commit 6dbd84078872b994f2f296644f6ff19bb6961d08
parent 72e8e215b99aae7682a74fd7ac0cf1a07fc09bb2
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 24 Apr 2025 23:48:07 +0200
parent 72e8e215b99aae7682a74fd7ac0cf1a07fc09bb2
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 24 Apr 2025 23:48:07 +0200
configurations/nixos/websites: move vaultwarden from `vault.ctu.cx` to `vault.katja.dev` (and to node `rabbit`)
8 files changed, 96 insertions(+), 94 deletions(-)
D
|
65
-----------------------------------------------------------------
A
|
65
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/configurations/nixos/websites/vault.ctu.cx.nix b/configurations/nixos/websites/vault.ctu.cx.nix
@@ -1,64 +0,0 @@
-{ secrets, pkgs, config, ... }:
-
-{
-
- dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
-
- age.secrets = {
- resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;
- vaultwardenSecrets = {
- file = secrets."${config.networking.hostName}".vaultwardenSecrets;
- owner = "vaultwarden";
- group = "vaultwarden";
- };
- };
-
- restic-backups.vaultwarden = {
- user = "vaultwarden";
- passwordFile = config.age.secrets.resticVaultwarden.path;
- paths = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"];
- };
-
- systemd.services.vaultwarden.onFailure = [ "ntfysh-notify-failure@%i.service" ];
-
- services = {
- vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- backupDir = "/var/backups/vaultwarden";
- environmentFile = config.age.secrets.vaultwardenSecrets.path;
- config = {
- DOMAIN = "https://vault.ctu.cx";
- SIGNUPS_ALLOWED = false;
-
- PUSH_ENABLED = true;
-
- SMTP_HOST = "hector.ctu.cx";
- SMTP_FROM = "vaultwarden@ctu.cx";
- SMTP_USERNAME = "vaultwarden@ctu.cx";
- SMTP_PORT = 587;
- SMTP_SECURITY = "starttls";
-
- ROCKET_ADDRESS = "::1";
- ROCKET_PORT = 8582;
- };
- };
-
- nginx = {
- enable = true;
- virtualHosts."vault.ctu.cx" = {
- useACMEHost = "${config.networking.fqdn}";
- forceSSL = true;
- kTLS = true;
- locations = {
- "/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
- "/notifications/hub" = {
- proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
- proxyWebsockets = true;
- };
- };
- };
- };
- };
-
-}- \ No newline at end of file
diff --git a/configurations/nixos/websites/vault.katja.wtf.nix b/configurations/nixos/websites/vault.katja.wtf.nix
@@ -0,0 +1,64 @@
+{ secrets, pkgs, config, ... }:
+
+{
+
+ dns.zones."katja.wtf".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets = {
+ resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;
+ vaultwardenSecrets = {
+ file = secrets."${config.networking.hostName}".vaultwardenSecrets;
+ owner = "vaultwarden";
+ group = "vaultwarden";
+ };
+ };
+
+ restic-backups.vaultwarden = {
+ user = "vaultwarden";
+ passwordFile = config.age.secrets.resticVaultwarden.path;
+ paths = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"];
+ };
+
+ systemd.services.vaultwarden.onFailure = [ "ntfysh-notify-failure@%i.service" ];
+
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ backupDir = "/var/backups/vaultwarden";
+ environmentFile = config.age.secrets.vaultwardenSecrets.path;
+ config = {
+ DOMAIN = "https://vault.katja.wtf";
+ SIGNUPS_ALLOWED = false;
+
+ PUSH_ENABLED = true;
+
+ SMTP_HOST = "hector.ctu.cx";
+ SMTP_FROM = "vaultwarden@ctu.cx";
+ SMTP_USERNAME = "vaultwarden@ctu.cx";
+ SMTP_PORT = 587;
+ SMTP_SECURITY = "starttls";
+
+ ROCKET_ADDRESS = "::1";
+ ROCKET_PORT = 8582;
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."vault.katja.wtf" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+ locations = {
+ "/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ "/notifications/hub" = {
+ proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+
+}+ \ No newline at end of file
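Review bot: The `DOMAIN = "https://vault.katja.wtf";` line changes the origin vaultwarden advertises, and WebAuthn/passkey second factors are bound to the origin they were registered under, so accounts that enrolled one under vault.ctu.cx will likely need a fallback 2FA method or a re-enrolment after the move; a comment above the line such as `# origin change: WebAuthn credentials registered under vault.ctu.cx must be re-enrolled` would record that. The commit title names `vault.katja.dev`, while the DNS zone, `DOMAIN` and the nginx `virtualHosts` entry in this file all use `vault.katja.wtf`, so it is worth confirming which name is intended. The `"/".proxyPass` location forwards every path to the backend, so if the environment file (not visible in this diff) sets `ADMIN_TOKEN`, the `/admin` panel is reachable from the public vhost and may deserve its own restricted location.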
diff --git a/nodes/hector/default.nix b/nodes/hector/default.nix @@ -31,8 +31,6 @@ # cal-/card-dav server (radicale) ctucxConfig.websites."dav.ctu.cx" - # vaultwarden password-store - ctucxConfig.websites."vault.ctu.cx" # git server (gitolite+stagit) ctucxConfig.websites."git.ctu.cx"
diff --git a/nodes/rabbit/default.nix b/nodes/rabbit/default.nix @@ -33,6 +33,9 @@ ctucxConfig.websites."oeffi.katja.wtf" ctucxConfig.websites."things.katja.wtf" + # password-store (vaultwarden) + ctucxConfig.websites."vault.katja.wtf" + # fediverse server (gotosocial) ctucxConfig.websites."fedi.ctu.cx"
diff --git a/secrets/hector/restic/vaultwarden.age b/secrets/hector/restic/vaultwarden.age @@ -1,11 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ1VkQjB4SlBUV0ZKZXZI -czdVSVJ1VVJVTG1NSHE4QzFxUmJYTEt1R1RRCm1uOWE4RVlLcG5WM1pQMmtmcjhr -RStWblVHR0dqeFN6UDNBMGh0ZVVxSjAKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIEhu -OUNEYmxNOHZaL2M4ajVDQXRUcnArOHphUDZNbFJIWk5XLzNpK3VkMm8KajA1bFFD -bU80VkFEMzc1MldCMkpwR3g5S1A4bEc4UU9HTlRmYjNqeGJHRQotPiBtRjpdLWdy -ZWFzZSB2cWt8KGRBIF0gdCAqOk8yXCUsZQpydTNFZHVnc1VHVG5UZTdLdktHR2JV -QQotLS0gazFkK2RJZHJuSnNUQUpZdklOcVgxd3RjN1JjN21qelpBczhEVmY1cjkz -UQqEXY4d6+Z6F2cREq4ewm2PosSIAUNNW93h7YF3OPdDLJ2luTwgX09ZWrRW718a -mjg= ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/hector/vaultwardenSecrets.age b/secrets/hector/vaultwardenSecrets.age @@ -1,16 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWlMrNzFFcjF1YURMNGxY -Q3ZmNDZqcUpsbUd6dnc2WHBGdkJJOVIvK25nCmoxaSsvN0RwbGtZMHhOY3lyZDZ6 -aVMvaGNFZkhlV2Q0Z285THFBZG5Va1EKLT4gc3NoLWVkMjU1MTkgeWFMSFNRIFJQ -Q2t0eXR2ZHdRSjFoMXpDeStVK0sybDdVamhJWHMvTHFjUjVncVMweUUKOWhUZDJo -N20wTTNxYmJoNmg2QUk5ZVZiVXRRUFdIdXVKY1d6clVSajEzYwotPiBZJWlUL3ln -LWdyZWFzZQpQZEJ2TmdGN09VUHo3SjkyTUpHVVVTK0FhWFdlVWxEazdDRDN5bkVv -dWpEVVpiREQ1TVN3cG9Oa0l4K1pzL2tyCk9IYwotLS0gdjBjM1lsTUxGWXFtck1o -RVRSSlFhWFRjOUlmOG5nanVlYkJlTzRjVktwdwriVc16cfrAyR+SXCRf+62O2/yH -wtOqTQDxs3sOOyTcl8Rj8MPtz1bjoY+xnU/VQx/Anfmuyn7f6DYUDOg7p6bcQ0s/ -EuhvDH2AdcgZZyV8ODxwGFqAJM9KFnC7lFDd8MDutBuu18ku7UKtGA9qpFkArkkV -rA/lncbS+wWgkLtZqSuJoqV8/5LfqM58vJz9jfJtAH0zlyyH7+WG+eJv3gApDbng -89ooWFHueQcB5B1p0N+TUluymvGBfNATwjSX4Q0CJZKaED2SGUctGMJVnnaSPdTG -q2mqOzFMeoWe221ltilqPGYej37519N8KTkreOT+Dex0VpRpel0INv8NFMzfLnIg -KnUkBQVbPjrOEwrBlUTE5ySWtctIoPbaauciNvluMQkwFNEkG3vT9zMUwda7/vvN ------END AGE ENCRYPTED FILE-----
diff --git a/secrets/rabbit/restic/vaultwarden.age b/secrets/rabbit/restic/vaultwarden.age @@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeFNKRUlHL3BnWG9MN1dV +Rk1vazRaRm9jQnUwTnJxaXZlOHdjbnAxUVZZCjJPVWlNd3NJdTd4MGlycUhuS0NG +Q0ozdWFvQlJudzFHK0pyS25JQXRsK1UKLT4gc3NoLWVkMjU1MTkgaGtMdUVnIHUy +Q2lXelNXbXRwYTZWaUFTMmJ2aG9ZVy9KM3dMZnBzSk9VY3lYd2VXUjAKbmV3blJV +bXRCQlEwK05lcU16YVhWWnJ5c2ZxSml4V2o3dzVxQ3NqbFh0MAotPiB7RTctZ3Jl +YXNlIHRtICQgUF8KY2tzeGpTZUc2V0kxb0RQNVZaNmc1bEttaVVST1FVRFlvWW56 +N3lRRFdVL2I1cXMKLS0tIDFhMmFKemFEZUI2bFlDTGNQTXpBSDk4VUd6b2FUeWVa +b1NoMEFJZ0w5dncKuS9kxwiJ8hUqc4NBtBljSEEwKamwP59awngNDbJfb0lTD34B +f75G+YI7/vFTdxCq +-----END AGE ENCRYPTED FILE-----
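Review bot: Re-encrypting the restic password for rabbit does not retire the value itself, because the ciphertext deleted from secrets/hector/ stays in git history and remains decryptable by whichever keys it was encrypted to. The diff cannot show whether the plaintext changed, so if hector should no longer be able to read the vaultwarden backups, the restic repository password needs rotating as part of the move. The same applies to the tokens inside secrets/rabbit/vaultwardenSecrets.age in the next hunk.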
diff --git a/secrets/rabbit/vaultwardenSecrets.age b/secrets/rabbit/vaultwardenSecrets.age @@ -0,0 +1,17 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajUvRVdpbUxqM0RURnVj +blhpbGNRTWE3MUF0dlJTb2ZqRU1ZWFFid2ljCm0rUlN6c3Evd1htQWQwSFVDaTJY +NWNTZWZHOGRSeWJsaTcyS0IremdLTWMKLT4gc3NoLWVkMjU1MTkgaGtMdUVnIHdz +WnpubldvQXpBekhUcHRoRGhqcFZBek1CZEFLcmh5WDZua3RVTUxLaGcKVTlxa2Rx +bzhnYWllRW5FZEVqOXVkRkY0RWxZVitTWHM0ODRQaGI5bHpVcwotPiAsdystZ3Jl +YXNlICFbWmZ1PEg6IDUnXSBcOz9bQFgKVlRiRGNhcXRzV3owd1V3TjlwN2xsQVRC +bE05amllRlQxYTVBTDUvU2p2b05DdGF0eDFkZVhVRTRXeHRTUzVJNQpOWERUCi0t +LSBwZ01pb1VOOWljcFBxeUhCQXQ1MWIzenJyY0l0czRTSk91enF1WlBZbDlRCqUl +MXDb0ISSe6seMsADmz2n10D/MdJGlrBKreG/tcn7ZLoQYRgXJD73Dwkh1jTBE5yC +kWwolK1u0iSkLHkXtnsM4bqLlNEDc2LBXn6L2pYlKp5xj8650o9xfNZHqpv4MEUd +8/Lu33+2MZ3KGx6wsF+DExy+FpmNP1yFYK1pzy1hwipNUhw75WlQ0UpMam/QV+HA +8K+WQBqGPcD4TTmIQ50c9djDoCDMBf5wVFj7RB1LOB+Hkpc93ortoxn0XUkupA6u +tLB82bWSKcLo7h76N6xiv13hbQM6+uHEXsUX1KsMXkT7uDhpAsjX9i9Se1FacWwh +ftRQE6CS0CU+ye+bwRzwpjSIXGvxlbOsLy4aU/YjEjVvCGHc470bH064yKQiHmlE +XOK97vBWDaKSXa0uEmJVwX4= +-----END AGE ENCRYPTED FILE-----