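# NixOS module for the Vaultwarden password-manager server, fronted by an
# Anubis instance on the same host.  Everything secret (env file, DB password)
# is supplied through agenix; `d` carries the host/port data that the rest of
# the flake shares for this service.
{
  config,
  self,
  self',
  ...
}:
let
  # Per-service data defined elsewhere in the flake: extUrl, port, anubis.
  d = self.lib.data.services.vaultwarden;

  # Ownership applied to every age secret declared below, so the unprivileged
  # service user can read them.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # The NixOS module turns each camelCase key into Vaultwarden's
    # UPPER_SNAKE_CASE environment variable.  Vaultwarden ignores variables it
    # does not know, so a misspelled key fails silently rather than loudly.
    config = {
      # Web Server Settings
      domain = "https://${d.extUrl}";
      # NOTE(review): Anubis (below) forwards to the backend on localhost; if no
      # other client needs the backend over the network, "127.0.0.1" would keep
      # it from being reached directly, bypassing the Anubis policy — confirm.
      rocketAddress = "0.0.0.0";
      rocketCliColors = false;
      rocketPort = d.port;
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";

      # Rate limiting
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      adminSessionLifetime = 10;

      # Logging
      useSyslog = true;
      extendedLogging = true;

      # Features
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # Invitations
      invitationsAllowed = true;
      invitationOrgName = "dishNet Vault";
      invitationExpirationHours = 168;

      # Database
      # No credentials in the URL: the password comes from PGPASSFILE (set on
      # the systemd unit below), so it never lands in the Nix store.
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # Signups
      # Open registration is off; only addresses under the whitelisted domain
      # may self-register, and they must verify by email first.
      signupsAllowed = false;
      signupsVerify = true;
      # Vaultwarden's variable is SIGNUPS_DOMAINS_WHITELIST (plural "domains").
      # The earlier key `signupsDomainWhitelist` produced an unknown variable
      # that Vaultwarden ignored, so the domain allowance never took effect.
      signupsDomainsWhitelist = "pyrox.dev";

      # Passwords
      # 1 Mil hash iterations by default
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      # Hints are delivered by email (SMTP is configured below) instead of being
      # shown on the login page, where anyone who knows an account's address
      # could read them.
      showPasswordHint = false;

      # Mail
      smtpFrom = "vault@pyrox.dev";
      smtpFromName = "dishNet Vault <vault@pyrox.dev>";
      smtpUsername = "vault@pyrox.dev";
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;

      # Authentication
      # NOTE(review): this key has a digit inside the camelCase name — confirm
      # the generated variable is INCOMPLETE_2FA_TIME_LIMIT.
      incomplete2faTimeLimit = 5;
      # Email 2FA
      emailExpirationTime = 180;
      emailTokenSize = 7;
      requireDeviceEmail = true;

      # Misc Settings
      trashAutoDeleteDays = 14;
    };
    # Values that must stay out of the store (presumably the SMTP password and
    # admin token, since neither appears above) come from an agenix env file.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };
  # libpq reads the database password from PGPASSFILE, which is why the
  # databaseUrl above carries no credentials.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
  age.secrets.vaultwarden-vars = vaultwardenSecret // {
    file = ./secrets/vaultwarden-vars.age;
  };
  age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
    file = ./secrets/vaultwarden-pgpass.age;
  };
  # Anubis sits in front of Vaultwarden: it listens on d.anubis, applies the
  # policy shipped in the anubis-files package and forwards to the backend on
  # localhost.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}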