Jordan Holt
e02f846b5c
All checks were successful
Check flake / build-amd64-linux (push) Successful in 1m22s
78 lines
1.8 KiB
Nix
78 lines
1.8 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkForce
|
|
;
|
|
baseDomain = "vimium.com";
|
|
domain = "vaultwarden.${baseDomain}";
|
|
in
|
|
{
|
|
age.secrets.vaultwarden-env = {
|
|
rekeyFile = ./secrets/vaultwarden-env.age;
|
|
mode = "0440";
|
|
group = "vaultwarden";
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = "sqlite";
|
|
backupDir = "/var/cache/vaultwarden-backup";
|
|
config = {
|
|
dataFolder = mkForce "/var/lib/vaultwarden";
|
|
useSysLog = true;
|
|
webVaultEnabled = true;
|
|
|
|
rocketPort = 8222;
|
|
|
|
ssoEnabled = true;
|
|
ssoAuthority = "https://auth.vimium.com/oauth2/openid/vaultwarden";
|
|
ssoClientId = "vaultwarden";
|
|
signupsAllowed = false;
|
|
passwordIterations = 1000000;
|
|
invitationsAllowed = true;
|
|
invitationOrgName = "Vaultwarden";
|
|
domain = "https://${domain}";
|
|
};
|
|
environmentFile = config.age.secrets.vaultwarden-env.path;
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
|
"${domain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
|
|
systemd.services.vaultwarden.serviceConfig = {
|
|
StateDirectory = mkForce "vaultwarden";
|
|
RestartSec = "60";
|
|
};
|
|
|
|
environment.persistence."/persist".directories = [
|
|
{
|
|
directory = "/var/lib/vaultwarden";
|
|
user = "vaultwarden";
|
|
group = "vaultwarden";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
|
|
environment.persistence."/state".directories = [
|
|
{
|
|
directory = config.services.vaultwarden.backupDir;
|
|
user = "vaultwarden";
|
|
group = "vaultwarden";
|
|
mode = "0700";
|
|
}
|
|
];
|
|
}
|