Christoph Heiss
b4c458e11a
All checks were successful
flake / build (push) Successful in 3m7s
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
66 lines
1.8 KiB
Nix
66 lines
1.8 KiB
Nix
{ config, lib, my, secrets, ... }:
|
|
|
|
let fqdn = "vault.${my.domain}";
|
|
in {
|
|
sops.secrets."vaultwarden/env" = {
|
|
sopsFile = ../secrets/sops/vaultwarden.yaml;
|
|
owner = "vaultwarden";
|
|
restartUnits = [ "vaultwarden.service" ];
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
environmentFile = secrets."vaultwarden/env".path;
|
|
dbBackend = "sqlite";
|
|
config = {
|
|
DOMAIN = "https://${fqdn}";
|
|
DATA_FOLDER = "/var/lib/vaultwarden";
|
|
SIGNUPS_ALLOWED = false;
|
|
INVITATIONS_ALLOWED = false;
|
|
SHOW_PASSWORD_HINT = false;
|
|
ROCKET_ADDRESS = "::1";
|
|
ROCKET_PORT = 8222;
|
|
ROCKET_WORKERS = 4; # more than enough
|
|
};
|
|
};
|
|
|
|
systemd.services.vaultwarden.serviceConfig.StateDirectory =
|
|
lib.mkForce "vaultwarden";
|
|
|
|
services.nginx.virtualHosts.${fqdn} =
|
|
let inherit (config.services.vaultwarden.config) ROCKET_ADDRESS ROCKET_PORT;
|
|
in {
|
|
forceSSL = true;
|
|
useACMEHost = my.domain;
|
|
kTLS = true;
|
|
locations."/" = {
|
|
proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
|
|
proxyWebsockets = true;
|
|
extraConfig = ''
|
|
client_max_body_size 256M;
|
|
'';
|
|
};
|
|
};
|
|
|
|
services.fail2ban.jails.vaultwarden =
|
|
lib.mkIf config.services.fail2ban.enable {
|
|
filter = {
|
|
INCLUDES.before = "common.conf";
|
|
Definition = {
|
|
failregex =
|
|
"^.*?Username or password is incorrect. Try again. IP: <ADDR>. Username:.*$";
|
|
ignoreregex = "";
|
|
};
|
|
};
|
|
settings = {
|
|
enabled = true;
|
|
backend = "systemd";
|
|
journalmatch = "_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden";
|
|
port = "http,https";
|
|
filter = "vaultwarden";
|
|
bantime = "48h";
|
|
findtime = "4h";
|
|
};
|
|
};
|
|
}
|