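# NixOS module: Vaultwarden behind nginx, backed by PostgreSQL, with the
# admin token supplied through sops-nix rather than the Nix store.
{ config, pkgs, lib, ... }:
let
  domain = "pw.feal.no";
  # Rocket (vaultwarden's HTTP server) listens on loopback only; nginx is
  # the only externally reachable entry point.
  address = "127.0.0.1";
  port = 3011;
  # Note! The websocket port is left as default (3012). It is only used by
  # the /notifications/hub location below, so keep the two in sync.
  websocketPort = 3012;
  # Upstream URL for the Rocket backend, shared by the nginx locations.
  backend = "http://${address}:${toString port}";
in
{
  # Decrypted at activation time and readable only by the vaultwarden
  # service user. NOTE(review): presumably holds `ADMIN_TOKEN=...` in
  # env-file format, since it is passed as environmentFile — confirm.
  sops.secrets."vaultwarden/admintoken" = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # Keeps the admin token out of the (world-readable) Nix store.
    environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
    config = {
      domain = "https://${domain}";
      rocketAddress = address;
      rocketPort = port;
      websocketEnabled = true;
      # No password in the URL: authentication is delegated to PostgreSQL's
      # pg_hba.conf. NOTE(review): libpq treats host=localhost as a TCP
      # connection, so this relies on a matching host rule for loopback —
      # confirm, or use the socket form postgresql:///vaultwarden for peer
      # auth. sslmode=disable is acceptable only because the connection never
      # leaves the host.
      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
      # New accounts cannot self-register.
      signupsAllowed = false;
      rocketLog = "critical";
      # This example assumes a mailserver running on localhost,
      # thus without transport encryption.
      # If you use an external mail server, follow:
      # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
      /* SMTP_HOST = "127.0.0.1"; */
      /* SMTP_PORT = 25; */
      /* SMTP_SSL = false; */
      /* SMTP_FROM = "admin@bitwarden.example.com"; */
      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */
    };
  };

  # NOTE(review): neither forceSSL nor enableACME is set here although
  # `domain` advertises https; TLS for this vhost is presumably configured
  # elsewhere — confirm, since the vault is otherwise served in the clear.
  services.nginx.virtualHosts."${domain}" = {
    # Allow large request bodies (e.g. attachment uploads).
    extraConfig = ''
      client_max_body_size 128M;
    '';
    locations."/" = {
      proxyPass = backend;
      proxyWebsockets = true;
    };
    # The hub itself is served by the separate websocket listener ...
    locations."/notifications/hub" = {
      proxyPass = "http://localhost:${toString websocketPort}";
      proxyWebsockets = true;
    };
    # ... while the negotiate endpoint is handled by Rocket.
    locations."/notifications/hub/negotiate" = {
      proxyPass = backend;
      proxyWebsockets = true;
    };
  };

  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      # NOTE(review): ensurePermissions has been deprecated in newer NixOS
      # releases in favour of ensureDBOwnership — check against the release
      # this host tracks.
      ensurePermissions = {
        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
      };
    }];
  };
}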