VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Migrate vaultwarden to disko+impermanence

Browse source
This commit is contained in:
Vili Sinervä 2025-07-01 23:30:36 +03:00
parent 717c81eeb0
commit 005fa8707e
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
10 changed files with 74 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.sops.yaml
View file

@ -8,7 +8,7 @@ keys:
- &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7 - &forgejo age1mfvue6vjj445dtly39k5vlcnhpfdf0ujumm6v8degk2lvaa9avcsl2eeg7
- &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 - &idacloud age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
- &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x - &nextcloud age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
- &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - &vaultwarden age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y
- &wg-rpi age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6 - &wg-rpi age139sl09xkjm4hd0q5e09e0w4ppu8yd65uhu7upjx5v8jn8ef62vfqg309x6
creation_rules: creation_rules:
- path_regex: ^secrets/helium/.*\.yaml$ - path_regex: ^secrets/helium/.*\.yaml$

4
hosts/cert-store/configuration.nix
View file

@ -1,14 +1,12 @@
{ ... }: { ... }:
{ {
environment.persistence."/persist".enable = true;
imports = [ imports = [
../../shared/base.nix ../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix ../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix ../../shared/hardware/vm.nix
../../shared/disko/zfs-impermanence.nix
../../servers/acme-cert-store.nix ../../servers/acme-cert-store.nix
]; ];
} }

7
hosts/siit-dc/configuration.nix
View file

@ -1,15 +1,12 @@
{ lib, ... }: { ... }:
{ {
environment.persistence."/persist".enable = true;
swapDevices = lib.mkForce [ ];
imports = [ imports = [
../../shared/base.nix ../../shared/base.nix
../../shared/disko/hetzner-zfs-impermanence.nix
../../shared/hardware/impermanence.nix ../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix ../../shared/hardware/vm.nix
../../shared/disko/hetzner-zfs-impermanence.nix
../../servers/siit-dc.nix ../../servers/siit-dc.nix
]; ];
} }

11
hosts/vaultwarden/configuration.nix
View file

@ -1,15 +1,12 @@
{ ... }: { ... }:
{ {
swapDevices = [
{
device = "/var/lib/swapfile";
size = 2 * 1024;
}
];
imports = [ imports = [
../../shared/base.nix ../../shared/base.nix
../../shared/disko/zfs-impermanence.nix
../../shared/hardware/impermanence.nix
../../shared/hardware/vm.nix ../../shared/hardware/vm.nix
../../servers/vaultwarden.nix ../../servers/vaultwarden.nix
]; ];
} }

13
hosts/vaultwarden/state.nix
View file

@ -1,14 +1,5 @@
{ ... }: { ... }:
{ {
system.stateVersion = "23.11"; networking.hostId = "2842298f";
system.stateVersion = "25.05";
fileSystems."/" = {
device = "/dev/disk/by-uuid/22f0fb39-e264-450d-b575-9dedd2a02361";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/A604-6A7B";
fsType = "vfat";
};
} }

