From c88465abcffef637b3e6bddc03f51b094ac14654 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 20 Sep 2021 12:42:18 +0200
Subject: [PATCH 01/10] vaultwarden: add nixos unstable module

---
 hosts/parsons/configuration.nix | 1 +
 modules/default.nix | 7 +++++++
 pkgs/default.nix | 2 +-
 services/vaultwarden.nix | 13 +++++++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 services/vaultwarden.nix

diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index c41dfa0..fb75f26 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -21,6 +21,7 @@
     ../../services/gitlab-runner.nix
     ../../services/unifi.nix
     ../../services/lantifa.nix
+    ../../services/vaultwarden.nix
     ./lxc.nix
   ];
 
diff --git a/modules/default.nix b/modules/default.nix
index a6b276e..100b4f2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,5 +5,12 @@ in {
   imports = [
     ./nftnat
     ./decklink.nix
+    "${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
+  ];
+
+  # disabled since vaultwarden defines a dummy bitwarden_rs option that
+  # shows a deprication warning, which conflicts with this module
+  disabledModules = [
+    "services/security/bitwarden_rs/default.nix"
   ];
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 5db2007..beb7bd8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -60,7 +60,7 @@ let
     '';
   };
 
-  inherit (unstable) bottom;
+  inherit (unstable) bottom vaultwarden vaultwarden-vault;
 };
 in
 pkgs.extend(_: _: newpkgs)
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
new file mode 100644
index 0000000..67e563f
--- /dev/null
+++ b/services/vaultwarden.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    # TODO!
+    config = {};
+
+    dbBackend = "sqlite";
+
+    backupDir = "/persist/data/vaultwarden";
+  };
+}
From 63b900f5a5982262dd056bb4d4304e96f409a476 Mon Sep 17 00:00:00 2001
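Review bot: `config = {}` in the new services/vaultwarden.nix leaves every setting at vaultwarden's upstream defaults, which as far as I recall include open registration (`SIGNUPS_ALLOWED`) and listening on all interfaces, and the same commit already imports the file from hosts/parsons/configuration.nix, so an unconfigured instance would be served as soon as the host is rebuilt. I'd either keep `enable = false;` until the configuration lands or put the minimal guard rails in now, e.g. `config = { SIGNUPS_ALLOWED = false; ROCKET_ADDRESS = "127.0.0.1"; };`. The `# TODO!` comment should also say what is still missing rather than just that something is.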
From: schweby
Date: Sat, 18 Sep 2021 21:53:25 +0200
Subject: [PATCH 02/10] sources: update mattermost to 5.39

---
 nix/sources.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nix/sources.json b/nix/sources.json
index dae2067..79d7ff1 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -24,18 +24,18 @@
         "owner": "mattermost",
         "repo": "mattermost-server",
         "rev": "28ef5856ed5f1c3cfb29a869cb6f14662f964ff3",
-        "sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13",
+        "sha256": "0qcl32lidvwjrg8kil8a67141lnbrdx3hha0y9cwdlz8b6l8gxsz",
         "type": "tarball",
-        "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz",
+        "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.39.0.tar.gz",
         "url_template": "https://github.com///archive/refs/tags/v.tar.gz",
-        "version": "5.37.1"
+        "version": "5.39.0"
     },
     "mattermost-webapp": {
-        "sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180",
+        "sha256": "1dm7zswz61p1008hkz0c4maq8382p8iv5kmc4ivzlqd2hhixbvvg",
         "type": "tarball",
-        "url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz",
+        "url": "https://releases.mattermost.com/5.39.0/mattermost-5.39.0-linux-amd64.tar.gz",
         "url_template": "https://releases.mattermost.com//mattermost--linux-amd64.tar.gz",
-        "version": "5.37.1"
+        "version": "5.39.0"
     },
     "mumble-website": {
         "branch": "master",
From 7b0e0298ea19d47a98847d0452f224af5fbf1786 Mon Sep 17 00:00:00 2001
From: schweby
Date: Sun, 19 Sep 2021 16:35:38 +0200
Subject: [PATCH 03/10] set timezones

default is UTC no need to force it A desktop shoud be in the commonly used timezone. Forcing UTC has caused trouble multiple times.
---
 common/default.nix | 1 -
 desktop/default.nix | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/default.nix b/common/default.nix
index e5cd2e3..fc0375b 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -36,7 +36,6 @@ in {
 
   security.sudo.wheelNeedsPassword = lib.mkDefault false;
   i18n.defaultLocale = "en_IE.UTF-8";
-  time.timeZone = "UTC";
   console = {
     font = "Lat2-Terminus16";
     keyMap = "de";
diff --git a/desktop/default.nix b/desktop/default.nix
index 5fbec0e..b8d769d 100644
--- a/desktop/default.nix
+++ b/desktop/default.nix
@@ -20,6 +20,7 @@
   ] ++ (with pkgs; [ alacritty picom feh copyq polybar cinnamon.nemo rofi arandr notepadqq nomacs bat ]);
 
   sound.enable = true;
+  time.timeZone = "Europe/Berlin";
   hardware.pulseaudio = {
     enable = true;
     package = pkgs.pulseaudioFull;
From 8ccfc80cb53e0bc7df33764ec09294e8668cd43a Mon Sep 17 00:00:00 2001
From: schweby
Date: Sun, 19 Sep 2021 16:37:18 +0200
Subject: [PATCH 04/10] pkgs/companion: fix hash of nodeHeaders

---
 pkgs/companion/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/companion/default.nix b/pkgs/companion/default.nix
index 689f179..9b39dd6 100644
--- a/pkgs/companion/default.nix
+++ b/pkgs/companion/default.nix
@@ -11,7 +11,7 @@ let
   };
   nodeHeaders = fetchurl {
     url = "https://nodejs.org/download/release/v${nodejs.version}/node-v${nodejs.version}-headers.tar.gz";
-    sha256 = "19xsyjg9y71fw7hhz2f0nsfrijlyrk8ma9gs5kiq0y824lwnmyi4";
+    sha256 = "0jzczy67qgw7arq8rprxv9wwb4axjjrhx72ss6a4rw5x08w58hbq";
   };
   webui = mkYarnPackage rec {
     inherit version;
From c9c4e11109280ce29d9f54b433bdcbd82302b568 Mon Sep 17 00:00:00 2001
From: schweby
Date: Sun, 19 Sep 2021 16:45:18 +0200
Subject: [PATCH 05/10] sources: update

---
 nix/sources.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/nix/sources.json b/nix/sources.json
index 79d7ff1..6c196bb 100644
--- a/nix/sources.json
+++ b/nix/sources.json
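Review bot: Dropping `time.timeZone = "UTC";` from common/default.nix leaves the servers with NixOS's unset default instead of an explicit zone, so consistent timestamps across hosts (and in logs correlated between them) now rest on that default staying UTC. The commit's aim of not forcing desktops is better served by keeping the line as `time.timeZone = lib.mkDefault "UTC";` in common/default.nix, which the desktop hunk's `time.timeZone = "Europe/Berlin";` then overrides without any mkForce. The enclosing `in {` attribute set starts before the hunk.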
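Review bot: The nodeHeaders sha256 in pkgs/companion/default.nix changes while the url in the same hunk does not, so the tarball behind `https://nodejs.org/download/release/v${nodejs.version}/...` now has different content than the old hash pinned — presumably because `nodejs.version` moved with a nixpkgs update, but nothing in this hunk shows that. For a fixed-output fetch I'd confirm the new hash against the SHASUMS256.txt published in the same release directory rather than copying it from a hash-mismatch build error, and record the version it belongs to, e.g. `# headers for nodejs <version>` with the real version filled in, so the next mismatch is explainable.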
@@ -49,10 +49,10 @@
         "homepage": "https://github.com/nmattia/niv",
         "owner": "nmattia",
         "repo": "niv",
-        "rev": "e0ca65c81a2d7a4d82a189f1e23a48d59ad42070",
-        "sha256": "1pq9nh1d8nn3xvbdny8fafzw87mj7gsmp6pxkdl65w2g18rmcmzx",
+        "rev": "65a61b147f307d24bfd0a5cd56ce7d7b7cc61d2e",
+        "sha256": "17mirpsx5wyw262fpsd6n6m47jcgw8k2bwcp1iwdnrlzy4dhcgqh",
         "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz",
+        "url": "https://github.com/nmattia/niv/archive/65a61b147f307d24bfd0a5cd56ce7d7b7cc61d2e.tar.gz",
         "url_template": "https://github.com///archive/.tar.gz"
     },
     "nix-hexchen": {
@@ -81,10 +81,10 @@
         "homepage": "",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ebf419e737bb8154b32010a322dcdffbea596443",
-        "sha256": "148l27lnhw1gsi64z8fkx9q7y112dgar99igyswp4aksg7iaqrpf",
+        "rev": "6120ac5cd201f6cb593d1b80e861be0342495be9",
+        "sha256": "04mrjxr1qsdcgcryx7yy72cgcw14c0770gfcgzrdfpnvmjdgbi9i",
         "type": "tarball",
-        "url": "https://github.com/nixos/nixpkgs/archive/ebf419e737bb8154b32010a322dcdffbea596443.tar.gz",
+        "url": "https://github.com/nixos/nixpkgs/archive/6120ac5cd201f6cb593d1b80e861be0342495be9.tar.gz",
         "url_template": "https://github.com///archive/.tar.gz"
     },
     "nixpkgs-unstable": {
From a3b59b5ea6adce837a7a17dc1cb725e93922eb1e Mon Sep 17 00:00:00 2001
From: schweby
Date: Thu, 23 Sep 2021 20:49:43 +0200
Subject: [PATCH 06/10] services/vaultwarden: add a bit of config and a lot more questions

---
 services/vaultwarden.nix | 108 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 106 insertions(+), 2 deletions(-)

diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 67e563f..6f5c71d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -3,9 +3,113 @@
 {
   services.vaultwarden = {
     enable = true;
-    # TODO!
-    config = {};
+    config = {
+! Do we want to use PSQL or are we fine with SQLite?
+      ## Database URL
+      ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+      # DATABASE_URL=data/db.sqlite3
+      ## When using MySQL, specify an appropriate connection URI.
+      ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
+      # DATABASE_URL=mysql://user:password@host[:port]/database_name
+      ## When using PostgreSQL, specify an appropriate connection URI (recommended)
+      ## or keyword/value connection string.
+      ## Details:
+      ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
+      ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+      # DATABASE_URL=postgresql://user:password@host[:port]/database_name
+
+      ## Database max connections
+      ## Define the size of the connection pool used for connecting to the database.
+      # DATABASE_MAX_CONNS=10
+      ## Enable WAL for the DB
+      ## Set to false to avoid enabling WAL during startup.
+      ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+      ## this setting only prevents vaultwarden from automatically enabling it on start.
+      ## Please read project wiki page about this setting first before changing the value as it can
+      ## cause performance degradation or might render the service unable to start.
+      # ENABLE_DB_WAL=true
+
+      ## Database connection retries
+      ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+      # DB_CONNECTION_RETRIES=15
+
+      ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
+      ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+      # IP_HEADER=X-Real-IP
+
+      ## Controls whether users are allowed to create Bitwarden Sends.
+      ## This setting applies globally to all users.
+      ## To control this on a per-org basis instead, use the "Disable Send" org policy.
+      # SENDS_ALLOWED=true
+
+      ## Enable extended logging, which shows timestamps and targets in the logs
+      # EXTENDED_LOGGING=true
+
+      ## Logging to Syslog
+      ## This requires extended logging
+      ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+      # USE_SYSLOG=false
+
+      ## Log level
+      ## Change the verbosity of the log output
+      ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+      ## Setting it to "trace" or "debug" would also show logs for mounted
+      ## routes and static file, websocket and alive requests
+      LOG_LEVEL=off
+      SIGNUPS_ALLOWED=false
+      SIGNUPS_VERIFY=true
+      SIGNUPS_DOMAINS_WHITELIST=hacc.space
+      ORG_CREATION_USERS=admin@hacc.space
+
+
+! TODO: Find out how to set this via file
+      ## Token for the admin interface, preferably use a long random string
+      ## One option is to use 'openssl rand -base64 48'
+      ## If not set, the admin panel is disabled
+      # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+      ## Invitations org admins to invite users, even when signups are disabled
+      INVITATIONS_ALLOWED=true
+      INVITATION_ORG_NAME=haccwarden
+      TRASH_AUTO_DELETE_DAYS=90
+
+      ## Domain settings
+      ## The domain must match the address from where you access the server
+      ## It's recommended to configure this value, otherwise certain functionality might not work,
+      ## like attachment downloads, email links and U2F.
+      ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+      # DOMAIN=https://pw.hacc.space:8443
+      DOMAIN=https://pw.hacc.space:443
+
+
+! do we want a nginx proxy additionally?
+      ## Rocket specific settings
+      ## See https://rocket.rs/v0.4/guide/configuration/ for more details.
+      ROCKET_ADDRESS=127.0.0.1
+      ROCKET_PORT=5354 # Defaults to 80 in the Docker images, or 8000 otherwise.
+      ROCKET_WORKERS=10
+      # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+! TODO: set password via file
+      ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+      ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+      ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+      SMTP_HOST=mail.hacc.space
+      SMTP_FROM=vaultwarden@hacc.space
+      SMTP_FROM_NAME=haccwarden
+      SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+      SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+      SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
+      # SMTP_USERNAME=username
+      # SMTP_PASSWORD=password
+      # SMTP_TIMEOUT=15
+
+! TODO: do we want this?
+      ## HIBP Api Key
+      ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+      # HIBP_API_KEY=
+    };
 
     dbBackend = "sqlite";
 
     backupDir = "/persist/data/vaultwarden";
From 74f1111aef31f39894e1b08951ffeba9c4a19a39 Mon Sep 17 00:00:00 2001
From: schweby
Date: Thu, 23 Sep 2021 21:06:44 +0200
Subject: [PATCH 07/10] services/vaultwarden: nixify config

SMTP_PASSWORD and ADMIN_TOKEN need to be set in env file Exact file location also needs to be determined DATA_DIR potentially needs to be set because #nopersist other than that, this ~should be working
---
 services/vaultwarden.nix | 130 +++++++++------------------------------
 1 file changed, 28 insertions(+), 102 deletions(-)

diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 6f5c71d..8b90c9d 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
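Review bot: The body of `config = { … };` is pasted from vaultwarden's .env template, so the `! …` question lines and the unquoted `KEY=value` entries without semicolons are not valid Nix and this file no longer evaluates; the module's `config` option takes an attribute set, i.e. entries of the form `SIGNUPS_ALLOWED = false;`. Within the pasted values, `SMTP_EXPLICIT_TLS=true` together with `SMTP_PORT=587` contradicts the template's own comment on the same lines (implicit TLS is the port-465 mode), and `LOG_LEVEL=off` suppresses all output, including the failed-login and admin-panel events that are the ones you'd want for detection. The open questions would be better kept in the commit message or as `#` comments so the file stays parseable between commits.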
@@ -4,114 +4,40 @@ services.vaultwarden = { enable = true; config = { -! Do we want to use PSQL or are we fine with SQLite? - ## Database URL - ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 - # DATABASE_URL=data/db.sqlite3 - ## When using MySQL, specify an appropriate connection URI. - ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html - # DATABASE_URL=mysql://user:password@host[:port]/database_name - ## When using PostgreSQL, specify an appropriate connection URI (recommended) - ## or keyword/value connection string. - ## Details: - ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html - ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING - # DATABASE_URL=postgresql://user:password@host[:port]/database_name - - ## Database max connections - ## Define the size of the connection pool used for connecting to the database. - # DATABASE_MAX_CONNS=10 + LOG_LEVEL="off"; + SIGNUPS_ALLOWED=false; + SIGNUPS_VERIFY=true; + SIGNUPS_DOMAINS_WHITELIST="hacc.space"; + ORG_CREATION_USERS="admin@hacc.space"; + INVITATIONS_ALLOWED=true; + INVITATION_ORG_NAME="haccwarden"; - ## Enable WAL for the DB - ## Set to false to avoid enabling WAL during startup. - ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, - ## this setting only prevents vaultwarden from automatically enabling it on start. - ## Please read project wiki page about this setting first before changing the value as it can - ## cause performance degradation or might render the service unable to start. 
- # ENABLE_DB_WAL=true + TRASH_AUTO_DELETE_DAYS=90; - ## Database connection retries - ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely - # DB_CONNECTION_RETRIES=15 + DOMAIN="https://pw.hacc.space"; + ROCKET_ADDRESS="127.0.0.1"; + ROCKET_PORT=5354; + ROCKET_WORKERS=10; - ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" - ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP - # IP_HEADER=X-Real-IP - - ## Controls whether users are allowed to create Bitwarden Sends. - ## This setting applies globally to all users. - ## To control this on a per-org basis instead, use the "Disable Send" org policy. - # SENDS_ALLOWED=true - - ## Enable extended logging, which shows timestamps and targets in the logs - # EXTENDED_LOGGING=true - - ## Logging to Syslog - ## This requires extended logging - ## It's recommended to also set 'ROCKET_CLI_COLORS=off' - # USE_SYSLOG=false - - ## Log level - ## Change the verbosity of the log output - ## Valid values are "trace", "debug", "info", "warn", "error" and "off" - ## Setting it to "trace" or "debug" would also show logs for mounted - ## routes and static file, websocket and alive requests - LOG_LEVEL=off - SIGNUPS_ALLOWED=false - SIGNUPS_VERIFY=true - SIGNUPS_DOMAINS_WHITELIST=hacc.space - ORG_CREATION_USERS=admin@hacc.space - - -! 
TODO: Find out how to set this via file - ## Token for the admin interface, preferably use a long random string - ## One option is to use 'openssl rand -base64 48' - ## If not set, the admin panel is disabled - # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp - - ## Invitations org admins to invite users, even when signups are disabled - INVITATIONS_ALLOWED=true - INVITATION_ORG_NAME=haccwarden - TRASH_AUTO_DELETE_DAYS=90 - - ## Domain settings - ## The domain must match the address from where you access the server - ## It's recommended to configure this value, otherwise certain functionality might not work, - ## like attachment downloads, email links and U2F. - ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs - # DOMAIN=https://pw.hacc.space:8443 - DOMAIN=https://pw.hacc.space:443 - - -! do we want a nginx proxy additionally? - ## Rocket specific settings - ## See https://rocket.rs/v0.4/guide/configuration/ for more details. - ROCKET_ADDRESS=127.0.0.1 - ROCKET_PORT=5354 # Defaults to 80 in the Docker images, or 8000 otherwise. - ROCKET_WORKERS=10 - # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} - -! TODO: set password via file - ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service. - ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. - ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory - SMTP_HOST=mail.hacc.space - SMTP_FROM=vaultwarden@hacc.space - SMTP_FROM_NAME=haccwarden - SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS. - SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default. 
- SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here. - # SMTP_USERNAME=username - # SMTP_PASSWORD=password - # SMTP_TIMEOUT=15 - -! TODO: do we want this? - ## HIBP Api Key - ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key - # HIBP_API_KEY= + SMTP_HOST="mail.hacc.space"; + SMTP_FROM="vaultwarden@hacc.space"; + SMTP_FROM_NAME="haccwarden"; + SMTP_PORT=587; + SMTP_USERNAME="noreply@infra4future.de"; }; + # currently missing ADMIN_TOKEN and SMPT_PASSWORD + environmentFile = "/persist/secrets/something"; dbBackend = "sqlite"; backupDir = "/persist/data/vaultwarden"; }; + + services.nginx.virtualHosts."pw.hacc.space" = { + locations."/" = { + proxyPass = "http://127.0.0.1:5354"; + proxyWebsockets = true; + }; + forceSSL = true; + enableACME = true; + }; } From 342962859b301200ba303e6e3b823bdec5e3b7b8 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 25 Sep 2021 09:41:41 +0200 Subject: [PATCH 08/10] services/vaultwarden: set some dirs --- services/vaultwarden.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix index 8b90c9d..56a218a 100644 --- a/services/vaultwarden.nix +++ b/services/vaultwarden.nix @@ -17,7 +17,7 @@ DOMAIN="https://pw.hacc.space"; ROCKET_ADDRESS="127.0.0.1"; ROCKET_PORT=5354; - ROCKET_WORKERS=10; + ROCKET_WORKERS=2; SMTP_HOST="mail.hacc.space"; SMTP_FROM="vaultwarden@hacc.space"; 
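Review bot: The new `services.nginx.virtualHosts."pw.hacc.space"` block proxies to `http://127.0.0.1:5354` without setting any proxy headers, while vaultwarden identifies clients through the `X-Real-IP` header by default (the `IP_HEADER` setting in the template this hunk removes); without it every login attempt and admin-panel access appears to originate from 127.0.0.1, which defeats vaultwarden's per-IP login rate limiting and makes its logs useless for an investigation. Setting `services.nginx.recommendedProxySettings = true;` (which passes X-Real-IP and X-Forwarded-For) or adding `extraConfig = "proxy_set_header X-Real-IP $remote_addr;";` to the location fixes that. `LOG_LEVEL="off"` on top of it leaves no record of failed logins at all; "warn" or "info" is the defensive choice. `environmentFile = "/persist/secrets/something"` is a placeholder, and presumably the unit will not start until a file exists at that path.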
@@ -25,11 +25,11 @@
       SMTP_PORT=587;
       SMTP_USERNAME="noreply@infra4future.de";
     };
-    # currently missing ADMIN_TOKEN and SMPT_PASSWORD
-    environmentFile = "/persist/secrets/something";
+    # currently missing SMPT_PASSWORD
+    environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env";
     dbBackend = "sqlite";
 
-    backupDir = "/persist/data/vaultwarden";
+    backupDir = "/persist/data/vaultwarden_backups/";
   };
 
   services.nginx.virtualHosts."pw.hacc.space" = {
From 48a255860ae90a62e89394808d4a6c5fff2159fa Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 25 Sep 2021 14:42:36 +0200
Subject: [PATCH 09/10] services/vaultwarden: maybe not (technically) hardcoded? (see my comment on gitlab MR 80)

---
 services/vaultwarden.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 56a218a..8bcc213 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@@ -24,6 +24,8 @@
       SMTP_FROM_NAME="haccwarden";
       SMTP_PORT=587;
       SMTP_USERNAME="noreply@infra4future.de";
+
+      DATA_FOLDER="/persist/var/lib/vaultwarden/data";
     };
     # currently missing SMPT_PASSWORD
     environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env";
@@ -32,6 +34,9 @@
     backupDir = "/persist/data/vaultwarden_backups/";
   };
 
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
+    lib.mkForce "/persist/var/lib/vaultwarden/data";
+
+  services.nginx.virtualHosts."pw.hacc.space" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:5354";
From 684f2fa19ebd181a623132012ab269c75c3265ef Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Sat, 25 Sep 2021 17:56:48 +0200
Subject: [PATCH 10/10] services/vaultwarden: fix /persist issues

---
 services/vaultwarden.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
index 8bcc213..5879495 100644
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
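Review bot: `environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"` now carries `ADMIN_TOKEN` (the updated comment says only the SMTP password is still missing), so the file's ownership and mode are part of this change even though nothing in the repository creates it; presumably the module hands the path to systemd's `EnvironmentFile`, which systemd reads itself, so root-only `0600` works and the service user needs no read access. A comment recording that, e.g. `# created by hand, root:root 0600; holds ADMIN_TOKEN and SMTP_PASSWORD`, would keep the next deployer from creating it world-readable. The comment's `SMPT_PASSWORD` also misspells the variable (`SMTP_PASSWORD`), which matters because it is the name someone will copy into the env file.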
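Review bot: The path `/persist/var/lib/vaultwarden/data` is now written twice, once as `DATA_FOLDER` inside `config` and once as `systemd.services.backup-vaultwarden.environment.DATA_FOLDER` under `lib.mkForce`; if either is changed without the other, the backup unit quietly backs up the wrong (possibly empty) directory and the backups are worthless on the day they are needed. Bind it once at the top of the file, `let dataFolder = "/persist/var/lib/vaultwarden/data"; in {`, and use `dataFolder` in both places. The mkForce also deserves a one-line comment naming what it overrides, presumably the module's own default for the backup unit's DATA_FOLDER, e.g. `# the module points the backup unit at its default DATA_FOLDER; keep it on our /persist path`.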
@@ -4,7 +4,7 @@
   services.vaultwarden = {
     enable = true;
     config = {
-      LOG_LEVEL="off";
+      LOG_LEVEL="error";
       SIGNUPS_ALLOWED=false;
       SIGNUPS_VERIFY=true;
       SIGNUPS_DOMAINS_WHITELIST="hacc.space";
@@ -37,6 +37,13 @@
   systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
     lib.mkForce "/persist/var/lib/vaultwarden/data";
 
+  systemd.services.vaultwarden.serviceConfig = {
+    StateDirectory =
+      lib.mkForce "vaultwarden";
+    ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
+  };
+
+
+  services.nginx.virtualHosts."pw.hacc.space" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:5354";
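Review bot: `ReadWritePaths = [ "/persist/var/lib/vaultwarden" ]` in the new `systemd.services.vaultwarden.serviceConfig` block grants the service write access to the whole directory, which per the earlier hunks also holds `vaultwarden.env` with `ADMIN_TOKEN`; narrowing it to `ReadWritePaths = [ "/persist/var/lib/vaultwarden/data" ];`, the path `DATA_FOLDER` already points at, keeps a compromised service from rewriting its own secrets. The block also has no comment saying what in the upstream unit's sandbox the `lib.mkForce "vaultwarden"` on `StateDirectory` and the extra path work around, so a reader cannot tell whether the backup unit needs the same treatment; something like `# / is not persistent: allow writes to the /persist location DATA_FOLDER points at` (hedged to the actual reason) would do. `LOG_LEVEL="error"` is an improvement over "off" but still drops warn-level output; confirm that failed-login messages are emitted at error level, otherwise they stay invisible.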