Add vaultwarden

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-06-11 19:05:11 +01:00
parent 0b15c9c3fa
commit 548666f86c
7 changed files with 235 additions and 1 deletions


@@ -130,6 +130,7 @@ in
"admins"
"git"
"docs"
"vaultwarden"
];
};
}


@@ -16,6 +16,7 @@ in
(import ./prometheus { inherit user home; })
(import ./sish { inherit user home; })
(import ./traefik { inherit user home; })
(import ./vaultwarden { inherit user home; })
(import ./whoami { inherit user home; })
];


@@ -63,7 +63,7 @@ in
"--providers.docker=true"
"--providers.docker.exposedbydefault=false"
"--providers.docker.network=systemd-traefik"
"--providers.docker.network=traefik"
"--entryPoints.http.address=:80"
"--entrypoints.http.http.redirections.entryPoint.to=https"
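Review bot: Whether the new provider value `"--providers.docker.network=traefik"` matches the podman network the containers actually join depends on the quadlet network definition, which lies outside this hunk; quadlet names a network `systemd-<unit>` unless `NetworkName` is set, so confirm the traefik network unit sets `NetworkName=traefik` (the new vaultwarden container joins it through `networks.traefik.ref`). If the two names diverge, the docker provider will not find the container's address on that network and the router will have no reachable backend.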


@@ -0,0 +1,152 @@
{
user ? throw "user argument is required",
home ? throw "home argument is required",
}:
{
config,
inputs,
pkgs,
system,
lib,
...
}:
let
selfPkgs = inputs.self.packages.${system};
hmConfig = config.home-manager.users.${user};
inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
autheliaClientId = "G9g4cRccYM1tpTO8rLqziThUlZFT4BwlvittHRSbZOJK3rfkpFKUQylI7SI40KmZDzavPrQhEWXWGspS3hxrwH9PesDw5A1EECEZ";
in
{
home-manager.users.${user} = {
sops = {
secrets = {
"vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
"vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
};
templates = {
vaultwarden-postgresql-env.content = ''
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/postgresql"}
'';
vaultwarden-env.content = ''
DATABASE_URL=postgresql://vaultwarden:${
hmConfig.sops.placeholder."vaultwarden/postgresql"
}@vaultwarden-postgresql:5432/vaultwarden
ADMIN_TOKEN=${hmConfig.sops.placeholder."vaultwarden/adminToken"}
SMTP_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/smtp"}
PUSH_INSTALLATION_ID=${hmConfig.sops.placeholder."vaultwarden/push/installationId"}
PUSH_INSTALLATION_KEY=${hmConfig.sops.placeholder."vaultwarden/push/installationKey"}
SSO_CLIENT_SECRET=${hmConfig.sops.placeholder."vaultwarden/authelia/password"}
'';
authelia-vaultwarden.content = builtins.readFile (
(pkgs.formats.yaml { }).generate "vaultwarden.yaml" {
identity_providers.oidc = {
authorization_policies.vaultwarden = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:vaultwarden";
}
];
};
clients = [
{
client_id = autheliaClientId;
client_name = "Vaultwarden";
client_secret = hmConfig.sops.placeholder."vaultwarden/authelia/digest";
redirect_uris = [ "https://vault.karaolidis.com/identity/connect/oidc-signin" ];
authorization_policy = "vaultwarden";
scopes = [
"openid"
"email"
"profile"
"offline_access"
];
}
];
};
}
);
};
};
virtualisation.quadlet = {
networks.vaultwarden.networkConfig.internal = true;
volumes = {
vaultwarden-postgresql = { };
vaultwarden = { };
};
containers = {
vaultwarden = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-oidcwarden}";
volumes = [ "${volumes.vaultwarden.ref}:/var/lib/vaultwarden" ];
networks = [
networks.vaultwarden.ref
networks.traefik.ref
];
environments = {
DOMAIN = "https://vault.karaolidis.com";
LOG_LEVEL = "warn";
SIGNUPS_ALLOWED = "false";
INVITATIONS_ALLOWED = "false";
SMTP_HOST = "smtp.protonmail.ch";
SMTP_FROM = "jupiter@karaolidis.com";
SMTP_PORT = "587";
SMTP_SECURITY = "starttls";
SMTP_USERNAME = "jupiter@karaolidis.com";
PUSH_ENABLED = "true";
PUSH_RELAY_URI = "https://api.bitwarden.eu";
PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
SSO_ENABLED = "true";
SSO_AUTHORITY = "https://id.karaolidis.com";
SSO_SCOPES = "openid email profile offline_access";
SSO_CLIENT_ID = autheliaClientId;
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";
};
environmentFiles = [ hmConfig.sops.templates.vaultwarden-env.path ];
labels = [
"traefik.enable=true"
"traefik.http.routers.vaultwarden.rule=Host(`vault.karaolidis.com`)"
];
};
unitConfig.After = [
"${containers.vaultwarden-postgresql._serviceName}.service"
"sops-nix.service"
];
};
vaultwarden-postgresql = {
containerConfig = {
image = "docker-archive:${selfPkgs.docker-postgresql}";
networks = [ networks.vaultwarden.ref ];
volumes = [ "${volumes.vaultwarden-postgresql.ref}:/var/lib/postgresql/data" ];
environments = {
POSTGRES_DB = "vaultwarden";
POSTGRES_USER = "vaultwarden";
};
environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
};
unitConfig.After = [ "sops-nix.service" ];
};
authelia-init.containerConfig.volumes = [
"${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
];
};
};
};
}
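Review bot: The `authorization_policies.vaultwarden` rule grants this client access with `policy = "one_factor";`, yet the relying party is a password manager whose SSO login unlocks every stored credential, so unless Vaultwarden's own second factor is deliberately relied on instead, `policy = "two_factor";` for the `group:vaultwarden` rule is the more defensible setting at the IdP. In the container environment, `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";` instructs the server to accept SSO identities whose `email_verified` claim is missing, and Authelia presumably emits that claim for the `email` scope already, so the override looks unnecessary and should be dropped unless the issued ID token is confirmed to lack it. `DATABASE_URL` in the `vaultwarden-env` template interpolates the raw PostgreSQL password into a URL, so the `vaultwarden/postgresql` secret must not contain URL-reserved characters such as `@`, `/`, `:` or `%` or the connection string is mis-parsed; a comment next to the template, e.g. `# password is embedded in a URL: keep it free of reserved characters`, would prevent a future rotation from breaking startup. `SSO_ONLY` is left unset, so local password login remains available alongside SSO; if SSO is intended to be the sole entry point, set it explicitly (assuming the oidcwarden image honours that variable).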