Infini-SERVER: pull vaultwarden into its own module

2024-01-08 23:03:43 -05:00 · 2024-01-08 23:03:43 -05:00 · 6174326ae7
commit 6174326ae7
parent c1cacb5ed2
3 changed files with 42 additions and 29 deletions
--- a/hosts/Infini-SERVER/default.nix
+++ b/hosts/Infini-SERVER/default.nix
@ -4,6 +4,8 @@
    private.nixosModules.nitter
    ./hardware-configuration.nix
    ./filesystems.nix
+
+    ./vaultwarden.nix
  ];

  system.stateVersion = "22.05";
@ -44,7 +46,6 @@
      "/var/log"
      "/var/lib/systemd/coredump"
      "/var/lib/tailscale"
-      "/var/lib/bitwarden_rs"
      "/var/lib/thelounge"

      "/srv"
@ -65,7 +66,7 @@
    nginx =
      let
        cfg = config.services.nginx;
-        ssl = { sslCertificate = config.secrets."inx.moe.pem"; sslCertificateKey = config.secrets."inx.moe.key"; forceSSL = true; };
+        inherit (config.common.nginx) ssl;
      in
      {
        enable = true;
@ -94,11 +95,6 @@
              proxyPass = "http://localhost:8000";
            };
          };
-          "bitwarden.inx.moe" = ssl // {
-            locations."/" = {
-              proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
-            };
-          };
          "thelounge.inx.moe" = ssl // {
            locations."/" = {
              proxyPass = "http://localhost:${toString config.services.thelounge.port}";
@ -107,28 +103,6 @@
        };
      };

-    vaultwarden = {
-      enable = true;
-      environmentFile = config.secrets."vaultwarden";
-      config = {
-        DOMAIN = "https://bitwarden.inx.moe";
-        SIGNUPS_ALLOWED = false;
-
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-        ROCKET_LOG = "critical";
-
-        PUSH_ENABLED = true;
-        PUSH_RELAY_URI = "https://push.bitwarden.com";
-
-        SMTP_HOST = "live.smtp.mailtrap.io";
-        SMTP_FROM = "noreply@inx.moe";
-        SMTP_PORT = 587;
-        SMTP_SECURITY = "starttls";
-        SMTP_USERNAME = "api";
-      };
-    };
-
    nitter = rec {
      enable = true;
      server = {
--- a/hosts/Infini-SERVER/vaultwarden.nix
+++ b/hosts/Infini-SERVER/vaultwarden.nix
@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+  persist.directories = [ config.services.vaultwarden.config.DATA_FOLDER ];
+
+  services.nginx.virtualHosts."bitwarden.inx.moe" = config.common.nginx.ssl // {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+    };
+  };
+
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.secrets."vaultwarden";
+    config = {
+      DOMAIN = "https://bitwarden.inx.moe";
+      SIGNUPS_ALLOWED = false;
+
+      DATA_FOLDER = "/var/lib/bitwarden_rs";
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+      ROCKET_LOG = "critical";
+
+      PUSH_ENABLED = true;
+      PUSH_RELAY_URI = "https://push.bitwarden.com";
+
+      SMTP_HOST = "smtp.purelymail.com";
+      SMTP_FROM = "noreply@inx.moe";
+      SMTP_PORT = 465;
+      SMTP_SECURITY = "force_tls";
+      SMTP_USERNAME = "noreply@inx.moe";
+    };
+  };
+}
--- a/modules/global/security.nix
+++ b/modules/global/security.nix
@ -51,4 +51,8 @@ with lib;
      }
    ];
  };
+
+  common = {
+    nginx.ssl = { sslCertificate = config.secrets."inx.moe.pem"; sslCertificateKey = config.secrets."inx.moe.key"; forceSSL = true; };
+  };
 }