Add vaultwarden

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix

@@ -130,6 +130,7 @@ in
                 "admins"
                 "git"
                 "docs"
+                "vaultwarden"
               ];
             };
           }

hosts/jupiter/users/storm/configs/console/podman/default.nix

@@ -16,6 +16,7 @@ in
     (import ./prometheus { inherit user home; })
     (import ./sish { inherit user home; })
     (import ./traefik { inherit user home; })
+    (import ./vaultwarden { inherit user home; })
     (import ./whoami { inherit user home; })
   ];
 

hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix

@@ -63,7 +63,7 @@ in
 
               "--providers.docker=true"
               "--providers.docker.exposedbydefault=false"
-              "--providers.docker.network=systemd-traefik"
+              "--providers.docker.network=traefik"
 
               "--entryPoints.http.address=:80"
               "--entrypoints.http.http.redirections.entryPoint.to=https"

hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix

@@ -0,0 +1,152 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{
+  config,
+  inputs,
+  pkgs,
+  system,
+  lib,
+  ...
+}:
+let
+  selfPkgs = inputs.self.packages.${system};
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
+  autheliaClientId = "G9g4cRccYM1tpTO8rLqziThUlZFT4BwlvittHRSbZOJK3rfkpFKUQylI7SI40KmZDzavPrQhEWXWGspS3hxrwH9PesDw5A1EECEZ";
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+      };
+
+      templates = {
+        vaultwarden-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/postgresql"}
+        '';
+
+        vaultwarden-env.content = ''
+          DATABASE_URL=postgresql://vaultwarden:${
+            hmConfig.sops.placeholder."vaultwarden/postgresql"
+          }@vaultwarden-postgresql:5432/vaultwarden
+          ADMIN_TOKEN=${hmConfig.sops.placeholder."vaultwarden/adminToken"}
+          SMTP_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/smtp"}
+          PUSH_INSTALLATION_ID=${hmConfig.sops.placeholder."vaultwarden/push/installationId"}
+          PUSH_INSTALLATION_KEY=${hmConfig.sops.placeholder."vaultwarden/push/installationKey"}
+          SSO_CLIENT_SECRET=${hmConfig.sops.placeholder."vaultwarden/authelia/password"}
+        '';
+
+        authelia-vaultwarden.content = builtins.readFile (
+          (pkgs.formats.yaml { }).generate "vaultwarden.yaml" {
+            identity_providers.oidc = {
+              authorization_policies.vaultwarden = {
+                default_policy = "deny";
+                rules = [
+                  {
+                    policy = "one_factor";
+                    subject = "group:vaultwarden";
+                  }
+                ];
+              };
+
+              clients = [
+                {
+                  client_id = autheliaClientId;
+                  client_name = "Vaultwarden";
+                  client_secret = hmConfig.sops.placeholder."vaultwarden/authelia/digest";
+                  redirect_uris = [ "https://vault.karaolidis.com/identity/connect/oidc-signin" ];
+                  authorization_policy = "vaultwarden";
+                  scopes = [
+                    "openid"
+                    "email"
+                    "profile"
+                    "offline_access"
+                  ];
+                }
+              ];
+            };
+          }
+        );
+      };
+    };
+
+    virtualisation.quadlet = {
+      networks.vaultwarden.networkConfig.internal = true;
+
+      volumes = {
+        vaultwarden-postgresql = { };
+        vaultwarden = { };
+      };
+
+      containers = {
+        vaultwarden = {
+          containerConfig = {
+            image = "docker-archive:${selfPkgs.docker-oidcwarden}";
+            volumes = [ "${volumes.vaultwarden.ref}:/var/lib/vaultwarden" ];
+            networks = [
+              networks.vaultwarden.ref
+              networks.traefik.ref
+            ];
+            environments = {
+              DOMAIN = "https://vault.karaolidis.com";
+              LOG_LEVEL = "warn";
+              SIGNUPS_ALLOWED = "false";
+              INVITATIONS_ALLOWED = "false";
+              SMTP_HOST = "smtp.protonmail.ch";
+              SMTP_FROM = "jupiter@karaolidis.com";
+              SMTP_PORT = "587";
+              SMTP_SECURITY = "starttls";
+              SMTP_USERNAME = "jupiter@karaolidis.com";
+              PUSH_ENABLED = "true";
+              PUSH_RELAY_URI = "https://api.bitwarden.eu";
+              PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
+              SSO_ENABLED = "true";
+              SSO_AUTHORITY = "https://id.karaolidis.com";
+              SSO_SCOPES = "openid email profile offline_access";
+              SSO_CLIENT_ID = autheliaClientId;
+              SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";
+            };
+            environmentFiles = [ hmConfig.sops.templates.vaultwarden-env.path ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.vaultwarden.rule=Host(`vault.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig.After = [
+            "${containers.vaultwarden-postgresql._serviceName}.service"
+            "sops-nix.service"
+          ];
+        };
+
+        vaultwarden-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${selfPkgs.docker-postgresql}";
+            networks = [ networks.vaultwarden.ref ];
+            volumes = [ "${volumes.vaultwarden-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "vaultwarden";
+              POSTGRES_USER = "vaultwarden";
+            };
+            environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+
+        authelia-init.containerConfig.volumes = [
+          "${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
+        ];
+      };
+    };
+  };
+}

