
add vaultwarden job on new host artemis
RafDevX committed Sep 26, 2024
1 parent 08fdf8b commit da59240
Showing 9 changed files with 141 additions and 2 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/tofu-apply.yml
Expand Up @@ -49,6 +49,7 @@ jobs:
with:
label: dsekt-infra
variables: |
ssh_user = "${{ vars.TF_SSH_USER }}"
hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
ssh_user = "${{ vars.TF_SSH_USER }}"
vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
3 changes: 2 additions & 1 deletion .github/workflows/tofu-plan.yml
Expand Up @@ -42,6 +42,7 @@ jobs:
with:
label: dsekt-infra
variables: |
ssh_user = "${{ vars.TF_SSH_USER }}"
hcloud_token = "${{ secrets.TF_HCLOUD_TOKEN }}"
cloudflare_api_token = "${{ secrets.TF_CLOUDFLARE_TOKEN }}"
ssh_user = "${{ vars.TF_SSH_USER }}"
vault_db_password = "${{ secrets.TF_VAULT_DB_PASSWORD }}"
15 changes: 15 additions & 0 deletions aws-ses.tf
Expand Up @@ -68,3 +68,18 @@ resource "aws_iam_user_policy_attachment" "mattermost_smtp" {
user = aws_iam_user.mattermost_smtp.name
policy_arn = aws_iam_policy.send_email.arn
}

# Vaultwarden

resource "aws_iam_user" "vaultwarden_smtp" {
name = "vaultwarden_smtp"
}

resource "aws_iam_access_key" "vaultwarden_smtp" {
user = aws_iam_user.vaultwarden_smtp.name
}

resource "aws_iam_user_policy_attachment" "vaultwarden_smtp" {
user = aws_iam_user.vaultwarden_smtp.name
policy_arn = aws_iam_policy.send_email.arn
}
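Review bot: The new `vaultwarden_smtp` user is attached to the same `aws_iam_policy.send_email` as `mattermost_smtp`, so unless that policy (defined outside this hunk) already restricts senders, either credential can send as any verified identity, including the other service's address. If sharing the policy is intended, a comment above the attachment saying so would help; otherwise a per-user policy with a `ses:FromAddress` condition limited to the vault sender keeps a leaked SMTP credential from being usable to impersonate the other service. The same observation applies to the existing mattermost attachment.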
1 change: 1 addition & 0 deletions hosts.tf
Expand Up @@ -5,6 +5,7 @@ locals {
poseidon = { role = "server", private_ip_addr = "10.83.0.3", server_type = "cx22" }
hades = { role = "server", private_ip_addr = "10.83.0.4", server_type = "cx22" }
ares = { role = "client", private_ip_addr = "10.83.0.5", server_type = "cx21" }
artemis = { role = "client", private_ip_addr = "10.83.0.6", server_type = "cx22" }
}
}
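Review bot: The `artemis` entry adds `10.83.0.6` here while the same address is declared again in `modules/addresses.nix` in this commit, so the private IP now lives in two hand-maintained tables that nothing checks against each other. If one of them cannot be generated from the other, a comment on each list naming its twin, e.g. `# keep in sync with modules/addresses.nix`, at least tells the next person adding a host where the second edit goes.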

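--- a/hosts/artemis.nix
+++ b/hosts/artemis.nix
@@ -0,0 +1,22 @@
+{ profiles, ... }:
+{
+imports = with profiles; [
+hetzner-cloud
+base
+nomad.client
+];
+
+services.nomad.settings.client.host_volume = {
+"vault/data" = {
+path = "/var/lib/nomad-volumes/vault/data";
+};
+};
+
+systemd.tmpfiles.rules = [
+"d /var/lib/nomad-volumes 0500 0 0"
+"d /var/lib/nomad-volumes/vault/data 0700 0 0" # vaultwarden runs as root
+];
+
+# Change this if you want to lose all data on this machine!
+system.stateVersion = "24.05";
+}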
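Review bot: The comment on the `0700 0 0` tmpfiles rule records that the container runs as root, but nothing on this host pins that; the uid is decided by the Docker task in `jobs/vaultwarden.nomad.hcl`, so the two can drift apart silently. If the task is later given a non-root `user`, this directory's ownership has to follow or the volume becomes unwritable, which is worth stating in the comment: `# owner must match the uid the vaultwarden task runs as (root today, see jobs/vaultwarden.nomad.hcl)`. Running the service unprivileged and chowning the directory accordingly would also be the better end state, assuming the image supports it.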
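--- a/jobs/vaultwarden.nomad.hcl
+++ b/jobs/vaultwarden.nomad.hcl
@@ -0,0 +1,73 @@
+variable "domain_name" {
+type = string
+default = "vault.datasektionen.se"
+}
+
+job "vault" {
+namespace = "vault"
+
+group "vault" {
+network {
+port "http" { }
+}
+
+service {
+name = "vault"
+port = "http"
+provider = "nomad"
+tags = [
+"traefik.enable=true",
+"traefik.http.routers.vault.rule=Host(`${var.domain_name}`)",
+"traefik.http.routers.vault.tls.certresolver=default",
+]
+}
+
+volume "data" {
+type = "host"
+source = "vault/data"
+}
+
+task "vault" {
+driver = "docker"
+
+config {
+image = "vaultwarden/server:1.32.0-alpine"
+ports = ["http"]
+}
+
+template {
+data = <<EOF
+DOMAIN=https://${var.domain_name}
+ROCKET_PORT={{ env "NOMAD_PORT_http" }}
+{{ with nomadVar "nomad/jobs/vault" }}
+DATABASE_URL=postgres://vaultwarden:{{ .db_password }}@postgres.dsekt.internal:5432/vaultwarden?sslmode=disable&connect_timeout=10
+SMTP_USERNAME={{ .smtp_username }}
+SMTP_PASSWORD={{ .smtp_password }}
+{{ end }}
+SMTP_HOST=email-smtp.eu-north-1.amazonaws.com
+SMTP_PORT=587
+[email protected]
+SMTP_FROM_NAME="Datasektionen Vault"
+INVITATION_ORG_NAME="Datasektionen Vault"
+SIGNUPS_ALLOWED=false
+SIGNUPS_VERIFY=true
+SIGNUPS_DOMAINS_WHITELIST=datasektionen.se
+[email protected]
+ORG_GROUPS_ENABLED=true
+ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$Eq5XC4/9uPFrvVadxrAEBD3+cvaUjZaXWuJkxMAGiQQ$BDzKBz53KMb+e8hIaiCca42ZRak8RFW09qVCXjqgfPk
+EOF
+destination = "local/.env"
+env = true
+}
+
+volume_mount {
+volume = "data"
+destination = "/data"
+}
+
+resources {
+memory = 128 // MB
+}
+}
+}
+}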
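Review bot: The `ADMIN_TOKEN` line at the end of the template checks a password hash into the repository, while the comparable secrets (`db_password`, `smtp_username`, `smtp_password`) are read from the `nomad/jobs/vault` variable a few lines above; an argon2id hash is not the token itself, but committing it hands anyone with read access to the repo an offline guessing target and makes rotation a code change. Move it next to the other items, `ADMIN_TOKEN={{ .admin_token }}` inside the `{{ with nomadVar "nomad/jobs/vault" }}` block, with `admin_token` added to the Terraform-managed variable in `nomad.tf`. The `DATABASE_URL` is built with `sslmode=disable`, so the database password crosses the network in clear to `postgres.dsekt.internal`; presumably that host is only reachable on the private 10.83.0.0 network, but a one-line comment stating that assumption would help the next reader. The same URL also breaks if `db_password` ever contains URL-reserved characters, since it is interpolated without escaping.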
1 change: 1 addition & 0 deletions modules/addresses.nix
Expand Up @@ -20,6 +20,7 @@ in
poseidon = "10.83.0.3";
hades = "10.83.0.4";
ares = "10.83.0.5";
artemis = "10.83.0.6";

self = self.${config.networking.hostName};
});
24 changes: 24 additions & 0 deletions nomad.tf
Expand Up @@ -32,6 +32,30 @@ resource "nomad_job" "mattermost" {
jobspec = file("${path.module}/jobs/mattermost.nomad.hcl")
}

# Vault

variable "vault_db_password" {
sensitive = true
}

resource "nomad_namespace" "vault" {
name = "vault"
}

resource "nomad_job" "vault" {
jobspec = file("${path.module}/jobs/vaultwarden.nomad.hcl")
}

resource "nomad_variable" "jobs_vault" {
path = "nomad/jobs/vault"
namespace = "vault"
items = {
db_password = var.vault_db_password
smtp_username = aws_iam_access_key.vaultwarden_smtp.id
smtp_password = aws_iam_access_key.vaultwarden_smtp.ses_smtp_password_v4
}
}
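Review bot: `nomad_job.vault` and `nomad_variable.jobs_vault` refer to the `vault` namespace only as a string literal, so Terraform has no dependency edge to `nomad_namespace.vault` and on a fresh apply may submit the job or the variable before the namespace exists. Adding `depends_on = [nomad_namespace.vault]` to both resources fixes the ordering; for the variable, `namespace = nomad_namespace.vault.name` makes the edge implicit instead. The job template reads `nomad/jobs/vault` through `nomadVar`, which as far as I can tell blocks the task until the variable exists, so ordering the job after `nomad_variable.jobs_vault` as well avoids a stuck first deploy. Note that `ses_smtp_password_v4` and `var.vault_db_password` both land in Terraform state via this resource, so the state backend's access controls are now part of the secret boundary for the vault credentials.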

# Auth

resource "nomad_namespace" "auth" {
1 change: 1 addition & 0 deletions profiles/traefik.nix
Expand Up @@ -46,6 +46,7 @@
"default"
"auth"
"mattermost"
"vault"
];
};

