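# NixOS module: Vaultwarden behind an nginx TLS reverse proxy, with a local
# PostgreSQL database and a sops-managed environment file.
{ config, pkgs, lib, ... }:
let
  domain = "pw.feal.no";

  # Backend listeners stay on loopback so that nginx (TLS, ACME) is the only
  # network-facing entry point to the vault.
  address = "127.0.0.1";
  port = 3011;

  # 3012 is Vaultwarden's default websocket port. It is named here so the
  # service setting and the nginx upstream below cannot drift apart.
  wsPort = 3012;
in {
  # Secret file readable only by the service account.
  # NOTE(review): judging by the secret's name it carries ADMIN_TOKEN; confirm.
  # If so, the /admin panel is enabled and reachable through the vhost below.
  # Consider restricting /admin at nginx to trusted source addresses.
  sops.secrets."vaultwarden/admintoken" = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # Loaded as an environment file, so the secret is not written into the
    # world-readable Nix store.
    environmentFile = config.sops.secrets."vaultwarden/admintoken".path;

    config = {
      domain = "https://${domain}";
      rocketAddress = address;
      rocketPort = port;

      websocketEnabled = true;
      # The standalone websocket listener defaults to 0.0.0.0. Pin it to
      # loopback like the HTTP listener, so it cannot be reached around nginx.
      # Releases that serve notifications on the main HTTP port are expected to
      # ignore these websocket settings.
      websocketAddress = address;
      websocketPort = wsPort;

      # databaseUrl = "postgresql://vaultwarden:@localhost/vaultwarden?sslmode=disable";
      # Empty host: connects over the local PostgreSQL socket, with no
      # password in the URL (presumably peer authentication; verify pg_hba).
      databaseUrl = "postgresql://vaultwarden@/vaultwarden";

      # Closed instance: no self-service account creation.
      signupsAllowed = false;
    };
  };

  # Only provisions the database and role. services.postgresql.enable is not
  # set in this module.
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      ensureDBOwnership = true;
    }];
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    # Non-standard ports on an internal address.
    # NOTE(review): presumably forwarded from 443/80 upstream; confirm that the
    # forceSSL redirect and the ACME challenge still work through that mapping.
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
    # Raises nginx's request body limit for this vhost to 128M.
    extraConfig = ''
      client_max_body_size 128M;
    '';

    locations."/" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
    # Uses the same loopback address the listener is bound to, rather than
    # "localhost", which may also resolve to ::1.
    locations."/notifications/hub" = {
      proxyPass = "http://${address}:${toString wsPort}";
      proxyWebsockets = true;
    };
    # Negotiation is served by the main HTTP listener, not the websocket port.
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
  };
}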