hosts/vps1: add vaultwarden

2025-08-24 17:24:56 +01:00
parent 91aa798243
commit f7624fa703
3 changed files with 78 additions and 4 deletions

8
flake.lock generated

@@ -1143,11 +1143,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1755887038, "lastModified": 1756051653,
"narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=", "narHash": "sha256-JJkQliqI7zn+esLnKQP82eQEuolNz8IELm/BYGPTvEw=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "9e47b557087ebde3a30c9f97189d110c29d144fd", "rev": "01cf200f61946ac9f259f9163933ea1749cb3531",
"revCount": 40, "revCount": 41,
"type": "git", "type": "git",
"url": "ssh://git@git.vimium.com/jordan/nix-secrets.git" "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
}, },


@@ -12,6 +12,7 @@
./matrix.nix ./matrix.nix
./nginx.nix ./nginx.nix
./photoprism.nix ./photoprism.nix
./vaultwarden.nix
../server.nix ../server.nix
]; ];


@@ -0,0 +1,73 @@
{
inputs,
config,
lib,
...
}:
let
inherit (lib)
mkForce
;
baseDomain = "vimium.com";
domain = "vaultwarden.${baseDomain}";
in
{
age.secrets."files/services/vaultwarden/envfile" = {
file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
};
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
backupDir = "/var/cache/vaultwarden-backup";
config = {
dataFolder = mkForce "/var/lib/vaultwarden";
useSysLog = true;
webVaultEnabled = true;
rocketPort = 8222;
signupsAllowed = false;
passwordIterations = 1000000;
invitationsAllowed = true;
invitationOrgName = "Vaultwarden";
domain = "https://${domain}";
};
environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
};
services.nginx.virtualHosts = {
"${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
proxyWebsockets = true;
};
};
};
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
systemd.services.vaultwarden.serviceConfig = {
StateDirectory = mkForce "vaultwarden";
RestartSec = "60";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/vaultwarden";
user = "vaultwarden";
group = "vaultwarden";
mode = "0700";
}
];
environment.persistence."/state".directories = [
{
directory = config.services.vaultwarden.backupDir;
user = "vaultwarden";
group = "vaultwarden";
mode = "0700";
}
];
}
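Review bot: `services.vaultwarden.config` sets `rocketPort = 8222` but no `rocketAddress`, so the bind address of the plain-HTTP backend is left to a default. Vaultwarden itself listens on all interfaces by default, and as far as I recall a user-supplied `config` replaces the module's default attribute set rather than merging with it, so a loopback default would not survive here. Since the nginx vhost proxies to `127.0.0.1`, I would add `rocketAddress = "127.0.0.1";` next to `rocketPort`, so the vault cannot be reached around the TLS vhost if port 8222 is ever opened in the firewall. If the encrypted envfile already sets `ROCKET_ADDRESS`, a short comment beside `environmentFile` such as `# envfile also sets ROCKET_ADDRESS` would make that visible to reviewers.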