
seber: set up vaultwarden

+34 -7
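--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,7 @@
 "jellyfin-rpc.json.age".publicKeys = [ adam ];
 "wakatime.cfg.age".publicKeys = [ adam ];
 
+"vaultwarden.env.age".publicKeys = [ seber ];
 "ssl-adamperkowski.cert.pem.age".publicKeys = [ seber ];
 "ssl-adamperkowski.key.pem.age".publicKeys = [ seber ];
 }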
secrets/vaultwarden.env.age

This is a binary file and will not be displayed.

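--- a/systems/miku/default.nix
+++ b/systems/miku/default.nix
@@ -41,7 +41,6 @@
 
 services.jellyfin = {
 enable = true;
-package = pkgs.jellyfin;
 openFirewall = true;
 };
 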
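--- a/systems/modules/systemd-boot.nix
+++ b/systems/modules/systemd-boot.nix
@@ -1,6 +0,0 @@
-{
-boot.loader = {
-systemd-boot.enable = true;
-efi.canTouchEfiVariables = true;
-};
-}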
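--- a/systems/seber/default.nix
+++ b/systems/seber/default.nix
@@ -30,6 +30,11 @@
 age = {
 identityPaths = [ "/home/adam/.ssh/id_ed25519" ];
 secrets = {
+vaultwarden-env = {
+file = ../../secrets/vaultwarden.env.age;
+mode = "0400";
+owner = "vaultwarden";
+};
 ssl-adamperkowski-cert = {
 file = ../../secrets/ssl-adamperkowski.cert.pem.age;
 mode = "0440";
@@ -60,6 +65,34 @@
 sslCertificate = "/run/agenix/ssl-adamperkowski-cert";
 sslCertificateKey = "/run/agenix/ssl-adamperkowski-key";
 };
+
+"vault.adamperkowski.dev" = {
+locations."/" = {
+proxyPass = "http://127.0.0.1:8222";
+extraConfig = ''
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $host;
+'';
+};
+
+onlySSL = true;
+sslCertificate = "/run/agenix/ssl-adamperkowski-cert";
+sslCertificateKey = "/run/agenix/ssl-adamperkowski-key";
+};
+};
+};
+
+services.vaultwarden = {
+enable = true;
+environmentFile = "/run/agenix/vaultwarden-env";
+config = {
+DOMAIN = "https://vault.adamperkowski.dev";
+SIGNUPS_ALLOWED = false;
+ROCKET_ADDRESS = "127.0.0.1";
+ROCKET_PORT = 8222;
+ROCKET_LOG = "critical";
+LOG_LEVEL = "warn";
 };
 };
 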
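Review bot: The new `vault.adamperkowski.dev` location forwards `X-Forwarded-For` but not `X-Real-IP`, which is the header Vaultwarden reads for the client address by default (`IP_HEADER`). Unless `recommendedProxySettings` is enabled outside this hunk, every request will appear to come from 127.0.0.1. That would make the login rate limit effectively shared across all clients and leave failed-login log lines without a usable source address for fail2ban or incident review. I would add `proxy_set_header X-Real-IP $remote_addr;` to `extraConfig` rather than pointing `IP_HEADER` at `X-Forwarded-For`, because `$proxy_add_x_forwarded_for` keeps whatever value the client sent at the front of the list. The enclosing `services.nginx` block starts outside the hunk.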