nixos/vaultwarden: Real hardware config

2022-06-18 23:22:44 +01:00
parent 45ffefc328
commit 661233344c
13 changed files with 57 additions and 46 deletions
--- a/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
+++ b/nixos/boxes/colony/vms/shill/containers/vaultwarden.nix
@@ -21,7 +21,6 @@
      inherit (lib.my) networkdAssignment;
      vwData = "/var/lib/vaultwarden";
      vwSecrets = "vaultwarden.env";
    in
    {
      config = mkMerge [
@@ -31,12 +30,12 @@
            server.enable = true;
            secrets = {
-              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILakffcjRp6h6lxSOADOsTK5h2MCkt8hKDv0cvchM7iw";
+              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFP2mF50ENpnJnr+VTnG9P+JFPjgwvoIxCLyJPzXRpVy";
-              files."${vwSecrets}" = {};
+              files."vaultwarden.env" = {};
            };
            firewall = {
-              tcp.allowed = [ 80 3012 ];
+              tcp.allowed = with config.services.vaultwarden.config; [ ROCKET_PORT WEBSOCKET_PORT ];
            };
            tmproot.persistence.config.directories = [
@@ -57,14 +56,30 @@
            vaultwarden = {
              enable = true;
              config = {
-                dataFolder = vwData;
+                DATA_FOLDER = vwData;
                webVaultEnabled = true;
-                rocketPort = 80;
+                WEB_VAULT_ENABLED = true;
-                websocketEnabled = true;
+
-                websocketPort = 3012;
+                WEBSOCKET_ENABLED = true;
                WEBSOCKET_ADDRESS = "::";
                WEBSOCKET_PORT = 3012;
                SIGNUPS_ALLOWED = false;
                DOMAIN = "https://pass.${lib.my.pubDomain}";
                ROCKET_ADDRESS = "::";
                ROCKET_PORT = 80;
                SMTP_HOST = "mail.nul.ie";
                SMTP_FROM = "pass@nul.ie";
                SMTP_FROM_NAME = "Vaultwarden";
                SMTP_SECURITY = "starttls";
                SMTP_PORT = 587;
                SMTP_USERNAME = "pass@nul.ie";
                SMTP_TIMEOUT = 15;
              };
-              environmentFile = config.age.secrets."${vwSecrets}".path;
+              environmentFile = config.age.secrets."vaultwarden.env".path;
            };
          };
        }
--- a/secrets/dhparams.pem.age
+++ b/secrets/dhparams.pem.age
--- a/secrets/estuary/netdata/powerdns.conf.age
+++ b/secrets/estuary/netdata/powerdns.conf.age
--- a/secrets/estuary/netdata/powerdns_recursor.conf.age
+++ b/secrets/estuary/netdata/powerdns_recursor.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 n8CpUw z/wgsbTnvMwnFg5jjtMDHkQ7wPz2SY8oCdNFIFEuuBo
+-> ssh-ed25519 n8CpUw +a8D5DCZQCK5Yv/U+ApOAP8TxcA7cjAXG2aulHdQG2I
