# NixOS module for the Vaultwarden (Bitwarden-compatible) server on this host:
# PostgreSQL backend, secrets decrypted by agenix, and an Anubis instance that
# fronts the service.  Host-specific values (external URL, ports) are read from
# lib.py.data.services.vaultwarden.
{
  pkgs,
  config,
  lib,
  ...
}:
let

  # Per-host service data; this module reads d.extUrl, d.port and d.anubis.
  d = lib.py.data.services.vaultwarden;

  # Ownership shared by both age secrets below so the vaultwarden service user
  # can read the decrypted files.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    webVaultPackage = pkgs.vaultwarden-vault;
    # Keys here are translated by the NixOS module into Vaultwarden's
    # environment settings (e.g. rocketPort -> ROCKET_PORT).
    config = {
      # Web Server Settings
      domain = "https://${d.extUrl}";
      webVaultFolder = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault";
      # NOTE(review): binds all interfaces, while the Anubis instance at the
      # bottom of this file forwards to localhost:${d.port}.  If this port is
      # reachable from outside the host, a client can skip Anubis and -- since
      # ipHeader below is trusted -- supply its own X-Real-IP and so evade the
      # per-IP rate limits.  Confirm the firewall keeps the port host-local,
      # or consider binding to 127.0.0.1.
      rocketAddress = "0.0.0.0";
      rocketCliColors = false;
      rocketPort = d.port;
      websocketEnabled = true;
      # Client IP is taken from this header; only safe when requests arrive
      # through the reverse proxy that sets it.
      ipHeader = "X-Real-IP";
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";
      # Ratelimiting (per client IP as derived from ipHeader)
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      # Admin panel session length (presumably minutes -- verify against the
      # Vaultwarden docs for the deployed version).
      adminSessionLifetime = 10;

      # Logging
      useSyslog = true;
      logLevel = "info";
      extendedLogging = true;

      # Features
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # Invitations
      invitationsAllowed = true;
      invitationOrgName = "PyroNet Vault";
      invitationExpirationHours = 168;

      # Database
      # No credentials in the URL: the password is supplied via PGPASSFILE
      # (set on the systemd unit further down).
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # Signups
      # Open registration is off; the domain whitelist is the only path to
      # self-registration, and those accounts must verify their address.
      signupsAllowed = false;
      signupsVerify = true;
      signupsVerifyResendTime = 3600;
      signupsVerifyResendLimit = 5;
      signupsDomainWhitelist = "pyrox.dev";

      # Passwords
      # 1 Mil hash iterations by default (server-side KDF setting applied to
      # new accounts; existing users keep their own value -- assumption, confirm)
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      showPasswordHint = true;

      # Mail
      # Implicit TLS on 465; certificate and hostname validation stay enabled.
      # SMTP_PASSWORD is not set here and is expected to come from
      # environmentFile.
      smtpFrom = "vault@pyrox.dev";
      smtpFromName = "PyroNet Vault <vault@pyrox.dev>";
      smtpUsername = "vault@pyrox.dev";
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;
      smtpDebug = false;
      smtpAcceptInvalidCerts = false;
      smtpAcceptInvalidHostnames = false;

      # Authentication
      authenticatorDisableTimeDrift = false;
      disable2faRemember = false;
      incomplete2faTimeLimit = 5;
      # Email 2FA
      emailAttemptsLimit = 3;
      emailExpirationTime = 180;
      emailTokenSize = 7;
      # New devices must confirm via email before the login completes.
      requireDeviceEmail = true;

      # Icons
      disableIconDownload = false;
      # Icons are fetched by this server itself rather than a third-party
      # icon service.
      iconService = "internal";
      iconRedirectCode = 302;
      iconDownloadTimeout = 10;
      # Refuse icon fetches that resolve to private/loopback addresses (SSRF
      # mitigation for the outbound icon fetcher).  NOTE(review): newer
      # Vaultwarden releases renamed this setting; confirm the deployed
      # version still honours this name rather than ignoring it.
      iconBlacklistNonGlobalIps = true;
      # 30 Day TTL (seconds)
      iconCacheTtl = 30 * 24 * 60 * 60;
      iconCacheNegttl = 30 * 24 * 60 * 60;

      # Misc Settings
      trashAutoDeleteDays = 14;
    };
    # Remaining secrets (admin token, SMTP password -- presumably) are read
    # from the age-decrypted environment file at service start.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };
  # PostgreSQL password file for the service, kept out of databaseUrl.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
  environment.systemPackages = with pkgs; [ vaultwarden-vault ];
  # Both secrets inherit the owner/group from vaultwardenSecret.
  age.secrets.vaultwarden-vars = vaultwardenSecret // {
    file = ./secrets/vaultwarden-vars.age;
  };
  age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
    file = ./secrets/vaultwarden-pgpass.age;
  };
  # Anubis listens on d.anubis and forwards to the Vaultwarden port on
  # localhost; it is the intended public entry point for this service.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${pkgs.py.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}