packages/default.nix

@@ -15,6 +15,9 @@
   docker-grafana = import ./docker/grafana { inherit pkgs; };
   docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
   docker-ntfy = import ./docker/ntfy { inherit pkgs; };
+  docker-oidcwarden = import ./docker/oidcwarden {
+    inherit pkgs inputs system;
+  };
   docker-outline = import ./docker/outline { inherit pkgs; };
   docker-postgresql = import ./docker/postgresql { inherit pkgs; };
   docker-prometheus = import ./docker/prometheus { inherit pkgs; };
@@ -49,6 +52,8 @@
 
   obsidian-theme-minimal = import ./obsidian/themes/minimal { inherit pkgs; };
 
+  oidcwarden = import ./oidcwarden { inherit pkgs; };
+
   prometheus-fail2ban-exporter = import ./prometheus-fail2ban-exporter { inherit pkgs; };
   prometheus-podman-exporter = import ./prometheus-podman-exporter { inherit pkgs; };
 

packages/docker/oidcwarden/default.nix

@@ -0,0 +1,41 @@
+{
+  pkgs,
+  inputs,
+  system,
+  ...
+}:
+let
+  selfPkgs = inputs.self.packages.${system};
+in
+pkgs.dockerTools.buildImage {
+  name = "oidcwarden";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with selfPkgs; [
+      oidcwarden
+      oidcwarden.webvault
+    ];
+    pathsToLink = [
+      "/bin"
+      "/share"
+    ];
+  };
+
+  config = {
+    Entrypoint = [ "/bin/oidcwarden" ];
+    Env = [
+      "WEB_VAULT_FOLDER=${selfPkgs.oidcwarden.webvault}/share/vaultwarden/vault"
+      "DATA_FOLDER=/var/lib/vaultwarden"
+      "ROCKET_PROFILE=release"
+      "ROCKET_ADDRESS=0.0.0.0"
+    ];
+    Volumes = {
+      "/var/lib/vaultwarden" = { };
+    };
+    ExposedPorts = {
+      "8000/tcp" = { };
+    };
+  };
+}

packages/oidcwarden/default.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+# AUTO-UPDATE: nix-update --flake oidcwarden
+# FIXME: https://github.com/dani-garcia/vaultwarden/pull/3899
+pkgs.rustPlatform.buildRustPackage rec {
+  pname = "oidcwarden";
+  version = "2025.5.1-4";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "Timshel";
+    repo = "OIDCWarden";
+    rev = "v${version}";
+    hash = "sha256-OEKksnZlL6kkNkU1pu7y58++EmunN0yQHwJtZwt3Cbs=";
+  };
+
+  useFetchCargoVendor = true;
+  cargoHash = "sha256-ZQ4Q5nD2WOkVX7OXEk1JTgN8zHvI6Cqmb1ifcHkXKp4=";
+
+  env.VW_VERSION = version;
+
+  nativeBuildInputs = with pkgs; [ pkg-config ];
+  buildInputs = with pkgs; [
+    openssl
+    libpq
+  ];
+
+  buildFeatures = [ "postgresql" ];
+
+  passthru = with pkgs.vaultwarden; {
+    inherit webvault updateScript;
+    tests = pkgs.lib.nixosTests.vaultwarden;
+  };
+
+  meta.mainProgram = "oidcwarden";
+}