karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add vaultwarden

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-06-11 19:05:11 +01:00
parent 0b15c9c3fa
commit 548666f86c
7 changed files with 235 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
View File

@@ -130,6 +130,7 @@ in
"admins"
"git"
"docs"
"vaultwarden"
];
};
}

1
hosts/jupiter/users/storm/configs/console/podman/default.nix
View File

@@ -16,6 +16,7 @@ in
(import ./prometheus { inherit user home; })
(import ./sish { inherit user home; })
(import ./traefik { inherit user home; })
(import ./vaultwarden { inherit user home; })
(import ./whoami { inherit user home; })
];

2
hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
View File

@@ -63,7 +63,7 @@ in
"--providers.docker=true"
"--providers.docker.exposedbydefault=false"
"--providers.docker.network=systemd-traefik"
"--providers.docker.network=traefik"
"--entryPoints.http.address=:80"
"--entrypoints.http.http.redirections.entryPoint.to=https"

152
hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix Normal file
View File

@@ -0,0 +1,152 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
pkgs,
system,
lib,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
autheliaClientId = "G9g4cRccYM1tpTO8rLqziThUlZFT4BwlvittHRSbZOJK3rfkpFKUQylI7SI40KmZDzavPrQhEWXWGspS3hxrwH9PesDw5A1EECEZ";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = {
vaultwarden-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/postgresql"}
'';
vaultwarden-env.content = ''
DATABASE_URL=postgresql://vaultwarden:${
hmConfig.sops.placeholder."vaultwarden/postgresql"
}@vaultwarden-postgresql:5432/vaultwarden
ADMIN_TOKEN=${hmConfig.sops.placeholder."vaultwarden/adminToken"}
SMTP_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/smtp"}
PUSH_INSTALLATION_ID=${hmConfig.sops.placeholder."vaultwarden/push/installationId"}
PUSH_INSTALLATION_KEY=${hmConfig.sops.placeholder."vaultwarden/push/installationKey"}
SSO_CLIENT_SECRET=${hmConfig.sops.placeholder."vaultwarden/authelia/password"}
'';
authelia-vaultwarden.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "vaultwarden.yaml" {
identity_providers.oidc = {
authorization_policies.vaultwarden = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:vaultwarden";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "Vaultwarden";
client_secret = hmConfig.sops.placeholder."vaultwarden/authelia/digest";
redirect_uris = [ "https://vault.karaolidis.com/identity/connect/oidc-signin" ];
authorization_policy = "vaultwarden";
scopes = [
"openid"
"email"
"profile"
"offline_access"
];
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.vaultwarden.networkConfig.internal = true;
volumes = {
vaultwarden-postgresql = { };
vaultwarden = { };
};
containers = {
vaultwarden = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-oidcwarden}";
volumes = [ "${volumes.vaultwarden.ref}:/var/lib/vaultwarden" ];
networks = [
networks.vaultwarden.ref
networks.traefik.ref
];
environments = {
DOMAIN = "https://vault.karaolidis.com";
LOG_LEVEL = "warn";
SIGNUPS_ALLOWED = "false";
INVITATIONS_ALLOWED = "false";
SMTP_HOST = "smtp.protonmail.ch";
SMTP_FROM = "jupiter@karaolidis.com";
SMTP_PORT = "587";
SMTP_SECURITY = "starttls";
SMTP_USERNAME = "jupiter@karaolidis.com";
PUSH_ENABLED = "true";
PUSH_RELAY_URI = "https://api.bitwarden.eu";
PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
SSO_ENABLED = "true";
SSO_AUTHORITY = "https://id.karaolidis.com";
SSO_SCOPES = "openid email profile offline_access";
SSO_CLIENT_ID = autheliaClientId;
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";
};
environmentFiles = [ hmConfig.sops.templates.vaultwarden-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.vaultwarden.rule=Host(`vault.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.vaultwarden-postgresql._serviceName}.service"
"sops-nix.service"
];
};
vaultwarden-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.vaultwarden.ref ];
volumes = [ "${volumes.vaultwarden-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "vaultwarden";
POSTGRES_USER = "vaultwarden";
};
environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
];
};
};
};
}

5
packages/default.nix
View File

@@ -15,6 +15,9 @@
docker-grafana = import ./docker/grafana { inherit pkgs; };
docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
docker-ntfy = import ./docker/ntfy { inherit pkgs; };
docker-oidcwarden = import ./docker/oidcwarden {
inherit pkgs inputs system;
};
docker-outline = import ./docker/outline { inherit pkgs; };
docker-postgresql = import ./docker/postgresql { inherit pkgs; };
docker-prometheus = import ./docker/prometheus { inherit pkgs; };
@@ -49,6 +52,8 @@
obsidian-theme-minimal = import ./obsidian/themes/minimal { inherit pkgs; };
oidcwarden = import ./oidcwarden { inherit pkgs; };
prometheus-fail2ban-exporter = import ./prometheus-fail2ban-exporter { inherit pkgs; };
prometheus-podman-exporter = import ./prometheus-podman-exporter { inherit pkgs; };

41
packages/docker/oidcwarden/default.nix Normal file
View File

@@ -0,0 +1,41 @@
{
pkgs,
inputs,
system,
...
}:
let
selfPkgs = inputs.self.packages.${system};
in
pkgs.dockerTools.buildImage {
name = "oidcwarden";
fromImage = import ../base { inherit pkgs; };
copyToRoot = pkgs.buildEnv {
name = "root";
paths = with selfPkgs; [
oidcwarden
oidcwarden.webvault
];
pathsToLink = [
"/bin"
"/share"
];
};
config = {
Entrypoint = [ "/bin/oidcwarden" ];
Env = [
"WEB_VAULT_FOLDER=${selfPkgs.oidcwarden.webvault}/share/vaultwarden/vault"
"DATA_FOLDER=/var/lib/vaultwarden"
"ROCKET_PROFILE=release"
"ROCKET_ADDRESS=0.0.0.0"
];
Volumes = {
"/var/lib/vaultwarden" = { };
};
ExposedPorts = {
"8000/tcp" = { };
};
};
}

34
packages/oidcwarden/default.nix Normal file
View File

@@ -0,0 +1,34 @@
{ pkgs, ... }:
# AUTO-UPDATE: nix-update --flake oidcwarden
# FIXME: https://github.com/dani-garcia/vaultwarden/pull/3899
pkgs.rustPlatform.buildRustPackage rec {
pname = "oidcwarden";
version = "2025.5.1-4";
src = pkgs.fetchFromGitHub {
owner = "Timshel";
repo = "OIDCWarden";
rev = "v${version}";
hash = "sha256-OEKksnZlL6kkNkU1pu7y58++EmunN0yQHwJtZwt3Cbs=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-ZQ4Q5nD2WOkVX7OXEk1JTgN8zHvI6Cqmb1ifcHkXKp4=";
env.VW_VERSION = version;
nativeBuildInputs = with pkgs; [ pkg-config ];
buildInputs = with pkgs; [
openssl
libpq
];
buildFeatures = [ "postgresql" ];
passthru = with pkgs.vaultwarden; {
inherit webvault updateScript;
tests = pkgs.lib.nixosTests.vaultwarden;
};
meta.mainProgram = "oidcwarden";
}