upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-07 21:42:16 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

test: forgejo microVM

Browse source
This commit is contained in:
Nick 2025-11-06 04:08:29 -06:00
parent 1f4c493072
commit 1376cdbe77
9 changed files with 245 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

232
modules/nixos/services/vaultwarden/default.nix
View file

@ -1,76 +1,174 @@
{
flake,
config,
lib,
...
}:
let
inherit (flake.config.services) instances;
service = instances.vaultwarden;
localhost = instances.web.localhost.address0;
host = service.domains.url0;
syncthing = instances.syncthing;
backupPath = "${syncthing.paths.path1}/${service.name}";
inherit (flake.config.people) user0;
inherit (flake.config.services.instances) vaultwarden smtp web;
service = vaultwarden;
host = vaultwarden.domains.url0;
secrets = service.secretPaths.path0;
localhost = web.localhost.address0;
sshPort = 22;
in
{
services = {
vaultwarden = {
backupDir = backupPath;
enable = true;
environmentFile = config.sops.secrets."${service.name}/env".path;
config = {
# Domain Configuration
DOMAIN = "https://${host}";
microvm = {
vms = {
vaultwarden = {
autostart = true;
config =
{
config,
pkgs,
lib,
...
}:
{
system.stateVersion = "25.05";
time.timeZone = "America/Winnipeg";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = instances.smtp.email.address0;
SMTP_FROM_NAME = service.label;
SMTP_HOST = instances.smtp.hostname;
SMTP_PORT = instances.smtp.ports.port1;
SMTP_SECURITY = instances.smtp.records.record1;
SMTP_USERNAME = instances.smtp.email.address0;
users.users.root = {
openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
};
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
services = {
vaultwarden = {
enable = true;
environmentFile = config.sops.secrets."${service.name}-env".path;
config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = smtp.email.address0;
SMTP_FROM_NAME = service.label;
SMTP_HOST = smtp.hostname;
SMTP_PORT = smtp.ports.port1;
SMTP_SECURITY = smtp.records.record1;
SMTP_USERNAME = smtp.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = service.ports.port0;
};
};
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
systemd = {
tmpfiles.rules = [
"d ${secrets} 0755 ${service.name} ${service.name} -"
];
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = service.ports.port0;
network = {
enable = true;
networks."10-enp" = {
matchConfig.Name = "enp0s4";
addresses = [ { Address = "${service.interface.ip}/24"; } ];
routes = [
{
Destination = "${localhost}/0";
Gateway = service.interface.gate;
}
];
dns = [ service.interface.gate ];
};
};
};
networking.firewall.allowedTCPPorts = [
sshPort
service.ports.port0
];
microvm = {
vcpu = 2;
mem = 2048;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = service.interface.id;
mac = service.interface.mac;
}
{
type = "user";
id = service.interface.idUser;
mac = service.interface.macUser;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = service.varPaths.path0;
proto = "virtiofs";
source = service.mntPaths.path0;
tag = "${service.name}_data";
}
{
mountPoint = service.secretPaths.path0;
proto = "virtiofs";
source = service.secretPaths.path0;
tag = "${service.name}_secrets";
}
{
mountPoint = service.ssl.path;
proto = "virtiofs";
source = service.ssl.path;
tag = "acme_certs";
}
];
forwardPorts = [
{
from = "host";
host.port = service.interface.ssh;
guest.port = sshPort;
}
];
};
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host}
}
};
tls ${service.ssl.cert} ${service.ssl.key}
encode zstd gzip
'';
};
};
};
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${service.interface.ip}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${service.ssl.cert} ${service.ssl.key}
encode zstd gzip
'';
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
path = "${secrets}/${service.name}-${secret}";
owner = "root";
mode = "600";
};
in
@ -78,7 +176,7 @@ in
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}/${secret}";
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
@ -86,30 +184,4 @@ in
]
);
};
systemd = {
tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
services.backup-vaultwarden = {
serviceConfig = {
Group = lib.mkForce syncthing.name;
};
wantedBy = lib.mkForce [ ];
after = [ "${service.name}.service" ];
};
};
users.users.${service.name}.extraGroups = [
syncthing.name
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}