forked from hacc/haccfiles
services/vaultwarden: init vaultwarden
This commit is contained in:
parent
2044b77401
commit
56cbb7601b
4 changed files with 58 additions and 1 deletions
|
@ -21,6 +21,7 @@
|
||||||
../../services/gitlab-runner.nix
|
../../services/gitlab-runner.nix
|
||||||
../../services/unifi.nix
|
../../services/unifi.nix
|
||||||
../../services/lantifa.nix
|
../../services/lantifa.nix
|
||||||
|
../../services/vaultwarden.nix
|
||||||
|
|
||||||
./lxc.nix
|
./lxc.nix
|
||||||
];
|
];
|
||||||
|
|
|
@ -5,5 +5,12 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
./nftnat
|
./nftnat
|
||||||
./decklink.nix
|
./decklink.nix
|
||||||
|
"${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
|
||||||
|
];
|
||||||
|
|
||||||
|
# disabled since vaultwarden defines a dummy bitwarden_rs option that
|
||||||
|
# shows a deprication warning, which conflicts with this module
|
||||||
|
disabledModules = [
|
||||||
|
"services/security/bitwarden_rs/default.nix"
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -60,7 +60,7 @@ let
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
inherit (unstable) bottom;
|
inherit (unstable) bottom vaultwarden vaultwarden-vault;
|
||||||
};
|
};
|
||||||
|
|
||||||
in pkgs.extend(_: _: newpkgs)
|
in pkgs.extend(_: _: newpkgs)
|
||||||
|
|
49
services/vaultwarden.nix
Normal file
49
services/vaultwarden.nix
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
services.vaultwarden = {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
DATA_FOLDER="/persist/var/lib/vaultwarden/data";
|
||||||
|
LOG_LEVEL="error";
|
||||||
|
SIGNUPS_ALLOWED=false;
|
||||||
|
SIGNUPS_VERIFY=true;
|
||||||
|
SIGNUPS_DOMAINS_WHITELIST="hacc.space";
|
||||||
|
ORG_CREATION_USERS="admin@hacc.space";
|
||||||
|
INVITATIONS_ALLOWED=true;
|
||||||
|
INVITATION_ORG_NAME="haccwarden";
|
||||||
|
|
||||||
|
TRASH_AUTO_DELETE_DAYS=90;
|
||||||
|
|
||||||
|
DOMAIN="https://pw.hacc.space";
|
||||||
|
ROCKET_ADDRESS="127.0.0.1";
|
||||||
|
ROCKET_PORT=5354;
|
||||||
|
ROCKET_WORKERS=2;
|
||||||
|
|
||||||
|
SMTP_HOST="mail.hacc.space";
|
||||||
|
SMTP_FROM="vaultwarden@hacc.space";
|
||||||
|
SMTP_FROM_NAME="haccwarden";
|
||||||
|
SMTP_PORT=587;
|
||||||
|
SMTP_USERNAME="noreply@infra4future.de";
|
||||||
|
|
||||||
|
};
|
||||||
|
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
|
||||||
|
dbBackend = "sqlite";
|
||||||
|
backupDir = "/persist/data/vaultwarden_backups/";
|
||||||
|
};
|
||||||
|
|
||||||
|
#work around ProtectSystem=strict, cleanup
|
||||||
|
systemd.services.vaultwarden.serviceConfig = {
|
||||||
|
ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
|
||||||
|
StateDirectory = lib.mkForce "";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."pw.hacc.space" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:5354";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
};
|
||||||
|
}
|
Loading…
Reference in a new issue