updates to vault and tailscale

RingOfStorms (Joshua Bell) 2025-03-11 09:22:06 -05:00
parent 0635ee5954
commit 18148b03af
3 changed files with 51 additions and 57 deletions


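--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -28,6 +28,7 @@
 # https://tailscale.com/kb/1241/tailscale-up
 extraUpFlags = lib.mkIf config.components.tailscale.useHeadscale [
 "--login-server=https://headscale.joshuabell.xyz"
+"--no-logs-support"
 ];
 };
 networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];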
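Review bot: I do not know of a `--no-logs-support` option on `tailscale up`, so the new entry in `extraUpFlags` will most likely make the module's `tailscale up` invocation fail with an unknown-flag error and the node never authenticates against the headscale server. The log-upload opt-out I am aware of is the daemon-side tailscaled flag `--no-logs-no-support`, which belongs with the daemon flags rather than the up flags; confirm the spelling against `tailscaled --help` and move it to the NixOS module's daemon-flags option (I believe `services.tailscale.extraDaemonFlags`) if that is the intent. If it is moved, a one-line comment such as `# opt out of Tailscale log uploads (daemon flag, not an up flag)` would stop it drifting back here. The enclosing `services.tailscale` attribute set starts outside the hunk.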


@ -66,6 +66,14 @@
# Allow emulation of aarch64-linux binaries for cross compiling # Allow emulation of aarch64-linux binaries for cross compiling
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
programs._1password.enable = true;
programs._1password-gui = {
enable = true;
# Certain features, including CLI integration and system authentication support,
# require enabling PolKit integration on some desktop environments (e.g. Plasma).
polkitPolicyOwners = [ "josh" ];
};
mods = { mods = {
common = { common = {
disableRemoteBuildsOnLio = true; disableRemoteBuildsOnLio = true;
@ -99,6 +107,7 @@
openscad openscad
vlc vlc
bitwarden bitwarden
vaultwarden
]; ];
}; };
}; };
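Review bot: `vaultwarden` in the package list of the second hunk appears to install the Vaultwarden server package into this host's package set, while the same commit runs the server inside a NixOS container on another host file; if a desktop client was intended, `bitwarden` on the line above already covers that, so the entry looks like a mix-up and can be dropped. If it is deliberate, a comment such as `# server-side package only; the running instance lives in the vaultwarden container` would explain why it sits next to desktop applications. The `polkitPolicyOwners = [ "josh" ]` entry in the first hunk grants that user the 1Password polkit policy the copied comment describes, which is consistent with the rest of the change. Both hunks' enclosing attribute sets (`mods` and the package list) start and end outside the shown lines.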


@ -1,85 +1,69 @@
{ {
lib,
config,
... ...
}: }:
let let
name = "vaultwarden"; name = "vaultwarden";
user = name;
uid = 114;
hostDataDir = "/var/lib/${name}"; hostDataDir = "/var/lib/${name}";
hostAddress = "192.168.100.2";
localAddress = "192.168.100.111";
binds = [ v_port = 8222;
{
host = "${hostDataDir}";
container = "/data";
user = "vaultwarden";
uid = 114;
}
];
in in
{ {
users = lib.foldl ( users = {
acc: bind: users.${user} = {
{ isSystemUser = true;
users.${bind.user} = { group = user;
isSystemUser = true; inherit uid;
home = bind.host; };
createHome = true; groups.${user}.gid = uid;
group = bind.user; };
uid = bind.uid; system.activationScripts.createMediaServerDirs = ''
}; mkdir -p ${hostDataDir}/data
groups.${bind.user}.gid = bind.uid; mkdir -p ${hostDataDir}/backups
} chown -R ${toString uid}:${toString uid} ${hostDataDir}
// acc chmod -R 750 ${hostDataDir}
) { } binds; '';
containers.${name} = { containers.${name} = {
ephemeral = true; ephemeral = true;
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = false;
inherit localAddress hostAddress; bindMounts = {
bindMounts = lib.foldl ( "/var/lib/vaultwarden" = {
acc: bind: hostPath = "${hostDataDir}/data";
{ isReadOnly = false;
"${bind.container}" = { };
hostPath = bind.host; "/var/lib/backups/vaultwarden" = {
isReadOnly = false; hostPath = "${hostDataDir}/backups";
}; isReadOnly = false;
} };
// acc };
) { } binds;
config = config =
{ ... }: { ... }:
{ {
system.stateVersion = "24.11"; system.stateVersion = "24.11";
users = lib.foldl ( users = {
acc: bind: users.${user} = {
{ isSystemUser = true;
users.${bind.user} = { group = user;
isSystemUser = true; inherit uid;
home = bind.container; };
uid = bind.uid; groups.${user}.gid = uid;
group = bind.user; };
};
groups.${bind.user}.gid = bind.uid;
}
// acc
) { } binds;
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
backupDir = "/data/backups"; backupDir = "/var/lib/backups/vaultwarden";
config = { config = {
DOMAIN = "https://vault.joshuabell.xyz"; DOMAIN = "https://vault.joshuabell.xyz";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
ROCKET_PORT = builtins.toString v_port;
ROCKET_ADDRESS = "127.0.0.1";
# ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$2DU5GEIKJeMoxqHrAacAYpX4BsSbOgoRmM2+4wjbAvY$9ZyWVV4xIx4M7/WGfvznOhEvrVx+4DrHcBPmeKKUMYE";
}; };
}; };
networking.firewall = {
enable = true;
allowedTCPPorts = [ 8222 ];
};
}; };
}; };
@ -89,7 +73,7 @@ in
locations = { locations = {
"/" = { "/" = {
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://${localAddress}:8222"; # vaultwarden TODO left off here the port is 8000 depsite the docs showing 8222 as default, set ecplisit proxyPass = "http://127.0.0.1:${builtins.toString v_port}";
}; };
}; };
}; };
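Review bot: The commented-out `# ADMIN_TOKEN = "$argon2id$..."` line keeps a hash of the admin token in version control, and the live value belongs in a secret file rather than in `services.vaultwarden.config`, whose values (as far as I recall of the NixOS module) are rendered into a world-readable Nix store path; point `services.vaultwarden.environmentFile` at a root-only file outside the store for `ADMIN_TOKEN` and remove the comment so the hash does not stay in the repository history. `privateNetwork = false` drops the container's network namespace, so the only thing keeping the web vault off the host's external interfaces is `ROCKET_ADDRESS = "127.0.0.1"`; that line deserves a comment such as `# container shares the host netns: bind loopback only, nginx proxies in`, and the container-side `networking.firewall` block (whichever side of the diff it belongs to, which the side-by-side rendering does not make certain) has no effect on that exposure. The activation script name `createMediaServerDirs` looks copied from another host; naming it `createVaultwardenDirs` describes what it does and avoids a collision with any other module defining the same attribute. The second hunk's nginx `locations` block starts outside the shown lines.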