diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index 94689b6..5344629 100755
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -2,93 +2,76 @@ flake, config, lib, - pkgs, ... }: let - inherit (flake.config.people) user0; - inherit (flake.config.services.instances) vaultwarden smtp web; - service = vaultwarden; - host = vaultwarden.domains.url0; - vmInterface = service.interface.id; - vmMac = service.interface.mac; - vmIP = service.interface.ip; - vmGateway = service.interface.gate; - acmeCertPath = config.security.acme.certs.${host}.directory; + inherit (flake.config.services) instances; + service = instances.vaultwarden; + localhost = instances.web.localhost.address0; + host = service.domains.url0; + syncthing = instances.syncthing; + + backupPath = "${syncthing.paths.path1}/${service.name}"; in { - # Import the microvm host module - imports = [ - # Add microvm.nixosModules.host to your flake inputs if not already present - ]; - - # Configure the bridge for microVM networking - systemd.network = { - # Don't enable globally - you already have networking configured - netdevs."10-virbr0" = { - netdevConfig = { - Kind = "bridge"; - Name = "virbr0"; - }; - }; - - networks."10-virbr0" = { - matchConfig.Name = "virbr0"; - addresses = [ - { Address = "${vmGateway}/24"; } - ]; - networkConfig = { - IPv6AcceptRA = false; - }; - }; - - # Attach tap interfaces to bridge - networks."11-microvm" = { - matchConfig.Name = "vm-*"; - networkConfig = { - Bridge = "virbr0"; - }; - }; - }; - - # Enable NAT for microVMs to access internet - networking = { - nat = { + services = { + vaultwarden = { + backupDir = backupPath; enable = true; - internalInterfaces = [ "virbr0" ]; - externalInterface = lib.mkDefault "enp10s0"; # Use your WireGuard interface by default + environmentFile = config.sops.secrets."${service.name}/env".path; + config = { + # Domain Configuration + DOMAIN = "https://${host}"; + + # Email Configuration + SMTP_AUTH_MECHANISM = "Plain"; + SMTP_EMBED_IMAGES = true; + SMTP_FROM = instances.smtp.email.address0; + SMTP_FROM_NAME = service.label; + SMTP_HOST = instances.smtp.hostname; + SMTP_PORT 
= instances.smtp.ports.port1; + SMTP_SECURITY = instances.smtp.records.record1; + SMTP_USERNAME = instances.smtp.email.address0; + + # Security Configuration + DISABLE_ADMIN_TOKEN = false; + + # Event and Backup Management + EVENTS_DAYS_RETAIN = 90; + + # User Features + SENDS_ALLOWED = true; + SIGNUPS_VERIFY = true; + WEB_VAULT_ENABLED = true; + + # Rocket (Web Server) Settings + ROCKET_ADDRESS = localhost; + ROCKET_PORT = service.ports.port0; + }; }; - firewall = { - trustedInterfaces = [ "virbr0" ]; - }; - nftables = { - enable = true; - ruleset = '' - table inet filter { - chain forward { - iifname "virbr0" oifname "virbr0" accept - } - } - ''; + caddy = { + virtualHosts = { + "${host}" = { + extraConfig = '' + reverse_proxy ${localhost}:${toString service.ports.port0} { + header_up X-Real-IP {remote_host} + } + + tls ${service.ssl.cert} ${service.ssl.key} + + encode zstd gzip + ''; + }; + }; }; }; - # Persist microVM data with impermanence - environment.persistence."/persist" = { - directories = [ - # Keep existing directories... - "/var/lib/microvms" - service.varPaths.path0 - ]; - }; - - # SOPS secrets configuration (only env file needed) sops = let sopsPath = secret: { - path = "${service.secretPaths.path0}/${service.name}-${secret}"; - owner = "root"; - mode = "0600"; + path = "${service.sops.path0}/${service.name}-${secret}"; + owner = service.name; + mode = "600"; }; in { 
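Review bot: The new `services.vaultwarden.config` block never sets `SIGNUPS_ALLOWED`, so with `DOMAIN` pointing at the public `host` the vault takes vaultwarden's default and accepts registration from anyone; `SIGNUPS_VERIFY = true` only adds e-mail verification, it does not close signups. Unless open registration is intended, add `SIGNUPS_ALLOWED = false;` next to `SIGNUPS_VERIFY` (or restrict with `SIGNUPS_DOMAINS_WHITELIST`) and onboard users through invites or the admin page. Separately, the caddy line `tls ${service.ssl.cert} ${service.ssl.key}` requires the caddy user to read that private key; if those paths are the ACME certificate directory, the second hunk's removal of the `acme` supplementary group on the caddy user may break TLS on reload, so confirm the key's ownership. The sops `mode = "600"` is accepted by chmod, but `"0600"` would match the four-digit style the tmpfiles rules use; note the `sops = let … in {` body this hunk starts continues past the hunk.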
@@ -104,150 +87,29 @@ in ); }; - # MicroVM configuration - microvm.vms.vaultwarden = { - autostart = true; - config = - { - config, - pkgs, - lib, - ... - }: - { - system.stateVersion = "25.05"; - time.timeZone = "America/Winnipeg"; - - # Network configuration - systemd.network = { - enable = true; - networks."20-enp0s5" = { - matchConfig.Name = "enp0s5"; - addresses = [ { Address = "${vmIP}/24"; } ]; - routes = [ - { - Destination = "0.0.0.0/0"; - Gateway = vmGateway; - } - ]; - dns = [ - "8.8.8.8" - "8.8.4.4" - ]; - }; - }; - - networking = { - hostName = "vaultwarden"; - firewall = { - enable = true; - allowedTCPPorts = [ - 22 - service.ports.port0 - ]; - }; - }; - - users.users.root = { - openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - }; - - services = { - openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "prohibit-password"; - }; - }; - - vaultwarden = { - enable = true; - environmentFile = "/run/secrets/${service.name}-env"; - config = { - # Domain Configuration - DOMAIN = "https://${host}"; - # Email Configuration - SMTP_AUTH_MECHANISM = "Plain"; - SMTP_EMBED_IMAGES = true; - SMTP_FROM = smtp.email.address0; - SMTP_FROM_NAME = service.label; - SMTP_HOST = smtp.hostname; - SMTP_PORT = smtp.ports.port1; - SMTP_SECURITY = smtp.records.record1; - SMTP_USERNAME = smtp.email.address0; - # Security Configuration - DISABLE_ADMIN_TOKEN = false; - # Event and Backup Management - EVENTS_DAYS_RETAIN = 90; - # User Features - SENDS_ALLOWED = true; - SIGNUPS_VERIFY = true; - WEB_VAULT_ENABLED = true; - # Rocket (Web Server) Settings - ROCKET_ADDRESS = "0.0.0.0"; - ROCKET_PORT = service.ports.port0; - }; - }; - }; - - # MicroVM-specific configuration - microvm = { - vcpu = 2; - mem = 2048; - hypervisor = "qemu"; - - interfaces = [ - { - type = "tap"; - id = vmInterface; - mac = vmMac; - } - ]; - - shares = [ - { - mountPoint = "/nix/.ro-store"; - proto = "virtiofs"; - source = "/nix/store"; - tag 
= "ro-store"; - } - { - mountPoint = "/var/lib/vaultwarden"; - proto = "virtiofs"; - source = service.varPaths.path0; - tag = "vaultwarden-data"; - } - { - mountPoint = "/run/secrets"; - proto = "virtiofs"; - source = "/run/secrets"; - tag = "secrets"; - } - ]; - }; + systemd = { + tmpfiles.rules = [ + "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -" + "Z ${service.sops.path0} 755 ${service.name} ${service.name} -" + ]; + services.backup-vaultwarden = { + serviceConfig = { + Group = lib.mkForce syncthing.name; }; - }; - - # Caddy reverse proxy configuration on host - services.caddy = { - enable = true; - virtualHosts."${host}" = { - extraConfig = '' - reverse_proxy ${vmIP}:${toString service.ports.port0} { - header_up X-Real-IP {remote_host} - } - tls ${acmeCertPath}/fullchain.pem ${acmeCertPath}/key.pem - encode zstd gzip - ''; + wantedBy = lib.mkForce [ ]; + after = [ "${service.name}.service" ]; }; }; - # Ensure data directory exists - systemd.tmpfiles.rules = [ - "d ${service.varPaths.path0} 0755 root root -" + users.users.${service.name}.extraGroups = [ + syncthing.name ]; - # Ensure caddy can read ACME certs - users.users.caddy.extraGroups = [ "acme" ]; + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 + ]; + }; + }; }
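Review bot: The tmpfiles type `Z` is recursive and applies the mode to files as well as directories, so `Z ${service.paths.path0} 0755 …` would make everything under the vaultwarden data directory (the SQLite database and the RSA signing key files) readable by every local user, and `Z ${service.sops.path0} 755 …` would do the same to the decrypted secrets that sops-nix deliberately writes with `mode = "600"`, if the rule runs after sops-nix has placed them. The previous `d … 0755 root root -` only touched the directory itself; to keep that behaviour while fixing ownership use the non-recursive form, `"z ${service.paths.path0} 0750 ${service.name} ${service.name} -"`, and drop the rule on the sops path entirely, since sops-nix already sets `owner` and `mode` per secret. Also, `networking.firewall.allowedTCPPorts = [ service.ports.port0 ]` opens the Rocket port on every interface even though the first hunk binds it to `localhost` behind Caddy; the rule serves nothing now and would silently expose the plain-HTTP listener if `ROCKET_ADDRESS` is ever widened, so it should be removed.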