nixos-config/hosts/voyager/services/vaultwarden.nix

70 lines
1.8 KiB
Nix

{ config, pkgs, lib, ... }:
let
cfg = config.services.vaultwarden;
domain = "pw.feal.no";
address = "127.0.0.1";
port = 3011; # Note! The websocket port is left as default
in {
sops.secrets."vaultwarden/admintoken" = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
config = {
domain = "https://${domain}";
rocketAddress = address;
rocketPort = port;
websocketEnabled = true;
databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";
signupsAllowed = false;
rocketLog = "critical";
# This example assumes a mailserver running on localhost,
# thus without transport encryption.
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
/* SMTP_HOST = "127.0.0.1"; */
/* SMTP_PORT = 25; */
/* SMTP_SSL = false; */
/* SMTP_FROM = "admin@bitwarden.example.com"; */
/* SMTP_FROM_NAME = "example.com Bitwarden server"; */
};
};
services.nginx.virtualHosts."${domain}" = {
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://${address}:${toString port}";
proxyWebsockets = true;
};
};
services.postgresql = {
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [{
name = "vaultwarden";
ensurePermissions = {
"DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
};
}];
};
}