author | Azat Bahawi <azat@bahawi.net> | 2022-10-20 01:36:00 +0300 |
committer | Azat Bahawi <azat@bahawi.net> | 2022-10-20 01:36:00 +0300 |
commit | 2161e67026139fe91ef0e38c255d2fc63e739be3 (patch) | |
tree | 1d8c5d276614d2045c5dea429de0f61d0602b37d /modules/nixfiles/vaultwarden.nix | |
parent | 2022-10-08 (diff) |
Diffstat (limited to '')
-rw-r--r-- | modules/nixfiles/vaultwarden.nix | 173 |
1 files changed, 93 insertions, 80 deletions
diff --git a/modules/nixfiles/vaultwarden.nix b/modules/nixfiles/vaultwarden.nix index dc8bb84..7d51667 100644 --- a/modules/nixfiles/vaultwarden.nix +++ b/modules/nixfiles/vaultwarden.nix 
@@ -17,105 +17,118 @@ in { }; }; - config = mkIf cfg.enable { - secrets.vaultwarden-environment = { - file = "${inputs.self}/secrets/vaultwarden-environment"; - owner = "vaultwarden"; - group = "vaultwarden"; - }; + config = let + db = "vaultwarden"; + in + mkIf cfg.enable { + secrets.vaultwarden-environment = { + file = "${inputs.self}/secrets/vaultwarden-environment"; + owner = "vaultwarden"; + group = "vaultwarden"; + }; - nixfiles.modules = { - nginx = { - enable = true; - upstreams = with config.services.vaultwarden.config; { - vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = {}; - vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = {}; - }; - virtualHosts.${cfg.domain} = { - locations."/" = { - proxyPass = "http://vaultwarden_rocket"; - proxyWebsockets = true; - }; - locations."/notifications/hub" = { - proxyPass = "http://vaultwarden_websocket"; - proxyWebsockets = true; + nixfiles.modules = { + nginx = { + enable = true; + upstreams = with config.services.vaultwarden.config; { + vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = {}; + vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = {}; }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://vaultwarden_rocket"; - proxyWebsockets = true; + virtualHosts.${cfg.domain} = { + locations."/" = { + proxyPass = "http://vaultwarden_rocket"; + proxyWebsockets = true; + }; + locations."/notifications/hub" = { + proxyPass = "http://vaultwarden_websocket"; + proxyWebsockets = true; + }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://vaultwarden_rocket"; + proxyWebsockets = true; + }; }; }; + postgresql = { + enable = true; + extraPostStart = [ + '' + $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' + '' + ]; + }; }; - postgresql.enable = true; - }; - services = let - db = "vaultwarden"; - in { - vaultwarden = { - enable = true; - config = { - TZ = 
config.time.timeZone; + services = { + vaultwarden = { + enable = true; + config = { + TZ = config.time.timeZone; + + WEB_VAULT_ENABLED = true; + + DOMAIN = optionalString (cfg.domain != null) "http://${cfg.domain}"; - WEB_VAULT_ENABLED = true; + SIGNUPS_ALLOWED = false; + INVITATIONS_ALLOWED = false; - DOMAIN = optionalString (cfg.domain != null) "http://${cfg.domain}"; + ORG_CREATION_USERS = "none"; - SIGNUPS_ALLOWED = false; - INVITATIONS_ALLOWED = true; + PASSWORD_HINTS_ALLOWED = false; + SHOW_PASSWORD_HINT = false; - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8812; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8812; - WEBSOCKET_ENABLED = true; - WEBSOCKET_ADDRESS = "127.0.0.1"; - WEBSOCKET_PORT = 8813; + WEBSOCKET_ENABLED = true; + WEBSOCKET_ADDRESS = "127.0.0.1"; + WEBSOCKET_PORT = 8813; - LOG_LEVEL = "error"; + LOG_LEVEL = "error"; - DATABASE_URL = "postgresql://${db}@/${db}"; + DATABASE_URL = "postgresql://${db}@/${db}"; + }; + dbBackend = "postgresql"; + environmentFile = config.secrets.vaultwarden-environment.path; + }; + + postgresql = { + ensureDatabases = [db]; + ensureUsers = [ + { + name = db; + ensurePermissions."DATABASE \"${db}\"" = "ALL"; + } + ]; }; - dbBackend = "postgresql"; - environmentFile = config.secrets.vaultwarden-environment.path; - }; - postgresql = { - ensureDatabases = [db]; - ensureUsers = [ - { - name = db; - ensurePermissions."DATABASE \"${db}\"" = "ALL PRIVILEGES"; - } - ]; + fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable { + vaultwarden = '' + enabled = true + filter = vaultwarden + port = http,https + ''; + vaultwarden-admin = '' + enabled = true + filter = vaultwarden-admin + port = http,https + ''; + }; }; - fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable { - vaultwarden = '' - enabled = true - filter = vaultwarden - port = http,https + environment.etc = mkIf config.nixfiles.modules.fail2ban.enable { + "fail2ban/filter.d/vaultwarden.conf".text = '' + [Definition] + failregex = ^.*Username or 
password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$ + ignoreregex = + journalmatch = _SYSTEMD_UNIT=vaultwarden.service ''; - vaultwarden-admin = '' - enabled = true - filter = vaultwarden-admin - port = http,https + "fail2ban/filter.d/vaultwarden-admin.conf".text = '' + [Definition] + failregex = ^.*Invalid admin token\. IP: <ADDR>.*$ + ignoreregex = + journalmatch = _SYSTEMD_UNIT=vaultwarden.service ''; }; }; - - environment.etc = mkIf config.nixfiles.modules.fail2ban.enable { - "fail2ban/filter.d/vaultwarden.conf".text = '' - [Definition] - failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$ - ignoreregex = - journalmatch = _SYSTEMD_UNIT=vaultwarden.service - ''; - "fail2ban/filter.d/vaultwarden-admin.conf".text = '' - [Definition] - failregex = ^.*Invalid admin token\. IP: <ADDR>.*$ - ignoreregex = - journalmatch = _SYSTEMD_UNIT=vaultwarden.service - ''; - }; - }; } |
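Review bot: The two fail2ban filters moved under `environment.etc` key on the `IP: <ADDR>` field of vaultwarden's own log line, but vaultwarden listens on the 127.0.0.1 upstreams behind nginx, so the address it logs is the proxy's unless nginx forwards the client address in the header vaultwarden reads (X-Real-IP by default, which NixOS's `recommendedProxySettings` sets); if the nixfiles nginx module does not do that, the jails would only ever see 127.0.0.1 and never ban an offender, which is worth confirming and recording above the jails, e.g. `# Bans depend on nginx passing the client address via X-Real-IP`. Two smaller points in the same hunk: `LOG_LEVEL = "error"` will drop both matched messages if vaultwarden emits either below error level, so the jails should be checked against a real failed login and a bad admin token; and `DOMAIN` is still built with `http://`, which, if the virtual host is served over TLS, yields a mismatched origin for WebAuthn/U2F and plaintext links in generated URLs, so `https://` is probably intended. The enclosing module attribute set begins before this hunk.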