom = "bitwarden@cloonar.com";
smtpUsername = "bitwarden@cloonar.com";
};
};
systemd.services.vaultwarden.serviceConfig = {
EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path];
};
systemd.services.vaultwarden_ldap = {
wantedBy = ["multi-user.target"];
preStart = ''
sed \
-e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \
-e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \
${ldapConfigFile} \
> /run/vaultwarden_ldap/config.toml
'';
serviceConfig = {
Restart = "on-failure";
RestartSec = "2s";
ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml";
RuntimeDirectory = ["vaultwarden_ldap"];
User = "vaultwarden_ldap";
};
};
services.nginx.virtualHosts."bitwarden.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://localhost:3011";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:3011";
proxyWebsockets = true;
};
};
sops.secrets = {
bitwarden-admin-token.owner = "vaultwarden_ldap";
bitwarden-ldap-password.owner = "vaultwarden_ldap";
bitwarden-db-password.owner = "vaultwarden";
bitwarden-smtp-password.owner = "vaultwarden";
};
users.users.vaultwarden_ldap = {
isSystemUser = true;
group = "vaultwarden_ldap";
};
users.groups.vaultwarden_ldap = {};
services.mysqlBackup.databases = [ "bitwarden" ];
}

33
hosts/web-01.cloonar.com/modules/bitwarden/secrets.yaml Normal file
View File

@@ -0,0 +1,33 @@
bitwarden-admin-token: ENC[AES256_GCM,data:nCj7kwQHTwezG3hh5J+c2MmUXwlGpdNjeh4A4SK/wgdBroAAghMSTuT6B7sjPgX5PmyBpzspdI3XqVUoBHzL6g==,iv:11C/ScaTqI1VlBSd71TA2cZNAu/wSbOs6rnDTlKlPsI=,tag:8eD0VkJn/KZ49yMe4D/MrA==,type:str]
bitwarden-db-password: ENC[AES256_GCM,data:4l3ntOHX4pdiUzfSqOwzObgMRp9eS5fjze6rJu1h3kKr/g/lsESLWiIHUoguixaNmoPU2zy42jEDvhXII6R+1g==,iv:mEMGGGyWerJaAvo7ymNfkR1YgTG1ieB3n40BB6L+UM4=,tag:iRd88BjFMMht9Ku9K34SXQ==,type:str]
bitwarden-ldap-password: ENC[AES256_GCM,data:g6tp0NzXk3ZJTGKHSzFxVZs4DhauzPS6SGW99WFX/CO0Wprgp9lh/evI6T56g2YhIv/3jqNSmi+p1FwdOzValw==,iv:mHMlhJx2aKLLkrPy+Z+/6plS/uMiK+xhYk/PF5m7+wQ=,tag:BgRNstiVnN95/pSX0DYfSw==,type:str]
bitwarden-smtp-password: ENC[AES256_GCM,data:4ruP8yMeTG5A19Oyvv2MBTj2LwecwwYc8BBU1xDT2i757orCNrQHJd0VLtzynluS9ge4vAU7G8islKwR/IIDGsEq74//CxJIyXyH9XLBfc5Jb2Rs1uz/Nz2uCWOCqm1AZ2/8uxXOPPNVhKcs3wxOLbLnA3Yzh+VFKsKIO753FkKllpFbeZanhfD2/N4fAGU4C5F+0HcrLBLBGC3X/CfQyPUSio1uwWPxRJR94DlRdPq+ir4YXHW48Mw/33lJZ+HqApk1Nf+gmTff7XTib1d44ac4JR8m20D8qOQ2Y9vfqJOxD7/PdgeqRLXN3K1PaSDE7JkWoiE0dM3vJ0q+Pqf47tm/xT4qaJvqI0jLXMwqmUg=,iv:TiZrLMPx9UbUf/4zKmRWTERM8phtyTX7Q3dCFqn+Ew4=,tag:55tuxMBWu6WpT4BllKV+pA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUmttaXRmcXh2UDRyL1pJ
MmxMSzBqUmxlY290K1djQ3ZSYWM1OXhFbEhvCjlmNnd6T2Z2bHNZK3oxRmllNUFI
RzNvc3hqMXIwd3dwa3crckxVNmNyQXcKLS0tIHFLSXpUOFpyaUVXa2hJU0pheU5h
NlZoeVNYdTQ1c0pUQ1o4NnJxaWFTTFEK0l7vHpXj00fUFno5gjS3apPRWercgng6
SOygmyQiP/EWI/G0M6W8gjq76pQamYJWVVJVFwxqg4BxAhdMwxtVXQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNjE2c21zVktrTUJDVWJ2
UWdqZHErWkpGVnY5Q0F3QUlBNkprRFJFbHpjCnJvQmZoZ0x2c0dxU0FwbExGaTIz
eGFoczZma2dBVEJjQ1ljb24zYWJEQWsKLS0tIDVmWWQyYmQ1RS9oV0p0ZmwyUzJI
NkdzbFczM0VteW5ESGFNcmNJdFRNODAK8HRoc2thwAH8pvnMwesRs8OesVGHW/Iu
viPtt+w6FNwYt4LXnFlBMdGXfrWE0fWxokM0sm5GglKuFGn1zf3+VA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-28T21:53:06Z"
mac: ENC[AES256_GCM,data:jZq4UzkxyX/UhrmeKO7sFQpTlMB13lyi5/duXA0s2XX3W0U9g+TSZm21WiRGPjKmteJg0w2OhFsNk/y0uvD/oPE1ttLz/YRgiinuCoyufoX51AgQqS0KFxNBkTaDzoaKk3z1j8nEhAY2U0YS4fpOCNAkMsKdVZeTVOitcp/UeIE=,iv:5EzYCqUZri1VmD9wqQGxpypZe4F2h8W3D8a7mYbBBrg=,tag:iEFJBFmRJVw4YP5/V+21dQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3