blob: 4f5bcb4cffb2803a9888cf596178b238b3870609 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
{
config,
inputs,
lib,
...
}:
with lib; let
cfg = config.nixfiles.modules.vaultwarden;
in {
options.nixfiles.modules.vaultwarden = {
enable = mkEnableOption "Whether to enable Vaultwarden.";
domain = mkOption {
description = "Domain name sans protocol scheme.";
type = with types; str;
default = "vaultwarden.${config.networking.domain}";
};
};
config = mkIf cfg.enable {
secrets.vaultwarden-environment = {
file = "${inputs.self}/secrets/vaultwarden-environment";
owner = "vaultwarden";
group = "vaultwarden";
};
nixfiles.modules = {
nginx = {
enable = true;
virtualHosts.${cfg.domain} = with config.services.vaultwarden.config; {
locations."/" = {
proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://[${WEBSOCKET_ADDRESS}]:${toString WEBSOCKET_PORT}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
proxyWebsockets = true;
};
};
};
postgresql.enable = true;
};
services = let
db = "vaultwarden";
in {
vaultwarden = {
enable = true;
config = {
TZ = config.time.timeZone;
WEB_VAULT_ENABLED = true;
DOMAIN = optionalString (cfg.domain != null) "http://${cfg.domain}";
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = true;
ROCKET_ADDRESS = "::1";
ROCKET_PORT = 8812;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "::1";
WEBSOCKET_PORT = 8813;
LOG_LEVEL = "error";
DATABASE_URL = "postgresql://${db}@/${db}";
};
dbBackend = "postgresql";
environmentFile = config.secrets.vaultwarden-environment.path;
};
postgresql = {
ensureDatabases = [db];
ensureUsers = [
{
name = db;
ensurePermissions."DATABASE \"${db}\"" = "ALL PRIVILEGES";
}
];
};
fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable {
vaultwarden = ''
enabled = true
filter = vaultwarden
port = http,https
'';
vaultwarden-admin = ''
enabled = true
filter = vaultwarden-admin
port = http,https
'';
};
};
environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
"fail2ban/filter.d/vaultwarden.conf".text = ''
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
'';
"fail2ban/filter.d/vaultwarden-admin.conf".text = ''
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
'';
};
};
}
|