fail2ban test 12

2025-07-16 16:23:38 +02:00
parent dbe7cc9ab1
commit e342a4fd31
4 changed files with 49 additions and 16 deletions
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -12,6 +12,10 @@
    };
    vaultwarden = {
      enable = true;
      cloudflared = {
        tunnelId = "c3f541cb-b97e-4766-ae16-a8d863a3eec8";
        credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
      };
    };
  };
 }
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -11,7 +11,23 @@
  cfg = config.server.vaultwarden;
 in {
  options = {
-    server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
+    server.vaultwarden = {
      enable = mkEnableOption "Enables vaultwarden";
      cloudflared = {
        credentialsFile = lib.mkOption {
          type = lib.types.str;
          example = lib.literalExpression ''
            pkgs.writeText "cloudflare-credentials.json" '''
            {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
            '''
          '';
          tunnelId = lib.mkOption {
            type = lib.types.str;
            example = "00000000-0000-0000-0000-000000000000";
          };
        };
      };
    };
  };
  config = mkIf cfg.enable {
@@ -39,24 +55,36 @@ in {
      };
    };
-    services.vaultwarden = {
+    services = {
-      enable = true;
+      vaultwarden = {
-      environmentFile = config.age.secrets.vaultwarden-env.path;
+        enable = true;
        environmentFile = config.age.secrets.vaultwarden-env.path;
-      backupDir = "/var/backup/vaultwarden";
+        backupDir = "/var/backup/vaultwarden";
-      config = {
+        config = {
-        DOMAIN = "https://vault.${domain}";
+          DOMAIN = "https://vault.${domain}";
-        SIGNUPS_ALLOWED = false;
+          SIGNUPS_ALLOWED = false;
-        ROCKET_ADDRESS = "127.0.0.1";
+          ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
+          ROCKET_PORT = 8222;
-        IP_HEADER = "CF-Connecting-IP";
+          IP_HEADER = "CF-Connecting-IP";
-        logLevel = "warn";
+          logLevel = "warn";
-        extendedLogging = true;
+          extendedLogging = true;
-        useSyslog = true;
+          useSyslog = true;
-        invitationsAllowed = false;
+          invitationsAllowed = false;
-        showPasswordHint = false;
+          showPasswordHint = false;
        };
      };
      cloudflared = {
        enable = true;
        tunnels.${cfg.cloudflared.tunnelId} = {
          credentialsFile = cfg.cloudflared.credentialsFile;
          default = "http_status:404";
          ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${
            toString vcfg.ROCKET_PORT
          }";
        };
      };
    };
  };
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -13,4 +13,5 @@ in {
  "cloudflare-env.age".publicKeys = [cnst kima usobotka rsobotka];
  "vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka];
  "cloudflareFirewallApiKey.age".publicKeys = [cnst kima usobotka rsobotka];
  "vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka];
 }
--- a/secrets/vaultwardenCloudflared.age
+++ b/secrets/vaultwardenCloudflared.age