diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index c41dfa0..fb75f26 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -21,6 +21,7 @@
 ../../services/gitlab-runner.nix
 ../../services/unifi.nix
 ../../services/lantifa.nix
+ ../../services/vaultwarden.nix
 ./lxc.nix
 ];
diff --git a/modules/default.nix b/modules/default.nix
index a6b276e..100b4f2 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -5,5 +5,12 @@ in {
 imports = [
 ./nftnat
 ./decklink.nix
+ "${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
+ ];
+
+ # disabled since vaultwarden defines a dummy bitwarden_rs option that
+ # shows a deprication warning, which conflicts with this module
+ disabledModules = [
+ "services/security/bitwarden_rs/default.nix"
 ];
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 5db2007..beb7bd8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -60,7 +60,7 @@ let
 '';
 };
- inherit (unstable) bottom;
+ inherit (unstable) bottom vaultwarden vaultwarden-vault;
 };
 in pkgs.extend(_: _: newpkgs)
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
new file mode 100644
index 0000000..0749199
--- /dev/null
+++ b/services/vaultwarden.nix
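Review bot: The comment on the new `disabledModules` entry misspells "deprecation" (`deprication`) and does not say why the module is pulled from `nixpkgs-unstable` rather than the pinned nixpkgs, which a reader of `modules/default.nix` alone cannot see; suggest `# vaultwarden module is taken from nixpkgs-unstable to match the vaultwarden/vaultwarden-vault packages inherited from unstable in pkgs/default.nix; the stable bitwarden_rs module is disabled because the unstable one defines a bitwarden_rs alias option that emits a deprecation warning and conflicts with it`. Importing a module from one nixpkgs checkout while the rest of the system evaluates against another is a known source of option-name drift; documenting the pairing with the package overlay makes the coupling explicit when either pin is bumped. The `pkgs/default.nix` hunk starts inside the `let` and the enclosing attribute set is outside this view.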
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DATA_FOLDER="/persist/var/lib/vaultwarden/data";
+ LOG_LEVEL="error";
+ SIGNUPS_ALLOWED=false;
+ SIGNUPS_VERIFY=true;
+ SIGNUPS_DOMAINS_WHITELIST="hacc.space";
+ ORG_CREATION_USERS="admin@hacc.space";
+ INVITATIONS_ALLOWED=true;
+ INVITATION_ORG_NAME="haccwarden";
+
+ TRASH_AUTO_DELETE_DAYS=90;
+
+ DOMAIN="https://pw.hacc.space";
+ ROCKET_ADDRESS="127.0.0.1";
+ ROCKET_PORT=5354;
+ ROCKET_WORKERS=2;
+
+ SMTP_HOST="mail.hacc.space";
+ SMTP_FROM="vaultwarden@hacc.space";
+ SMTP_FROM_NAME="haccwarden";
+ SMTP_PORT=587;
+ SMTP_USERNAME="noreply@infra4future.de";
+
+ };
+ environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
+ dbBackend = "sqlite";
+ backupDir = "/persist/data/vaultwarden_backups/";
+ };
+
+ #work around ProtectSystem=strict, cleanup
+ systemd.services.vaultwarden.serviceConfig = {
+ ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
+ StateDirectory = lib.mkForce "";
+ };
+
+ services.nginx.virtualHosts."pw.hacc.space" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:5354";
+ proxyWebsockets = true;
+ };
+ forceSSL = true;
+ enableACME = true;
+ };
+}
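Review bot: `SIGNUPS_DOMAINS_WHITELIST="hacc.space"` is documented by vaultwarden to take precedence over `SIGNUPS_ALLOWED=false`, so self-registration remains open to any address under that domain, gated only by the `SIGNUPS_VERIFY=true` mail round-trip; if the instance is meant to be invitation-only, drop the whitelist, and otherwise add a comment such as `# whitelist overrides SIGNUPS_ALLOWED: any verified @hacc.space address can self-register`. The `environmentFile` carries `SMTP_PASSWORD` but nothing in this module asserts its ownership or mode; systemd reads it as root, so it should be `root:root 0600`, and the trailing comment could say so (`#contains SMTP_PASSWORD; keep root-owned, mode 0600`). `LOG_LEVEL="error"` also suppresses the failed-login messages that a fail2ban filter or log alert would key on, which for a password manager is the signal most worth keeping — consider `"warn"`. `SMTP_USERNAME="noreply@infra4future.de"` differs in domain from `SMTP_FROM="vaultwarden@hacc.space"` on `mail.hacc.space`; this may be deliberate, but a relay that enforces sender/login alignment will reject it, so a one-line comment on why the accounts differ would help the next operator.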