From 9a36134facb0e47d8a17c12fb6c4836e5b051941 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Sat, 21 Jun 2025 15:53:31 +0300
Subject: [PATCH] Move vaultwarden to sops-nix

---
 .sops.yaml               |  6 ++++++
 secrets/vaultwarden.yaml | 26 ++++++++++++++++++++++++++
 servers/vaultwarden.nix  | 27 +++++++++++++++++++++++++--
 3 files changed, 57 insertions(+), 2 deletions(-)
 create mode 100644 secrets/vaultwarden.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 7d14a18..88fceb6 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,6 +1,7 @@
 keys:
   - &vili-bw age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
   - &helium age1xp02dggk2e6csvxg2q5nfts4tjhd05vthrcvvk2l67m3tgs3vugqshg24q
+  - &vaultwarden age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
 creation_rules:
   - path_regex: ^secrets/helium/.*\.yaml$
     key_groups:
@@ -12,3 +13,8 @@ creation_rules:
       - age:
           - *vili-bw
           - *helium
+  - path_regex: ^secrets/vaultwarden.yaml$
+    key_groups:
+      - age:
+          - *vili-bw
+          - *vaultwarden
diff --git a/secrets/vaultwarden.yaml b/secrets/vaultwarden.yaml
new file mode 100644
index 0000000..4949090
--- /dev/null
+++ b/secrets/vaultwarden.yaml
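Review bot: The new creation rule's `path_regex` leaves the dot unescaped (`^secrets/vaultwarden.yaml$`), whereas the existing helium rule writes `\.yaml$`; the unescaped form still matches the intended file but also any single character in that position, so for precision and consistency use `path_regex: ^secrets/vaultwarden\.yaml$`. Since a creation rule decides which recipients a secret is encrypted to, keeping these patterns tight is worth the one-character change.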
@@ -0,0 +1,26 @@
+smtp-pass: ENC[AES256_GCM,data:G9YdB3BoQAjxF2U2VeVq3Q==,iv:qXSL8WS2/RtjLy5kYGI5gCGqfkVv4FS0yxOn4uExIvY=,tag:BvN7PaqzWgXw0jVKaMhAjw==,type:str]
+admin-token: ENC[AES256_GCM,data:sJGZtEYKY3SzodnI6JYtDIJyDQz/Iat6QM5I8hugmQjLVN8VCgwK+n+CxlpEeCFI6jMp6+NpgKyjb0BbyixIej0lqlUMB5O+Q7QjRlEjqF1XmGIehf8dFILdjR5Uq+3+4/YDeOdgmHL9jmuPOm34XSDalDD83zBoO6R2uWkCau47gt3i4wM=,iv:uxLKxDX3b9ls86cHQM290UqdcsNaprfbOYMdvSR27bQ=,tag:vhWWkJmjl7tPGacsoSI3vA==,type:str]
+sops:
+    age:
+        - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Z0lZRSs3ZjN3aEUzNHk0
+            WDZlTEpmWDZSMzNaN0dTMGQxOUtnWmI1SmprCnhyZWw0dnc0VFRKVW5kSDZnY2du
+            UUJvZXNJVDVZNzBrODBHNnIwcU01YmcKLS0tIDdtS0hJM3RTSE5nN3k5VnNWQnRJ
+            NHNJSGl0eUJqRlhONjFyS3FPYTFnR00KSMkGMpGvo9TzttkLWfEAx6/dwVmoE5ku
+            5LqbhxaorIuDopJamCW1kFTDrdqrC51xsxzILoP7vjZk/X5UjNxbiQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1g9xu0m2wkpcrj0lr6sjcx6ak2akwtuxdxh2lct44wkkkzklgjsss5zt3r9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNzk0dTdnUkF0dnNaeHJU
+            dEE3Qy9YbU10Y2kxaVBvcFdhakNFaUVZb3dVCnlLanlZS3JNRFFaQW9YdElSdVRG
+            Ukl3K0dieDZ0b21FZnRObmh4Uk54SU0KLS0tIEhKMDdGTE1OeW9MVWlMN01RdkVj
+            cGw5c2ZFeUFlNG1iVlJRSU0ybm5nak0KjDTs2Ni3X2danaXioJrkZdF/Q6367buY
+            TTBICi2pfaWBj8gsKJfh02t2dW8tnFe10bw8eg/UGtCBWR9ZTAp3cA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-06-21T12:35:15Z"
+    mac: ENC[AES256_GCM,data:IM827nPacOaI0sU4XzBxG0UEWxR7S3N5Frjqi4YMI9A96KHsBh6N9UYB3oSmmmKr7dlShEQUZwbNJG33KlV3AYLoJ+8FpkZx5ZB8aQZVkgk4w0YSfEO3zKDUmk9boeFP86bubzm3yU9USdy+DOtgfxRG5sCPnWooqiau8s3mjDs=,iv:ZU+Z3h7r7yjptyPahfOyw9di2+bob2EQPKPryau74gA=,tag:0CpJYkUXyKC5TxfmKpYiVQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/servers/vaultwarden.nix b/servers/vaultwarden.nix
index 23d5f85..f96826e 100644
--- a/servers/vaultwarden.nix
+++ b/servers/vaultwarden.nix
@@ -1,14 +1,37 @@
-{ ... }:
+{ config, ... }:
 {
   imports = [
     ./utils/nginx-https-server.nix
     ./utils/cert-store-client.nix
   ];
 
+  sops = {
+    secrets = {
+      smtp-pass = {
+        sopsFile = ../secrets/vaultwarden.yaml;
+        restartUnits = [ "vaultwarden.service" ];
+      };
+      admin-token = {
+        sopsFile = ../secrets/vaultwarden.yaml;
+        restartUnits = [ "vaultwarden.service" ];
+      };
+    };
+
+    templates."vaultwarden.env" = {
+      owner = "vaultwarden";
+      content = ''
+        SMTP_FROM=vmsskv12@gmail.com
+        SMTP_USERNAME=vmsskv12@gmail.com
+        SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
+        ADMIN_TOKEN=${config.sops.placeholder.admin-token}
+      '';
+    };
+  };
+
   services = {
     vaultwarden = {
       enable = true;
-      environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+      environmentFile = config.sops.templates."vaultwarden.env".path;
       config = {
         DOMAIN = "https://vaultwarden.vsinerva.fi";
         LOGIN_RATELIMIT_MAX_BURST = 10;
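Review bot: `templates."vaultwarden.env"` carries no `restartUnits`, so only a change to one of the two secrets restarts vaultwarden; editing the plain lines of the template (SMTP_FROM, SMTP_USERNAME) re-renders the file at the same path, the unit file itself is unchanged, and the running service keeps the old environment until something else restarts it. sops-nix templates accept the same option as secrets, so add `restartUnits = [ "vaultwarden.service" ];` next to `owner = "vaultwarden";`, at which point the two per-secret `restartUnits` lines become redundant and can be dropped. As a point of style, both secrets repeat the same `sopsFile`; a `let` binding for the file path (or `sops.defaultSopsFile` if this module owns it) keeps the two entries from drifting apart when a third secret is added.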