From b665d7cffefae54963b5e95b3fd142ceb097f2e3 Mon Sep 17 00:00:00 2001 From: Nettika Date: Wed, 8 Oct 2025 21:45:43 -0700 Subject: [PATCH] Setup vaultwarden on astral --- hosts/astral/default.nix | 29 ++++++++++++++++-- hosts/astral/secrets/vaultwarden-env.age | Bin 0 -> 370 bytes hosts/default.nix | 19 ++++++------ hosts/marauder/secrets/restic-env.age | 9 +++--- hosts/marauder/secrets/restic-password.age | Bin 246 -> 246 bytes hosts/quasar/default.nix | 2 +- .../quasar/secrets/matrix-synapse-secrets.age | Bin 426 -> 536 bytes secrets.nix | 14 ++++++--- 8 files changed, 51 insertions(+), 22 deletions(-) create mode 100644 hosts/astral/secrets/vaultwarden-env.age diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix index 421f5e0..4e019e7 100644 --- a/hosts/astral/default.nix +++ b/hosts/astral/default.nix @@ -1,9 +1,10 @@ -{ nixosModules, modulesPath, lib, pkgs, ... }: { +{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }: { imports = [ "${modulesPath}/virtualisation/amazon-image.nix" nixosModules.nano nixosModules.nettika nixosModules.promptmoji + agenix.nixosModules.default ]; boot.loader.grub.device = lib.mkForce "/dev/nvme0n1"; @@ -14,7 +15,10 @@ dates = "weekly"; options = "--delete-older-than 30d"; }; - settings.trusted-users = [ "@wheel" ]; + settings = { + trusted-users = [ "@wheel" ]; + experimental-features = [ "nix-command" "flakes" ]; + }; }; networking = { @@ -22,6 +26,8 @@ firewall.allowedTCPPorts = [ 80 443 ]; }; + age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age; + users.defaultUserShell = pkgs.fish; security.sudo.wheelNeedsPassword = false; 
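Review bot: The context line `security.sudo.wheelNeedsPassword = false;` just below the new `age.secrets.vaultwarden-env.file` declaration, together with `trusted-users = [ "@wheel" ]` kept in the rewritten `settings` block of the second hunk, means any process running as a wheel user can become root without re-authenticating. Such a process can then read the decrypted env file and, presumably, the vault's data directory. Both settings predate this commit, but the host now holds a password vault, so either set `security.sudo.wheelNeedsPassword = true;` on astral or add a comment recording that the risk is accepted and why. The owner, mode and location of the decrypted file are left to the agenix defaults and are not visible here. A one-line comment beside `age.secrets.vaultwarden-env` naming the variables the file carries would help the next reader, since the committed blob is opaque.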
@@ -33,9 +39,28 @@ respond "astral is online" header Strict-Transport-Security: "max-age=63072000; includeSubDomains" ''; + "vault.leaf.ninja".extraConfig = '' + reverse_proxy localhost:8222 + ''; }; }; + services.vaultwarden = { + enable = true; + config = { + domain = "https://vault.leaf.ninja"; + signupsAllowed = false; + rocketAddress = "0.0.0.0"; + rocketPort = 8222; + smtpHost = "smtp.migadu.com"; + smtpFrom = "vaultwarden@leaf.ninja"; + smtpPort = 587; + smtpSecurity = "starttls"; + smtpUsername = "vaultwarden@leaf.ninja"; + }; + environmentFile = config.age.secrets.vaultwarden-env.path; + }; + programs.fish.enable = true; documentation.man.generateCaches = false; diff --git a/hosts/astral/secrets/vaultwarden-env.age b/hosts/astral/secrets/vaultwarden-env.age new file mode 100644 index 0000000000000000000000000000000000000000..83accd1590e1f22e60cbfb11a1212f09d5aa6142 GIT binary patch literal 370 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSn(+=<|3RFmR_jfLG zODrmOEY1%NOG^z;kMu~jG;}R-HH`50k4)D#FDZ+N^eznzGvUfe^mNa2D-VhA^GVhZ z^Ybf-^esv+3Jgi9% zIM^lIEwP}?&pA2JG9}o;xxy>JsHEJ$*f-BN+=9zjKddA%AS$mk#I4fAEiX9V-6uTC zJ>M_DB)h`LJhwb2)g#ryJX60Y)s;(ES63m&ATOoFJ ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk -I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y ---- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc -LΚ[N<#] B}f%PxKۨkI ssh-ed25519 f+PJrQ VJshLBSbF93anR9fOJ3Kwhxh1AOdvsS0hoJ86Bw9oBQ +It8hELrRN+EYt9nv75lVHha+ZDUhCDNQVczDZVlDCBs +--- xzJ/50+WOA+IWRXiAvBbJLUlsgsSztQrzbimng2QdlU +Ϭjҍ8K7$wbԲǰ~]NB]QM+cw +Jo͔Sؚ!NDuOnZnNѵV:kc)|JopSHfu19 \ No newline at end of file 
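Review bot: `rocketAddress = "0.0.0.0";` in `services.vaultwarden.config` makes the backend listen in plain HTTP on every interface, although the only intended client is Caddy, which proxies to `localhost:8222`. With that bind address, the `firewall.allowedTCPPorts = [ 80 443 ];` list in the earlier hunk of this file (and whatever network filtering sits in front of the instance) is the only thing keeping the unencrypted vault endpoint off the network. Binding to loopback removes that dependency: `rocketAddress = "127.0.0.1";`. The new `"vault.leaf.ninja"` vhost also omits the `Strict-Transport-Security` header that the vhost directly above it sets, and a password vault is the site where it matters most. The enclosing `services.caddy` block starts outside the hunk.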
diff --git a/hosts/marauder/secrets/restic-password.age b/hosts/marauder/secrets/restic-password.age index 58bbd5c66d43e5ccf66e1e1bcd8d3e55b07de816..6722ce542f8ef776c9fd8e734eac4e732a2a1d31 100644 GIT binary patch delta 210 zcmeyy_>FObPJMcEg^5S9U!HfWk#A5^j(bFsi&17uM43lUYJ{Ufh+9d4XL>-0M`l#G zCzq*FmWOvW^k2zmZ?v0iE(a0vU6IgW06~sBbTnOu7X)g zvOz$$Nn%Brfsa#gP*J6KU`Ux$S!rHsQcFObPQ7oKv%W!CWTvxMvQc(aNI`^4akiUzx?ypSab8%iQJ6`weom1=VYZ2T zI+t5cX}Z6kkDEtEqN#6ENU=w0aZa#LiFuHBdVaW*iF>$dX-;9Gm!Gzy374*}u0n>p zn@^OhTe!Jfl)ryeRe5+|MOI3IYoSMuc}{Vpo3XKPqIYqqg^OuAzCCAkMR%LGpDwgZqx8S$BTivO81v NW7kr>xv5Xq0sz0LPIv$S diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index 289cf4b..c4d5809 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix @@ -28,7 +28,7 @@ matrix-synapse-secrets.file = ./secrets/matrix-synapse-secrets.age; }; - services.postgresql = { enable = true; }; + services.postgresql.enable = true; services.caddy = { enable = true; 
diff --git a/hosts/quasar/secrets/matrix-synapse-secrets.age b/hosts/quasar/secrets/matrix-synapse-secrets.age index f8716bd7dc792c563d7f3a82ae069701e209c31c..5fba68282a14bb27a4c678752c43893479363b7b 100644 GIT binary patch delta 502 zcmZ3*JcDI|PJKaGk&AzzenD79m9MvBnoCAjaB@hMsj**VnR${=W@Ju5u1k(vMW|zN zGM8~+Mw&&qOK_57MxsZBkBh#3ain`jMR0nEk8irSb4o#$mrt0pfw^Ou0hg|wLUD11 zZfc5=si~o*LW-ApQof^tp;>u`NpWOET4Yi|zHv%URlUE7Z$^ZLMSeh_f0n7KlfPk# zyKi}FS#XvwSCq4hmq~_eNLpx6XhB|}iFRgSc1lsck&C;bL55LQfmdp>rI(pwQCU!^-n(63`s^;AeDg2z2g6_dQ(OG6OQGND z-@Tn~ZVS@_9^JNom3dF5&+#q)0k6}gTU;$}ZQfaXL3_`WM*rW@r}}T_7-z7(EA17{ z++BY9xa9jt(d2E50wOIpMCIM~`KO}rHL^`sJnNK_!j4HR#cTBn=0E?p)?UG3{W}0Y Cy3PIo delta 392 zcmbQivWj_vPQ7QDWpRqXv2mhtfQfHmd2wNwWtzKTK~%m`VOmaZj(22{QND|(etKzn zAXk29sHam(x}|HSX;6rhi(80yNSR|wpnHXPcu7i*Q%YlfPuf4zk5cGex9#^WxiXecAANaxwgN#w_%Q3P<>8zMsk_Ci2>Kb_1{;1W?JJ> znzTdWQ{4kCt9h1H%b0Rnzw0-wj+4!2Ql5LX!&r6^2lth_TJ*>Un<{w{3 z#RFf{1h<4}-Nnmfjg_vSU!lvDVXyGi!6cpM-ewV%hG)gUUl_HVPkI~8d@Az$pU3qQ z+ch666yIr%um4>?C(?8M$F|nD)h1gvy=IYIHs5(}&|Sw37rv;pXFr-B_(6wjUcK~; zWfMNUe7280LRm*H2?qr diff --git a/secrets.nix b/secrets.nix index 1e8ad6a..48f0c4b 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,10 +1,14 @@
 let
- marauder.nettika =
+ marauder =
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
+ astral =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRJf6qsNoITXPBdiFsmZuLR0dyP/D6WYNP/RQynl3kf";
+ quasar =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoVsKoMEiA2G0WIC/6gFsNE09yhumWf4xnDuoRcD2Px";
 in {
- "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder.nettika ];
- "hosts/marauder/secrets/restic-password.age".publicKeys =
- [ marauder.nettika ];
+ "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ];
+ "hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ];
 "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys =
- [ marauder.nettika ];
+ [ marauder quasar ];
+ "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ];
 }
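Review bot: The `let` block gives no hint which bindings are host keys and which is an operator key: after the rename from `marauder.nettika` to `marauder` the three look alike, yet `marauder` is a recipient of every secret while `astral` and `quasar` each appear on one. If `marauder` is the key used to edit and rekey (an assumption; the file does not say), its private half can decrypt every secret in the repository, and that is worth stating where the recipients are defined. I would add comments such as `# marauder: key used to edit and rekey; recipient of all secrets` and `# astral, quasar: host SSH keys, used only to decrypt at activation`, adjusted to what the keys actually are. The two restic entries list only `marauder`, so it is also worth confirming that this is the key the marauder host itself decrypts with.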