add vaultwarden

2025-08-27 15:24:12 +02:00 · 2025-08-27 15:24:12 +02:00 · 9a37316d9e
commit 9a37316d9e
parent f4ff383d28
3 changed files with 100 additions and 11 deletions
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@ -1,7 +1,7 @@
 { pkgs, config, lib, namespace, ... }:
 let
-  inherit (lib.modules) mkIf;
-  inherit (lib.options) mkEnableOption;
+  inherit (builtins) toString;
+  inherit (lib) mkIf mkEnableOption;

  cfg = config.${namespace}.services.security.vaultwarden;
 in
@ -11,18 +11,76 @@ in
  };

  config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs; [
-      vaultwarden
-      vaultwarden-postgresql
+    systemd.tmpfiles.rules = [
+      "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
    ];

-    services.vaultwarden = {
-      enable = true;
-      dbBackend = "postgresql";
+    services = {
+      vaultwarden = {
+        enable = true;
+        dbBackend = "postgresql";

-      config = {
-        SIGNUPS_ALLOWED = false;
-        DOMAIN = "https://passwords.kruining.eu";
+        package = pkgs.${namespace}.vaultwarden;
+
+        config = {
+          SIGNUPS_ALLOWED = false;
+          DOMAIN = "https://vault.kruining.eu";
+
+          ADMIN_TOKEN = "";
+
+          DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
+
+          WEB_VAULT_ENABLED = true;
+
+          SSO_ENABLED = true;
+          SSO_ONLY = true;
+          SSO_PKCE = true;
+          SSO_AUTH_ONLY_NOT_SESSION = false;
+          SSO_ROLES_ENABLED = true;
+          SSO_ORGANIZATIONS_ENABLED = true;
+          SSO_ORGANIZATIONS_REVOCATION = true;
+          SSO_AUTHORITY = "https://auth.amarth.cloud/";
+          SSO_SCOPES = "email profile offline_access";
+          SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
+          SSO_CLIENT_ID = "335178854421299459";
+          SSO_CLIENT_SECRET = "";
+
+          ROCKET_ADDRESS = "::1";
+          ROCKET_PORT = 8222;
+          ROCKET_LOG = "critical";
+
+          SMTP_HOST = "black-mail.nl";
+          SMTP_PORT = 587;
+          SMTP_SECURITY = "starttls";
+          SMTP_USERNAME = "info@amarth.cloud";
+          SMTP_PASSWORD = "";
+          SMTP_FROM = "info@amarth.cloud";
+          SMTP_FROM_NAME = "Chris' Vaultwarden";
+        };
+      };
+
+      postgresql = {
+        enable = true;
+        ensureDatabases = [ "vaultwarden" ];
+        ensureUsers = [
+          {
+            name = "vaultwarden";
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+
+      caddy = {
+        enable = true;
+        virtualHosts = {
+          "vault.kruining.eu".extraConfig = ''
+            encode zstd gzip
+
+            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+              header_up X-Real-IP {remote_host}
+            }
+          '';
+        };
      };
    };
  };