1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64 { secrets, pkgs, config, ... }:
{
dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];
age.secrets = {
resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;
vaultwardenSecrets = {
file = secrets."${config.networking.hostName}".vaultwardenSecrets;
owner = "vaultwarden";
group = "vaultwarden";
};
};
restic-backups.vaultwarden = {
user = "vaultwarden";
passwordFile = config.age.secrets.resticVaultwarden.path;
paths = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"];
};
systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];
services = {
vaultwarden = {
enable = true;
dbBackend = "sqlite";
backupDir = "/var/backups/vaultwarden";
environmentFile = config.age.secrets.vaultwardenSecrets.path;
config = {
DOMAIN = "https://vault.ctu.cx";
SIGNUPS_ALLOWED = false;
PUSH_ENABLED = true;
SMTP_HOST = "hector.ctu.cx";
SMTP_FROM = "vaultwarden@ctu.cx";
SMTP_USERNAME = "vaultwarden@ctu.cx";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
ROCKET_ADDRESS = "::1";
ROCKET_PORT = 8582;
};
};
nginx = {
enable = true;
virtualHosts."vault.ctu.cx" = {
useACMEHost = "${config.networking.fqdn}";
forceSSL = true;
kTLS = true;
locations = {
"/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
"/notifications/hub" = {
proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
proxyWebsockets = true;
};
};
};
};
};
}