diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index c781eef..6e92abc 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -66,7 +66,6 @@ in
 vaultwarden
 # website
 # zookeeper
- # wireguard - moved to systems/ceres/config/wireguard.nix
 ;
 };
 };
diff --git a/modules/nixos/services/acme/acmeCeres/default.nix b/modules/nixos/services/acme/acmeCeres/default.nix
index 877fef6..edf1b9d 100755
--- a/modules/nixos/services/acme/acmeCeres/default.nix
+++ b/modules/nixos/services/acme/acmeCeres/default.nix
@@ -37,9 +37,7 @@ in
 # "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0;
 # "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0;
 # "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0;
- "${instances.vaultwarden.domains.url0}" = (dnsConfig dns0Path dns0) // {
- group = "caddy";
- };
+ # "${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0; # Moved to vaultwarden service module
 # "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0;
 # "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0;
 # "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0;
diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index 4dafdfa..98fd43d 100755
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -1,11 +1,188 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: let - inherit (import ../../../helpers.nix) directoryImport; - modules = directoryImport ./.; + vaultwardenCfg = flake.config.services.instances.vaultwarden; + smtpCfg = flake.config.services.instances.smtp; + inherit (flake.config.people) user0; + inherit (flake.config.services) instances; + dns0 = instances.web.dns.provider0; + dns0Path = "dns/${dns0}"; in { - imports = builtins.attrValues { - inherit (modules) - vaultwardenCeres - ; + # Ensure Caddy can access the ACME certificates + users.users.caddy.extraGroups = [ "acme" ]; + + # ACME certificate configuration for vaultwarden + security.acme.certs."${vaultwardenCfg.domains.url0}" = { + dnsProvider = dns0; + environmentFile = config.sops.secrets.${dns0Path}.path; + group = "caddy"; + }; + + # MicroVM configuration + microvm.vms.vaultwarden = { + autostart = true; + restartIfChanged = true; + + config = { + system.stateVersion = "24.05"; + time.timeZone = "America/Winnipeg"; + + users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + + # Vaultwarden service configuration + services.vaultwarden = { + enable = true; + dbBackend = "sqlite"; + + config = { + # Domain Configuration + DOMAIN = "https://${vaultwardenCfg.domains.url0}"; + + # Email Configuration + SMTP_AUTH_MECHANISM = "Plain"; + SMTP_EMBED_IMAGES = true; + SMTP_FROM = vaultwardenCfg.email.address0; + SMTP_FROM_NAME = vaultwardenCfg.label; + SMTP_HOST = smtpCfg.hostname; + SMTP_PORT = smtpCfg.ports.port1; + SMTP_SECURITY = smtpCfg.records.record1; + SMTP_USERNAME = smtpCfg.email.address0; + + # Security Configuration + DISABLE_ADMIN_TOKEN = false; + + # Event and Backup Management + EVENTS_DAYS_RETAIN = 90; + + # User Features + SENDS_ALLOWED = true; + SIGNUPS_VERIFY = true; + WEB_VAULT_ENABLED = true; + + # Rocket (Web Server) Settings + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = vaultwardenCfg.ports.port0; + }; + + # Environment file with secrets 
(mounted from host) + environmentFile = "/run/secrets/vaultwarden/env"; + }; + + # SSH access + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "prohibit-password"; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 22 + vaultwardenCfg.ports.port0 + ]; + + # Network configuration inside the VM + systemd.network = { + enable = true; + networks."20-lan" = { + matchConfig.Name = "enp0s5"; + addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ]; + routes = [ + { + Destination = "0.0.0.0/0"; + Gateway = vaultwardenCfg.interface.gate; + } + ]; + dns = [ + "1.1.1.1" + "8.8.8.8" + ]; + }; + }; + + # Actually start systemd-networkd service + systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; + + microvm = { + vcpu = 2; + mem = 1024; + hypervisor = "qemu"; + + interfaces = [ + { + type = "tap"; + id = vaultwardenCfg.interface.id; + mac = vaultwardenCfg.interface.mac; + } + { + type = "user"; + id = vaultwardenCfg.interface.idUser; + mac = vaultwardenCfg.interface.macUser; + } + ]; + + forwardPorts = [ + { + from = "host"; + host.port = vaultwardenCfg.interface.ssh; + guest.port = 22; + } + ]; + + shares = [ + { + mountPoint = "/nix/.ro-store"; + proto = "virtiofs"; + source = "/nix/store"; + tag = "read_only_nix_store"; + } + { + mountPoint = "/var/lib/bitwarden_rs"; + proto = "virtiofs"; + source = vaultwardenCfg.mntPaths.path0; + tag = "vaultwarden_data"; + } + { + mountPoint = "/run/secrets"; + proto = "virtiofs"; + source = "/run/secrets"; + tag = "host_secrets"; + } + ]; + }; + }; + }; + + # Host-side configuration + systemd.tmpfiles.rules = [ + "d ${vaultwardenCfg.mntPaths.path0} 0755 root root -" + ]; + + # Caddy reverse proxy configuration + services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = { + extraConfig = '' + reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} { + header_up X-Real-IP {remote_host} + } + + tls 
${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key} + + encode zstd gzip + ''; + }; + + # SOPS secrets configuration + sops.secrets = { + "vaultwarden/env" = { + owner = "root"; + mode = "0600"; + }; }; } diff --git a/modules/nixos/services/vaultwarden/vaultwardenCeres/default.nix b/modules/nixos/services/vaultwarden/vaultwardenCeres/default.nix deleted file mode 100755 index fb758a6..0000000 --- a/modules/nixos/services/vaultwarden/vaultwardenCeres/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ ... }: -{ - # Ensure Caddy can access the ACME certificates - users.users.caddy.extraGroups = [ "acme" ]; -} diff --git a/systems/ceres/default.nix b/systems/ceres/default.nix index 74ed872..a3744f2 100755 --- a/systems/ceres/default.nix +++ b/systems/ceres/default.nix @@ -1,26 +1,17 @@ { lib, ... }: let configPath = ./config; - microVMsPath = ./microvms; - ceresImports = + deimosImports = let files = builtins.attrNames (builtins.readDir configPath); in map (name: configPath + "/${name}") ( builtins.filter (name: builtins.match ".*\\.nix$" name != null) files ); - - microVMImports = - let - files = builtins.attrNames (builtins.readDir microVMsPath); - in - map (name: microVMsPath + "/${name}") ( - builtins.filter (name: builtins.match ".*\\.nix$" name != null) files - ); in { - imports = ceresImports ++ microVMImports; + imports = deimosImports; nixpkgs.hostPlatform = lib.mkForce "x86_64-linux"; system.stateVersion = lib.mkForce "24.05"; } diff --git a/systems/ceres/microvms/vaultwarden.nix b/systems/ceres/microvms/vaultwarden.nix deleted file mode 100755 index 9557c00..0000000 --- a/systems/ceres/microvms/vaultwarden.nix +++ /dev/null 
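Review bot: The virtiofs share with `source = "/run/secrets"` in `microvm.shares` hands the guest the host's entire sops secret tree, while the guest only reads `/run/secrets/vaultwarden/env`; this same module also references `config.sops.secrets.${dns0Path}.path` for the ACME DNS credential, so that token would presumably be readable from inside the VM too. Narrow the share to the one subtree the guest needs, `mountPoint = "/run/secrets/vaultwarden";` and `source = "/run/secrets/vaultwarden";` (the guest's `environmentFile` path still resolves, assuming sops-nix materialises `vaultwarden/env` under that directory on the host — confirm). Separately, `ROCKET_ADDRESS = "0.0.0.0"` combined with `networking.firewall.allowedTCPPorts` opening `vaultwardenCfg.ports.port0` exposes the plaintext HTTP listener on the tap interface to anything on that LAN rather than only the host's Caddy; if that is not intended, restrict the firewall rule to the host address or bind to the guest's LAN IP. `lib` and `pkgs` in the module arguments are unused.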
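Review bot: `deimosImports` is a misleading name for the binding in `systems/ceres/default.nix`; it only collects the `.nix` files under this host's `./config`, and naming it after a different host reads as a copy-paste leftover. A host-neutral name such as `configImports =` with `imports = configImports;` keeps the file self-explanatory and avoids the rename the next time the block is copied between systems.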
@@ -1,172 +0,0 @@ -{ - config, - lib, - pkgs, - flake, - ... -}: -let - vaultwardenCfg = flake.config.services.instances.vaultwarden; - smtpCfg = flake.config.services.instances.smtp; - inherit (flake.config.people) user0; -in -{ - microvm.vms.vaultwarden = { - autostart = true; - restartIfChanged = true; - - config = { - system.stateVersion = "24.05"; - time.timeZone = "America/Winnipeg"; - - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - - # Vaultwarden service configuration - services.vaultwarden = { - enable = true; - dbBackend = "sqlite"; - - config = { - # Domain Configuration - DOMAIN = "https://${vaultwardenCfg.domains.url0}"; - - # Email Configuration - SMTP_AUTH_MECHANISM = "Plain"; - SMTP_EMBED_IMAGES = true; - SMTP_FROM = vaultwardenCfg.email.address0; - SMTP_FROM_NAME = vaultwardenCfg.label; - SMTP_HOST = smtpCfg.hostname; - SMTP_PORT = smtpCfg.ports.port1; - SMTP_SECURITY = smtpCfg.records.record1; - SMTP_USERNAME = smtpCfg.email.address0; - - # Security Configuration - DISABLE_ADMIN_TOKEN = false; - - # Event and Backup Management - EVENTS_DAYS_RETAIN = 90; - - # User Features - SENDS_ALLOWED = true; - SIGNUPS_VERIFY = true; - WEB_VAULT_ENABLED = true; - - # Rocket (Web Server) Settings - ROCKET_ADDRESS = "0.0.0.0"; - ROCKET_PORT = vaultwardenCfg.ports.port0; - }; - - # Environment file with secrets (mounted from host) - environmentFile = "/run/secrets/vaultwarden/env"; - }; - - # SSH access - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - - networking.firewall.allowedTCPPorts = [ - 22 - vaultwardenCfg.ports.port0 - ]; - - systemd.network = { - enable = true; - networks."20-lan" = { - matchConfig.Name = "enp0s5"; - addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ]; - routes = [ - { - Destination = "0.0.0.0/0"; - Gateway = vaultwardenCfg.interface.gate; - } - ]; - dns = [ - "1.1.1.1" - "8.8.8.8" - 
]; - }; - }; - - # Actually start systemd-networkd service - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - - microvm = { - vcpu = 2; - mem = 1024; - hypervisor = "qemu"; - - interfaces = [ - { - type = "tap"; - id = vaultwardenCfg.interface.id; - mac = vaultwardenCfg.interface.mac; - } - { - type = "user"; - id = vaultwardenCfg.interface.idUser; - mac = vaultwardenCfg.interface.macUser; - } - ]; - - forwardPorts = [ - { - from = "host"; - host.port = vaultwardenCfg.interface.ssh; - guest.port = 22; - } - ]; - - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag = "read_only_nix_store"; - } - { - mountPoint = "/var/lib/bitwarden_rs"; - proto = "virtiofs"; - source = vaultwardenCfg.mntPaths.path0; - tag = "vaultwarden_data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets"; - tag = "host_secrets"; - } - ]; - - }; - }; - }; - - # Host-side configuration - systemd.tmpfiles.rules = [ - "d ${vaultwardenCfg.mntPaths.path0} 0755 root root -" - ]; - - services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = { - extraConfig = '' - reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - tls ${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key} - - encode zstd gzip - ''; - }; - - sops.secrets = { - "vaultwarden/env" = { - owner = "root"; - mode = "0600"; - }; - }; -}