52
secrets/cert.yaml
View file

@ -5,47 +5,47 @@ sops:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQ0huSVlESFN6dk00YnRq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTM09sR3h5Q0ZpajdYMnRl
Y2tnZWY5ckhhQm50ZkR4bVFhMm40K1RiSjIwCmpZdW8yd25DdExKdkxpSXIxenhX d0tQM09MYm1NcDdTajkzZFlNNTNnYlZuQlhVCjQzbHNHWWQ1azlVWXh5STNGRFo2
RDF3U1V0cGtyRnZyaUVENXBCb240M3cKLS0tIHJHVW1lVlphSkRUZUtDa01aazZy cFp2SStGMEJVazFkVkNiL1NoOVVyWk0KLS0tIC81aU5ybTgvN0pEUGZNVE8xdjkv
SlExRXo1SFQ5aEhMYTRpRHVOaFpaQUkKdACxrioEcvctW5aeln8moVaN+ZS0nVl/ OVlKOXJmbCtWa0NpcmtLNE41b0YrZWcKIaGGlj8JRRHfpF6Vr1fbJA4VWZCUGt/T
hB1yp+O1e1vIaafITck4+2eby1Nwrq5eowQkjaz5QyO0M12wbxCg3A== ELrYGQoxCUrcZ5o9uvI0Ki+BGCOiOJ7qOsG0hkXQl46MI3OE+UgGnQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp - recipient: age1cws8uzhg9qyxpjnw9w0mvalvqu3ttnnrn5r3eeczk4wcj86vnqgslzmzjp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZDUweFRvOVNOZUE3MWRo YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkYlJEWXl4Ym5hNDRyOW82
QXNxc1lJRTlqcCt6SU5nRVRHZDg4QW9POFR3CjFWV21VTlBCcGRJQlVGbGpvd0Y5 WmwvbXdrQTVUVElUTGFhTmw4bFg2NThLWGdvClFqR0orNE5QSWhtancwR2NTWElz
NGFuRVZCN3JFNUN1cW1hcm5YUEJhb0UKLS0tIGlReUhFR0ZDNnJsOVJQeFEyVWtr QUN3YmpwVnNUUnZtOHAvblRER3ZGNjgKLS0tIGNFU2F6a1dxbjdCYlpwWDlUOTdp
ajJXQVVQRW84Y1owMElOZURmSnlLZDAKu0Q+Q/Pj25tp6mxKUak63S9xLN7yXQ4w TjJEUEMxeU5kczZJdGtaVlU2cVY1WVUKkK55TM6wt8mjSPs9Et/8L0uqk584KN5b
g15Ly4kU2d1dr07DXVgayLuGPtrsCUzcBkoPBhB7KR3XlOEZq1kCfQ== IETi/iTeDlSPO06KM24eybiIrKBu+S0ZgqXgRCnOLHAz0LSdJVPHEw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2 - recipient: age1actwp5rqczazhgl94npwc0phxuxzjgrk9v82e32sahanw8cyuc7stxkls2
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzR01TVlE4VTdMQmhwNDM5 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkT1JaL05GK0psYjBsVHB0
K0tWbTU1eDFUWmh6d3V4UUdkL0RNYlBDUlhvCnY1cXkzRnB2WmVKalp6N2dKU1du YlRVY1lQR2Fyck1GN3FvOStxOVRmTXE3R0dzClBRNW9YNXJWeDEwTUhPakdvTGFM
c1BHRDQ5VGZCRzdDT3VVMEoxYm16bU0KLS0tIEpzVDdrUzRWL2tRNnc2SUxzT0dz Y0p2eXBLUU5MRHl5aklWWmpaUjZEb2sKLS0tIEJrdVV6SkFWZW1uZWFybENmak42
bXRGOGJ1MUc0WnFBRlFzelVLZnFES0kKCsBBiG3dweP6DV5neaGDW6bLugHm8TIj U2RYOUNnOHdWcG0zakkxZGVrdDVTVUEKZ8sOwUBgAWVBOrqxefxvyea8fXnLfbZZ
