# NixOS module: Vaultwarden (password manager) served at pw.hacc.space.
# The application listens on loopback only; nginx terminates TLS (ACME
# certificate, HTTP redirected to HTTPS) and proxies to it.
{ config, lib, pkgs, ... }:

let
  # Persistent state lives under /persist rather than the module's default
  # state directory; every path below is derived from this one value.
  stateRoot = "/persist/var/lib/vaultwarden";
  dataDir = "${stateRoot}/data";

  # Loopback listener shared by Vaultwarden (ROCKET_*) and the nginx upstream,
  # so the two cannot drift apart.
  listenAddr = "127.0.0.1";
  listenPort = 5354;
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";

    # Backups hold the full vault database; the directory's ownership and mode
    # are not set in this file.
    # NOTE(review): confirm it is not group/world readable.
    backupDir = "/persist/data/vaultwarden_backups/";

    # Contains SMTP_PASSWORD. Loaded at service start so the secret is not
    # written into this configuration.
    # NOTE(review): the file sits inside ReadWritePaths (below), so the
    # service process may be able to modify it; confirm owner and mode.
    environmentFile = "${stateRoot}/vaultwarden.env";

    config = {
      DATA_FOLDER = dataDir;
      # NOTE(review): if failed-login lines feed brute-force detection
      # (e.g. a log-based ban tool), confirm they are still emitted at this level.
      LOG_LEVEL = "error";

      # Registration policy.
      # NOTE(review): in Vaultwarden a non-empty SIGNUPS_DOMAINS_WHITELIST
      # permits self-registration from the listed domains even when
      # SIGNUPS_ALLOWED is false; with SIGNUPS_VERIFY the address must be
      # verified by mail. Confirm that "any hacc.space mailbox may register"
      # is the intended policy.
      SIGNUPS_ALLOWED = false;
      SIGNUPS_VERIFY = true;
      SIGNUPS_DOMAINS_WHITELIST = "hacc.space";
      # Only this account may create organizations.
      ORG_CREATION_USERS = "admin@hacc.space";
      INVITATIONS_ALLOWED = true;
      INVITATION_ORG_NAME = "haccwarden";

      TRASH_AUTO_DELETE_DAYS = 90;

      # Public URL (must match the nginx virtual host) and the private listener.
      DOMAIN = "https://pw.hacc.space";
      ROCKET_ADDRESS = listenAddr;
      ROCKET_PORT = listenPort;
      ROCKET_WORKERS = 2;

      # Outgoing mail.
      # NOTE(review): port 465 is implicit-TLS submission, but no
      # SMTP_SECURITY value is set in this file. Confirm the deployed
      # Vaultwarden release is told to use implicit TLS (SMTP_SECURITY =
      # "force_tls" on current releases), here or in the environment file;
      # otherwise mail delivery may fail or fall back to another mode.
      SMTP_HOST = "mail.hacc.space";
      SMTP_FROM = "vaultwarden@hacc.space";
      SMTP_FROM_NAME = "haccwarden";
      SMTP_PORT = 465;
      SMTP_USERNAME = "noreply@infra4future.de";
    };
  };

  systemd.services = {
    # Work around ProtectSystem=strict: the unit is granted write access to
    # the relocated state root, and the systemd-managed StateDirectory is
    # cleared so the default state location is no longer used.
    # NOTE(review): only DATA_FOLDER (a subdirectory) is written by the
    # application as configured here; narrowing ReadWritePaths to it would
    # keep the environment file read-only for the service. Verify first.
    vaultwarden.serviceConfig = {
      ReadWritePaths = [ stateRoot ];
      StateDirectory = lib.mkForce "";
    };

    # Point the backup job at the relocated data folder as well.
    backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce dataDir;
  };

  services.nginx.virtualHosts."pw.hacc.space" = {
    # TLS is enforced at the proxy; the hop to Vaultwarden is plain HTTP on
    # loopback only.
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${listenAddr}:${toString listenPort}";
      proxyWebsockets = true;
    };
  };
}