This commit is contained in:
parent
f4ff383d28
commit
9a37316d9e
3 changed files with 100 additions and 11 deletions
|
@ -1,7 +1,7 @@
|
|||
{ pkgs, config, lib, namespace, ... }:
|
||||
let
|
||||
inherit (lib.modules) mkIf;
|
||||
inherit (lib.options) mkEnableOption;
|
||||
inherit (builtins) toString;
|
||||
inherit (lib) mkIf mkEnableOption;
|
||||
|
||||
cfg = config.${namespace}.services.security.vaultwarden;
|
||||
in
|
||||
|
@ -11,18 +11,76 @@ in
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
vaultwarden
|
||||
vaultwarden-postgresql
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
|
||||
];
|
||||
|
||||
services.vaultwarden = {
|
||||
services = {
|
||||
vaultwarden = {
|
||||
enable = true;
|
||||
dbBackend = "postgresql";
|
||||
|
||||
package = pkgs.${namespace}.vaultwarden;
|
||||
|
||||
config = {
|
||||
SIGNUPS_ALLOWED = false;
|
||||
DOMAIN = "https://passwords.kruining.eu";
|
||||
DOMAIN = "https://vault.kruining.eu";
|
||||
|
||||
ADMIN_TOKEN = "";
|
||||
|
||||
DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";
|
||||
|
||||
WEB_VAULT_ENABLED = true;
|
||||
|
||||
SSO_ENABLED = true;
|
||||
SSO_ONLY = true;
|
||||
SSO_PKCE = true;
|
||||
SSO_AUTH_ONLY_NOT_SESSION = false;
|
||||
SSO_ROLES_ENABLED = true;
|
||||
SSO_ORGANIZATIONS_ENABLED = true;
|
||||
SSO_ORGANIZATIONS_REVOCATION = true;
|
||||
SSO_AUTHORITY = "https://auth.amarth.cloud/";
|
||||
SSO_SCOPES = "email profile offline_access";
|
||||
SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
|
||||
SSO_CLIENT_ID = "335178854421299459";
|
||||
SSO_CLIENT_SECRET = "";
|
||||
|
||||
ROCKET_ADDRESS = "::1";
|
||||
ROCKET_PORT = 8222;
|
||||
ROCKET_LOG = "critical";
|
||||
|
||||
SMTP_HOST = "black-mail.nl";
|
||||
SMTP_PORT = 587;
|
||||
SMTP_SECURITY = "starttls";
|
||||
SMTP_USERNAME = "info@amarth.cloud";
|
||||
SMTP_PASSWORD = "";
|
||||
SMTP_FROM = "info@amarth.cloud";
|
||||
SMTP_FROM_NAME = "Chris' Vaultwarden";
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "vaultwarden";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
caddy = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"vault.kruining.eu".extraConfig = ''
|
||||
encode zstd gzip
|
||||
|
||||
reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
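Review bot: `ADMIN_TOKEN = ""`, `SSO_CLIENT_SECRET = ""` and `SMTP_PASSWORD = ""` sit in `services.vaultwarden.config`, and everything in that attribute set is rendered into a file in the Nix store, which is world-readable, so the moment real values replace these placeholders they are exposed to every local account and to anyone who can read or copy the store path. The NixOS module provides `services.vaultwarden.environmentFile` for exactly these keys; load them from a root-owned mode 0600 file outside the store and delete the three lines from `config`. As committed the values are empty, which presumably leaves the admin panel disabled and SSO and SMTP unable to authenticate, so a short comment saying where the real values are meant to come from would help the next reader. Separately, `DATABASE_URL` connects over TCP to `localhost:5432` with no password while `ensureUsers` creates a password-less role; with the default NixOS `services.postgresql.authentication` loopback TCP requires password auth, so unless that is changed elsewhere the connection is refused — a unix-socket URL such as `postgres:///vaultwarden?host=/run/postgresql` uses peer auth and matches the role `ensureUsers` creates.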
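--- /dev/null
+++ b/packages/vaultwarden/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }:
+rustPlatform.buildRustPackage rec {
+pname = "vaultwarden";
+version = "1.34.3";
+
+src = fetchFromGitHub {
+owner = "Timshel";
+repo = "vaultwarden";
+rev = "1.34.3";
+hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0=";
+};
+
+cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE=";
+
+# used for "Server Installed" version in admin panel
+env.VW_VERSION = version;
+
+nativeBuildInputs = [ pkg-config ];
+buildInputs =
+[ openssl ]
+++ lib.optional (dbBackend == "postgresql") postgresql;
+
+buildFeatures = dbBackend;
+
+meta = with lib; {
+license = licenses.agpl3Only;
+mainProgram = "vaultwarden";
+};
+}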
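Review bot: `src` fetches from the `Timshel` fork rather than upstream `dani-garcia/vaultwarden`, and nothing in the file records why; for a password manager that provenance decision belongs next to the fetch, e.g. `# Timshel fork of vaultwarden — presumably for the SSO_* options the service module sets; confirm before bumping`. `rev = "1.34.3"` is a tag, which can be moved, but `hash` pins the fetched content so a moved tag fails the build instead of silently changing what is built; `rev = version;` would also keep the two literals from drifting apart on the next bump. `meta` carries only `license` and `mainProgram`; adding `description` and `homepage` pointing at the fork makes the provenance visible to Nix tooling as well.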
@ -23,6 +23,8 @@
|
|||
loki.enable = true;
|
||||
promtail.enable = true;
|
||||
};
|
||||
|
||||
security.vaultwarden.enable = true;
|
||||
};
|
||||
|
||||
editor = {
|
||||
|
|