cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

fail2ban test 12

Browse Source
This commit is contained in:
cnst
2025-07-16 16:23:38 +02:00
parent dbe7cc9ab1
commit e342a4fd31
4 changed files with 49 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
hosts/sobotka/server.nix
View File

@@ -12,6 +12,10 @@
};
vaultwarden = {
enable = true;
cloudflared = {
tunnelId = "c3f541cb-b97e-4766-ae16-a8d863a3eec8";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
};
};
}

60
modules/server/vaultwarden/default.nix
View File

@@ -11,7 +11,23 @@
cfg = config.server.vaultwarden;
in {
options = {
server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
};
config = mkIf cfg.enable {
@@ -39,24 +55,36 @@ in {
};
};
services.vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwarden-env.path;
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwarden-env.path;
backupDir = "/var/backup/vaultwarden";
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
config = {
DOMAIN = "https://vault.${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${
toString vcfg.ROCKET_PORT
}";
};
};
};
};

1
secrets/secrets.nix
View File

@@ -13,4 +13,5 @@ in {
"cloudflare-env.age".publicKeys = [cnst kima usobotka rsobotka];
"vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka];
"cloudflareFirewallApiKey.age".publicKeys = [cnst kima usobotka rsobotka];
"vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka];
}

BIN
secrets/vaultwardenCloudflared.age Normal file
View File

Binary file not shown.