50 lines
1.5 KiB
Nix
50 lines
1.5 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
service_configs,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
(lib.serviceMountDeps "vaultwarden" [
|
|
service_configs.vaultwarden.path
|
|
# config.services.vaultwarden.backupDir
|
|
])
|
|
(lib.serviceMountDeps "backup-vaultwarden" [
|
|
service_configs.vaultwarden.path
|
|
# config.services.vaultwarden.backupDir
|
|
])
|
|
];
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
# backupDir = "/${service_configs.zpool_ssds}/bak/vaultwarden";
|
|
# in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
|
|
# be aware that this file must be created by hand (or via secrets management like sops)
|
|
environmentFile = service_configs.vaultwarden.path + "/vaultwarden.env";
|
|
config = {
|
|
# Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
|
|
DOMAIN = "https://bitwarden.${service_configs.https.domain}";
|
|
SIGNUPS_ALLOWED = false;
|
|
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = service_configs.ports.vaultwarden;
|
|
ROCKET_LOG = "critical";
|
|
};
|
|
};
|
|
|
|
services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
|
|
encode zstd gzip
|
|
|
|
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
|
|
header_up X-Real-IP {remote_host}
|
|
}
|
|
'';
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
|
|
# "d ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
|
|
];
|
|
}
|