Add Vaultwarden deployment for premigration
This commit is contained in:
parent
f1a1ab420c
commit
9968b44962
|
@ -0,0 +1,14 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
sops.defaultSopsFile = ./secrets/services.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
|
# Vaultwarden
|
||||||
|
sops.secrets."services/vaultwarden/.env" = {
|
||||||
|
mode = "0400";
|
||||||
|
owner = config.users.users.vaultwarden.name;
|
||||||
|
group = config.users.users.vaultwarden.group;
|
||||||
|
sopsFile = ./secrets/vaultwarden.env;
|
||||||
|
format = "dotenv";
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,9 @@
|
||||||
|
ADMIN_TOKEN=ENC[AES256_GCM,data:R1mhyfHnTvnWaeKL7UFUuaA8bmpoQciLXRgLZKTDH0Zvo/M76s/NSenBEtpfpUJMbHGp1hmXqkK6jR5WVemYhg==,iv:yCdNQbQx86CZU7GvShcL9YxOlzGr/bTfTp5DDMudTDs=,tag:yPXiqasJbj2NCc5vIc2zVw==,type:str]
|
||||||
|
sops_mac=ENC[AES256_GCM,data:LkjzPt4EVD23fPtcSaAfn0zBSdHP2zo1oF3fRPS7yP+kKdsBUDVVHoS63GT4nUmzgok+AF23EyRhGRWX3TL4f7IqylU50K5NMrNwBCQw6X0DGAqrMnsrvpSCPdWkLcm8fqpo4K22I/0fZl2AXSzuMWY4NKDu2IB0j1eNpP4qILY=,iv:4pdUt5LxdaXl9CIP4lgcnQLI+IbCiEPkU3idorJput8=,tag:++XPxDInGY2f/n+7r43obw==,type:str]
|
||||||
|
sops_unencrypted_suffix=_unencrypted
|
||||||
|
sops_lastmodified=2023-04-15T07:50:09Z
|
||||||
|
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UXYrVkxHSmx1V1E1aVlW\nTVMwamo2ZnJrbERDTkJoSS8yanVXZ2pEbEJnCjExM2U5T1U3SkVrNFhIaXg5VE9K\ncnNyUDdQM2IyQ2FpenV0VEhIR1NBaTQKLS0tIEsvOTNDa1BvUlk3UE01VGZydmVG\nZDZOelphR0Nsa3c4aXZ5NDJVWlVvQmsKPxUi8Vgxe+EsHSF/33OfoEdFIUscDTzR\nzjf8rkG5BU616tudvXUGLfdncCiG+hfz7ZvmEYlTEAdGzSYSW8tuhg==\n-----END AGE ENCRYPTED FILE-----\n
|
||||||
|
sops_age__list_0__map_recipient=age17wdazshqnfe63cy7mmsmwld75e5wedgn8gngvmvlqdktlr86c4us87tjxv
|
||||||
|
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTdTRPUGxqcGowU0FjRE84\nNjhKdEJabFZEVXo3aTArQnNNRjhaMFZiKzNrCmpLbFoxTVlTUkYxOHVJdlFqa0JF\nQStIT29uSlY3SWtzZHFqbjZwTHZ1aEUKLS0tIHJlLzlCV0RJekVvOWRLV3JmZ2pv\nZ0VrUVg5NXVTWU5LRDk2M3dYWXM3bkEKA4KusPniM0pO6oJhHq1khrfcwdSvG+/A\n7rn6Ib23WSHUAquxCxOz9IXL2GDrajEFnv82lyYUgijgb7PEWC2pPQ==\n-----END AGE ENCRYPTED FILE-----\n
|
||||||
|
sops_age__list_1__map_recipient=age1vnyex6qqzwl5laxgww9xzcqy9ht85s0etgq0esry8gk7ad0eaq8qz9p5ya
|
||||||
|
sops_version=3.7.3
|
|
@ -5,6 +5,7 @@
|
||||||
UPTIME_KUMA_PORT = "8099";
|
UPTIME_KUMA_PORT = "8099";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."status.lewd.wtf" = {
|
services.nginx.virtualHosts."status.lewd.wtf" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
|
|
@ -0,0 +1,55 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];
|
||||||
|
|
||||||
|
services.vaultwarden = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/run/secrets/services/vaultwarden/.env";
|
||||||
|
config = {
|
||||||
|
DOMAIN = "https://vault.lewd.wtf";
|
||||||
|
SIGNUPS_ALLOWED = false;
|
||||||
|
SIGNUPS_VERIFY = true;
|
||||||
|
INVITATIONS_ALLOWED = false;
|
||||||
|
WEBSOCKET_ENABLED = true;
|
||||||
|
WEBSOCKET_PORT = 3012;
|
||||||
|
ROCKET_PORT = 8222;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.clientMaxBodySize = "128M";
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."vault.lewd.wtf" = {
|
||||||
|
enableACME = false;
|
||||||
|
forceSSL = false;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub/negotiate" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8222";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
locations."/notifications/hub" = {
|
||||||
|
proxyPass = "http://127.0.0.1:3012";
|
||||||
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
||||||
|
extraConfig =
|
||||||
|
"proxy_set_header Host $host;" +
|
||||||
|
"proxy_set_header X-Real-IP $remote_addr;" +
|
||||||
|
"proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" +
|
||||||
|
"proxy_set_header X-Forwarded-Proto $scheme;"
|
||||||
|
;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in New Issue