From 548666f86cadcbb680223f34bd2e33b6e7114fd9 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Wed, 11 Jun 2025 19:05:11 +0100
Subject: [PATCH] Add vaultwarden
Signed-off-by: Nikolaos Karaolidis
---
 .../console/podman/authelia/default.nix | 1 +
 .../storm/configs/console/podman/default.nix | 1 +
 .../console/podman/traefik/default.nix | 2 +-
 .../console/podman/vaultwarden/default.nix | 152 ++++++++++++++++++
 packages/default.nix | 5 +
 packages/docker/oidcwarden/default.nix | 41 +++++
 packages/oidcwarden/default.nix | 34 ++++
 7 files changed, 235 insertions(+), 1 deletion(-)
 create mode 100644 hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
 create mode 100644 packages/docker/oidcwarden/default.nix
 create mode 100644 packages/oidcwarden/default.nix
diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
index 77572fa..4b4e274 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -130,6 +130,7 @@ in
 "admins"
 "git"
 "docs"
+ "vaultwarden"
 ];
 };
 }
diff --git a/hosts/jupiter/users/storm/configs/console/podman/default.nix b/hosts/jupiter/users/storm/configs/console/podman/default.nix
index 8065bba..a80fe7c 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -16,6 +16,7 @@ in
 (import ./prometheus { inherit user home; })
 (import ./sish { inherit user home; })
 (import ./traefik { inherit user home; })
+ (import ./vaultwarden { inherit user home; })
 (import ./whoami { inherit user home; })
 ];
diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
index 9040e43..24a8b7a 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -63,7 +63,7 @@ in
 "--providers.docker=true"
 "--providers.docker.exposedbydefault=false"
- "--providers.docker.network=systemd-traefik"
+ "--providers.docker.network=traefik"
 "--entryPoints.http.address=:80"
 "--entrypoints.http.http.redirections.entryPoint.to=https"
diff --git a/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
new file mode 100644
index 0000000..a62ddf5
--- /dev/null
+++ b/hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix
@@ -0,0 +1,152 @@
+{
+ user ? throw "user argument is required",
+ home ? throw "home argument is required",
+}:
+{
+ config,
+ inputs,
+ pkgs,
+ system,
+ lib,
+ ...
+}:
+let
+ selfPkgs = inputs.self.packages.${system};
+ hmConfig = config.home-manager.users.${user};
+ inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
+ autheliaClientId = "G9g4cRccYM1tpTO8rLqziThUlZFT4BwlvittHRSbZOJK3rfkpFKUQylI7SI40KmZDzavPrQhEWXWGspS3hxrwH9PesDw5A1EECEZ";
+in
+{
+ home-manager.users.${user} = {
+ sops = {
+ secrets = {
+ "vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+ };
+
+ templates = {
+ vaultwarden-postgresql-env.content = ''
+ POSTGRES_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/postgresql"}
+ '';
+
+ vaultwarden-env.content = ''
+ DATABASE_URL=postgresql://vaultwarden:${
+ hmConfig.sops.placeholder."vaultwarden/postgresql"
+ }@vaultwarden-postgresql:5432/vaultwarden
+ ADMIN_TOKEN=${hmConfig.sops.placeholder."vaultwarden/adminToken"}
+ SMTP_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/smtp"}
+ PUSH_INSTALLATION_ID=${hmConfig.sops.placeholder."vaultwarden/push/installationId"}
+ PUSH_INSTALLATION_KEY=${hmConfig.sops.placeholder."vaultwarden/push/installationKey"}
+ SSO_CLIENT_SECRET=${hmConfig.sops.placeholder."vaultwarden/authelia/password"}
+ '';
+
+ authelia-vaultwarden.content = builtins.readFile (
+ (pkgs.formats.yaml { }).generate "vaultwarden.yaml" {
+ identity_providers.oidc = {
+ authorization_policies.vaultwarden = {
+ default_policy = "deny";
+ rules = [
+ {
+ policy = "one_factor";
+ subject = "group:vaultwarden";
+ }
+ ];
+ };
+
+ clients = [
+ {
+ client_id = autheliaClientId;
+ client_name = "Vaultwarden";
+ client_secret = hmConfig.sops.placeholder."vaultwarden/authelia/digest";
+ redirect_uris = [ "https://vault.karaolidis.com/identity/connect/oidc-signin" ];
+ authorization_policy = "vaultwarden";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "offline_access"
+ ];
+ }
+ ];
+ };
+ }
+ );
+ };
+ };
+
+ virtualisation.quadlet = {
+ networks.vaultwarden.networkConfig.internal = true;
+
+ volumes = {
+ vaultwarden-postgresql = { };
+ vaultwarden = { };
+ };
+
+ containers = {
+ vaultwarden = {
+ containerConfig = {
+ image = "docker-archive:${selfPkgs.docker-oidcwarden}";
+ volumes = [ "${volumes.vaultwarden.ref}:/var/lib/vaultwarden" ];
+ networks = [
+ networks.vaultwarden.ref
+ networks.traefik.ref
+ ];
+ environments = {
+ DOMAIN = "https://vault.karaolidis.com";
+ LOG_LEVEL = "warn";
+ SIGNUPS_ALLOWED = "false";
+ INVITATIONS_ALLOWED = "false";
+ SMTP_HOST = "smtp.protonmail.ch";
+ SMTP_FROM = "jupiter@karaolidis.com";
+ SMTP_PORT = "587";
+ SMTP_SECURITY = "starttls";
+ SMTP_USERNAME = "jupiter@karaolidis.com";
+ PUSH_ENABLED = "true";
+ PUSH_RELAY_URI = "https://api.bitwarden.eu";
+ PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
+ SSO_ENABLED = "true";
+ SSO_AUTHORITY = "https://id.karaolidis.com";
+ SSO_SCOPES = "openid email profile offline_access";
+ SSO_CLIENT_ID = autheliaClientId;
+ SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";
+ };
+ environmentFiles = [ hmConfig.sops.templates.vaultwarden-env.path ];
+ labels = [
+ "traefik.enable=true"
+ "traefik.http.routers.vaultwarden.rule=Host(`vault.karaolidis.com`)"
+ ];
+ };
+
+ unitConfig.After = [
+ "${containers.vaultwarden-postgresql._serviceName}.service"
+ "sops-nix.service"
+ ];
+ };
+
+ vaultwarden-postgresql = {
+ containerConfig = {
+ image = "docker-archive:${selfPkgs.docker-postgresql}";
+ networks = [ networks.vaultwarden.ref ];
+ volumes = [ "${volumes.vaultwarden-postgresql.ref}:/var/lib/postgresql/data" ];
+ environments = {
+ POSTGRES_DB = "vaultwarden";
+ POSTGRES_USER = "vaultwarden";
+ };
+ environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
+ };
+
+ unitConfig.After = [ "sops-nix.service" ];
+ };
+
+ authelia-init.containerConfig.volumes = [
+ "${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
+ ];
+ };
+ };
+ };
+}
diff --git a/packages/default.nix b/packages/default.nix
index bf70533..df46ab1 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -15,6 +15,9 @@
 docker-grafana = import ./docker/grafana { inherit pkgs; };
 docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
 docker-ntfy = import ./docker/ntfy { inherit pkgs; };
+ docker-oidcwarden = import ./docker/oidcwarden {
+ inherit pkgs inputs system;
+ };
 docker-outline = import ./docker/outline { inherit pkgs; };
 docker-postgresql = import ./docker/postgresql { inherit pkgs; };
 docker-prometheus = import ./docker/prometheus { inherit pkgs; };
@@ -49,6 +52,8 @@
 obsidian-theme-minimal = import ./obsidian/themes/minimal { inherit pkgs; };
+ oidcwarden = import ./oidcwarden { inherit pkgs; };
+
 prometheus-fail2ban-exporter = import ./prometheus-fail2ban-exporter { inherit pkgs; };
 prometheus-podman-exporter = import ./prometheus-podman-exporter { inherit pkgs; };
diff --git a/packages/docker/oidcwarden/default.nix b/packages/docker/oidcwarden/default.nix
new file mode 100644
index 0000000..866ceb3
--- /dev/null
+++ b/packages/docker/oidcwarden/default.nix
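Review bot: `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true"` in the vaultwarden container's `environments` carries no comment explaining why it is needed; as I understand the OIDCWarden option, it lets an SSO identity be accepted even when the IdP does not mark the email as verified, which weakens the check that stops an IdP account from being linked to an existing vault by email alone, so the reason deserves to be recorded — e.g. `# Authelia does not return email_verified; every account in group:vaultwarden is admin-provisioned` — or the setting dropped if Authelia does supply `email_verified`. The exposure here is bounded by who can obtain an Authelia account in `group:vaultwarden`, but the next reader cannot tell that from this file. Two smaller points in the same block: `ADMIN_TOKEN` is passed through from sops verbatim, and if the stored value is a plaintext token rather than the Argon2 PHC string vaultwarden documents for this variable, storing the hash would avoid keeping a recoverable admin secret on disk; and `unitConfig.After` orders the container after `vaultwarden-postgresql` without a `Requires`/`Wants`, so a failed or stopped database unit does not propagate to vaultwarden.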
@@ -0,0 +1,41 @@
+{
+ pkgs,
+ inputs,
+ system,
+ ...
+}:
+let
+ selfPkgs = inputs.self.packages.${system};
+in
+pkgs.dockerTools.buildImage {
+ name = "oidcwarden";
+ fromImage = import ../base { inherit pkgs; };
+
+ copyToRoot = pkgs.buildEnv {
+ name = "root";
+ paths = with selfPkgs; [
+ oidcwarden
+ oidcwarden.webvault
+ ];
+ pathsToLink = [
+ "/bin"
+ "/share"
+ ];
+ };
+
+ config = {
+ Entrypoint = [ "/bin/oidcwarden" ];
+ Env = [
+ "WEB_VAULT_FOLDER=${selfPkgs.oidcwarden.webvault}/share/vaultwarden/vault"
+ "DATA_FOLDER=/var/lib/vaultwarden"
+ "ROCKET_PROFILE=release"
+ "ROCKET_ADDRESS=0.0.0.0"
+ ];
+ Volumes = {
+ "/var/lib/vaultwarden" = { };
+ };
+ ExposedPorts = {
+ "8000/tcp" = { };
+ };
+ };
+}
diff --git a/packages/oidcwarden/default.nix b/packages/oidcwarden/default.nix
new file mode 100644
index 0000000..c2b2520
--- /dev/null
+++ b/packages/oidcwarden/default.nix
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+# AUTO-UPDATE: nix-update --flake oidcwarden
+# FIXME: https://github.com/dani-garcia/vaultwarden/pull/3899
+pkgs.rustPlatform.buildRustPackage rec {
+ pname = "oidcwarden";
+ version = "2025.5.1-4";
+
+ src = pkgs.fetchFromGitHub {
+ owner = "Timshel";
+ repo = "OIDCWarden";
+ rev = "v${version}";
+ hash = "sha256-OEKksnZlL6kkNkU1pu7y58++EmunN0yQHwJtZwt3Cbs=";
+ };
+
+ useFetchCargoVendor = true;
+ cargoHash = "sha256-ZQ4Q5nD2WOkVX7OXEk1JTgN8zHvI6Cqmb1ifcHkXKp4=";
+
+ env.VW_VERSION = version;
+
+ nativeBuildInputs = with pkgs; [ pkg-config ];
+ buildInputs = with pkgs; [
+ openssl
+ libpq
+ ];
+
+ buildFeatures = [ "postgresql" ];
+
+ passthru = with pkgs.vaultwarden; {
+ inherit webvault updateScript;
+ tests = pkgs.lib.nixosTests.vaultwarden;
+ };
+
+ meta.mainProgram = "oidcwarden";
+}
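Review bot: The image `config` sets `Entrypoint`, `Env`, `Volumes` and `ExposedPorts` but no `User`, so unless `../base` (not visible in this patch) already switches to an unprivileged account, the oidcwarden process runs as root inside the container. The service only needs write access to `DATA_FOLDER`, so a dedicated uid — `User = "vaultwarden";` backed by a passwd entry in the image, or a numeric uid with the volume chowned to match — would limit what a compromise of the web process can reach; whichever way it is resolved, a comment stating which user the process runs as would save the next reader from re-checking the base image. `ROCKET_ADDRESS=0.0.0.0` is reasonable here only because the podman side attaches the container to an internal network and the traefik network rather than publishing the port; a one-line comment to that effect, e.g. `# bind all interfaces: reachability is controlled by the quadlet networks, not by this image`, would tie the two files together.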
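Review bot: `tests = pkgs.lib.nixosTests.vaultwarden;` in `passthru` looks like an evaluation error waiting to happen — `nixosTests` is a top-level nixpkgs attribute (nixpkgs' own vaultwarden uses `nixosTests.vaultwarden`), not a member of `lib`, and because `passthru` is lazy the failure only surfaces when `nix flake check` or nix-update's test step touches it; `tests = pkgs.nixosTests.vaultwarden;` would evaluate, though that test runs nixpkgs' vaultwarden binary rather than this package, so dropping the attribute may be the honest choice. `inherit webvault updateScript` from `pkgs.vaultwarden` in the same block is also questionable: the inherited `updateScript` targets the nixpkgs `vaultwarden` attribute rather than this flake's `oidcwarden` (the `AUTO-UPDATE` comment already names `nix-update --flake oidcwarden` as the real mechanism), and, as far as I know, OIDCWarden relies on a patched web vault build for the SSO login button, so reusing nixpkgs' unpatched `webvault` may leave the SSO flow unreachable from the UI — worth confirming against the upstream README and recording the result in a comment. The `FIXME` line cites a vaultwarden PR without saying what it is waiting for; presumably something like `# FIXME: retire this package once upstream SSO (PR 3899) lands and nixpkgs' vaultwarden can replace it`.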