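# Vaultwarden service module.
#
# Runs Vaultwarden against a local PostgreSQL database and publishes it through
# an Anubis instance that proxies to the Rocket listener over loopback. The two
# secrets this module needs (the environment file and the libpq password file)
# are provided by agenix and owned by the service user.
{
  pkgs,
  config,
  self,
  self',
  ...
}:
let
  # Per-service data shared with the rest of the flake: external URL and the
  # port numbers used for Rocket (`port`) and Anubis (`anubis`).
  d = self.lib.data.services.vaultwarden;

  # Ownership applied to every agenix secret declared below, so only the
  # vaultwarden service account can read the decrypted files.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    webVaultPackage = pkgs.vaultwarden-vault;
    config = {
      # Web Server Settings
      domain = "https://${d.extUrl}";
      webVaultFolder = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault";
      # The only consumer of the Rocket listener is the local Anubis instance
      # (see TARGET below), so bind to loopback rather than every interface.
      # Binding to 0.0.0.0 would let the port be reached while bypassing
      # Anubis, and because ipHeader trusts X-Real-IP for rate limiting, a
      # direct connection could supply a spoofed client address.
      rocketAddress = "127.0.0.1";
      rocketCliColors = false;
      rocketPort = d.port;
      websocketEnabled = true;
      # Client IP is taken from this header; it is only meaningful when set by
      # the proxy chain in front, which the loopback bind above relies on.
      ipHeader = "X-Real-IP";
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";

      # Ratelimiting (window in seconds / burst per window)
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      # Admin panel session lifetime, in minutes.
      adminSessionLifetime = 10;

      # Logging
      useSyslog = true;
      logLevel = "info";
      extendedLogging = true;

      # Features
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # Invitations
      invitationsAllowed = true;
      invitationOrgName = "PyroNet Vault";
      invitationExpirationHours = 168;

      # Database
      # No credentials in the URL: the password comes from the pgpass file
      # handed to the unit via PGPASSFILE below (presumably read by libpq;
      # confirm against the installed diesel/libpq build).
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # Signups
      # Open signups are disabled, but Vaultwarden still accepts signups for
      # addresses on the whitelisted domain; those must verify their e-mail.
      signupsAllowed = false;
      signupsVerify = true;
      signupsVerifyResendTime = 3600;
      signupsVerifyResendLimit = 5;
      signupsDomainWhitelist = "pyrox.dev";

      # Passwords
      # 1 Mil hash iterations by default
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      # NOTE(review): showPasswordHint displays the hint in the login UI to
      # anyone who enters the e-mail address. With SMTP configured the hint is
      # also mailed to the account owner, so this can be turned off without
      # losing the feature — confirm before changing.
      showPasswordHint = true;

      # Mail
      smtpFrom = "vault@pyrox.dev";
      smtpFromName = "PyroNet Vault <vault@pyrox.dev>";
      smtpUsername = "vault@pyrox.dev";
      # Implicit TLS on 465; certificate and hostname validation stay enabled.
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;
      smtpDebug = false;
      smtpAcceptInvalidCerts = false;
      smtpAcceptInvalidHostnames = false;

      # Authentication
      authenticatorDisableTimeDrift = false;
      disable2faRemember = false;
      incomplete2faTimeLimit = 5;
      # Email 2FA
      emailAttemptsLimit = 3;
      emailExpirationTime = 180;
      emailTokenSize = 7;
      requireDeviceEmail = true;

      # Icons
      disableIconDownload = false;
      iconService = "internal";
      iconRedirectCode = 302;
      iconDownloadTimeout = 10;
      # Refuse icon fetches that resolve to private/loopback ranges (SSRF guard).
      # Newer releases may expose this under a different option name; verify
      # against the installed Vaultwarden version.
      iconBlacklistNonGlobalIps = true;
      # 30 Day TTL
      iconCacheTtl = 30 * 24 * 60 * 60;
      iconCacheNegttl = 30 * 24 * 60 * 60;

      # Misc Settings
      trashAutoDeleteDays = 14;
    };
    # Remaining secret-bearing settings (contents not visible here — TODO confirm
    # what it carries) are loaded from the agenix-managed environment file.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };
  # Point the unit at the decrypted pgpass file so the database password never
  # appears in the Nix store or the unit definition.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
  environment.systemPackages = with pkgs; [ vaultwarden-vault ];
  age.secrets.vaultwarden-vars = vaultwardenSecret // {
    file = ./secrets/vaultwarden-vars.age;
  };
  age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
    file = ./secrets/vaultwarden-pgpass.age;
  };
  # Anubis fronts Vaultwarden on its own port and forwards accepted requests
  # to the Rocket listener over loopback.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}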