-DM1P19QwM8TmG0fBw52BjUPfCkimf7dvMMu86KZg2Eo
+9WDr8i1YxZ29daFIeT0yDwhHPNvx87JmBp/Rg5cFOJI
-> X25519 xdsqtPpZaQJN3yvgulASl0OdIy+HH5BzXkRGrK0Sakg
+-> X25519 tDJjrmPEM9C5JmjhCkXo2a15u0pGubRRuae1xxaFPD8
-KR4gj4pafDrInLyz1WhV/AAuEbDWLrOKP9O7dzBnsQg
+tGH3wzDZJzK4BbozX2z9T2yXabriR2fdg4ZVO3KZk/g
-> y.-grease G5C+_ u7nR &.w1r}G 8tS
+-> SQa:-&-grease g ~"{ :m <Jo\5dz
-VUr+ZkK8wWhZwwhRGFVRXjnjiW1c5BIArlNylTrK8OwCNQ
+o9KTHn70+oFLRHA
--- fIl+/aQf4mqtRC0gTbQQkRLtFCIB9UiP4BxxTyYG4y4
+--- i/1z+jWIvlhCTq08UYqceDpaRe6CJJr8remSB6LVAH0
-<10><>@<40><>0AQ<EFBFBD><EFBFBD>A<EFBFBD><EFBFBD>8lh;%<25>􁄣<EFBFBD><F48184A3>T<EFBFBD> *D<><44>s<EFBFBD>B<EFBFBD><42>u>ۼ<>l<EFBFBD>z݁F<DD81>U
+L<EFBFBD><EFBFBD><EFBFBD><EFBFBD>e<EFBFBD>S<EFBFBD>C<EFBFBD><EFBFBD><EFBFBD>ނ<EFBFBD><EFBFBD>[<5B><0E>ȡcѴ<02><>C@ټjvvy<76><79>ל1<D79C><31><EFBFBD><EFBFBD>a<EFBFBD>c<EFBFBD>z<EFBFBD>n7Ya=~"<22>J'<27><><EFBFBD>H<18><>RZ<><0F>,<2C><><EFBFBD><EFBFBD>{<EFBFBD><EFBFBD><0F>F<EFBFBD>1[<5B>KI^<5E><><EFBFBD><EFBFBD><19>|<14><>%Yh`<60>Gx<><78>$<24>5<EFBFBD>RC<52>z0<>t<EFBFBD>0<>u<EFBFBD><75><EFBFBD>Ɠ5^<5E><11><>
 <EFBFBD>r<18>ߙ	<09><>޲V=<11><><0B>[<5B>-s9<73>SG<53>ߚ<07>ǝ<><EFBFBD><7F><EFBFBD><EFBFBD><EFBFBD>s<EFBFBD>'<27>pu<70>!<21>"<22><>ה<EFBFBD>Y{<7B><><~<7E><><EFBFBD><EFBFBD>Qu#e<06><><EFBFBD><EFBFBD>J<EFBFBD><4A><EFBFBD><0B><>g<EFBFBD>%<25>N
--- a/secrets/estuary/pdns/auth.conf.age
+++ b/secrets/estuary/pdns/auth.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 n8CpUw vrmqoaNTgD3vR/JjMEzDtFtuJdOgOG1cAF/K4wVxpAA
+-> ssh-ed25519 n8CpUw DOBT0UVIyRCCL6hLk/F1El4MbtNYskMz+IMjD4UuOns
-ICuTWokXdt8vKHwFO/HsAOSR4mdjP1XtG2dRpwReQe4
+NT0PRGlEpQ3YcxHEUdw/90QhD8xGar6id17maVwUdb0
-> X25519 O3v69z65PU313Q9V9OFwpIVfgffCn3AEbIRZemogMVo
+-> X25519 c/SwQBGz826ezLHbZfOPNr0uhqFK6RTvxEA8HDb7+xY
-3UqbO6tA+e0kWGxgR1NyomaA9asEkUbDUvTCdHcvJ1c
+rZa2TqG0icjqMLFE79ouCFqsInQHe7a4FsaY8sPiDl8
-> N-grease Y3 a[
+-> 0A*gt-grease F:X-O^
-PBZW+W7X/tuOu1IF8spvn59M1kNAGUP7+DTbLUjlqndzGMaBJ84CJw+CAPC+Md1I
+
-1iqulKt6UAAFkpY
+--- 6nJnd0CERDygNJnpVCIrKQhpmUQJisAV/HgX1RYyf9Q
--- DQ8K63M3As26s09GVGc/nEUm/qstY0AN5yiCQ1PXKaM
+<EFBFBD><EFBFBD><EFBFBD><<3C>*<12><>IR<49><52>
 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><1C><18><><EFBFBD><EFBFBD>pf<70><66><EFBFBD><EFBFBD><EFBFBD>5.<2E>-y<><79>i<EFBFBD><69><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>a<EFBFBD>1<EFBFBD>ʕ<1D>J<EFBFBD>O<EFBFBD><4F>"<22>K<19><>Bȋ-<2D>EJ	_\_<>y<EFBFBD>={]YQ"<22><><EFBFBD>
--- a/secrets/estuary/pdns/recursor.conf.age
+++ b/secrets/estuary/pdns/recursor.conf.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 n8CpUw p36/Gp3jTdXE3AGFhHm9J2p0KuPRKq372go8Rplee34
+-> ssh-ed25519 n8CpUw WXvPv4yho+cwBrLItO/C+ilUzV2OW9ok+JOZJFPXnCs
