feat(compute01): Deploy vaultwarden on pass.dgnum.eu

2023-10-14 14:26:48 +02:00 · 2023-10-14 14:26:48 +02:00 · c910159cb2
parent 1ea922c3f1
commit c910159cb2
4 changed files with 73 additions and 0 deletions
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -18,6 +18,7 @@ lib.extra.mkConfig {
    "outline"
    "rstudio-server"
    "satosa"
+    "vaultwarden"
    "zammad"
  ];

--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -14,5 +14,6 @@ lib.setDefault { inherit publicKeys; } [
  "outline-smtp_password_file"
  "outline-storage_secret_key_file"
  "satosa-env_file"
+  "vaultwarden-environment_file"
  "zammad-secret_key_base_file"
 ]
--- a/machines/compute01/secrets/vaultwarden-environment_file
+++ b/machines/compute01/secrets/vaultwarden-environment_file
--- a/machines/compute01/vaultwarden.nix
+++ b/machines/compute01/vaultwarden.nix
@ -0,0 +1,71 @@
+{ config, ... }:
+
+let host = "pass.dgnum.eu";
+
+in {
+  services.vaultwarden = {
+    enable = true;
+
+    config = {
+      DOMAIN = "https://${host}";
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_PORT = 10500;
+      SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
+      ROCKET_PORT = 10501;
+      ROCKET_ADDRESS = "127.0.0.1";
+      SIGNUPS_VERIFY = true;
+      USE_SYSLOG = true;
+
+      DATABASE_URL = "postgresql://vaultwarden?host=/run/postgresql";
+
+      SMTP_USERNAME = "web-services@infra.dgnum.eu";
+      SMTP_FROM = "noreply@infra.dgnum.eu";
+      SMTP_FROM_NAME = "DGNum Vault";
+      SMTP_PORT = 465;
+      SMTP_HOST = "kurisu.lahfa.xyz";
+      SMTP_SECURITY = "force_tls";
+    };
+
+    dbBackend = "postgresql";
+    environmentFile = config.age.secrets."vaultwarden-environment_file".path;
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+
+      virtualHosts.${host} = {
+        forceSSL = true;
+        enableACME = true;
+
+        locations = {
+          "/" = {
+            proxyPass = "http://127.0.0.1:10501";
+            proxyWebsockets = true;
+          };
+
+          "/notifications/hub" = {
+            proxyPass = "http://127.0.0.1:10500";
+            proxyWebsockets = true;
+          };
+
+          "/notifications/hub/negotiate" = {
+            proxyPass = "http://127.0.0.1:10501";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+
+      ensureDatabases = [ "vaultwarden" ];
+
+      ensureUsers = [{
+        name = "vaultwarden";
+        ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
+      }];
+    };
+  };
+}