add vaultwarden

2025-08-27 15:24:12 +02:00 · 2025-08-27 15:24:12 +02:00 · 9a37316d9e
commit 9a37316d9e
parent f4ff383d28
3 changed files with 100 additions and 11 deletions
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@ -1,7 +1,7 @@
 { pkgs, config, lib, namespace, ... }:
 let
-  inherit (lib.modules) mkIf;
+  inherit (builtins) toString;
-  inherit (lib.options) mkEnableOption;
+  inherit (lib) mkIf mkEnableOption;
  cfg = config.${namespace}.services.security.vaultwarden;
 in
@ -11,18 +11,76 @@ in
  };
  config = mkIf cfg.enable {
-    environment.systemPackages = with pkgs; [
+    systemd.tmpfiles.rules = [
-      vaultwarden
+      "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
      vaultwarden-postgresql
    ];
-    services.vaultwarden = {
+    services = {
-      enable = true;
+      vaultwarden = {
-      dbBackend = "postgresql";
+        enable = true;
        dbBackend = "postgresql";
-      config = {
+        package = pkgs.${namespace}.vaultwarden;
-        SIGNUPS_ALLOWED = false;
+
-        DOMAIN = "https://passwords.kruining.eu";
+        config = {
          SIGNUPS_ALLOWED = false;
          DOMAIN = "https://vault.kruining.eu";
          ADMIN_TOKEN = "";
          DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
          WEB_VAULT_ENABLED = true;
          SSO_ENABLED = true;
          SSO_ONLY = true;
          SSO_PKCE = true;
          SSO_AUTH_ONLY_NOT_SESSION = false;
          SSO_ROLES_ENABLED = true;
          SSO_ORGANIZATIONS_ENABLED = true;
          SSO_ORGANIZATIONS_REVOCATION = true;
          SSO_AUTHORITY = "https://auth.amarth.cloud/";
          SSO_SCOPES = "email profile offline_access";
          SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
          SSO_CLIENT_ID = "335178854421299459";
          SSO_CLIENT_SECRET = "";
          ROCKET_ADDRESS = "::1";
          ROCKET_PORT = 8222;
          ROCKET_LOG = "critical";
          SMTP_HOST = "black-mail.nl";
          SMTP_PORT = 587;
          SMTP_SECURITY = "starttls";
          SMTP_USERNAME = "info@amarth.cloud";
          SMTP_PASSWORD = "";
          SMTP_FROM = "info@amarth.cloud";
          SMTP_FROM_NAME = "Chris' Vaultwarden";
        };
      };
      postgresql = {
        enable = true;
        ensureDatabases = [ "vaultwarden" ];
        ensureUsers = [
          {
            name = "vaultwarden";
            ensureDBOwnership = true;
          }
        ];
      };
      caddy = {
        enable = true;
        virtualHosts = {
          "vault.kruining.eu".extraConfig = ''
            encode zstd gzip
            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
              header_up X-Real-IP {remote_host}
            }
          '';
        };
      };
    };
  };
--- a/packages/vaultwarden/default.nix
+++ b/packages/vaultwarden/default.nix
@ -0,0 +1,29 @@
 { lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }:
 rustPlatform.buildRustPackage rec {
  pname = "vaultwarden";
  version = "1.34.3";
  src = fetchFromGitHub {
    owner = "Timshel";
    repo = "vaultwarden";
    rev = "1.34.3";
    hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0=";
  };
  cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE=";
  # used for "Server Installed" version in admin panel
  env.VW_VERSION = version;
  nativeBuildInputs = [ pkg-config ];
  buildInputs =
    [ openssl ]
    ++ lib.optional (dbBackend == "postgresql") postgresql;
  buildFeatures = dbBackend;
  meta = with lib; {
    license = licenses.agpl3Only;
    mainProgram = "vaultwarden";
  };
 }
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@ -23,6 +23,8 @@
        loki.enable = true;
        promtail.enable = true;
      };
      security.vaultwarden.enable = true;
    };
    editor = {