feat(bw): vaultwarden

This commit is contained in:
arcnmx 2024-05-26 14:04:19 -07:00
parent 0b0a91d506
commit 0947ca0532
15 changed files with 437 additions and 7 deletions

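--- /dev/null
+++ b/nixos/vaultwarden.nix
@@ -0,0 +1,48 @@
+{
+config,
+lib,
+...
+}: let
+inherit (lib.modules) mkIf mkDefault;
+inherit (config.services) postgresql;
+cfg = config.services.vaultwarden;
+enableAdmin = false;
+in {
+config.services.vaultwarden = {
+enable = mkDefault true;
+dbBackend = mkDefault "postgresql";
+websocketPort = mkDefault 8223;
+databaseUrlPath = mkIf (!postgresql.enable) (mkDefault config.sops.secrets.vaultwarden-database-url.path);
+adminTokenPath = mkIf enableAdmin (mkDefault config.sops.secrets.vaultwarden-admin-token.path);
+config = {
+SIGNUPS_ALLOWED = mkDefault false;
+ROCKET_ADDRESS = mkDefault "::";
+WEBSOCKET_ADDRESS = mkDefault "::";
+DATABASE_URL = mkIf postgresql.enable (mkDefault "postgresql://vaultwarden@/vaultwarden");
+};
+};
+config.systemd.services.vaultwarden = mkIf cfg.enable {
+gensokyo-zone.sharedMounts.vaultwarden.path = mkDefault cfg.config.DATA_FOLDER;
+};
+config.users = mkIf cfg.enable {
+users.vaultwarden.uid = 915;
+groups.vaultwarden.gid = config.users.users.vaultwarden.uid;
+};
+config.networking.firewall = mkIf cfg.enable {
+interfaces.lan.allowedTCPPorts = [
+cfg.port
+(mkIf (cfg.websocketPort != null) cfg.websocketPort)
+];
+};
+config.sops.secrets = let
+sopsFile = mkDefault ./secrets/vaultwarden.yaml;
+owner = "vaultwarden";
+in {
+vaultwarden-database-url = mkIf (!postgresql.enable) {
+inherit sopsFile owner;
+};
+vaultwarden-admin-token = mkIf enableAdmin {
+inherit sopsFile owner;
+};
+};
+}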
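Review bot: `ROCKET_ADDRESS = mkDefault "::"` combined with `interfaces.lan.allowedTCPPorts = [ cfg.port … ]` exposes Vaultwarden's own HTTP listener to every host on the `lan` interface; Vaultwarden serves plaintext HTTP itself and the web vault's client-side crypto only functions when the page is delivered over HTTPS, so unless a TLS-terminating proxy is configured outside this file, logins and vault payloads would cross the LAN unencrypted. If such a proxy exists, binding to loopback and opening only the proxy's port would be tighter; if plaintext on `lan` is intended, a comment on the firewall block should say so, e.g. `# plain HTTP on lan only; TLS is terminated by the reverse proxy (see <proxy module>)`. The hard-coded `enableAdmin = false` also deserves a one-line comment since it silently gates both `adminTokenPath` and the `vaultwarden-admin-token` secret, e.g. `# admin panel deliberately off; if enabled, keep ADMIN_TOKEN as a hashed value in the sops secret`.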