From 44e7a6fa0fd33ad37905a882149c9a39cdebf370 Mon Sep 17 00:00:00 2001
From: Chris Kruining <c.kruining@4dotnet.nl>
Date: Wed, 3 Sep 2025 16:45:32 +0200
Subject: [PATCH] harden vaultwarden

---
 modules/nixos/services/security/vaultwarden/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix
index 0bb05f7..db8e162 100644
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@@ -76,6 +76,12 @@ in
           "vault.kruining.eu".extraConfig = ''
             encode zstd gzip
 
+            handle_path /admin {
+              respond 401 {
+                close
+              }
+            }
+
             reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
               header_up X-Real-IP {remote_host}
             }