nixos-config/services/vaultwarden.nix

141 lines
3.4 KiB
Nix
Raw Permalink Normal View History

2022-04-10 11:54:58 +02:00
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
2022-01-11 16:08:21 +01:00
mkEnableOption
mkIf
mkOption
2022-04-10 11:54:58 +02:00
;
2022-01-11 16:08:21 +01:00
cfg = config.my.services.vaultwarden;
2021-01-31 00:31:43 +01:00
my = config.my;
domain = config.networking.domain;
hostname = config.networking.hostName;
fqdn = "${hostname}.${domain}";
2021-01-31 00:31:43 +01:00
in {
2022-04-10 11:54:58 +02:00
options.my.services.vaultwarden = let
inherit (lib) types;
in {
enable = mkEnableOption "Vaultwarden";
2021-01-31 00:31:43 +01:00
privatePort = mkOption {
2021-02-02 18:24:28 +01:00
type = types.port;
2021-01-31 00:31:43 +01:00
default = 8081;
example = 8081;
description = "Port used internally for rocket server";
};
websocketPort = mkOption {
2021-02-02 18:24:28 +01:00
type = types.port;
2021-01-31 00:31:43 +01:00
default = 3012;
example = 3012;
description = "Port used for websocket connections";
};
};
config = mkIf cfg.enable {
services.postgresql = {
enable = true;
ensureDatabases = ["vaultwarden"];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
2021-01-31 00:31:43 +01:00
};
2021-03-23 22:24:12 +01:00
services.postgresqlBackup = {
2022-04-10 11:54:58 +02:00
databases = ["vaultwarden"];
2021-01-31 00:31:43 +01:00
};
services.vaultwarden = {
2021-01-31 00:31:43 +01:00
enable = true;
dbBackend = "postgresql";
config = {
TZ = "Europe/Paris";
WEB_VAULT_ENABLED = true;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "127.0.0.1";
2021-01-31 00:31:43 +01:00
WEBSOCKET_PORT = cfg.websocketPort;
ROCKET_ADDRESS = "127.0.0.1";
2021-01-31 00:31:43 +01:00
ROCKET_PORT = cfg.privatePort;
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = false;
DOMAIN = "https://pass.${domain}";
# FIXME: should be renamed to vaultwarden eventually
DATABASE_URL = "postgresql://vaultwarden@/vaultwarden";
2021-01-31 00:31:43 +01:00
};
};
services.nginx = {
virtualHosts = {
"pass.${domain}" = {
forceSSL = true;
useACMEHost = fqdn;
2021-01-31 00:31:43 +01:00
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:${toString cfg.websocketPort}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
proxyWebsockets = true;
};
};
};
};
security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];
# FIXME: should be renamed to vaultwarden eventually
my.services.restic-backup = mkIf cfg.enable {
2022-04-10 11:54:58 +02:00
paths = ["/var/lib/bitwarden_rs"];
exclude = ["/var/lib/bitwarden_rs/icon_cache"];
};
2021-02-22 15:56:01 +01:00
services.fail2ban.jails = {
vaultwarden = ''
2021-02-22 15:56:01 +01:00
enabled = true
filter = vaultwarden
2021-02-22 15:56:01 +01:00
port = http,https
maxretry = 5
'';
# Admin page isn't enabled by default, but just in case...
vaultwarden-admin = ''
2021-02-22 15:56:01 +01:00
enabled = true
filter = vaultwarden-admin
2021-02-22 15:56:01 +01:00
port = http,https
maxretry = 2
'';
};
environment.etc = {
"fail2ban/filter.d/vaultwarden.conf".text = ''
2021-02-22 15:56:01 +01:00
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
2021-02-22 15:56:01 +01:00
'';
"fail2ban/filter.d/vaultwarden-admin.conf".text = ''
2021-02-22 15:56:01 +01:00
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
2021-02-22 15:56:01 +01:00
'';
};
2021-01-31 00:31:43 +01:00
};
}