mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 04:58:01 +00:00
!fixup hosts/plover: reenable vaultwarden
This commit is contained in:
parent
e7be95a0c1
commit
4ff6f1fda9
@ -10,22 +10,22 @@ let
|
|||||||
|
|
||||||
# This should be set from service module from nixpkgs.
|
# This should be set from service module from nixpkgs.
|
||||||
vaultwardenUser = config.users.users.vaultwarden.name;
|
vaultwardenUser = config.users.users.vaultwarden.name;
|
||||||
|
in {
|
||||||
# However, this is set on our own.
|
|
||||||
vaultwardenDbName = "vaultwarden";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
options.hosts.plover.services.vaultwarden.enable =
|
options.hosts.plover.services.vaultwarden.enable =
|
||||||
lib.mkEnableOption "Vaultwarden instance";
|
lib.mkEnableOption "Vaultwarden instance";
|
||||||
|
|
||||||
config = lib.mkIf cfg.enable (lib.mkMerge [
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
||||||
{
|
{
|
||||||
state.ports.vaultwarden.value = 8222;
|
state.ports = {
|
||||||
|
vaultwarden.value = 8222;
|
||||||
sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
|
vaultwarden-webproxy.value = 3012;
|
||||||
"vaultwarden/env".owner = vaultwardenUser;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sops.secrets =
|
||||||
|
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
|
||||||
|
"vaultwarden/env".owner = vaultwardenUser;
|
||||||
|
};
|
||||||
|
|
||||||
services.vaultwarden = {
|
services.vaultwarden = {
|
||||||
enable = true;
|
enable = true;
|
||||||
environmentFile = config.sops.secrets."vaultwarden/env".path;
|
environmentFile = config.sops.secrets."vaultwarden/env".path;
|
||||||
@ -52,7 +52,7 @@ in
|
|||||||
|
|
||||||
# Notifications...
|
# Notifications...
|
||||||
WEBSOCKET_ENABLED = true;
|
WEBSOCKET_ENABLED = true;
|
||||||
WEBSOCKET_PORT = 3012;
|
WEBSOCKET_PORT = config.state.ports.vaultwarden-webproxy.value;
|
||||||
WEBSOCKET_ADDRESS = "0.0.0.0";
|
WEBSOCKET_ADDRESS = "0.0.0.0";
|
||||||
|
|
||||||
# Enabling web vault with whatever nixpkgs comes in.
|
# Enabling web vault with whatever nixpkgs comes in.
|
||||||
@ -60,78 +60,29 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# We do a little service hardening. Even though the Vaultwarden NixOS
|
systemd.services.vaultwarden.path = [ pkgs.system-sendmail ];
|
||||||
# module is already doing some of those things, we'll just add some of
|
|
||||||
# them.
|
|
||||||
systemd.services.vaultwarden = {
|
|
||||||
serviceConfig = lib.mkAfter {
|
|
||||||
LockPersonality = true;
|
|
||||||
NoNewPrivileges = true;
|
|
||||||
RestrictSUIDSGID = true;
|
|
||||||
RestrictRealtime = true;
|
|
||||||
ProtectClock = true;
|
|
||||||
ProtectKernelLogs = true;
|
|
||||||
ProtectKernelTunables = true;
|
|
||||||
ProtectKernelModules = true;
|
|
||||||
ProtectHostname = true;
|
|
||||||
ProtectControlGroups = true;
|
|
||||||
ProtectProc = "invisible";
|
|
||||||
|
|
||||||
# Filtering system calls.
|
|
||||||
SystemCallFilter = [
|
|
||||||
"@system-service"
|
|
||||||
"~@privileged"
|
|
||||||
];
|
|
||||||
SystemCallErrorNumber = "EPERM";
|
|
||||||
SystemCallArchitectures = "native";
|
|
||||||
|
|
||||||
# Restricting what capabilities it has access to which it
|
|
||||||
# has none.
|
|
||||||
CapabilityBoundingSet = [ "" ];
|
|
||||||
AmbientCapabilities = lib.mkForce [ "" ];
|
|
||||||
|
|
||||||
# Restrict what address families this service can interact
|
|
||||||
# with. Since it is a web service, we expect it will only
|
|
||||||
# interact with web service stuff like IPs.
|
|
||||||
RestrictAddressFamilies = [
|
|
||||||
# It's required especially it can communicate with the local system.
|
|
||||||
"AF_LOCAL"
|
|
||||||
|
|
||||||
# The IPs.
|
|
||||||
"AF_INET"
|
|
||||||
"AF_INET6"
|
|
||||||
];
