My Nix Configuration
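{
  config,
  self,
  self',
  ...
}:
let
  # Per-host service data (external URL and the two local ports) shared across the flake.
  d = self.lib.data.services.vaultwarden;

  # Ownership applied to every age-decrypted secret below, so only the service
  # account can read the decrypted files.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    config = {
      # Web Server Settings
      domain = "https://${d.extUrl}";
      # Listen on loopback only. The anubis instance configured below proxies
      # to http://localhost:<d.port>, so nothing else needs to reach this port
      # directly. Listening on 0.0.0.0 would let a direct connection bypass
      # anubis entirely and supply its own X-Real-IP, defeating the login and
      # admin rate limits that key on that header. Anything that still needs
      # direct access should go through anubis instead of reverting this.
      rocketAddress = "127.0.0.1";
      rocketCliColors = false;
      rocketPort = d.port;
      websocketEnabled = true;
      # Client IP is taken from this header; it is only trustworthy while the
      # port is loopback-only and the proxy in front overwrites it.
      # NOTE(review): assumes anubis (or the proxy ahead of it) sets X-Real-IP
      # from the real peer address — confirm against the anubis policy/proxy config.
      ipHeader = "X-Real-IP";
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";
      # # Ratelimiting
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      adminSessionLifetime = 10;

      # Logging
      useSyslog = true;
      logLevel = "info";
      extendedLogging = true;

      # Features
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # Invitations
      invitationsAllowed = true;
      invitationOrgName = "PyroNet Vault";
      invitationExpirationHours = 168;

      # Database
      # No credentials in the URL: the password is supplied through PGPASSFILE
      # (see the systemd environment override below).
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # Signups
      # Open registration is off, but the domain whitelist below still permits
      # self-signup for addresses under that domain (with mail verification
      # required), so this is "invite-only except for pyrox.dev", not fully closed.
      signupsAllowed = false;
      signupsVerify = true;
      signupsVerifyResendTime = 3600;
      signupsVerifyResendLimit = 5;
      signupsDomainWhitelist = "pyrox.dev";

      # Passwords
      # # 1 Mil hash iterations by default
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      # NOTE(review): with SMTP configured, hints are expected to be mailed
      # rather than rendered in the page; if mail delivery is ever removed,
      # this flag would expose hints to anyone who can enter an address — verify
      # and consider setting it to false.
      showPasswordHint = true;

      # Mail
      smtpFrom = "vault@pyrox.dev";
      # Display name only; the address comes from smtpFrom. Embedding the
      # address here as well produced a doubled/malformed From header.
      smtpFromName = "PyroNet Vault";
      smtpUsername = "vault@pyrox.dev";
      # Implicit TLS on 465 with strict certificate and hostname checks; the
      # SMTP password is not set here and is expected from environmentFile.
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;
      smtpDebug = false;
      smtpAcceptInvalidCerts = false;
      smtpAcceptInvalidHostnames = false;

      # Authentication
      authenticatorDisableTimeDrift = false;
      disable2faRemember = false;
      incomplete2faTimeLimit = 5;
      # # Email 2FA
      emailAttemptsLimit = 3;
      emailExpirationTime = 180;
      emailTokenSize = 7;
      requireDeviceEmail = true;

      # Icons
      disableIconDownload = false;
      iconService = "internal";
      iconRedirectCode = 302;
      iconDownloadTimeout = 10;
      # Refuse icon fetches to private/link-local ranges so the icon fetcher
      # cannot be pointed at internal services (SSRF).
      iconBlacklistNonGlobalIps = true;
      # # 30 Day TTL
      iconCacheTtl = 30 * 24 * 60 * 60;
      iconCacheNegttl = 30 * 24 * 60 * 60;

      # Misc Settings
      trashAutoDeleteDays = 14;
    };
    # Secrets that must not appear in the Nix store (e.g. ADMIN_TOKEN, SMTP
    # password) are expected to live in this age-encrypted env file.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };
  # libpq-style password file for the databaseUrl above, decrypted by agenix.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
  age.secrets.vaultwarden-vars = vaultwardenSecret // {
    file = ./secrets/vaultwarden-vars.age;
  };
  age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
    file = ./secrets/vaultwarden-pgpass.age;
  };
  # Anubis fronts vaultwarden: it listens on d.anubis and forwards to the
  # loopback-only vaultwarden port. Its bind is on all interfaces, so it (not
  # vaultwarden) is the intended externally reachable endpoint.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}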