7eh1EpkBbxLEwEvI9sriE98EAarBmHR2n7MqTQRDZ4zN9QjkrqDtYQ== 4KkxdodeA/g7ztu6zeqpTV6pM+ltILjsEw1woG18u8RHKDspw8LarQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x - recipient: age1rf6h87qp9ckpmf7yrvkmq3faqn5fnqx4lyg83zf5v09wnew7muzsmmnx9x
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbUwxWGtYYWg4enhta21n YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdE1hbWhTMitzUW90NmxW
LzJEMFVBN2lDUzZYT1dnNzZra3EveWNJSEVvCkJQbklhUHNyY3Evd2lXNmpDSGpl eFk2WlY0dlB4UjRQWkZzOE0zSHJLWi9NM2p3CklmV2dtZXNHWjcrTkpZZjRBRVBP
RVM5Y1VJWjZvLzJucEhteWNiRzF5M2sKLS0tIEFybW9IUHE2SENGcE1LTHE0Mmd5 R3RUREdyTDJVVGxBbGx1eUgvcEJEL1EKLS0tIGJSbFdseUY4TWZHUGREcWtFc282
RDI3V0dwR0x3UGpVdk5PV0F4Nm5TUFkK5Dh/RsDu3+/a2GIftfHrA0+xxaHg1awr Y3F3a2pWQlRSa2NlZ2hVVXpVQkZIMzgKtTzX7BR9ajpVZ/liDgBNwfsxjTCVuycd
mbPCPVZW+2mRS+J21jIcZZK5Wxm/SbSYQOfUDUSbjyORWHIugGQ3xQ== L0oLVvEyUlpWPAqVL8JgJuFLIlA5dwPzLkmxdbUlQOEdVkbc8OGJ/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - recipient: age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdjBqa3lrYmlJZ0Nzb3ZV YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTW9JZnd2dHZWT05DbHUy
eE51SmFpZjRhV2VtS1FId2xmNnl1M0VQczNjCm04Vk1EbkU1RisvczhkSXVPaU1z cnpKOU9nc0lxWVBEOFozT0xNV3J1Ukx5KzA0ClNhR3NQKzN1TlU4eDdacnBQcjJn
MVV4UTJCRmtSdHM2Q0dTaVVFMkVuTVkKLS0tIGRQV0RBMTg4NWJIUWNSMFhlbm9C SWE4TWpUR1JrZ29SUjc1akRkS0lvYWsKLS0tIFhaNktXRUR0VUZSTTd4QytKT1Jx
djh6aXpLa2NILzdoS01uYXpEbUovNEUKI4K86hhFtHQpDo7pNGocT5Iyq618y39L NmFpWVNKRENSYkNWcVk2M3RIYmtpSmMKBfzyOjjoCRsvTUX34PiGEIJ0ETJjq5ZR
0eBWGCaYgCUOF86LGPKwlkgadSFkvkCOnPrJSs1VnL+4u1332UBM8w== qsxGOTOrG9FMv9slfvWPOaMnDeJCQc2CZS0b0EqfNg/eFzFxG/jOuw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-22T22:15:42Z" lastmodified: "2025-06-22T22:15:42Z"
mac: ENC[AES256_GCM,data:BK0dsImd1ClVYdR7xHksz4FzfXcRpN5uSME0TCX9rvA0R59sGzdRjab02xVOfPkkHbAxj7WN6LRxB/nzTVNS6rk8xe004tVnbYjbc21gqqGW3sH5rdX/VqvsB2JJo5CfxXbTHRccjnzWAOzTxylfG4ILxNZvOJRX/rKFzUJKsxE=,iv:Uc8tAAhFLeXetMbgpjvmYCUftlQrU+D8fwEYtBN1KEM=,tag:v+ld334czS0hYVW7YWwB6A==,type:str] mac: ENC[AES256_GCM,data:BK0dsImd1ClVYdR7xHksz4FzfXcRpN5uSME0TCX9rvA0R59sGzdRjab02xVOfPkkHbAxj7WN6LRxB/nzTVNS6rk8xe004tVnbYjbc21gqqGW3sH5rdX/VqvsB2JJo5CfxXbTHRccjnzWAOzTxylfG4ILxNZvOJRX/rKFzUJKsxE=,iv:Uc8tAAhFLeXetMbgpjvmYCUftlQrU+D8fwEYtBN1KEM=,tag:v+ld334czS0hYVW7YWwB6A==,type:str]

