|
|
|
@ -0,0 +1,117 @@
|
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
services.vaultwarden = {
|
|
|
|
|
enable = true;
|
|
|
|
|
config = {
|
|
|
|
|
! Do we want to use PSQL or are we fine with SQLite?
|
|
|
|
|
## Database URL
|
|
|
|
|
## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
|
|
|
|
|
# DATABASE_URL=data/db.sqlite3
|
|
|
|
|
## When using MySQL, specify an appropriate connection URI.
|
|
|
|
|
## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
|
|
|
|
|
# DATABASE_URL=mysql://user:password@host[:port]/database_name
|
|
|
|
|
## When using PostgreSQL, specify an appropriate connection URI (recommended)
|
|
|
|
|
## or keyword/value connection string.
|
|
|
|
|
## Details:
|
|
|
|
|
## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
|
|
|
|
|
## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
|
|
|
|
|
# DATABASE_URL=postgresql://user:password@host[:port]/database_name
|
|
|
|
|
|
|
|
|
|
## Database max connections
|
|
|
|
|
## Define the size of the connection pool used for connecting to the database.
|
|
|
|
|
# DATABASE_MAX_CONNS=10
|
|
|
|
|
|
|
|
|
|
## Enable WAL for the DB
|
|
|
|
|
## Set to false to avoid enabling WAL during startup.
|
|
|
|
|
## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
|
|
|
|
|
## this setting only prevents vaultwarden from automatically enabling it on start.
|
|
|
|
|
## Please read project wiki page about this setting first before changing the value as it can
|
|
|
|
|
## cause performance degradation or might render the service unable to start.
|
|
|
|
|
# ENABLE_DB_WAL=true
|
|
|
|
|
|
|
|
|
|
## Database connection retries
|
|
|
|
|
## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
|
|
|
|
|
# DB_CONNECTION_RETRIES=15
|
|
|
|
|
|
|
|
|
|
## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
|
|
|
|
|
## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
|
|
|
|
|
# IP_HEADER=X-Real-IP
|
|
|
|
|
|
|
|
|
|
## Controls whether users are allowed to create Bitwarden Sends.
|
|
|
|
|
## This setting applies globally to all users.
|
|
|
|
|
## To control this on a per-org basis instead, use the "Disable Send" org policy.
|
|
|
|
|
# SENDS_ALLOWED=true
|
|
|
|
|
|
|
|
|
|
## Enable extended logging, which shows timestamps and targets in the logs
|
|
|
|
|
# EXTENDED_LOGGING=true
|
|
|
|
|
|
|
|
|
|
## Logging to Syslog
|
|
|
|
|
## This requires extended logging
|
|
|
|
|
## It's recommended to also set 'ROCKET_CLI_COLORS=off'
|
|
|
|
|
# USE_SYSLOG=false
|
|
|
|
|
|
|
|
|
|
## Log level
|
|
|
|
|
## Change the verbosity of the log output
|
|
|
|
|
## Valid values are "trace", "debug", "info", "warn", "error" and "off"
|
|
|
|
|
## Setting it to "trace" or "debug" would also show logs for mounted
|
|
|
|
|
## routes and static file, websocket and alive requests
|
|
|
|
|
LOG_LEVEL=off
|
|
|
|
|
SIGNUPS_ALLOWED=false
|
|
|
|
|
SIGNUPS_VERIFY=true
|
|
|
|
|
SIGNUPS_DOMAINS_WHITELIST=hacc.space
|
|
|
|
|
ORG_CREATION_USERS=admin@hacc.space
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
! TODO: Find out how to set this via file
|
|
|
|
|
## Token for the admin interface, preferably use a long random string
|
|
|
|
|
## One option is to use 'openssl rand -base64 48'
|
|
|
|
|
## If not set, the admin panel is disabled
|
|
|
|
|
# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
|
|
|
|
|
|
|
|
|
|
## Invitations org admins to invite users, even when signups are disabled
|
|
|
|
|
INVITATIONS_ALLOWED=true
|
|
|
|
|
INVITATION_ORG_NAME=haccwarden
|
|
|
|
|
TRASH_AUTO_DELETE_DAYS=90
|
|
|
|
|
|
|
|
|
|
## Domain settings
|
|
|
|
|
## The domain must match the address from where you access the server
|
|
|
|
|
## It's recommended to configure this value, otherwise certain functionality might not work,
|
|
|
|
|
## like attachment downloads, email links and U2F.
|
|
|
|
|
## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
|
|
|
|
|
# DOMAIN=https://pw.hacc.space:8443
|
|
|
|
|
DOMAIN=https://pw.hacc.space:443
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
! do we want a nginx proxy additionally?
|
|
|
|
|
## Rocket specific settings
|
|
|
|
|
## See https://rocket.rs/v0.4/guide/configuration/ for more details.
|
|
|
|
|
ROCKET_ADDRESS=127.0.0.1
|
|
|
|
|
ROCKET_PORT=5354 # Defaults to 80 in the Docker images, or 8000 otherwise.
|
|
|
|
|
ROCKET_WORKERS=10
|
|
|
|
|
# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
|
|
|
|
|
|
|
|
|
|
! TODO: set password via file
|
|
|
|
|
## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
|
|
|
|
|
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
|
|
|
|
|
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
|
|
|
|
|
SMTP_HOST=mail.hacc.space
|
|
|
|
|
SMTP_FROM=vaultwarden@hacc.space
|
|
|
|
|
SMTP_FROM_NAME=haccwarden
|
|
|
|
|
SMTP_PORT=587 # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
|
|
|
|
|
SMTP_SSL=true # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
|
|
|
|
|
SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
|
|
|
|
|
# SMTP_USERNAME=username
|
|
|
|
|
# SMTP_PASSWORD=password
|
|
|
|
|
# SMTP_TIMEOUT=15
|
|
|
|
|
|
|
|
|
|
! TODO: do we want this?
|
|
|
|
|
## HIBP Api Key
|
|
|
|
|
## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
|
|
|
|
|
# HIBP_API_KEY=
|
|
|
|
|
};
|
|
|
|
|
dbBackend = "sqlite";
|
|
|
|
|
|
|
|
|
|
backupDir = "/persist/data/vaultwarden";
|
|
|
|
|
};
|
|
|
|
|
}
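Review bot: The body of `config = { ... }` is the upstream vaultwarden `.env.template` pasted verbatim rather than Nix: lines such as `LOG_LEVEL=off`, `DOMAIN=https://pw.hacc.space:443` and the `! TODO` notes have no terminating semicolons, unquoted strings and a `!` prefix that is not a Nix comment, so this module will not evaluate — each setting needs the form `LOG_LEVEL = "off";` with the `!` notes turned into `#` comments. Once it does evaluate, `LOG_LEVEL = "off"` silences every log line including failed logins and admin-panel access, leaving nothing for detection or incident response on a password-manager host; `LOG_LEVEL = "info";` (or at least `"warn"`) is the sensible floor. `SMTP_PORT=587` combined with `SMTP_EXPLICIT_TLS=true` is contradictory by the file's own comments — 587 is STARTTLS while implicit TLS is normally 465 — so either drop `SMTP_EXPLICIT_TLS` or move to port 465. For the two `TODO: set via file` items (`ADMIN_TOKEN`, `SMTP_PASSWORD`) the NixOS module's `services.vaultwarden.environmentFile` option appears to exist for exactly this, since everything in `config` is rendered into a world-readable Nix store path; the secrets should live in a root-only (0600) file under `/persist` referenced from that option — confirm the option name against the nixpkgs revision in use. Also worth confirming: vaultwarden documents `SIGNUPS_DOMAINS_WHITELIST` as overriding `SIGNUPS_ALLOWED=false`, so any `@hacc.space` address can self-register (subject to `SIGNUPS_VERIFY`), which may or may not be the intent.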
|