|
|
||||||
|
|
||||||
# Restrict what namespaces it can create which is none.
|
|
||||||
RestrictNamespaces = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
||||||
(lib.mkIf hostCfg.services.database.enable {
|
(lib.mkIf hostCfg.services.database.enable {
|
||||||
services.vaultwarden = {
|
services.vaultwarden = {
|
||||||
dbBackend = "postgresql";
|
dbBackend = "postgresql";
|
||||||
config.DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}";
|
config.DATABASE_URL = "postgresql://";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
ensureDatabases = [ vaultwardenDbName ];
|
ensureDatabases = [ vaultwardenUser ];
|
||||||
ensureUsers = lib.singleton {
|
ensureUsers = lib.singleton {
|
||||||
name = vaultwardenUser;
|
name = vaultwardenUser;
|
||||||
ensureDBOwnership = true;
|
ensureDBOwnership = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.vaultwarden = {
|
systemd.services.vaultwarden.preStart = let
|
||||||
path = [ config.services.postgresql.package ];
|
psql = lib.getExe' config.services.postgresql.package "psql";
|
||||||
|
schema = config.users.users.vaultwarden.name;
|
||||||
# Making it comply with PostgreSQL secure schema usage pattern.
|
in lib.mkBefore ''
|
||||||
preStart = lib.mkAfter ''
|
${psql} -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${schema};"
|
||||||
# Setting up the appropriate schema for PostgreSQL secure schema usage.
|
'';
|
||||||
psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${vaultwardenUser}';" \
|
|
||||||
| grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${vaultwardenUser};"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
})
|
})
|
||||||
|
|
||||||
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
||||||
@ -140,27 +91,25 @@ in
|
|||||||
enableACME = true;
|
enableACME = true;
|
||||||
acmeRoot = null;
|
acmeRoot = null;
|
||||||
kTLS = true;
|
kTLS = true;
|
||||||
locations =
|
locations = let
|
||||||
let
|
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
||||||
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
websocketPort = config.services.vaultwarden.config.WEBSOCKET_PORT;
|
||||||
websocketPort = config.services.vaultwarden.config.WEBSOCKET_PORT;
|
in {
|
||||||
in
|
"/" = {
|
||||||
{
|
proxyPass = "http://vaultwarden";
|
||||||
"/" = {
|
proxyWebsockets = true;
|
||||||
proxyPass = "http://vaultwarden";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
"/notifications/hub" = {
|
|
||||||
proxyPass = "http://${address}:${toString websocketPort}";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
"/notifications/hub/negotiate" = {
|
|
||||||
proxyPass = "http://vaultwarden";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"/notifications/hub" = {
|
||||||
|
proxyPass = "http://${address}:${toString websocketPort}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
"/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://vaultwarden";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName};
|
proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName};
|
||||||
'';
|
'';
|
||||||
@ -171,20 +120,17 @@ in
|
|||||||
zone services;
|
zone services;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
'';
|
'';
|
||||||
servers =
|
servers = let
|
||||||
let
|
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
||||||
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
port = config.services.vaultwarden.config.ROCKET_PORT;
|
||||||
port = config.services.vaultwarden.config.ROCKET_PORT;
|
in { "${address}:${builtins.toString port}" = { }; };
|
||||||
in
|
|
||||||
{
|
|
||||||
"${address}:${builtins.toString port}" = { };
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
|
|
||||||
(lib.mkIf hostCfg.services.backup.enable {
|
(lib.mkIf hostCfg.services.backup.enable {
|
||||||
# Add the data directory to be backed up.
|
# Add the data directory to be backed up.
|
||||||
services.borgbackup.jobs.services-backup.paths = [ "/var/lib/bitwarden_rs" ];
|
services.borgbackup.jobs.services-backup.paths =
|
||||||
|
[ "/var/lib/bitwarden_rs" ];
|
||||||
})
|
})
|
||||||
|
|
||||||
(lib.mkIf hostCfg.services.fail2ban.enable {
|
(lib.mkIf hostCfg.services.fail2ban.enable {
|
||||||
@ -194,14 +140,16 @@ in
|
|||||||
vaultwarden-user.settings = {
|
vaultwarden-user.settings = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
backend = "systemd";
|
backend = "systemd";
|
||||||
filter = "vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
filter =
|
||||||
|
"vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
||||||
maxretry = 5;
|
maxretry = 5;
|
||||||
};
|
};
|
||||||
|
|
||||||
vaultwarden-admin.settings = {
|
vaultwarden-admin.settings = {
|
||||||
enabled = true;
|
enabled = true;
|
||||||
backend = "systemd";
|
backend = "systemd";
|
||||||
filter = "vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
filter =
|
||||||
|
"vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
||||||
maxretry = 3;
|
maxretry = 3;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -215,7 +163,7 @@ in
|
|||||||
# for configuring fail2ban with the application (i.e.,
|
# for configuring fail2ban with the application (i.e.,
|
||||||
# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
|
# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
|
||||||
[Definition]
|
[Definition]
|
||||||
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
|
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username: <F-USER>.*</F-USER>\.$
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user