services/vaultwarden: init vaultwarden

This commit is contained in:
stuebinm 2021-09-28 11:13:25 +00:00 committed by schweby
parent 2044b77401
commit 56cbb7601b
4 changed files with 58 additions and 1 deletions


@ -21,6 +21,7 @@
../../services/gitlab-runner.nix ../../services/gitlab-runner.nix
../../services/unifi.nix ../../services/unifi.nix
../../services/lantifa.nix ../../services/lantifa.nix
../../services/vaultwarden.nix
./lxc.nix ./lxc.nix
]; ];


@ -5,5 +5,12 @@ in {
imports = [ imports = [
./nftnat ./nftnat
./decklink.nix ./decklink.nix
"${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
];
# disabled since vaultwarden defines a dummy bitwarden_rs option that
# shows a deprication warning, which conflicts with this module
disabledModules = [
"services/security/bitwarden_rs/default.nix"
]; ];
} }
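Review bot: The comment above `disabledModules` misspells deprecation (`deprication`); suggest `# disabled since vaultwarden defines a dummy bitwarden_rs option that shows a deprecation warning, which conflicts with this module`. The same comment could also record that the module is imported from `sources.nixpkgs-unstable` while the rest of the system presumably tracks a different channel, so the module's option names may move independently of the settings in services/vaultwarden.nix. The enclosing attribute set opens before the hunk.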


@ -60,7 +60,7 @@ let
''; '';
}; };
inherit (unstable) bottom; inherit (unstable) bottom vaultwarden vaultwarden-vault;
}; };
in pkgs.extend(_: _: newpkgs) in pkgs.extend(_: _: newpkgs)

49
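--- /dev/null
+++ b/services/vaultwarden.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+{
+services.vaultwarden = {
+enable = true;
+config = {
+DATA_FOLDER="/persist/var/lib/vaultwarden/data";
+LOG_LEVEL="error";
+SIGNUPS_ALLOWED=false;
+SIGNUPS_VERIFY=true;
+SIGNUPS_DOMAINS_WHITELIST="hacc.space";
+ORG_CREATION_USERS="admin@hacc.space";
+INVITATIONS_ALLOWED=true;
+INVITATION_ORG_NAME="haccwarden";
+TRASH_AUTO_DELETE_DAYS=90;
+DOMAIN="https://pw.hacc.space";
+ROCKET_ADDRESS="127.0.0.1";
+ROCKET_PORT=5354;
+ROCKET_WORKERS=2;
+SMTP_HOST="mail.hacc.space";
+SMTP_FROM="vaultwarden@hacc.space";
+SMTP_FROM_NAME="haccwarden";
+SMTP_PORT=587;
+SMTP_USERNAME="noreply@infra4future.de";
+};
+environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
+dbBackend = "sqlite";
+backupDir = "/persist/data/vaultwarden_backups/";
+};
+#work around ProtectSystem=strict, cleanup
+systemd.services.vaultwarden.serviceConfig = {
+ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
+StateDirectory = lib.mkForce "";
+};
+services.nginx.virtualHosts."pw.hacc.space" = {
+locations."/" = {
+proxyPass = "http://127.0.0.1:5354";
+proxyWebsockets = true;
+};
+forceSSL = true;
+enableACME = true;
+};
+}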
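Review bot: `SIGNUPS_ALLOWED=false` does not close registration on its own here, because `SIGNUPS_DOMAINS_WHITELIST="hacc.space"` still admits anyone who controls an address under that domain, with `SIGNUPS_VERIFY=true` only gating activation on e-mail verification; that intent deserves a comment next to those three lines, e.g. `# registration closed except for @hacc.space addresses, which must verify their e-mail`. `StateDirectory = lib.mkForce ""` also means systemd no longer creates or sets ownership on the data directory, so `/persist/var/lib/vaultwarden` (and `backupDir`, which will presumably hold copies of the sqlite vault database) must be provisioned with access limited to the service user by something not shown in this commit — a comment recording where that happens would help the next reader. Keeping `SMTP_PASSWORD` in `environmentFile` rather than in `config` is the right split, since `config` values end up in the world-readable Nix store.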