nixos/vaultwarden: Real hardware config

nixos/boxes/colony/vms/shill/containers/vaultwarden.nix

@@ -21,7 +21,6 @@
       inherit (lib.my) networkdAssignment;
 
       vwData = "/var/lib/vaultwarden";
-      vwSecrets = "vaultwarden.env";
     in
     {
       config = mkMerge [
@@ -31,12 +30,12 @@
             server.enable = true;
 
             secrets = {
-              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILakffcjRp6h6lxSOADOsTK5h2MCkt8hKDv0cvchM7iw";
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP2mF50ENpnJnr+VTnG9P+JFPjgwvoIxCLyJPzXRpVy";
-              files."${vwSecrets}" = {};
+              files."vaultwarden.env" = {};
             };
 
             firewall = {
-              tcp.allowed = [ 80 3012 ];
+              tcp.allowed = with config.services.vaultwarden.config; [ ROCKET_PORT WEBSOCKET_PORT ];
             };
 
             tmproot.persistence.config.directories = [
@@ -57,14 +56,30 @@
             vaultwarden = {
               enable = true;
               config = {
-                dataFolder = vwData;
+                DATA_FOLDER = vwData;
-                webVaultEnabled = true;
 
-                rocketPort = 80;
+                WEB_VAULT_ENABLED = true;
-                websocketEnabled = true;
+
-                websocketPort = 3012;
+                WEBSOCKET_ENABLED = true;
+                WEBSOCKET_ADDRESS = "::";
+                WEBSOCKET_PORT = 3012;
+
+                SIGNUPS_ALLOWED = false;
+
+                DOMAIN = "https://pass.${lib.my.pubDomain}";
+
+                ROCKET_ADDRESS = "::";
+                ROCKET_PORT = 80;
+
+                SMTP_HOST = "mail.nul.ie";
+                SMTP_FROM = "pass@nul.ie";
+                SMTP_FROM_NAME = "Vaultwarden";
+                SMTP_SECURITY = "starttls";
+                SMTP_PORT = 587;
+                SMTP_USERNAME = "pass@nul.ie";
+                SMTP_TIMEOUT = 15;
               };
-              environmentFile = config.age.secrets."${vwSecrets}".path;
+              environmentFile = config.age.secrets."vaultwarden.env".path;
             };
           };
         }

secrets/estuary/netdata/powerdns_recursor.conf.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw z/wgsbTnvMwnFg5jjtMDHkQ7wPz2SY8oCdNFIFEuuBo
+-> ssh-ed25519 n8CpUw +a8D5DCZQCK5Yv/U+ApOAP8TxcA7cjAXG2aulHdQG2I
-DM1P19QwM8TmG0fBw52BjUPfCkimf7dvMMu86KZg2Eo
+9WDr8i1YxZ29daFIeT0yDwhHPNvx87JmBp/Rg5cFOJI
--> X25519 xdsqtPpZaQJN3yvgulASl0OdIy+HH5BzXkRGrK0Sakg
+-> X25519 tDJjrmPEM9C5JmjhCkXo2a15u0pGubRRuae1xxaFPD8
-KR4gj4pafDrInLyz1WhV/AAuEbDWLrOKP9O7dzBnsQg
+tGH3wzDZJzK4BbozX2z9T2yXabriR2fdg4ZVO3KZk/g
--> y.-grease G5C+_ u7nR &.w1r}G 8tS
+-> SQa:-&-grease g ~"{ :m <Jo\5dz
-VUr+ZkK8wWhZwwhRGFVRXjnjiW1c5BIArlNylTrK8OwCNQ
+o9KTHn70+oFLRHA
---- fIl+/aQf4mqtRC0gTbQQkRLtFCIB9UiP4BxxTyYG4y4
+--- i/1z+jWIvlhCTq08UYqceDpaRe6CJJr8remSB6LVAH0
-’ó@¢ì0AQ¾¿Aå„8lh;%Îô<C38E>„£óÂT« *D¨æs×Bç„u>Û¼§l zÝ<7A>FáU
+L±ÍÈÿe÷SºC£±«Þ‚äË[֯ȡcÑ´ýªC@Ù¼jvvyíüל1‰ý¬£a·c÷zún7Ya=~"£J'Š‡²H‹»RZ‡´,ÕÇž<>{àÆÔFü1[±KI^Îò„ßå|»î%Yh`«Gx<>ü$¤5ÝRCŒz0«tÍ0‚uÀËåÆ“5^ ö›
-›r ß™	á<>Þ²V=ãé¤[†-s9<73>SG»ßšñÇ<>â‘ëþ¹ÃsÃ'æpu¿!´"¿ü×”ÜY{ñ¢<~úïêòQu#eö™<C3B6>ÖJžÿ„¹Úgö%éN

