diff --git a/hosts/vaultwarden/default.nix b/hosts/vaultwarden/default.nix
index 8ee8cfb6..85eaf676 100644
--- a/hosts/vaultwarden/default.nix
+++ b/hosts/vaultwarden/default.nix
@@ -18,6 +18,46 @@
 ];
 };
 
+ bitwarden-directory-connector = {
+ enable = true;
+ inherit (config.services.vaultwarden) domain;
+ ldap = {
+ ad = false;
+ hostname = "auth.c3d2.de";
+ port = 636;
+ rootPath = "dc=c3d2,dc=de";
+ ssl = true;
+ startTls = false;
+ username = "uid=search,ou=users,dc=c3d2,dc=de";
+ };
+ secrets = {
+ bitwarden = {
+ client_path_id = config.sops.secrets."bwdc/client-id".path;
+ client_path_secret = config.sops.secrets."bwdc/client-secret".path;
+ };
+ ldap = config.sops.secrets."bwdc/ldap-password".path;
+ };
+ sync = {
+ creationDateAttribute = "";
+ groups = true;
+ groupFilter = "(cn=vaultwarden-*)";
+ groupNameAttribute = "cn";
+ groupObjectClass = "groupOfNames";
+ groupPath = "ou=groups";
+ largeImport = false;
+ memberAttribute = "member";
+ overwriteExisting = false;
+ removeDisabled = true;
+ revisionDateAttribute = "";
+ useEmailPrefixSuffix = false;
+ userEmailAttribute = "mail";
+ userFilter = "(isMemberOf=cn=vaultwarden-users,ou=groups,dc=c3d2,dc=de)";
+ userObjectClass = "person";
+ userPath = "ou=users";
+ users = true;
+ };
+ };
+
 nginx = {
 enable = true;
 virtualHosts."vaultwarden.c3d2.de" = {
@@ -26,6 +66,8 @@
 };
 };
 
+ portunus.addToHosts = true;
+
 postgresql = {
 package = pkgs.postgresql_16;
 upgrade.stopServices = [ "vaultwarden" ];
@@ -54,6 +96,9 @@
 sops = {
 defaultSopsFile = ./secrets.yaml;
 secrets = {
+ "bwdc/client-id".owner = "bwdc";
+ "bwdc/client-secret".owner = "bwdc";
+ "bwdc/ldap-password".owner = "bwdc";
 "vaultwarden/environment".owner = "vaultwarden";
 };
 };
diff --git a/hosts/vaultwarden/secrets.yaml b/hosts/vaultwarden/secrets.yaml
index 2a3ed350..44a243ea 100644
--- a/hosts/vaultwarden/secrets.yaml
+++ b/hosts/vaultwarden/secrets.yaml
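Review bot: Nothing in the new `ldap` block says how the server certificate of `auth.c3d2.de` is validated; `ssl = true` with `port = 636` and `startTls = false` is plain LDAPS, but the bind password of `uid=search,ou=users,dc=c3d2,dc=de` (from `bwdc/ldap-password`) is only protected if the connector actually verifies the chain rather than accepting any certificate. Confirm what the module does by default and, if it exposes a CA or trust-store option, pin the issuing CA there; otherwise record the assumption with a comment such as `# LDAPS to Portunus; server certificate is verified against the system trust store`. The `sync` block would also benefit from a one-line comment on how `userFilter` (only members of `cn=vaultwarden-users`) and `groupFilter` (`(cn=vaultwarden-*)`) are meant to pair up, and on what `removeDisabled = true` does to existing organisation members when the directory side changes — that behaviour should be checked against the connector's documentation before it is written down. The attribute set enclosing this hunk (presumably `services`) starts before and ends after it.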
@@ -1,3 +1,7 @@
+bwdc:
+ client-id: ENC[AES256_GCM,data:pFDg11xfXbx/X40z7Rs9Ps35GuK9ncBbB25VYZJMaRyv17fCbMaVJmnvlnFZOkVidg==,iv:SG7QcH/QHJtEAd6eHzakMIHVs5W6EiaPNsh+G9Zku9A=,tag:ZEL1UGJy9lR9himlbGpSoA==,type:str]
+ client-secret: ENC[AES256_GCM,data:41ivEval7TegKbYl+Bla2Dgs2h+P1kTBKUr39qPD,iv:BvsO1GcwGbhYCN92yjSFMZiIhX7s3KlrGd0mJEXN1hA=,tag:G2EbHWjz2N5cqOM9MWqStQ==,type:str]
+ ldap-password: ENC[AES256_GCM,data:DXVH3RNBH+1OguL/yAFPvFUoU1EocEi4TQBT5qVFBF4=,iv:A7IPtApfow+0mWTpNSsZVPWzBw7WjvN4NEAgn9Q8cvY=,tag:7VcvkOjpaDfdPF6fyBbZiQ==,type:str]
 restic:
 password: ENC[AES256_GCM,data:3t8PjT9cOsv4D6rhRwFSyehsQzofXaXqt/EXK7FiBPg=,iv:HlyNiUsmlma47BhNvLeuew4lx4uldDqL/O8fIsSFOPU=,tag:LBDt+WTU2+z+LfWQ8hqoIw==,type:str]
 repositories:
@@ -28,8 +32,8 @@ sops:
 YVljODQybmFBaENvdlZtcGJNaXdyWjAK7TenBrprqo++EzurqXqatEJncCU5g0JH
 9aUpNebhTuauCJQcObj89tjx0EKuafe7Nn2wgiV3hNPIGa4+YXnsSw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-20T22:31:55Z"
- mac: ENC[AES256_GCM,data:jK6Bdee8wsTp6etUJzrwgw8yNGJ8iqYYt0aE1tPmnM4aU9mu/Fhj9kidPLIl5ghBYqapXuiFre/jivrldDfQ/xMNntSpMlYqqjgFCPlgCvDUI0auXfIdKGGB5jORzN7i3z2LPm4vX6mFTol5vdOsHzA2dg/KqOGca9zhrbbDKU8=,iv:NAKLcSGNiEjzvlU8YXAbEPpJWFn7erNQ1Lz6NeYxV/Y=,tag:+LqcZL2CUHRnYMAuAMdPpw==,type:str]
+ lastmodified: "2023-12-25T19:09:35Z"
+ mac: ENC[AES256_GCM,data:rsQw8nYs78jCTKWHhwOuU8d3SS2pCnKpCo6U3RpWCGIdKMFq8QGBgarycAZgxbGc9ErEct4K4XhZ0pcX5qJgRFPE6YhDuRnKm/kQkmgXe63wPncQhUUq0U3P9q/G1Hs3uJbMyWgnjQQ2Vo8sv9mTbseS8ettbuJUNjK6mnblzIM=,iv:476qCdupCylLCvd9tb+VIDtbbqlw1Z/tezQh/d4jjIo=,tag:azw4aUqFD6zszCCYAny/KA==,type:str]
 pgp:
 - created_at: "2023-12-20T20:48:53Z"
 enc: |-