upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-06 21:17:14 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

test: vaultwarden microVM

Browse source
This commit is contained in:
Nick 2025-11-07 01:11:07 -06:00
parent 0b0beb869b
commit eef59d8114
1 changed files with 76 additions and 214 deletions
Download patch file Download diff file Expand all files Collapse all files

290
modules/nixos/services/vaultwarden/default.nix
View file

@ -2,93 +2,76 @@
flake, flake,
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
inherit (flake.config.people) user0; inherit (flake.config.services) instances;
inherit (flake.config.services.instances) vaultwarden smtp web; service = instances.vaultwarden;
service = vaultwarden; localhost = instances.web.localhost.address0;
host = vaultwarden.domains.url0; host = service.domains.url0;
vmInterface = service.interface.id; syncthing = instances.syncthing;
vmMac = service.interface.mac;
vmIP = service.interface.ip; backupPath = "${syncthing.paths.path1}/${service.name}";
vmGateway = service.interface.gate;
acmeCertPath = config.security.acme.certs.${host}.directory;
in in
{ {
# Import the microvm host module services = {
imports = [ vaultwarden = {
# Add microvm.nixosModules.host to your flake inputs if not already present backupDir = backupPath;
];
# Configure the bridge for microVM networking
systemd.network = {
# Don't enable globally - you already have networking configured
netdevs."10-virbr0" = {
netdevConfig = {
Kind = "bridge";
Name = "virbr0";
};
};
networks."10-virbr0" = {
matchConfig.Name = "virbr0";
addresses = [
{ Address = "${vmGateway}/24"; }
];
networkConfig = {
IPv6AcceptRA = false;
};
};
# Attach tap interfaces to bridge
networks."11-microvm" = {
matchConfig.Name = "vm-*";
networkConfig = {
Bridge = "virbr0";
};
};
};
# Enable NAT for microVMs to access internet
networking = {
nat = {
enable = true; enable = true;
internalInterfaces = [ "virbr0" ]; environmentFile = config.sops.secrets."${service.name}/env".path;
externalInterface = lib.mkDefault "enp10s0"; # Use your WireGuard interface by default config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = instances.smtp.email.address0;
SMTP_FROM_NAME = service.label;
SMTP_HOST = instances.smtp.hostname;
SMTP_PORT = instances.smtp.ports.port1;
SMTP_SECURITY = instances.smtp.records.record1;
SMTP_USERNAME = instances.smtp.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = service.ports.port0;
};
}; };
firewall = { caddy = {
trustedInterfaces = [ "virbr0" ]; virtualHosts = {
}; "${host}" = {
nftables = { extraConfig = ''
enable = true; reverse_proxy ${localhost}:${toString service.ports.port0} {
ruleset = '' header_up X-Real-IP {remote_host}
table inet filter { }
chain forward {
iifname "virbr0" oifname "virbr0" accept tls ${service.ssl.cert} ${service.ssl.key}
}
} encode zstd gzip
''; '';
};
};
}; };
}; };
# Persist microVM data with impermanence
environment.persistence."/persist" = {
directories = [
# Keep existing directories...
"/var/lib/microvms"
service.varPaths.path0
];
};
# SOPS secrets configuration (only env file needed)
sops = sops =
let let
sopsPath = secret: { sopsPath = secret: {
path = "${service.secretPaths.path0}/${service.name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = "root"; owner = service.name;
mode = "0600"; mode = "600";
}; };
in in
{ {
@ -104,150 +87,29 @@ in
); );
}; };
# MicroVM configuration systemd = {
microvm.vms.vaultwarden = { tmpfiles.rules = [
autostart = true; "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
config = "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
{ ];
config, services.backup-vaultwarden = {
pkgs, serviceConfig = {
lib, Group = lib.mkForce syncthing.name;
...
}:
{
system.stateVersion = "25.05";
time.timeZone = "America/Winnipeg";
# Network configuration
systemd.network = {
enable = true;
networks."20-enp0s5" = {
matchConfig.Name = "enp0s5";
addresses = [ { Address = "${vmIP}/24"; } ];
routes = [
{
Destination = "0.0.0.0/0";
Gateway = vmGateway;
}
];
dns = [
"8.8.8.8"
"8.8.4.4"
];
};
};
networking = {
hostName = "vaultwarden";
firewall = {
enable = true;
allowedTCPPorts = [
22
service.ports.port0
];
};
};
users.users.root = {
openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
};
services = {
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
vaultwarden = {
enable = true;
environmentFile = "/run/secrets/${service.name}-env";
config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = smtp.email.address0;
SMTP_FROM_NAME = service.label;
SMTP_HOST = smtp.hostname;
SMTP_PORT = smtp.ports.port1;
SMTP_SECURITY = smtp.records.record1;
SMTP_USERNAME = smtp.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = service.ports.port0;
};
};
};
# MicroVM-specific configuration
microvm = {
vcpu = 2;
mem = 2048;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = vmInterface;
mac = vmMac;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "ro-store";
}
{
mountPoint = "/var/lib/vaultwarden";
proto = "virtiofs";
source = service.varPaths.path0;
tag = "vaultwarden-data";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets";
tag = "secrets";
}
];
};
}; };
}; wantedBy = lib.mkForce [ ];
after = [ "${service.name}.service" ];
# Caddy reverse proxy configuration on host
services.caddy = {
enable = true;
virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${vmIP}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${acmeCertPath}/fullchain.pem ${acmeCertPath}/key.pem
encode zstd gzip
'';
}; };
}; };
# Ensure data directory exists users.users.${service.name}.extraGroups = [
systemd.tmpfiles.rules = [ syncthing.name
"d ${service.varPaths.path0} 0755 root root -"
]; ];
# Ensure caddy can read ACME certs networking = {
users.users.caddy.extraGroups = [ "acme" ]; firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
} }