upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-07 05:27:13 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

feat: vaultwarden microVM works!

Browse source
This commit is contained in:
Nick 2025-11-08 02:25:01 -06:00
parent 6086fc1d99
commit 90a6524759
6 changed files with 186 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/nixos/default.nix
View file

@ -66,7 +66,6 @@ in
vaultwarden vaultwarden
# website # website
# zookeeper # zookeeper
# wireguard - moved to systems/ceres/config/wireguard.nix
; ;
}; };
}; };

4
modules/nixos/services/acme/acmeCeres/default.nix
View file

@ -37,9 +37,7 @@ in
# "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0;
# "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0;
# "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.vaultwarden.domains.url0}" = (dnsConfig dns0Path dns0) // { # "${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0; # Moved to vaultwarden service module
group = "caddy";
};
# "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0;
# "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0;
# "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0; # "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0;

189
modules/nixos/services/vaultwarden/default.nix
View file

@ -1,11 +1,188 @@
{
config,
lib,
pkgs,
flake,
...
}:
let let
inherit (import ../../../helpers.nix) directoryImport; vaultwardenCfg = flake.config.services.instances.vaultwarden;
modules = directoryImport ./.; smtpCfg = flake.config.services.instances.smtp;
inherit (flake.config.people) user0;
inherit (flake.config.services) instances;
dns0 = instances.web.dns.provider0;
dns0Path = "dns/${dns0}";
in in
{ {
imports = builtins.attrValues { # Ensure Caddy can access the ACME certificates
inherit (modules) users.users.caddy.extraGroups = [ "acme" ];
vaultwardenCeres
; # ACME certificate configuration for vaultwarden
security.acme.certs."${vaultwardenCfg.domains.url0}" = {
dnsProvider = dns0;
environmentFile = config.sops.secrets.${dns0Path}.path;
group = "caddy";
};
# MicroVM configuration
microvm.vms.vaultwarden = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
# Vaultwarden service configuration
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
# Domain Configuration
DOMAIN = "https://${vaultwardenCfg.domains.url0}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = vaultwardenCfg.email.address0;
SMTP_FROM_NAME = vaultwardenCfg.label;
SMTP_HOST = smtpCfg.hostname;
SMTP_PORT = smtpCfg.ports.port1;
SMTP_SECURITY = smtpCfg.records.record1;
SMTP_USERNAME = smtpCfg.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = vaultwardenCfg.ports.port0;
};
# Environment file with secrets (mounted from host)
environmentFile = "/run/secrets/vaultwarden/env";
};
# SSH access
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
networking.firewall.allowedTCPPorts = [
22
vaultwardenCfg.ports.port0
];
# Network configuration inside the VM
systemd.network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = vaultwardenCfg.interface.gate;
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
# Actually start systemd-networkd service
systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
microvm = {
vcpu = 2;
mem = 1024;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = vaultwardenCfg.interface.id;
mac = vaultwardenCfg.interface.mac;
}
{
type = "user";
id = vaultwardenCfg.interface.idUser;
mac = vaultwardenCfg.interface.macUser;
}
];
forwardPorts = [
{
from = "host";
host.port = vaultwardenCfg.interface.ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/bitwarden_rs";
proto = "virtiofs";
source = vaultwardenCfg.mntPaths.path0;
tag = "vaultwarden_data";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets";
tag = "host_secrets";
}
];
};
};
};
# Host-side configuration
systemd.tmpfiles.rules = [
"d ${vaultwardenCfg.mntPaths.path0} 0755 root root -"
];
# Caddy reverse proxy configuration
services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = {
extraConfig = ''
reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key}
encode zstd gzip
'';
};
# SOPS secrets configuration
sops.secrets = {
"vaultwarden/env" = {
owner = "root";
mode = "0600";
};
}; };
} }

5
modules/nixos/services/vaultwarden/vaultwardenCeres/default.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
# Ensure Caddy can access the ACME certificates
users.users.caddy.extraGroups = [ "acme" ];
}

13
systems/ceres/default.nix
View file

@ -1,26 +1,17 @@
{ lib, ... }: { lib, ... }:
let let
configPath = ./config; configPath = ./config;
microVMsPath = ./microvms;
ceresImports = deimosImports =
let let
files = builtins.attrNames (builtins.readDir configPath); files = builtins.attrNames (builtins.readDir configPath);
in in
map (name: configPath + "/${name}") ( map (name: configPath + "/${name}") (
builtins.filter (name: builtins.match ".*\\.nix$" name != null) files builtins.filter (name: builtins.match ".*\\.nix$" name != null) files
); );
microVMImports =
let
files = builtins.attrNames (builtins.readDir microVMsPath);
in
map (name: microVMsPath + "/${name}") (
builtins.filter (name: builtins.match ".*\\.nix$" name != null) files
);
in in
{ {
imports = ceresImports ++ microVMImports; imports = deimosImports;
nixpkgs.hostPlatform = lib.mkForce "x86_64-linux"; nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
system.stateVersion = lib.mkForce "24.05"; system.stateVersion = lib.mkForce "24.05";
} }

172
systems/ceres/microvms/vaultwarden.nix
View file

@ -1,172 +0,0 @@
{
config,
lib,
pkgs,
flake,
...
}:
let
vaultwardenCfg = flake.config.services.instances.vaultwarden;
smtpCfg = flake.config.services.instances.smtp;
inherit (flake.config.people) user0;
in
{
microvm.vms.vaultwarden = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
# Vaultwarden service configuration
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
# Domain Configuration
DOMAIN = "https://${vaultwardenCfg.domains.url0}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = vaultwardenCfg.email.address0;
SMTP_FROM_NAME = vaultwardenCfg.label;
SMTP_HOST = smtpCfg.hostname;
SMTP_PORT = smtpCfg.ports.port1;
SMTP_SECURITY = smtpCfg.records.record1;
SMTP_USERNAME = smtpCfg.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = vaultwardenCfg.ports.port0;
};
# Environment file with secrets (mounted from host)
environmentFile = "/run/secrets/vaultwarden/env";
};
# SSH access
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
networking.firewall.allowedTCPPorts = [
22
vaultwardenCfg.ports.port0
];
systemd.network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = vaultwardenCfg.interface.gate;
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
# Actually start systemd-networkd service
systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
microvm = {
vcpu = 2;
mem = 1024;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = vaultwardenCfg.interface.id;
mac = vaultwardenCfg.interface.mac;
}
{
type = "user";
id = vaultwardenCfg.interface.idUser;
mac = vaultwardenCfg.interface.macUser;
}
];
forwardPorts = [
{
from = "host";
host.port = vaultwardenCfg.interface.ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/bitwarden_rs";
proto = "virtiofs";
source = vaultwardenCfg.mntPaths.path0;
tag = "vaultwarden_data";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets";
tag = "host_secrets";
}
];
};
};
};
# Host-side configuration
systemd.tmpfiles.rules = [
"d ${vaultwardenCfg.mntPaths.path0} 0755 root root -"
];
services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = {
extraConfig = ''
reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key}
encode zstd gzip
'';
};
sops.secrets = {
"vaultwarden/env" = {
owner = "root";
mode = "0600";
};
};
}