diff --git a/flake.nix b/flake.nix
index a740401..197bcf7 100755
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
 ./modules/matrix.nix
 ./modules/mautrix-telegram.nix
 ./modules/sogo.nix
+ ./modules/vaultwarden.nix
 ./modules/course-management.nix
 {
 fsr.enable_office_bloat = false;
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
new file mode 100644
index 0000000..4ea4116
--- /dev/null
+++ b/modules/vaultwarden.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ domain = "vault.${config.fsr.domain}";
+in
+{
+ sops.secrets."vaultwarden_env".owner = "vaultwarden";
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = config.sops.secrets."vaultwarden_env".path;
+ config = {
+ domain = "https://${domain}";
+ signupsAllowed = false;
+ # somehow this works
+ databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
+ rocketPort = 8000;
+ smtpHost = "127.0.0.1";
+ smtpPort = 25;
+ smtpSSL = false;
+ smtpFrom = "noreply@${config.fsr.domain}";
+ smtpFromName = "iFSR Vaultwarden";
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [
+ {
+ name = "vaultwarden";
+ ensurePermissions = {
+ "DATABASE vaultwarden" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ ensureDatabases = [ "vaultwarden" ];
+ };
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+ };
+ };
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 91111d1..02adff1 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
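Review bot: The nginx location at the end of modules/vaultwarden.nix sets only proxyPass, so unless `recommendedProxySettings` is enabled globally elsewhere in this repo vaultwarden sees every request as coming from 127.0.0.1 and its per-IP login/admin rate limiting and logs lose the real client address; adding `recommendedProxySettings = true;` next to proxyPass forwards `X-Real-IP`, the header vaultwarden reads by default. The bind address is not set either, so whether port 8000 is reachable only on loopback depends on Rocket's default; `rocketAddress = "127.0.0.1";` beside rocketPort makes that explicit. The comment `# somehow this works` above databaseUrl should say why it works: `# host part is the percent-encoded socket dir /run/postgresql, so the vaultwarden unix user connects over the local socket (presumably peer auth) and no password is needed`. If the environment file carries ADMIN_TOKEN, it is worth confirming it is stored as an argon2 PHC hash rather than plaintext, since the file's contents are not visible in this diff.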
@@ -14,9 +14,10 @@ rspamd-password: ENC[AES256_GCM,data:bOW6eAwr18Guq+BQt68It6O6i3aAthDv1ANZ02Q8zAZ
 mediawiki:
 postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
 initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
- ldapprovider: ENC[AES256_GCM,data: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,iv:ycKt8/awCo3HoO6Oa8H77GH9+m+xgR4kiXb7Cbf0wSY=,tag:b6pBoZs+E4CP+V9oZXrcoQ==,type:str]
+ ldapprovider: ENC[AES256_GCM,data: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,iv:n2XOs6F7kuMmjPCc14s2MQl37vjVTtmAVkYQp7kqjgc=,tag:vBOfDoOjnoBzzSdwC7yDDA==,type:str]
 postfix_ldap_aliases: ENC[AES256_GCM,data:kpffdciWI08Of2fm2B1lZ4rOYIhWtoBTnpU1N0iwiStA81Yl/NMDgHDCVv79XY6SuFTCBd6npKNz/0ibBy1WDSrDQymV5MIUmWVPwLcBSNMjD0d69PJYdUDVLmyhNkjB2hEL9JaH1PiO4iBM5y9yZx1LT+zlauAZEJPFgO/MvjkMknHZPKnRpBtT8wKTWTYUtBvzQtlACLKdIF0t37Q2DZAMtWrAgsrH811zUbsxJbYDInvNDPDHZHS+ZfF0Q1vXDLWUm+zZij6KRAJdOuEU9dyzhU/t93+LO9zKADwyF1Xk+2Uh,iv:cEui6fcDDINpUUcLZxGwPBMP1PjQVNMdScgaWdnIJ80=,tag:/7/mZckPJ7YLuJMp/BqbOQ==,type:str]
 mautrix-telegram_env: ENC[AES256_GCM,data:2p5vYV+/vEDrrZItTcT1vxddv2tM7dLGBUmG+OXHccTzJ2UhyYpDGgUMr5KgObxvyssYBZTsvbV7QFN3sjcU/jVPx1qEUn6zyKO0HBQjrviVU3urx5zNOnCEHwDKyDrZ1Hu/CE6lpGNrtGlpewgOs/+84JZIZhC9qSuzDhN38sr4OGfMr29fMzafYC+TGHoZyA64GI9xz0KvXhwg6ci1hLtVWYEOFW2Nf8uLY8qkNLuDzA6bYx8rn3CEXoxiv0n4,iv:jmcWTyVkqu9nDc1ws2NxkMKrHPZ13i3jqDkk4Y0kejw=,tag:BjhmPc4lSbsZBmZ/q2CqGg==,type:str]
+vaultwarden_env: ENC[AES256_GCM,data:X8wdQSieXfgNUqtoFRgz43jsWyrUQ1wxsM9L5iHoE8YFR5O6SzfAcjMsr4I0r2t5by/C4YorVsN5GQKyyVWS4SwelTT3UmFX89/pAUnAsUqeBZENOPEWiLNJnC3R3Xic6B1tu0OsX1X9RxR/X9EQJf/MIEdiNfhXKBxy7gZ0tDsDyze5/ZGVJX8=,iv:foByTYQw1KnB1MmwSQqmwza9PJJmdYdZbIHKrZ9vog4=,tag:8VTcOSefWmyd8ozGXHbklw==,type:str]
 course-management:
 secret-key: 
ENC[AES256_GCM,data:3WwhgZ+ElLOdEgdy/EoOL1vqkcXfnOnUZMKUsD9rd7I=,iv:eMo7HeOkSPGpCbLMi/6XoD4MXd27OageRsz70lyXNf0=,tag:u3H9BSv+7lasnBl29l8o3Q==,type:str]
 adminpass: ENC[AES256_GCM,data:WUDsz3S88y590oStJinwukT8hJ+0dJ9/To1pDUWEN6o=,iv:5VSZohH2l/RNTNaWqMd9Y0JlSs7Cg1TRbeTR+OKhedA=,tag:LagNEUEKhNXIRKNwjmizbQ==,type:str]
@@ -35,8 +36,8 @@ sops:
 NEJBTHE2end1RDlHRTNFYlZjTjhib2cKmQRHpBKZ2DbQ5CfOwcSPfZAm9fnnpxUk
 +LcR8haK//O3N2uNf9etDW3VsT5ipPucCdFU1m/v9L5tcN6ZP8WP+w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-11T22:22:39Z"
- mac: ENC[AES256_GCM,data:5H6TIgrD0hTICCzo+nOlwbF1wjtFNiLYcW3QBkzQpFPgz3VwHV436kHnu6ns3IJIzpMdxEHDFxN6xKaYBtwiAdHwZLrP05H3443/jr6+z0EseQ0IG2Jq6bbhro1z1W+/165xKV6AYMxulQ1d4CyMD1/u1hqoVtd5KXUNJdJwSDw=,iv:OlFokFfHGMBy2aTB73kPf2TohuOkCT6mdBelvLaEOCQ=,tag:JUyj7wjBY3HUw9Nug/Iqgg==,type:str]
+ lastmodified: "2023-07-12T13:54:25Z"
+ mac: ENC[AES256_GCM,data:RM7WaIdA96ou62K5/oCqa74+F6PmYqRfOgNwdH5oDULwCj8ZLkn9VUVKuLWLbxbg5BqDJLDqquzelHJfftekSfwIqbpKSFrXpUKmic108OxE311t52Wu4wE4ieFii5c32A+E5Iu8/EbW95xQBZwKG24aZEJz9GvIdRShzF478h0=,iv:zHx2CL5Malq5cWPEqy2PZA9pkOWPBpRPAVnldlAzN60=,tag:RQo0BD/0vHnS2tH+ODIUZw==,type:str]
 pgp:
 - created_at: "2023-04-23T17:48:54Z"
 enc: |
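Review bot: Besides adding `vaultwarden_env`, the first secrets hunk also rewrites the ciphertext of `ldapprovider` (new iv and tag), and since sops normally re-encrypts only values that were modified, that secret was apparently changed as well, which nothing in this diff explains. That change should be named in the commit message or split into its own commit so the rotation stays auditable. The only check possible on the new value itself is that the key name matches `sops.secrets."vaultwarden_env"` in modules/vaultwarden.nix, which it does.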