diff options
Diffstat (limited to 'modules/nixos/vaultwarden.nix')
| -rw-r--r-- | modules/nixos/vaultwarden.nix | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix deleted file mode 100644 index 2cacb6c..0000000 --- a/modules/nixos/vaultwarden.nix +++ /dev/null @@ -1,145 +0,0 @@ -{ - config, - inputs, - lib, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.vaultwarden; -in -{ - options.nixfiles.modules.vaultwarden = { - enable = mkEnableOption "Vaultwarden"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "vaultwarden.${config.networking.domain}"; - }; - }; - - config = - let - db = "vaultwarden"; - in - mkIf cfg.enable { - ark.directories = [ "/var/lib/bitwarden_rs" ]; - - secrets.vaultwarden-environment = { - file = "${inputs.self}/secrets/vaultwarden-environment"; - owner = "vaultwarden"; - group = "vaultwarden"; - }; - - nixfiles.modules = { - nginx = { - enable = true; - upstreams = with config.services.vaultwarden.config; { - vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = { }; - vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = { }; - }; - virtualHosts.${cfg.domain}.locations = { - "/" = { - proxyPass = "http://vaultwarden_rocket"; - proxyWebsockets = true; - }; - "/notifications/hub" = { - proxyPass = "http://vaultwarden_websocket"; - proxyWebsockets = true; - }; - "/notifications/hub/negotiate" = { - proxyPass = "http://vaultwarden_rocket"; - proxyWebsockets = true; - }; - }; - }; - postgresql = { - enable = true; - extraPostStart = [ - '' - $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' - '' - ]; - }; - }; - - services = { - vaultwarden = { - enable = true; - config = { - TZ = config.time.timeZone; - - WEB_VAULT_ENABLED = true; - - DOMAIN = optionalString (cfg.domain != null) "http://${cfg.domain}"; - - SIGNUPS_ALLOWED = false; - INVITATIONS_ALLOWED = false; - - ORG_CREATION_USERS = "none"; - - PASSWORD_HINTS_ALLOWED = false; - SHOW_PASSWORD_HINT = false; - - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8812; - - WEBSOCKET_ENABLED = true; - WEBSOCKET_ADDRESS = "127.0.0.1"; - WEBSOCKET_PORT = 8813; - - LOG_LEVEL = "error"; - - DATABASE_URL = "postgresql://${db}@/${db}"; - }; - dbBackend = "postgresql"; - environmentFile = config.secrets.vaultwarden-environment.path; - }; - - postgresql = { - ensureDatabases = [ db ]; - ensureUsers = [ - { - name = db; - ensureDBOwnership = true; - } - ]; - }; - - fail2ban.jails = { - vaultwarden = { - enabled = true; - settings = { - filter = "vaultwarden"; - port = "http,https"; - }; - }; - vaultwarden-admin = { - enabled = true; - settings = { - filter = "vaultwarden-admin"; - port = "http,https"; - }; - }; - }; - }; - - environment.etc = { - "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI { } { - Definition = { - failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"; - ignoreregex = ""; - journalmatch = "_SYSTEMD_UNIT=vaultwarden.service"; - }; - }; - "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI { } { - Definition = { - failregex = "^.*Invalid admin token\. IP: <ADDR>.*$"; - ignoreregex = ""; - journalmatch = "_SYSTEMD_UNIT=vaultwarden.service"; - }; - }; - }; - }; -} |