secrets/estuary/pdns/auth.conf.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw vrmqoaNTgD3vR/JjMEzDtFtuJdOgOG1cAF/K4wVxpAA
+-> ssh-ed25519 n8CpUw DOBT0UVIyRCCL6hLk/F1El4MbtNYskMz+IMjD4UuOns
-ICuTWokXdt8vKHwFO/HsAOSR4mdjP1XtG2dRpwReQe4
+NT0PRGlEpQ3YcxHEUdw/90QhD8xGar6id17maVwUdb0
--> X25519 O3v69z65PU313Q9V9OFwpIVfgffCn3AEbIRZemogMVo
+-> X25519 c/SwQBGz826ezLHbZfOPNr0uhqFK6RTvxEA8HDb7+xY
-3UqbO6tA+e0kWGxgR1NyomaA9asEkUbDUvTCdHcvJ1c
+rZa2TqG0icjqMLFE79ouCFqsInQHe7a4FsaY8sPiDl8
--> N-grease Y3 a[
+-> 0A*gt-grease F:X-O^
-PBZW+W7X/tuOu1IF8spvn59M1kNAGUP7+DTbLUjlqndzGMaBJ84CJw+CAPC+Md1I
+
-1iqulKt6UAAFkpY
+--- 6nJnd0CERDygNJnpVCIrKQhpmUQJisAV/HgX1RYyf9Q
---- DQ8K63M3As26s09GVGc/nEUm/qstY0AN5yiCQ1PXKaM
+Žƒ¬<ð*ù<>IRå®
iq™¿D¡ÓO®ë¹k•Oä…sÛÕ×:-þ’Žê]ë@ch.±×ŠéO¨	UMEW%k
V<>C[Ër©
-ä„û†ª÷ø‘Èpf¨ó²ü¥5.×-yàÓiö¶ªúå¼ßa“1¼Ê•ÊJÖO†Ç"±KÍéBÈ‹-ÚEJ	_\_²y‚={]YQ"ì²â

secrets/estuary/pdns/recursor.conf.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 n8CpUw p36/Gp3jTdXE3AGFhHm9J2p0KuPRKq372go8Rplee34
+-> ssh-ed25519 n8CpUw WXvPv4yho+cwBrLItO/C+ilUzV2OW9ok+JOZJFPXnCs
-VV7OAGrst1gVp4oiFBMHRQzRrPYKQVOiTKJY/uxGPSQ
+hJWK6VyAs3BWeLelIfYSmncY9DNqfyxFg8zn3iFsnNY
--> X25519 zVxW9hWqbNkZwkxbmr+84vx/ePe6SMob8Nn3lQ5NXFY
+-> X25519 oJvXbZqzokFmN+5WpH/G0KMQvY2UFkZ7SEQEXzpNeAY
-YwbLgoNYDYmtHfeFyBR7YwpqHrYN2AV2w7zACz4px0U
+F7GBoHwPKSfioaR4YLsH7WTBeopUVXH8FYAzIy1C8Sg
--> R;D)YDog-grease l 5Im2tR&`
+-> Vvm6>F-grease y =5;b4O4 (%y Pp&
-/dg2cnvcyLH/LvhFQTukBOgqLv+nYrzyDJimzS9SqY2scN7q0V9lDrx/KYKVeeWi
+ULDWg4Kh5gcCpSSsi9vXqXSYkPEtyrvfoTxSaY59gA
-jUnKsIt9bq2gXAXKnT2GqnHWBbixMUrqLxax/nSTVOT4g0fjrBkWPg
+--- 95OJTatGi3+dxqaTpHfqZc4987YDyi3TNGTNEwjQe+Y
---- bkRusUuDjD0EzR2YvikUhjbFQ86HeGUluxSuf/kfbH0
+ç*SÆì™ÇC/¼O¨!¼S^:B*K[FµëA¬ q;ñ昸¦WTõ&s7¤XÞËM‡ÑÏ„<0C>ÔˆŠp;þ¯|€0SJÖ
-vý!ô€ªSLôœÀ÷ë[²^}›ya+‰É“‘a”I'Ýþ(‡Ò+îzu³e­#‚úeÜq`Ë:Õn’èŒâ

secrets/jackflix-wg-privkey.txt.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 vf+WVg KhusLFATFrmnujHs1WV+VR+MPktHASs+Wj82s35pfig
+-> ssh-ed25519 vf+WVg 46AUsv9pdxNRa3OqRbBhNCZ4mtmeoQ2/DPBTSiEiZTQ
-IXeX1fHQ/0CbC2D22aQLY9TnaPnW0u6iMPr0aimAxvs
+Ib4PHWRKr1x9hcxjY+DQMpahA3dpTyFzYRZ9JFzcLNc
--> X25519 4hQH9z/z4JF7chKf7P3L+eorQHojuEf51YukjyKaf2Q
+-> X25519 lm03ugY8fnUPThuqOA1zkDjLgF7swWURECXYD+lXZlY
-Ce623tTN1jGwbKnHPbnDpJMGG3KdZCd3kM1fBzC+mqI
+dW9tb6Bv+7ofIhZHV0E5Hq4jhtHMDC0wgQ+trMaPLUE
--> :(-grease mxbrVm>
+-> @-grease {3]QG.2I OR(T <FkdN$|=
-rZKeB2I+ThUqHOB43Icv91gDI6J+1yYknWHul0/Uv0LDSgSKBpIhYv4Gkd/mOnPS
+3ktwWgIO8kgJ1GPY
-Ow
+--- aOCS82AO1gSIkgDRP4ISFP9Q/XVzyjzl9ShgpxPoWLk
---- bEHjGQBQ60BLD9cnDjg+oR0W3HOwLgADCqX3yqrwjHk
+%ûœ0<C593>ÿ_K‹AñÂñpïï§9l¹iõàµÞ±ÀD=3ÎÚ<C38E>³Æ¼<C386>?/¥Ý%ó¨]5YÇñrÄ}ÚS®a¨¨ùÛ|°1J¥ÍÑFõé
-<EFBFBD>š¸¾¯y‚M£Ëã¤<EFBFBD>ÌX«Ïš¼&u(“‘áHqˆfŽdzR¾x(G©t·{¢ô r§ Àv?–Þ3üÉ·¹½¯ÞÕ‚–
YË<59>+­