Move vaultwarden to sops-nix

2025-06-21 15:53:31 +03:00 · 2025-06-21 15:53:31 +03:00 · 9a36134fac
commit 9a36134fac
parent ec685a2e86
3 changed files with 57 additions and 2 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,6 +1,7 @@
 keys:
  - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
  - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+  - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
 creation_rules:
  - path_regex: ^secrets/helium/.*\.yaml$
    key_groups:
@ -12,3 +13,8 @@ creation_rules:
    - age:
      - *vili-bw
      - *helium
+  - path_regex: ^secrets/vaultwarden.yaml$
+    key_groups:
+    - age:
+      - *vili-bw
+      - *vaultwarden
--- a/secrets/vaultwarden.yaml
+++ b/secrets/vaultwarden.yaml
@ -0,0 +1,26 @@
+smtp-pass: ENC[AES256_GCM,data:G9YdB3BoQAjxF2U2VeVq3Q==,iv:qXSL8WS2/RtjLy5kYGI5gCGqfkVv4FS0yxOn4uExIvY=,tag:BvN7PaqzWgXw0jVKaMhAjw==,type:str]
+admin-token: ENC[AES256_GCM,data:sJGZtEYKY3SzodnI6JYtDIJyDQz/Iat6QM5I8hugmQjLVN8VCgwK+n+CxlpEeCFI6jMp6+NpgKyjb0BbyixIej0lqlUMB5O+Q7QjRlEjqF1XmGIehf8dFILdjR5Uq+3+4/YDeOdgmHL9jmuPOm34XSDalDD83zBoO6R2uWkCau47gt3i4wM=,iv:uxLKxDX3b9ls86cHQM290UqdcsNaprfbOYMdvSR27bQ=,tag:vhWWkJmjl7tPGacsoSI3vA==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z0lZRSs3ZjN3aEUzNHk0
+            WDZlTEpmWDZSMzNaN0dTMGQxOUtnWmI1SmprCnhyZWw0dnc0VFRKVW5kSDZnY2du
+            UUJvZXNJVDVZNzBrODBHNnIwcU01YmcKLS0tIDdtS0hJM3RTSE5nN3k5VnNWQnRJ
+            NHNJSGl0eUJqRlhONjFyS3FPYTFnR00KSMkGMpGvo9TzttkLWfEAx6/dwVmoE5ku
+            5LqbhxaorIuDopJamCW1kFTDrdqrC51xsxzILoP7vjZk/X5UjNxbiQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNzk0dTdnUkF0dnNaeHJU
+            dEE3Qy9YbU10Y2kxaVBvcFdhakNFaUVZb3dVCnlLanlZS3JNRFFaQW9YdElSdVRG
+            Ukl3K0dieDZ0b21FZnRObmh4Uk54SU0KLS0tIEhKMDdGTE1OeW9MVWlMN01RdkVj
+            cGw5c2ZFeUFlNG1iVlJRSU0ybm5nak0KjDTs2Ni3X2danaXioJrkZdF/Q6367buY
+            TTBICi2pfaWBj8gsKJfh02t2dW8tnFe10bw8eg/UGtCBWR9ZTAp3cA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-21T12:35:15Z"
+    mac: ENC[AES256_GCM,data:IM827nPacOaI0sU4XzBxG0UEWxR7S3N5Frjqi4YMI9A96KHsBh6N9UYB3oSmmmKr7dlShEQUZwbNJG33KlV3AYLoJ+8FpkZx5ZB8aQZVkgk4w0YSfEO3zKDUmk9boeFP86bubzm3yU9USdy+DOtgfxRG5sCPnWooqiau8s3mjDs=,iv:ZU+Z3h7r7yjptyPahfOyw9di2+bob2EQPKPryau74gA=,tag:0CpJYkUXyKC5TxfmKpYiVQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/servers/vaultwarden.nix
+++ b/servers/vaultwarden.nix
@ -1,14 +1,37 @@
-{ ... }:
+{ config, ... }:
 {
  imports = [
    ./utils/nginx-https-server.nix
    ./utils/cert-store-client.nix
  ];

+  sops = {
+    secrets = {
+      smtp-pass = {
+        sopsFile = ../secrets/vaultwarden.yaml;
+        restartUnits = [ "vaultwarden.service" ];
+      };
+      admin-token = {
+        sopsFile = ../secrets/vaultwarden.yaml;
+        restartUnits = [ "vaultwarden.service" ];
+      };
+    };
+
+    templates."vaultwarden.env" = {
+      owner = "vaultwarden";
+      content = ''
+        SMTP_FROM=vmsskv12@gmail.com
+        SMTP_USERNAME=vmsskv12@gmail.com
+        SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
+        ADMIN_TOKEN=${config.sops.placeholder.admin-token}
+      '';
+    };
+  };
+
  services = {
    vaultwarden = {
      enable = true;
-      environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+      environmentFile = config.sops.templates."vaultwarden.env".path;
      config = {
        DOMAIN = "https://vaultwarden.vsinerva.fi";
        LOGIN_RATELIMIT_MAX_BURST = 10;