40 lines
1,009 B
Nix
40 lines
1,009 B
Nix
{ lib, my, secrets, ... }:
|
|
|
|
let fqdn = "vault.${my.domain}";
|
|
in {
|
|
sops.secrets."vaultwarden/env" = {
|
|
sopsFile = ../secrets/sops/vaultwarden.yaml;
|
|
owner = "vaultwarden";
|
|
restartUnits = [ "vaultwarden.service" ];
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
environmentFile = secrets."vaultwarden/env".path;
|
|
dbBackend = "postgresql";
|
|
config = {
|
|
DOMAIN = "https://${fqdn}";
|
|
DATA_FOLDER = "/var/lib/vaultwarden";
|
|
DATABASE_URL = "postgresql:///vaultwarden";
|
|
SIGNUPS_ALLOWED = false;
|
|
INVITATIONS_ALLOWED = false;
|
|
SHOW_PASSWORD_HINT = false;
|
|
ROCKET_ADDRESS = "::1";
|
|
ROCKET_PORT = 8222;
|
|
ROCKET_WORKERS = 4; # more than enough
|
|
};
|
|
};
|
|
|
|
systemd.services.vaultwarden.serviceConfig.StateDirectory =
|
|
lib.mkForce "vaultwarden";
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ "vaultwarden" ];
|
|
ensureUsers = [{
|
|
name = "vaultwarden";
|
|
ensureDBOwnership = true;
|
|
ensureClauses.login = true;
|
|
}];
|
|
};
|
|
}
|