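# NixOS module for the Vaultwarden (Bitwarden-compatible) server on this host:
# PostgreSQL backend, SMTP mail, agenix-managed secrets, and an Anubis instance
# fronting the service.
{
  pkgs,
  config,
  self,
  self',
  ...
}:
let
  # Per-host service data shared through the flake: external URL (`extUrl`),
  # the service listen port (`port`) and the Anubis listen port (`anubis`).
  d = self.lib.data.services.vaultwarden;

  # Ownership applied to every agenix secret this module declares, so the
  # vaultwarden service user can read the decrypted files.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };

  # Builds an agenix secret declaration for `file` with the ownership above.
  mkSecret = file: vaultwardenSecret // { inherit file; };

  # 30 days in seconds; used for both icon cache TTLs.
  thirtyDays = 30 * 24 * 60 * 60;
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    config = {
      # Web Server Settings
      domain = "https://${d.extUrl}";
      # NOTE(review): binds on every interface while `ipHeader` below makes the
      # service trust X-Real-IP for the client address. That header is only
      # trustworthy if clients can reach this port solely through the proxy
      # (Anubis targets it over localhost); confirm the host firewall blocks
      # direct access, or bind to 127.0.0.1 if nothing else needs the port.
      rocketAddress = "0.0.0.0";
      rocketCliColors = false;
      rocketPort = d.port;
      websocketEnabled = true;
      # Client address is taken from this proxy-supplied header; presumably it
      # is what the rate limiters below key on — verify against upstream docs.
      ipHeader = "X-Real-IP";
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";
      # # Ratelimiting
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      # Admin panel sessions expire after this many minutes (assumed unit — TODO confirm).
      adminSessionLifetime = 10;

      # Logging
      useSyslog = true;
      logLevel = "info";
      extendedLogging = true;

      # Features
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # Invitations
      invitationsAllowed = true;
      invitationOrgName = "PyroNet Vault";
      # One week.
      invitationExpirationHours = 168;

      # Database
      # No credentials in the URL: the password is supplied through PGPASSFILE
      # (see the systemd environment below).
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # Signups
      # Open registration is off, but per upstream the domain whitelist below
      # still admits new accounts whose e-mail is on the listed domain; those
      # must verify their address first.
      signupsAllowed = false;
      signupsVerify = true;
      signupsVerifyResendTime = 3600;
      signupsVerifyResendLimit = 5;
      signupsDomainWhitelist = "pyrox.dev";

      # Passwords
      # # 1 Mil hash iterations by default
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      showPasswordHint = true;

      # Mail
      smtpFrom = "vault@pyrox.dev";
      # Display name only: vaultwarden composes the From header as
      # "<smtpFromName> <smtpFrom>", so repeating the address here produced a
      # doubled, malformed-looking sender.
      smtpFromName = "PyroNet Vault";
      smtpUsername = "vault@pyrox.dev";
      # Implicit TLS on 465; the SMTP password is expected to come from the
      # environment file below, not from this module.
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;
      smtpDebug = false;
      # Keep certificate and hostname verification on for the mail connection.
      smtpAcceptInvalidCerts = false;
      smtpAcceptInvalidHostnames = false;

      # Authentication
      authenticatorDisableTimeDrift = false;
      disable2faRemember = false;
      incomplete2faTimeLimit = 5;
      # # Email 2FA
      emailAttemptsLimit = 3;
      emailExpirationTime = 180;
      emailTokenSize = 7;
      requireDeviceEmail = true;

      # Icons
      disableIconDownload = false;
      iconService = "internal";
      iconRedirectCode = 302;
      iconDownloadTimeout = 10;
      # The icon fetcher refuses non-global (private/loopback) addresses — the
      # SSRF guard for the internal icon service; leave enabled.
      iconBlacklistNonGlobalIps = true;
      # # 30 Day TTL
      iconCacheTtl = thirtyDays;
      iconCacheNegttl = thirtyDays;

      # Misc Settings
      trashAutoDeleteDays = 14;
    };
    # Secret environment variables (presumably admin token, SMTP password and
    # similar) live in the agenix-managed file rather than in this module.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };

  # libpq reads the PostgreSQL password from this agenix-provided pgpass file.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
  age.secrets.vaultwarden-vars = mkSecret ./secrets/vaultwarden-vars.age;
  age.secrets.vaultwarden-pgpass = mkSecret ./secrets/vaultwarden-pgpass.age;

  # Anubis sits in front of vaultwarden: it listens on `d.anubis` and proxies
  # to the service's localhost port, using the policy file shipped in the
  # flake's anubis-files package.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}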