stuebinm
003f2f7e44
this only concerns secrets which are in a raw file. Some of our services (e.g. nextclouds) keeps secrets in its database; these remain untouched. Not yet deployed because of shitty train internet.
55 lines
1.4 KiB
Nix
55 lines
1.4 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
sops.secrets = {
|
|
"vaultwarden/env" = {};
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
config = {
|
|
DATA_FOLDER="/persist/var/lib/vaultwarden/data";
|
|
LOG_LEVEL="error";
|
|
SIGNUPS_ALLOWED=false;
|
|
SIGNUPS_VERIFY=true;
|
|
SIGNUPS_DOMAINS_WHITELIST="hacc.space";
|
|
ORG_CREATION_USERS="admin@hacc.space";
|
|
INVITATIONS_ALLOWED=true;
|
|
INVITATION_ORG_NAME="haccwarden";
|
|
|
|
TRASH_AUTO_DELETE_DAYS=90;
|
|
|
|
DOMAIN="https://pw.hacc.space";
|
|
ROCKET_ADDRESS="127.0.0.1";
|
|
ROCKET_PORT=5354;
|
|
ROCKET_WORKERS=2;
|
|
|
|
SMTP_HOST="mail.hacc.space";
|
|
SMTP_FROM="vaultwarden@hacc.space";
|
|
SMTP_FROM_NAME="haccwarden";
|
|
SMTP_PORT=587;
|
|
SMTP_USERNAME="noreply@infra4future.de";
|
|
|
|
};
|
|
environmentFile = "/run/secrets/vaultwarden/env";
|
|
dbBackend = "sqlite";
|
|
backupDir = "/persist/data/vaultwarden_backups/";
|
|
};
|
|
|
|
#work around ProtectSystem=strict, cleanup
|
|
systemd.services.vaultwarden.serviceConfig = {
|
|
ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
|
|
StateDirectory = lib.mkForce "";
|
|
};
|
|
systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
|
|
lib.mkForce "/persist/var/lib/vaultwarden/data";
|
|
|
|
services.nginx.virtualHosts."pw.hacc.space" = {
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:5354";
|
|
proxyWebsockets = true;
|
|
};
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
}
|