zaphyra's git: nixfiles

zaphyra and void's nixfiles

path: /config/nixos/modules/websites/vault.zaphyra.eu.nix 3.13 KB | plain
1 
2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 
22 
23 
24 
25 
26 
27 
28 
29 
30 
31 
32 
33 
34 
35 
36 
37 
38 
39 
40 
41 
42 
43 
44 
45 
46 
47 
48 
49 
50 
51 
52 
53 
54 
55 
56 
57 
58 
59 
60 
61 
62 
63 
64 
65 
66 
67 
68 
69 
70 
71 
72 
73 
74 
75 
76 
77 
78 
79 
80 
81 
82 
83 
84 
85 
86 
87 
88 
89 
90 
91 
92 
93 
94 
95 
96 
97 
98 
99 
100 
101 
102 
103 
104 
105 
106 
107 
108 
109 
110 
111 
112 
113 
114 
115 
116 
117 
118 
119 
{
  povSelf,
  hostConfig,
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib) types;
  cfg = lib.getAttrFromPath povSelf config;

in
{

  options = {
    enable = {
      type = types.bool;
      default = false;
    };
    domain = {
      type = types.str;
      default = "zaphyra.eu";
    };
    subdomain = {
      type = types.str;
      default = "vault";
    };
  };

  config = lib.mkIf cfg.enable {
    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];

    modules.filesystem.impermanence.system.dirs = [
      {
        directory = "/var/lib/vaultwarden";
        mode = "0700";
        user = config.systemd.services.vaultwarden.serviceConfig.User;
        group = config.systemd.services.vaultwarden.serviceConfig.Group;
      }
      {
        directory = config.services.vaultwarden.backupDir;
        mode = "0700";
        user = config.systemd.services.vaultwarden.serviceConfig.User;
        group = config.systemd.services.vaultwarden.serviceConfig.Group;
      }
    ];

    systemd.services.vaultwarden.after = [ "sops-install-secrets.service" ];
    sops.secrets = {
      "resticPasswords/vaultwarden" = { };
      "environments/vaultwarden" = {
        owner = config.systemd.services.vaultwarden.serviceConfig.User;
        group = config.systemd.services.vaultwarden.serviceConfig.Group;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    systemd.tmpfiles.settings.vaultwarden = {
      "${config.services.vaultwarden.backupDir}".d = {
        user = config.systemd.services.vaultwarden.serviceConfig.User;
        group = config.systemd.services.vaultwarden.serviceConfig.Group;
        mode = "750";
        age = "-";
      };
    };

    modules.services.resticBackup.paths = {
      vaultwarden = {
        enable = true;
        passwordFile = config.sops.secrets."resticPasswords/vaultwarden".path;
        paths = [ config.services.vaultwarden.backupDir ];
        runBeforeBackup = ''
          ${pkgs.systemd}/bin/systemctl start backup-vaultwarden.service
        '';
      };
    };

    services = {
      vaultwarden = {
        enable = true;
        dbBackend = "sqlite";
        backupDir = "/var/backups/vaultwarden";
        environmentFile = config.sops.secrets."environments/vaultwarden".path;
        config = {
          DOMAIN = "https://${cfg.subdomain}.${cfg.domain}";
          SIGNUPS_ALLOWED = false;

          PUSH_ENABLED = true;

          SMTP_HOST = "morio.infra.zaphyra.eu";
          SMTP_FROM = "vaultwarden@zaphyra.eu";
          SMTP_USERNAME = "vaultwarden@zaphyra.eu";
          SMTP_PORT = 465;
          SMTP_SECURITY = "force_tls";

          ROCKET_ADDRESS = "::1";
          ROCKET_PORT = 8582;
        };
      };
      nginx = {
        enable = true;
        virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
          useACMEHost = "${config.networking.fqdn}";
          forceSSL = true;
          kTLS = true;
          locations = {
            "/" = {
              proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
  };

}