Added vault warden

2025-03-03 12:36:42 +01:00 · 2025-03-03 12:36:42 +01:00 · 5832a92555
parent 85ec8190f9
commit 5832a92555
4 changed files with 58 additions and 17 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -2,6 +2,7 @@
  imports = [
    ./services/openssh.nix
    ./services/forgejo.nix
+    ./services/vaultwarden.nix
    ./services/misc.nix

    ./modules/git.nix
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -1,19 +1,23 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];

-  boot.initrd.availableKernelModules = [ "vmd" "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["vmd" "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];

-  swapDevices = [ ];
+  swapDevices = [];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/modules/networking.nix
+++ b/modules/networking.nix
@ -1,19 +1,21 @@
-{ hostname ? "server" }: { ... }: {
+{hostname ? "server"}: {...}: {
  networking.hostName = hostname;
  networking.hostId = "2ead098f";
  networking.networkmanager.enable = true;
  networking.firewall = {
    enable = true;
-    allowedTCPPorts = [ ];
-    allowedUDPPorts = [ ];
+    allowedTCPPorts = [];
+    allowedUDPPorts = [];
  };

  # Static ip
  networking.interfaces.enp2s0 = {
-    ipv4.addresses = [{
-      address = "10.0.201.83";
-      prefixLength = 24;
-    }];
+    ipv4.addresses = [
+      {
+        address = "10.0.201.83";
+        prefixLength = 24;
+      }
+    ];
  };
  networking.defaultGateway = {
    address = "10.0.201.1";
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -0,0 +1,34 @@
+{...}: let
+  host = "127.0.0.1";
+  port = 8222;
+in {
+  services.vaultwarden = {
+    enable = true;
+
+    config = {
+      DOMAIN = "https://bitwarden.spoodythe.one";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = host;
+      ROCKET_PORT = port;
+      ROCKET_LOG = "critical";
+
+      SMTP_HOST = host;
+      SMTP_PORT = 25;
+      SMTP_SSL = false;
+
+      SMTP_FROM = "admin@bitwarden.spoodythe.one";
+      SMTP_FROM_NAME = "SpoodyThe.One Bitwarden Server";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [port];
+  networking.firewall.allowedUDPPorts = [port];
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."bitwarden.spoodythe.one".extraConfig = ''
+      reverse_proxy * ${host}:${toString port}
+    '';
+  };
+}