From c910159cb271ce071eec499b110e98d43ef8fc60 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sat, 14 Oct 2023 14:26:48 +0200 Subject: [PATCH] feat(compute01): Deploy vaultwarden on pass.dgnum.eu --- machines/compute01/_configuration.nix | 1 + machines/compute01/secrets/secrets.nix | 1 + .../secrets/vaultwarden-environment_file | Bin 0 -> 1413 bytes machines/compute01/vaultwarden.nix | 71 ++++++++++++++++++ 4 files changed, 73 insertions(+) create mode 100644 machines/compute01/secrets/vaultwarden-environment_file create mode 100644 machines/compute01/vaultwarden.nix diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix index 1c0f049..c7d7c86 100644 --- a/machines/compute01/_configuration.nix +++ b/machines/compute01/_configuration.nix @@ -18,6 +18,7 @@ lib.extra.mkConfig { "outline" "rstudio-server" "satosa" + "vaultwarden" "zammad" ]; diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index f1888c5..6764df1 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -14,5 +14,6 @@ lib.setDefault { inherit publicKeys; } [ "outline-smtp_password_file" "outline-storage_secret_key_file" "satosa-env_file" + "vaultwarden-environment_file" "zammad-secret_key_base_file" ] 
diff --git a/machines/compute01/secrets/vaultwarden-environment_file b/machines/compute01/secrets/vaultwarden-environment_file new file mode 100644 index 0000000000000000000000000000000000000000..a9242edfac3d1ae640ae3815b9b6d64ed8302cb1 GIT binary patch literal 1413 zcmZY8&Fk9)90qU^9IQV#MVN;aIJBoo~Fx&wLnl5#_Jg!4@9S4Ry}&c;U+N^MrwD+&em}R_|a5pag4n7 z0%1v@DWp#cX$Mt49GFn41C-QQfA4a{0Qw16`qM9qBa{sqf$ipq&3&(Xf}#N&auR- z9ZwvO;pnY73XO%6DvAF;O$bC17wWxLYE@{MOl(tODWJ!)?AkA!l8{D)ob)y=0~ol3 zlOnqpOd4_vFHoUyfGJ^bozD7Ewk@`Xy>#$^T5s1d?SyD6C+BznmH^=p6za_oON%M9 zS^5zi3(U6kjm2zXZCSqLEQyCb6H~!5la)SJQ`>pdn;?lK&Z}ZI#8Ul#!`YRn14$fhR&5jLEOD_a?xcNZC173%bD^$}*6myz^IC_n z$D=lCvomTvXKk5I{4!-!Hd^H+H9@ieG|z1~iDjf#eL6)?g~yK6kDDQV z^66FmR6oz2M32_;>296SrA#wgHyR>tLQqR>?Zgwj)w0X2LPd(ch5ED$M%>B*WZ%?f zQ|?eE5n+?zDy`W;+;OP!wCHUl-jejDRC#iXn+wDyYjt%IhX;yH7rdGT-C4hBZnTx$ zclvp-TlGexZdXN{%rzQ;NsbZe?s(SMyG8B!2d{s(=gaGj z-*!Gg>9XfFNqf6gk-1FC^YcHPqb^rYz-?#UJeLo+$eXF&T246!DocXkEo&Dk4pWZob zyztuN=c=>6$==0%KkhwjUD^C`^7DgdKK%R9^{cUPReVgodil!jPj>D(j_kjF?(ojR MZ*F{X^MdyFzggqoJOBUy literal 0 HcmV?d00001 diff --git a/machines/compute01/vaultwarden.nix b/machines/compute01/vaultwarden.nix new file mode 100644 index 0000000..58b6991 --- /dev/null +++ b/machines/compute01/vaultwarden.nix 
@@ -0,0 +1,71 @@
+{ config, ... }:
+
+let host = "pass.dgnum.eu";
+
+in {
+ services.vaultwarden = {
+ enable = true;
+
+ config = {
+ DOMAIN = "https://${host}";
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_PORT = 10500;
+ SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
+ ROCKET_PORT = 10501;
+ ROCKET_ADDRESS = "127.0.0.1";
+ SIGNUPS_VERIFY = true;
+ USE_SYSLOG = true;
+
+ DATABASE_URL = "postgresql://vaultwarden?host=/run/postgresql";
+
+ SMTP_USERNAME = "web-services@infra.dgnum.eu";
+ SMTP_FROM = "noreply@infra.dgnum.eu";
+ SMTP_FROM_NAME = "DGNum Vault";
+ SMTP_PORT = 465;
+ SMTP_HOST = "kurisu.lahfa.xyz";
+ SMTP_SECURITY = "force_tls";
+ };
+
+ dbBackend = "postgresql";
+ environmentFile = config.age.secrets."vaultwarden-environment_file".path;
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+
+ virtualHosts.${host} = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:10501";
+ proxyWebsockets = true;
+ };
+
+ "/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:10500";
+ proxyWebsockets = true;
+ };
+
+ "/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:10501";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+ postgresql = {
+ enable = true;
+
+ ensureDatabases = [ "vaultwarden" ];
+
+ ensureUsers = [{
+ name = "vaultwarden";
+ ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
+ }];
+ };
+ };
+}
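Review bot: The websocket listener enabled by `WEBSOCKET_ENABLED = true` / `WEBSOCKET_PORT = 10500` in `services.vaultwarden.config` has no bind address set, and vaultwarden's default for `WEBSOCKET_ADDRESS` is `0.0.0.0`, so unlike the Rocket listener (pinned to `127.0.0.1`) it would listen on every interface while nginx only proxies to loopback; add `WEBSOCKET_ADDRESS = "127.0.0.1";` next to `WEBSOCKET_PORT` so the notifications hub is reachable only through the TLS virtual host (this assumes the packaged vaultwarden still runs a separate websocket server, which newer releases fold into the main listener). Whether `SIGNUPS_DOMAINS_WHITELIST` alone blocks registrations from other domains depends on how the deployed version treats `SIGNUPS_ALLOWED`, which is left at its default here; stating `SIGNUPS_ALLOWED = false;` explicitly removes that ambiguity and documents the intent. A short comment above `config = {` noting that `SMTP_PASSWORD` and any other credentials are expected to come from the agenix `environmentFile` would help the next reader see why no password appears in this attribute set.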