22
secrets/vaultwarden.yaml
View file

@ -5,20 +5,20 @@ sops:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z0lZRSs3ZjN3aEUzNHk0 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVTNtWE05aW5kcWtaRjJ5
WDZlTEpmWDZSMzNaN0dTMGQxOUtnWmI1SmprCnhyZWw0dnc0VFRKVW5kSDZnY2du dmFvcGkvZmNRaTNsUVlXb1lSWDdHZEJJR25FCkIxRlA2U2dQdDBvMklOaWJDVlYw
UUJvZXNJVDVZNzBrODBHNnIwcU01YmcKLS0tIDdtS0hJM3RTSE5nN3k5VnNWQnRJ WUNBN1BOZjlLYU56UldxaDNBRTN0NEEKLS0tIEJ1NGV0TXlOSmJseEo3MlJyN2JO
NHNJSGl0eUJqRlhONjFyS3FPYTFnR00KSMkGMpGvo9TzttkLWfEAx6/dwVmoE5ku cjk2eWlCSzliLzhiSU9QYzFnb1k2ajgKxGiG5M29Vk/c14LxaHMkZbqSjGTiQ3+8
5LqbhxaorIuDopJamCW1kFTDrdqrC51xsxzILoP7vjZk/X5UjNxbiQ== Z1IN6hRY58lM1cPtsF9cn8pVuWssE3Rr1FLw8QhNpGJ6uxdkS6yH2Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9 - recipient: age1d3dnansjhwtzj7pylk0nadg5jkqvzfe7zqs9rhx3yeerzwxyp4esxxsy7y
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNzk0dTdnUkF0dnNaeHJU YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwT2JLK0dSVVFXWGN3RlEy
dEE3Qy9YbU10Y2kxaVBvcFdhakNFaUVZb3dVCnlLanlZS3JNRFFaQW9YdElSdVRG aldWbmRyenRkTDVJTzlOUWQ2TnZ3M3lkekRVCkxrRXdpdGpCSlgrNENScXFoelNq
Ukl3K0dieDZ0b21FZnRObmh4Uk54SU0KLS0tIEhKMDdGTE1OeW9MVWlMN01RdkVj bzJvSHhwaU5GVSs3NzgrQVRGTDdhVWcKLS0tIEw2UXdsL1NDdkVTZjNleUVYQmZM
cGw5c2ZFeUFlNG1iVlJRSU0ybm5nak0KjDTs2Ni3X2danaXioJrkZdF/Q6367buY Wkl3M1NKOHF6Q1F2d2JRWExRS2VkcU0KD9RVjY6Wu0bwmujR5F6aHCSRupX+8E/t
TTBICi2pfaWBj8gsKJfh02t2dW8tnFe10bw8eg/UGtCBWR9ZTAp3cA== Wl4dgo0xcj8SHz4WdkDynKwpZvfuB0+t3vtcFg3r1O2JEVDtkdBCpA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-21T12:35:15Z" lastmodified: "2025-06-21T12:35:15Z"
mac: ENC[AES256_GCM,data:IM827nPacOaI0sU4XzBxG0UEWxR7S3N5Frjqi4YMI9A96KHsBh6N9UYB3oSmmmKr7dlShEQUZwbNJG33KlV3AYLoJ+8FpkZx5ZB8aQZVkgk4w0YSfEO3zKDUmk9boeFP86bubzm3yU9USdy+DOtgfxRG5sCPnWooqiau8s3mjDs=,iv:ZU+Z3h7r7yjptyPahfOyw9di2+bob2EQPKPryau74gA=,tag:0CpJYkUXyKC5TxfmKpYiVQ==,type:str] mac: ENC[AES256_GCM,data:IM827nPacOaI0sU4XzBxG0UEWxR7S3N5Frjqi4YMI9A96KHsBh6N9UYB3oSmmmKr7dlShEQUZwbNJG33KlV3AYLoJ+8FpkZx5ZB8aQZVkgk4w0YSfEO3zKDUmk9boeFP86bubzm3yU9USdy+DOtgfxRG5sCPnWooqiau8s3mjDs=,iv:ZU+Z3h7r7yjptyPahfOyw9di2+bob2EQPKPryau74gA=,tag:0CpJYkUXyKC5TxfmKpYiVQ==,type:str]

9
servers/vaultwarden.nix
View file

@ -5,6 +5,15 @@
./utils/cert-store-client.nix ./utils/cert-store-client.nix
]; ];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/vaultwarden";
user = "vaultwarden";
group = "vaultwarden";
mode = "u=rwx,g=,o=";
}
];
sops = { sops = {
secrets = { secrets = {
smtp-pass = { smtp-pass = {

18
shared/base.nix
View file

@ -34,24 +34,6 @@
ssss ssss
]; ];
######################################## Impermanence ###########################################
environment.persistence."/persist" = {
enable = lib.mkDefault false;
hideMounts = true;
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_ed25519_key"
];
directories = [
"/var/lib/systemd/timers"
"/var/lib/nixos"
"/var/log"
];
};
######################################## ZSH configuration ###################################### ######################################## ZSH configuration ######################################
users.defaultUserShell = pkgs.zsh; users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ]; environment.shells = with pkgs; [ zsh ];

18
shared/hardware/impermanence.nix
View file

@ -1,5 +1,23 @@
{ lib, ... }: { lib, ... }:
{ {
# Default set of directories we always want to persist
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_ed25519_key"
];
directories = [
"/var/lib/systemd/timers"
"/var/lib/nixos"
"/var/log"
];
};
fileSystems."/persist".neededForBoot = true; fileSystems."/persist".neededForBoot = true;
services.zfs = { services.zfs = {