Chris Kruining 2025-12-01 20:56:56 +01:00
parent f288c688d0
commit d9dff63cea
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
2 changed files with 68 additions and 64 deletions


@ -24,6 +24,7 @@ in {
package = inputs.mydia.packages.${system}.default; package = inputs.mydia.packages.${system}.default;
port = 2010; port = 2010;
listenAddress = "0.0.0.0";
openFirewall = true; openFirewall = true;
secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path; secretKeyBaseFile = config.sops.secrets."mydia/secret_key_base".path;
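Review bot: The added `listenAddress = "0.0.0.0";` together with the existing `openFirewall = true;` makes mydia reachable on port 2010 from every interface the host has, and nothing in the hunk shows a reverse proxy or TLS in front of it. If the service is meant to be reached only locally or through a proxy defined elsewhere in the config, bind to that interface's address instead (e.g. `listenAddress = "127.0.0.1";` for a same-host proxy), or keep the wildcard bind and drop `openFirewall` so only the intended path reaches it; if exposure on all interfaces is intended, a one-line comment saying so would save the next reader the same question. The enclosing `services` attribute set starts and ends outside the hunk.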


@ -1,25 +1,31 @@
{ pkgs, config, lib, namespace, ... }: {
let pkgs,
config,
lib,
namespace,
...
}: let
inherit (builtins) toString; inherit (builtins) toString;
inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep; inherit (lib) mkIf mkEnableOption mkOption types getAttrs toUpper concatMapAttrsStringSep;
cfg = config.${namespace}.services.security.vaultwarden; cfg = config.${namespace}.services.security.vaultwarden;
databaseProviderSqlite = types.submodule ({ ... }: { databaseProviderSqlite = types.submodule ({...}: {
options = { options = {
type = mkOption { type = mkOption {
type = types.enum [ "sqlite" ]; type = types.enum ["sqlite"];
}; };
file = mkOption { file = mkOption {
type = types.str; type = types.path;
description = ''''; description = ''
Path to sqlite database file.
'';
}; };
}; };
}); });
databaseProviderPostgresql = types.submodule ({ ... }: databaseProviderPostgresql = types.submodule ({...}: let
let
urlOptions = lib.${namespace}.options.mkUrlOptions { urlOptions = lib.${namespace}.options.mkUrlOptions {
host = { host = {
description = '' description = ''
@ -40,36 +46,36 @@ let
example = "postgres"; example = "postgres";
}; };
}; };
in in {
{ options =
options = { {
type = mkOption { type = mkOption {
type = types.enum [ "postgresql" ]; type = types.enum ["postgresql"];
}; };
sslMode = mkOption { sslMode = mkOption {
type = types.enum [ "verify-ca" "verify-full" "require" "prefer" "allow" "disabled" ]; type = types.enum ["verify-ca" "verify-full" "require" "prefer" "allow" "disabled"];
default = "verify-full"; default = "verify-full";
example = "verify-ca"; example = "verify-ca";
description = '' description = ''
How to verify the server's ssl How to verify the server's ssl
| mode | eavesdropping protection | MITM protection | Statement | | mode | eavesdropping protection | MITM protection | Statement |
|-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------| |-------------|--------------------------|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. | | disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. |
| allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. | | allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. |
| prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. | | prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. |
| require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. | | require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. |
| verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. | | verify-ca | Yes | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. |
| verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. | | verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. |
[Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS) [Source](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS)
''; '';
}; };
} // (urlOptions |> getAttrs [ "protocol" "host" "port" ]); }
// (urlOptions |> getAttrs ["protocol" "host" "port"]);
}); });
in in {
{
options.${namespace}.services.security.vaultwarden = { options.${namespace}.services.security.vaultwarden = {
enable = mkEnableOption "enable vaultwarden"; enable = mkEnableOption "enable vaultwarden";
@ -136,7 +142,7 @@ in
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = ["vaultwarden"];
ensureUsers = [ ensureUsers = [
{ {
name = "vaultwarden"; name = "vaultwarden";
@ -171,7 +177,7 @@ in
owner = config.users.users.vaultwarden.name; owner = config.users.users.vaultwarden.name;
group = config.users.users.vaultwarden.name; group = config.users.users.vaultwarden.name;
key = "email/chris_kruining_eu"; key = "email/chris_kruining_eu";
restartUnits = [ "vaultwarden.service" ]; restartUnits = ["vaultwarden.service"];
}; };
}; };
@ -183,34 +189,31 @@ in
owner = config.users.users.vaultwarden.name; owner = config.users.users.vaultwarden.name;
group = config.users.groups.vaultwarden.name; group = config.users.groups.vaultwarden.name;
}; };
temp-db-output.content = temp-db-output.content = let
let config =
config = cfg.database
cfg.database |> (
|> ({ type, ... }@db: {type, ...} @ db:
if type == "sqlite" then if type == "sqlite"
{ inherit (db) type file; } then {inherit (db) type file;}
else if type == "postgresql" then else if type == "postgresql"
{ then {
inherit (db) type; inherit (db) type;
url = lib.${namespace}.strings.toUrl { url = lib.${namespace}.strings.toUrl {
inherit (db) protocol host port; inherit (db) protocol host port;
path = "vaultwarden"; path = "vaultwarden";
query = { query = {
sslmode = db.sslMode; sslmode = db.sslMode;
};
}; };
} };
else }
{} else {}
) )
|> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}") |> concatMapAttrsStringSep "\n" (n: v: "${toUpper n}=${v}");
; in ''
in # GENERATED VALUES
'' ${config}
# GENERATED VALUES '';
${config}
'';
}; };
}; };
}; };
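Review bot: In the `@ -40,36 +46,36 @@` hunk the `sslMode` enum still accepts `"disabled"`, while libpq (and the table in the option's own description, which lists `disable`) spells the value `disable`; choosing it would place `sslmode=disabled` in the URL built in the last hunk, which libpq reports as an invalid sslmode value rather than silently downgrading, so the enum entry should read `"disable"` — the reformat carried the mismatch over unchanged. Separately, in the `temp-db-output.content` hunk the generated `KEY=value` lines are emitted without quoting or escaping, so a `file` path containing whitespace or `#` could be misread by whatever consumes the file — hedged, since that consumer is not visible here; if it accepts shell-style env files, quoting the value, e.g. `(n: v: "${toUpper n}=\"${v}\"")`, is worth considering. `databaseProviderPostgresql` starts in the first hunk and ends in the second.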