# Vaultwarden behind a hand-written nginx vhost: TLS comes from a DNS-01
# ACME certificate shared with nginx, and every secret is delivered via sops.
{
  constants,
  config,
  ...
}:

let
  inherit (constants) domain;
  inherit (constants.hosts.rx4) ip;
  inherit (constants.services.vaultwarden) fqdn port;

  # Upstream used by every proxied location below. Rocket binds to loopback
  # (see ROCKET_ADDRESS), so only nginx on this host can reach it directly.
  backend = "http://127.0.0.1:${toString port}";
in
{
  services.vaultwarden = {
    enable = true;

    dbBackend = "postgresql";
    configurePostgres = true;

    # The vhost is declared explicitly further down (pinned listen address,
    # shared ACME cert), so the module's own nginx wiring stays disabled.
    configureNginx = false;
    domain = fqdn;

    # ADMIN_TOKEN and SMTP_PASSWORD are injected at runtime from the sops
    # template rendered at the bottom of this file; nothing secret lands in
    # the Nix store.
    # NOTE(review): nixpkgs declares this option as a single path in the
    # revisions I know of — confirm the list form evaluates on the pinned
    # nixpkgs.
    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];

    config = {
      ENABLE_WEBSOCKET = true;
      # Registration is closed; accounts come from the admin page or invites.
      SIGNUPS_ALLOWED = false;

      SMTP_FROM = "vaultwarden@${domain}";
      SMTP_FROM_NAME = "${domain} Vaultwarden server";
      SMTP_HOST = constants.hosts.sid.ip;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = "vaultwarden@${domain}";

      # Loopback only: the service is reachable solely through the TLS vhost.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      ROCKET_LOG = "critical";
    };
  };

  services.nginx.virtualHosts."${fqdn}" = {
    useACMEHost = "pw-custom";
    forceSSL = true;
    # HTTPS listener is bound to this host's address only, not 0.0.0.0.
    listen = [
      {
        addr = "${ip}:443";
        ssl = true;
      }
    ];
    locations = {
      "/" = {
        proxyPass = backend;
      };
      # Both notification endpoints need the websocket upgrade headers.
      "= /notifications/alerts" = {
        proxyPass = backend;
        proxyWebsockets = true;
      };
      "= /notifications/hub" = {
        proxyPass = backend;
        proxyWebsockets = true;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";
    # DNS-01 issuance: no HTTP listener is needed for validation, and the
    # provider token is a sops secret readable by the acme user only.
    certs."pw-custom" = {
      domain = fqdn;
      dnsProvider = "hetzner";
      dnsResolver = "1.1.1.1:53";
      credentialFiles = {
        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
      };
      # Lets the nginx vhost above read the issued certificate and key.
      group = "nginx";
    };
  };

  sops =
    let
      owner = config.users.users.vaultwarden.name;
      group = config.users.groups.vaultwarden.name;
      # Owner-read-only for every decrypted secret and rendered template.
      mode = "0400";
    in
    {
      secrets = {
        # NOTE(review): vaultwarden also accepts an Argon2 PHC string here
        # (produced by `vaultwarden hash`) instead of the raw token, which
        # limits what a leaked env file reveals.
        "vaultwarden/admin-token" = {
          inherit owner group mode;
        };
        "vaultwarden/smtp-password" = {
          inherit owner group mode;
        };
        # Consumed by the ACME client, hence acme ownership rather than
        # vaultwarden.
        hetzner-api-key = {
          inherit mode;
          owner = "acme";
          group = "acme";
        };
      };
      templates = {
        # Rendered at activation with the real secret values substituted for
        # the placeholders; this is the file referenced by environmentFile.
        "vaultwarden/env-file" = {
          inherit owner group mode;
          content = ''
            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
          '';
        };
      };
    };
}