-VV7OAGrst1gVp4oiFBMHRQzRrPYKQVOiTKJY/uxGPSQ
+hJWK6VyAs3BWeLelIfYSmncY9DNqfyxFg8zn3iFsnNY
-> X25519 zVxW9hWqbNkZwkxbmr+84vx/ePe6SMob8Nn3lQ5NXFY
+-> X25519 oJvXbZqzokFmN+5WpH/G0KMQvY2UFkZ7SEQEXzpNeAY
-YwbLgoNYDYmtHfeFyBR7YwpqHrYN2AV2w7zACz4px0U
+F7GBoHwPKSfioaR4YLsH7WTBeopUVXH8FYAzIy1C8Sg
-> R;D)YDog-grease l 5Im2tR&`
+-> Vvm6>F-grease y =5;b4O4 (%y Pp&
-/dg2cnvcyLH/LvhFQTukBOgqLv+nYrzyDJimzS9SqY2scN7q0V9lDrx/KYKVeeWi
+ULDWg4Kh5gcCpSSsi9vXqXSYkPEtyrvfoTxSaY59gA
-jUnKsIt9bq2gXAXKnT2GqnHWBbixMUrqLxax/nSTVOT4g0fjrBkWPg
+--- 95OJTatGi3+dxqaTpHfqZc4987YDyi3TNGTNEwjQe+Y
--- bkRusUuDjD0EzR2YvikUhjbFQ86HeGUluxSuf/kfbH0
+<07>*S<13><><13><>C/<2F>O<EFBFBD>!<21>S^:B*K[F<><46>A<><0C>q;<3B>昸<EFBFBD>WT<57>&s7<73>X<EFBFBD><58>M<EFBFBD><4D>τ<0C>Ԉ<EFBFBD>p;<3B><>|<7C>0SJ<>
 v<EFBFBD>!<21><><16>SL<><4C><15><><03>[<5B>^}<7D>ya+<2B>ɓ<EFBFBD>a<>I'<27><>(<28><06>+<2B>zu<7A>e<EFBFBD>#<23><>e<08>q`<60>:<0B>n<EFBFBD><0B><><EFBFBD>
--- a/secrets/jackflix-wg-privkey.txt.age
+++ b/secrets/jackflix-wg-privkey.txt.age
@@ -1,10 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 vf+WVg KhusLFATFrmnujHs1WV+VR+MPktHASs+Wj82s35pfig
+-> ssh-ed25519 vf+WVg 46AUsv9pdxNRa3OqRbBhNCZ4mtmeoQ2/DPBTSiEiZTQ
-IXeX1fHQ/0CbC2D22aQLY9TnaPnW0u6iMPr0aimAxvs
+Ib4PHWRKr1x9hcxjY+DQMpahA3dpTyFzYRZ9JFzcLNc
-> X25519 4hQH9z/z4JF7chKf7P3L+eorQHojuEf51YukjyKaf2Q
+-> X25519 lm03ugY8fnUPThuqOA1zkDjLgF7swWURECXYD+lXZlY
-Ce623tTN1jGwbKnHPbnDpJMGG3KdZCd3kM1fBzC+mqI
+dW9tb6Bv+7ofIhZHV0E5Hq4jhtHMDC0wgQ+trMaPLUE
-> :(-grease mxbrVm>
+-> @-grease {3]QG.2I OR(T <FkdN$|=
-rZKeB2I+ThUqHOB43Icv91gDI6J+1yYknWHul0/Uv0LDSgSKBpIhYv4Gkd/mOnPS
+3ktwWgIO8kgJ1GPY
-Ow
+--- aOCS82AO1gSIkgDRP4ISFP9Q/XVzyjzl9ShgpxPoWLk
--- bEHjGQBQ60BLD9cnDjg+oR0W3HOwLgADCqX3yqrwjHk
+%<25><>0<EFBFBD><30>_K<5F>A<EFBFBD><41><EFBFBD>p<EFBFBD><70><EFBFBD>9l<14>i<03><><EFBFBD>ޱ<03>D=3<>ڝ<EFBFBD>Ƽ<EFBFBD>?/<2F><>%<25><>]5Y<35><12>r<EFBFBD>}<7D>S<EFBFBD>a<EFBFBD><61><EFBFBD><EFBFBD>|<7C>1J<31><4A><EFBFBD>F<EFBFBD><46>
 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>y<EFBFBD>M<EFBFBD><EFBFBD>㤁<EFBFBD>X<EFBFBD>Ϛ<EFBFBD>&u(<28><><EFBFBD>Hq<48>f<EFBFBD>dzR<7A>x(G<>t<EFBFBD>{<1D><08><>r<EFBFBD> <20>v?<3F><>3<>ɷ<EFBFBD><C9B7><EFBFBD><EFBFBD>Ղ<>
--- a/secrets/middleman/cloudflare-credentials.conf.age
+++ b/secrets/middleman/cloudflare-credentials.conf.age
--- a/secrets/middleman/nginx-sso.yaml.age
+++ b/secrets/middleman/nginx-sso.yaml.age
--- a/secrets/pdns-file-records.key.age
+++ b/secrets/pdns-file-records.key.age
--- a/secrets/synapse.yaml.age
+++ b/secrets/synapse.yaml.age
--- a/secrets/user-passwd.txt.age
+++ b/secrets/user-passwd.txt.age
--- a/secrets/vaultwarden.env.age
+++ b/secrets/vaultwarden.env.age