DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
551d43c00eadc5b0167272d4832e425182ccdc10
cyper-nix/nixos/roles/vaultwarden.nix

73 lines
2.0 KiB
Nix
Raw Blame History

{
config,
pkgs,
lib,
...
}:
let
address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
ip = builtins.elemAt (lib.splitString "/" address) 0;
port = 8222;
in
{
services.vaultwarden = {
enable = true;
environmentFile = config.sops.secrets.vaultwarden_admin_token.path;
backupDir = "/var/local/vaultwarden/backup";
config = {
DOMAIN = "http://${ip}:${toString port}";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = true;
WEBSOCKET_ENABLED = true;
ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
};
};
sops.secrets.vaultwarden_admin_token = {
owner = "vaultwarden";
group = "vaultwarden";
};
networking.firewall.allowedTCPPorts = [ port ];
systemd.services.vaultwarden-backup-rotate = {
description = "Rotate old Vaultwarden backups";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
};
};
systemd.timers.vaultwarden-backup-rotate = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
# TODO: Remove for proper TLS Setup
systemd.services.vaultwarden-gen-cert = {
description = "Generate self-signed cert for Vaultwarden";
before = [ "vaultwarden.service" ];
wantedBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/vaultwarden/ssl
if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /var/lib/vaultwarden/ssl/key.pem \
-out /var/lib/vaultwarden/ssl/cert.pem \
-days 3650 \
-subj "/CN=${ip}" \
-addext "subjectAltName=IP:${ip}"
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
fi
'';
};
}
Reference in New Issue View Git Blame Copy Permalink