feat: add vaultwared service to orion

2025-07-08 20:03:12 +03:00 · 2025-07-08 20:03:12 +03:00 · 8de956ae72
commit 8de956ae72
parent 56fb173b71
3 changed files with 108 additions and 0 deletions
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@ -102,6 +102,8 @@
    smartmontools
  ];
  ataraxia.services.vaultwarden.enable = true;
  ataraxia.virtualisation.guests = {
    omv = {
      autoStart = true;
--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@ -0,0 +1,80 @@
 {
  config,
  lib,
  secretsDir,
  ...
 }:
 let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str;
  cfg = config.ataraxia.services.vaultwarden;
 in
 {
  options.ataraxia.services.vaultwarden = {
    enable = mkEnableOption "Enable vaultwarden service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
  };
  config = mkIf cfg.enable {
    sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;
    sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;
    sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];
    services.vaultwarden = {
      enable = true;
      backupDir = "/srv/vaultwarden";
      config = {
        domain = "https://vw.ataraxiadev.com";
        extendedLogging = true;
        invitationsAllowed = false;
        useSyslog = true;
        logLevel = "warn";
        rocketAddress = "127.0.0.1";
        rocketPort = 8812;
        showPasswordHint = false;
        signupsAllowed = false;
        signupsDomainsWhitelist = "ataraxiadev.com";
        signupsVerify = true;
        smtpAuthMechanism = "Login";
        smtpFrom = "vaultwarden@ataraxiadev.com";
        smtpFromName = "Vaultwarden";
        smtpHost = "mail.ataraxiadev.com";
        smtpPort = 587;
        smtpSecurity = "starttls";
        websocketAddress = "127.0.0.1";
        websocketEnabled = true;
        websocketPort = 3012;
        webVaultEnabled = true;
      };
      environmentFile = config.sops.secrets.vaultwarden.path;
    };
    # We need to do this to successufully create backup folder
    # systemd.services.backup-vaultwarden.serviceConfig = {
    #   User = "root";
    #   Group = "root";
    # };
    persist.state.directories = [
      "/var/lib/vaultwarden"
      config.services.vaultwarden.backupDir
    ];
    systemd.tmpfiles.rules =
      let
        backupDir = config.services.vaultwarden.backupDir;
        user = config.systemd.services.backup-vaultwarden.serviceConfig.User;
        group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;
      in
      [
        "d ${backupDir} 0700 ${user} ${group} -"
      ];
  };
 }
--- a/secrets/orion/vaultwarden.yaml
+++ b/secrets/orion/vaultwarden.yaml
@ -0,0 +1,26 @@
 vaultwarden: ENC[AES256_GCM,data:B1qaU/1jsDgbc7wEl3Yrehez3vHCOPDQ5rjpkYPf4QgVwonOvvEf4H7doVwabhihRqoy43QXBeDRuPVaea/ZJythvZV0cez2Mr6YrhG7/BSB+AIDEa+wNQTGgY5IWkztp7j4BP1XmyRA4A42dOnfHJR6BncJGAfhNguq3FZJuf5BClvyT5aov+GKfiO81l93ig324TKsU9ClLqmVarrPCNba683ADrH8g5EkB2rw0LwKJBWVQh0TKhTTyFdMFTNaIQ17K1ueqLwd2xIfHMmN61s=,iv:H6/RxF6LSMD3OUAY3mEhof2VGOCctg6FsaoyOTI9e5Q=,tag:W+nCl/RAWpdXWbE9v/oMOg==,type:str]
 sops:
    shamir_threshold: 1
    age:
        - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNVZpRE8zUzN0RWNXT09F
            bUR0MmxMNDNybHBEN0FKY3VtTW1XREpaSkNJCnpGRmZqRlU0YlBiYkxkeEVLMzdv
            eERFc3dITG5lOTVLRkJYM2NNa1lpWDgKLS0tIEsra0ZBblhiTk9kTFJxWjZtRDhS
            NDhKY2dEVXFOL3JIZmtMVG5tVklIQXcKbLLeZOrJCGRPscw4LWsVAGk29EwQg0lK
            +YYSsQLm+cZNLxHLClsmQn/ykEvIEA5/1DjFXVvulFW+Kbk9NwSxHA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa0tPM2NiaW13Sk5rR091
            VVBVYnRoc3I2WFI3WFhETTdXUzU4ckFZbGtJCjR4em80Vm1UQk9vM3h4OER6dVNs
            RWJwazRiUHVXY01vZ1hyN3k3MlBrbUEKLS0tIDd3aEhxNDZHWDdETkd0VkMwOTZG
            MWNhelRQZTdBZGMzUk5HQklSWWVTNWMK6gunbCmYfXh4fQ3mV0kh6TlwxTpxlUI0
            Y6+pPh+Sw39KTFdirXv5OTWtCN53S6HXejIuctIOvdfrB1LYwsb7XA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-21T19:24:09Z"
    mac: ENC[AES256_GCM,data:+KnkQjRKq7f7gojR4TDRUahPPcOshTQUIzJOmGBD4cspjLj0Ljf9tqoMCvCzwU7CGIg2c4phUCWluyQwlUAoiRL0rM8YyN2nE0PiWOcnl3p9FHwHxV9ElWiWpVnKroVxZEz0vmj0nsabl9PRD5ipX06kDK8GRZXFw+laSCy0N1E=,iv:7DO9ML9ToedihSJA6v1hMcd4Q/PJ+JLvJQk69kQ8btA=,tag:cifnSqY1ezoHt8WHtuyakw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1