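{
  config,
  lib,
  pkgs,
  ...
}:

let
  # User/group the NixOS vaultwarden module assigns to the unit; every
  # directory and secret this module creates for the service is owned by them.
  vwUser = config.systemd.services.vaultwarden.serviceConfig.User;
  vwGroup = config.systemd.services.vaultwarden.serviceConfig.Group;
  vwCfg = config.services.vaultwarden;
in
{

  # Self-hosted Vaultwarden at vault.zaphyra.eu: DNS record, sops secrets,
  # persistent state, restic backups and the nginx TLS front-end.
  options.zpha.websites."vault.zaphyra.eu".enable = lib.mkEnableOption "the vault.zaphyra.eu Vaultwarden instance";

  config = lib.mkIf config.zpha.websites."vault.zaphyra.eu".enable {
    # vault.zaphyra.eu resolves to this host, which terminates TLS in nginx below.
    dns.zones."zaphyra.eu".subdomains."vault".CNAME = [
      "${config.networking.fqdn}."
    ];

    # Fixed ids so ownership of the persisted directories stays stable across
    # reinstalls.
    users = {
      users.vaultwarden.uid = 523;
      groups.vaultwarden.gid = 523;
    };

    sops.secrets = {
      # Consumed by the restic backup job (root), not by vaultwarden itself.
      "restic/vaultwarden/repositoryPassword" = { };
      "restic/vaultwarden/sshPrivateKey" = { };
      # Environment file with the settings deliberately kept out of
      # services.vaultwarden.config below — presumably SMTP_PASSWORD and the
      # push credentials; confirm against the sops store. Only the service
      # user can read it, and a changed file restarts the unit.
      "environments/vaultwarden" = {
        owner = vwUser;
        group = vwGroup;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    systemd = {
      # The environment file must be in place before the service starts.
      services.vaultwarden.after = [ "sops-install-secrets.service" ];
      # The backup directory is private to the service user. "0700" matches
      # the persist entry for the same directory below; tmpfiles re-applies the
      # mode to an existing directory, so a looser value here would win.
      tmpfiles.settings.vaultwarden = {
        "${vwCfg.backupDir}".d = {
          user = vwUser;
          group = vwGroup;
          mode = "0700";
          age = "-";
        };
      };
    };

    common = {
      # Service state and the backup dumps live on persistent storage,
      # accessible to the service user only.
      configure.persist.system.dirs = [
        {
          directory = "/var/lib/vaultwarden";
          mode = "0700";
          user = vwUser;
          group = vwGroup;
        }
        {
          directory = vwCfg.backupDir;
          mode = "0700";
          user = vwUser;
          group = vwGroup;
        }
      ];
      services.resticBackup.vaultwarden = {
        enable = true;
        targets = [
          "restic-target.fc9f.de"
          "isodon.fc9f.de"
        ];
        sshKeyFile = config.sops.secrets."restic/vaultwarden/sshPrivateKey".path;
        passwordFile = config.sops.secrets."restic/vaultwarden/repositoryPassword".path;
        # Only the dump directory is snapshotted, never the live sqlite db.
        paths = [ vwCfg.backupDir ];
        # Refresh the dump (backup-vaultwarden.service is provided by the NixOS
        # module when backupDir is set) and wait for it before restic runs.
        runBeforeBackup = ''
          ${lib.getExe' pkgs.systemd "systemctl"} start --wait backup-vaultwarden.service
        '';
      };
    };

    services = {
      vaultwarden = {
        enable = true;
        domain = "vault.zaphyra.eu";
        dbBackend = "sqlite";
        backupDir = "/var/backups/vaultwarden";
        environmentFile = config.sops.secrets."environments/vaultwarden".path;
        config = {
          # Listen on loopback only; nginx is the sole path in.
          ROCKET_ADDRESS = "::1";
          ROCKET_PORT = 8582;

          DOMAIN = "https://vault.zaphyra.eu";
          # No open registration; accounts are created out of band.
          SIGNUPS_ALLOWED = false;

          PUSH_ENABLED = true;

          # Outgoing mail over implicit TLS on 465. The SMTP password is not
          # set here and is expected to come from the environment file.
          SMTP_HOST = "morio.infra.zaphyra.eu";
          SMTP_FROM = "vaultwarden@zaphyra.eu";
          SMTP_USERNAME = "vaultwarden@zaphyra.eu";
          SMTP_PORT = 465;
          SMTP_SECURITY = "force_tls";
        };
      };
      # HTTPS-only reverse proxy using the host-wide ACME certificate.
      nginx.virtualHosts."vault.zaphyra.eu" = {
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        locations."/" = {
          proxyPass = "http://[${vwCfg.config.ROCKET_ADDRESS}]:${toString vwCfg.config.ROCKET_PORT}/";
          # Upgrade requests are proxied too (vaultwarden's websocket
          # notifications).
          proxyWebsockets = true;
        };
      };
    };
  };

}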