Jordan Holt
f7624fa703
All checks were successful
Check flake / build-amd64-linux (push) Successful in 1m16s
74 lines
1.7 KiB
Nix
74 lines
1.7 KiB
Nix
{
|
|
inputs,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkForce
|
|
;
|
|
baseDomain = "vimium.com";
|
|
domain = "vaultwarden.${baseDomain}";
|
|
in
|
|
{
|
|
age.secrets."files/services/vaultwarden/envfile" = {
|
|
file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = "sqlite";
|
|
backupDir = "/var/cache/vaultwarden-backup";
|
|
config = {
|
|
dataFolder = mkForce "/var/lib/vaultwarden";
|
|
useSysLog = true;
|
|
webVaultEnabled = true;
|
|
|
|
rocketPort = 8222;
|
|
|
|
signupsAllowed = false;
|
|
passwordIterations = 1000000;
|
|
invitationsAllowed = true;
|
|
invitationOrgName = "Vaultwarden";
|
|
domain = "https://${domain}";
|
|
};
|
|
environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
|
"${domain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
|
|
systemd.services.vaultwarden.serviceConfig = {
|
|
StateDirectory = mkForce "vaultwarden";
|
|
RestartSec = "60";
|
|
};
|
|
|
|
environment.persistence."/persist".directories = [
|
|
{
|
|
directory = "/var/lib/vaultwarden";
|
|
user = "vaultwarden";
|
|
group = "vaultwarden";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
|
|
environment.persistence."/state".directories = [
|
|
{
|
|
directory = config.services.vaultwarden.backupDir;
|
|
user = "vaultwarden";
|
|
group = "vaultwarden";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
}
|