From e342a4fd319d3630586051a178a423e56b785143 Mon Sep 17 00:00:00 2001
From: cnst
Date: Wed, 16 Jul 2025 16:23:38 +0200
Subject: [PATCH] fail2ban test 12
---
hosts/sobotka/server.nix | 4 ++
modules/server/vaultwarden/default.nix | 60 ++++++++++++++++++-------
secrets/secrets.nix | 1 +
secrets/vaultwardenCloudflared.age | Bin 0 -> 727 bytes
4 files changed, 49 insertions(+), 16 deletions(-)
create mode 100644 secrets/vaultwardenCloudflared.age
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 6d6d621c..7813f575 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -12,6 +12,10 @@
};
vaultwarden = {
enable = true;
+ cloudflared = {
+ tunnelId = "c3f541cb-b97e-4766-ae16-a8d863a3eec8";
+ credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
+ };
};
};
}
diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
index c2e63ee5..4e93b374 100644
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -11,7 +11,23 @@
cfg = config.server.vaultwarden;
in {
options = {
- server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
+ server.vaultwarden = {
+ enable = mkEnableOption "Enables vaultwarden";
+ cloudflared = {
+ credentialsFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExpression ''
+ pkgs.writeText "cloudflare-credentials.json" '''
+ {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
+ '''
+ '';
+ tunnelId = lib.mkOption {
+ type = lib.types.str;
+ example = "00000000-0000-0000-0000-000000000000";
+ };
+ };
+ };
+ };
};
config = mkIf cfg.enable {
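Review bot: `credentialsFile = config.age.secrets.vaultwardenCloudflared.path` hands the tunnel credentials to cloudflared, but nothing in this hunk sets the owner or group of that secret, and the NixOS cloudflared unit normally runs as its own unprivileged user rather than root; if `age.secrets.vaultwardenCloudflared` is declared with agenix's default root-only mode, the tunnel will fail at startup with a permission error. Declare the secret with the service's identity, e.g. `age.secrets.vaultwardenCloudflared = { file = ./path/to/vaultwardenCloudflared.age; owner = config.services.cloudflared.user; group = config.services.cloudflared.group; };` (the actual file path and option names should be checked against the rest of this host config). Keeping the tunnel ID as a plain literal is fine, since the ID is an identifier rather than a secret; the secret material stays in the encrypted credentials JSON. The enclosing attrset this hunk edits starts before the hunk.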
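Review bot: As far as the braces in this hunk show, `tunnelId = lib.mkOption {` is opened before the `credentialsFile = lib.mkOption {` attrset is closed, so `tunnelId` ends up as a stray attribute inside `credentialsFile`'s option definition rather than as `server.vaultwarden.cloudflared.tunnelId`, and the later `cfg.cloudflared.tunnelId` reference has nothing to resolve to; a `};` is needed right after the `'';` line. The `example` for a credentials option should not demonstrate `pkgs.writeText`, which would put the TunnelSecret into the world-readable Nix store; point it at a runtime-decrypted path such as the agenix secret this same commit uses in server.nix. The sample JSON also has a `.` where a `,` belongs, and neither option carries a `description`, so the module gives no hint that the value must not be a store path.

```nix
credentialsFile = lib.mkOption {
  type = lib.types.str;
  description = "Path to the cloudflared tunnel credentials JSON, decrypted at runtime (never a Nix store path).";
  example = lib.literalExpression "config.age.secrets.vaultwardenCloudflared.path";
};
tunnelId = lib.mkOption {
  # … unchanged: type and example …
  description = "Cloudflare tunnel UUID; not secret, the credentials file holds the secret.";
};
```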
@@ -39,24 +55,36 @@ in {
};
};
- services.vaultwarden = {
- enable = true;
- environmentFile = config.age.secrets.vaultwarden-env.path;
+ services = {
+ vaultwarden = {
+ enable = true;
+ environmentFile = config.age.secrets.vaultwarden-env.path;
- backupDir = "/var/backup/vaultwarden";
+ backupDir = "/var/backup/vaultwarden";
- config = {
- DOMAIN = "https://vault.${domain}";
- SIGNUPS_ALLOWED = false;
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8222;
- IP_HEADER = "CF-Connecting-IP";
+ config = {
+ DOMAIN = "https://vault.${domain}";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ IP_HEADER = "CF-Connecting-IP";
- logLevel = "warn";
- extendedLogging = true;
- useSyslog = true;
- invitationsAllowed = false;
- showPasswordHint = false;
+ logLevel = "warn";
+ extendedLogging = true;
+ useSyslog = true;
+ invitationsAllowed = false;
+ showPasswordHint = false;
+ };
+ };
+ cloudflared = {
+ enable = true;
+ tunnels.${cfg.cloudflared.tunnelId} = {
+ credentialsFile = cfg.cloudflared.credentialsFile;
+ default = "http_status:404";
+ ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${
+ toString vcfg.ROCKET_PORT
+ }";
+ };
};
};
};
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 76f66cd4..11e6d0f3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,4 +13,5 @@ in {
"cloudflare-env.age".publicKeys = [cnst kima usobotka rsobotka];
"vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka];
"cloudflareFirewallApiKey.age".publicKeys = [cnst kima usobotka rsobotka];
+ "vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka];
}
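Review bot: `ingress."${cfg.url}"` reads `server.vaultwarden.url`, but the options block this commit adds declares only `enable` and `cloudflared`, and `vcfg` is not bound in any visible hunk; unless both are defined above line 11 of this module or in another module, evaluation fails with an attribute-missing error. The public hostname is already fixed by `DOMAIN = "https://vault.${domain}"`, so key the tunnel route off the same value rather than a separate option, e.g. `ingress."vault.${domain}".service = "http://${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}";`, or bind the host once in a `let` so the tunnel route and vaultwarden's DOMAIN cannot drift apart. A comment next to `IP_HEADER = "CF-Connecting-IP";` should record that the header is only trustworthy because `ROCKET_ADDRESS` stays on loopback and the tunnel is the sole path in; if the listener is ever opened beyond loopback the header becomes spoofable, and any fail2ban-style banning keyed on it could be aimed at arbitrary addresses. `default = "http_status:404"` for unmatched hostnames is the right choice. The enclosing `config = mkIf cfg.enable {` attrset starts in the previous hunk.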
diff --git a/secrets/vaultwardenCloudflared.age b/secrets/vaultwardenCloudflared.age new file mode 100644 index 0000000000000000000000000000000000000000..522eb51edf1c3c5850c996c84037caa4822f7a2c GIT binary patch literal 727 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHvCQ;$O;<1}2`mfs zc6Z6QEcDIr)6Y-$kMIsI^T;u^EY;35)(=ZDODr&TNiy~>kK~Gqa>?>>PYE(iNhvf4 ztn_dSwkS1^Dl^ZHa5c?zk4p8+EDgxCaC9^*vp~1aJ2cYQ%~2sJveL{c%`iFLJSQt8 zGqWr)(Z?(|HQUfEtjgQZ#niRHHPhR?BFE6pC6dd~w7@5`*uSL8A|*R0#4;o(JEX|h zvar-7#URL1+b1yCI5$5c)!(wr&==h{bF-j~&_D%~^hg&=V^@o!v~q()Mvhk zl*+6ur?Rwik0k$sa+A~wKUe?qz)-II3}2I^jQpg;6ywBnN0Y+fP?v)6suBz1)HFjk zzoOitWD9>|ZL_Enw@`H3ywWU+3(FOfG7L;g9E*d3TwSW%Ey5~tEgiGmBh6Ett96P=8M3PN1XOe4!O zoFl?2EKRs{b#)bj{fv@)lM2nULfpzDO{yH-o!rurQ}WERLM;P>Qr!!~qXNq#BTdaB z(~7yiq{^=U_3hjaMK9&lyRCg^C)m|CO_=)6#p=QY52-lL57G`h)0eK)nZzC;p|IFs zYDYoQ70r8p?%e!X!Z?*e&c&TA8=k%+L7Zffo64Rb2`0PgpPg-NO#c#Hc^%K}wS08q_ z>s5`JgRZ80$-{|&!o*ESyaD6A=kreeqJAS-c dD!1QMbnb~4oC`d5o2)*waQ?p@D*^86)c}3Q43z)? literal 0 HcmV?d00001