mirror of
https://github.com/kittywitch/nixfiles.git
synced 2026-02-10 04:49:19 -08:00
77 lines
2.1 KiB
Nix
77 lines
2.1 KiB
Nix
{ config, pkgs, lib, tf, ... }: with lib;
|
|
|
|
{
|
|
kw.secrets.variables = mapListToAttrs (field:
|
|
nameValuePair "vaultwarden-${field}" {
|
|
path = "secrets/vaultwarden";
|
|
inherit field;
|
|
}) [ "password" "smtp" ];
|
|
|
|
secrets.files.vaultwarden-env = {
|
|
text = ''
|
|
ADMIN_TOKEN=${tf.variables.vaultwarden-password.ref}
|
|
SMTP_HOST=daiyousei.kittywit.ch
|
|
SMTP_FROM=vaultwarden@kittywit.ch
|
|
SMTP_FROM_NAME=Vaultwarden
|
|
SMTP_PORT=465
|
|
SMTP_SSL=true
|
|
SMTP_EXPLICIT_TLS=true
|
|
SMTP_USERNAME=vaultwarden@kittywit.ch
|
|
SMTP_PASSWORD=${tf.variables.vaultwarden-smtp.ref}
|
|
'';
|
|
owner = "bitwarden_rs";
|
|
group = "bitwarden_rs";
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
environmentFile = config.secrets.files.vaultwarden-env.path;
|
|
};
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ "bitwarden_rs" ];
|
|
ensureUsers = [{
|
|
name = "bitwarden_rs";
|
|
ensurePermissions = { "DATABASE bitwarden_rs" = "ALL PRIVILEGES"; };
|
|
}];
|
|
};
|
|
|
|
users.users.vaultwarden.name = "bitwarden_rs";
|
|
users.groups.vaultwarden.name = "bitwarden_rs";
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = "postgresql";
|
|
config = {
|
|
rocketPort = 4000;
|
|
websocketEnabled = true;
|
|
signupsAllowed = false;
|
|
domain = "https://vault.${config.network.dns.domain}";
|
|
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."vault.${config.network.dns.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations = {
|
|
"/" = {
|
|
proxyPass = "http://localhost:4000";
|
|
proxyWebsockets = true;
|
|
};
|
|
"/notifications/hub" = {
|
|
proxyPass = "http://localhost:3012";
|
|
proxyWebsockets = true;
|
|
};
|
|
"/notifications/hub/negotiate" = {
|
|
proxyPass = "http://localhost:4000";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
deploy.tf.dns.records.services_vaultwarden = {
|
|
inherit (config.network.dns) zone;
|
|
domain = "vault";
|
|
cname = { inherit (config.network.addresses.public) target; };
|
|
};
|
|
}
|