mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-12-06 21:17:14 -06:00
187 lines
5.2 KiB
Nix
Executable file
187 lines
5.2 KiB
Nix
Executable file
{
|
|
flake,
|
|
...
|
|
}:
|
|
let
|
|
inherit (flake.config.people) user0;
|
|
inherit (flake.config.services.instances) vaultwarden smtp web;
|
|
service = vaultwarden;
|
|
host = vaultwarden.domains.url0;
|
|
secrets = service.secretPaths.path0;
|
|
localhost = web.localhost.address0;
|
|
sshPort = 22;
|
|
in
|
|
{
|
|
microvm = {
|
|
vms = {
|
|
vaultwarden = {
|
|
autostart = true;
|
|
config =
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
{
|
|
system.stateVersion = "25.05";
|
|
time.timeZone = "America/Winnipeg";
|
|
|
|
users.users.root = {
|
|
openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
|
|
};
|
|
|
|
services = {
|
|
vaultwarden = {
|
|
enable = true;
|
|
environmentFile = config.sops.secrets."${service.name}-env".path;
|
|
config = {
|
|
# Domain Configuration
|
|
DOMAIN = "https://${host}";
|
|
# Email Configuration
|
|
SMTP_AUTH_MECHANISM = "Plain";
|
|
SMTP_EMBED_IMAGES = true;
|
|
SMTP_FROM = smtp.email.address0;
|
|
SMTP_FROM_NAME = service.label;
|
|
SMTP_HOST = smtp.hostname;
|
|
SMTP_PORT = smtp.ports.port1;
|
|
SMTP_SECURITY = smtp.records.record1;
|
|
SMTP_USERNAME = smtp.email.address0;
|
|
# Security Configuration
|
|
DISABLE_ADMIN_TOKEN = false;
|
|
# Event and Backup Management
|
|
EVENTS_DAYS_RETAIN = 90;
|
|
# User Features
|
|
SENDS_ALLOWED = true;
|
|
SIGNUPS_VERIFY = true;
|
|
WEB_VAULT_ENABLED = true;
|
|
# Rocket (Web Server) Settings
|
|
ROCKET_ADDRESS = localhost;
|
|
ROCKET_PORT = service.ports.port0;
|
|
};
|
|
};
|
|
|
|
openssh = {
|
|
enable = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "prohibit-password";
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd = {
|
|
tmpfiles.rules = [
|
|
"d ${secrets} 0755 ${service.name} ${service.name} -"
|
|
];
|
|
|
|
network = {
|
|
enable = true;
|
|
networks."10-enp" = {
|
|
matchConfig.Name = "enp0s4";
|
|
addresses = [ { Address = "${service.interface.ip}/24"; } ];
|
|
routes = [
|
|
{
|
|
Destination = "${localhost}/0";
|
|
Gateway = service.interface.gate;
|
|
}
|
|
];
|
|
dns = [ service.interface.gate ];
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
sshPort
|
|
service.ports.port0
|
|
];
|
|
|
|
microvm = {
|
|
vcpu = 2;
|
|
mem = 2048;
|
|
hypervisor = "qemu";
|
|
|
|
interfaces = [
|
|
{
|
|
type = "tap";
|
|
id = service.interface.id;
|
|
mac = service.interface.mac;
|
|
}
|
|
{
|
|
type = "user";
|
|
id = service.interface.idUser;
|
|
mac = service.interface.macUser;
|
|
}
|
|
];
|
|
|
|
shares = [
|
|
{
|
|
mountPoint = "/nix/.ro-store";
|
|
proto = "virtiofs";
|
|
source = "/nix/store";
|
|
tag = "read_only_nix_store";
|
|
}
|
|
{
|
|
mountPoint = service.varPaths.path0;
|
|
proto = "virtiofs";
|
|
source = service.mntPaths.path0;
|
|
tag = "${service.name}_data";
|
|
}
|
|
{
|
|
mountPoint = service.secretPaths.path0;
|
|
proto = "virtiofs";
|
|
source = service.secretPaths.path0;
|
|
tag = "${service.name}_secrets";
|
|
}
|
|
{
|
|
mountPoint = service.ssl.path;
|
|
proto = "virtiofs";
|
|
source = service.ssl.path;
|
|
tag = "acme_certs";
|
|
}
|
|
];
|
|
|
|
forwardPorts = [
|
|
{
|
|
from = "host";
|
|
host.port = service.interface.ssh;
|
|
guest.port = sshPort;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
services.caddy.virtualHosts."${host}" = {
|
|
extraConfig = ''
|
|
reverse_proxy ${service.interface.ip}:${toString service.ports.port0} {
|
|
header_up X-Real-IP {remote_host}
|
|
}
|
|
tls ${service.ssl.cert} ${service.ssl.key}
|
|
encode zstd gzip
|
|
'';
|
|
};
|
|
|
|
sops =
|
|
let
|
|
sopsPath = secret: {
|
|
path = "${secrets}/${service.name}-${secret}";
|
|
owner = "root";
|
|
mode = "600";
|
|
};
|
|
in
|
|
{
|
|
secrets = builtins.listToAttrs (
|
|
map
|
|
(secret: {
|
|
name = "${service.name}-${secret}";
|
|
value = sopsPath secret;
|
|
})
|
|
[
|
|
"env"
|
|
]
|
|
);
|
|
};
|
|
}
|