2022-04-10 11:54:58 +02:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
lib,
|
|
|
|
pkgs,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
inherit
|
|
|
|
(lib)
|
2022-01-11 16:08:21 +01:00
|
|
|
mkEnableOption
|
|
|
|
mkIf
|
|
|
|
mkOption
|
2022-04-10 11:54:58 +02:00
|
|
|
;
|
2022-01-11 16:08:21 +01:00
|
|
|
|
2021-08-20 00:59:28 +02:00
|
|
|
cfg = config.my.services.vaultwarden;
|
2021-01-31 00:31:43 +01:00
|
|
|
my = config.my;
|
|
|
|
|
|
|
|
domain = config.networking.domain;
|
2022-06-12 17:18:58 +02:00
|
|
|
hostname = config.networking.hostName;
|
|
|
|
fqdn = "${hostname}.${domain}";
|
2021-01-31 00:31:43 +01:00
|
|
|
in {
|
2022-04-10 11:54:58 +02:00
|
|
|
options.my.services.vaultwarden = let
|
|
|
|
inherit (lib) types;
|
|
|
|
in {
|
2021-08-20 00:59:28 +02:00
|
|
|
enable = mkEnableOption "Vaultwarden";
|
2021-01-31 00:31:43 +01:00
|
|
|
|
|
|
|
privatePort = mkOption {
|
2021-02-02 18:24:28 +01:00
|
|
|
type = types.port;
|
2021-01-31 00:31:43 +01:00
|
|
|
default = 8081;
|
|
|
|
example = 8081;
|
|
|
|
description = "Port used internally for rocket server";
|
|
|
|
};
|
|
|
|
|
|
|
|
websocketPort = mkOption {
|
2021-02-02 18:24:28 +01:00
|
|
|
type = types.port;
|
2021-01-31 00:31:43 +01:00
|
|
|
default = 3012;
|
|
|
|
example = 3012;
|
|
|
|
description = "Port used for websocket connections";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
2023-11-15 10:56:04 +01:00
|
|
|
|
|
|
|
ensureDatabases = ["vaultwarden"];
|
|
|
|
ensureUsers = [
|
|
|
|
{
|
|
|
|
name = "vaultwarden";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE vaultwarden" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
}
|
|
|
|
];
|
2021-01-31 00:31:43 +01:00
|
|
|
};
|
|
|
|
|
2021-03-23 22:24:12 +01:00
|
|
|
services.postgresqlBackup = {
|
2022-04-10 11:54:58 +02:00
|
|
|
databases = ["vaultwarden"];
|
2021-01-31 00:31:43 +01:00
|
|
|
};
|
|
|
|
|
2021-08-20 00:59:28 +02:00
|
|
|
services.vaultwarden = {
|
2021-01-31 00:31:43 +01:00
|
|
|
enable = true;
|
|
|
|
dbBackend = "postgresql";
|
|
|
|
config = {
|
|
|
|
TZ = "Europe/Paris";
|
|
|
|
WEB_VAULT_ENABLED = true;
|
|
|
|
WEBSOCKET_ENABLED = true;
|
2021-07-13 13:34:26 +02:00
|
|
|
WEBSOCKET_ADDRESS = "127.0.0.1";
|
2021-01-31 00:31:43 +01:00
|
|
|
WEBSOCKET_PORT = cfg.websocketPort;
|
2021-07-13 13:34:26 +02:00
|
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
2021-01-31 00:31:43 +01:00
|
|
|
ROCKET_PORT = cfg.privatePort;
|
|
|
|
SIGNUPS_ALLOWED = false;
|
|
|
|
INVITATIONS_ALLOWED = false;
|
|
|
|
DOMAIN = "https://pass.${domain}";
|
2021-08-20 00:59:28 +02:00
|
|
|
# FIXME: should be renamed to vaultwarden eventually
|
|
|
|
DATABASE_URL = "postgresql://vaultwarden@/vaultwarden";
|
2021-01-31 00:31:43 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx = {
|
|
|
|
virtualHosts = {
|
|
|
|
"pass.${domain}" = {
|
|
|
|
forceSSL = true;
|
2022-06-12 17:18:58 +02:00
|
|
|
useACMEHost = fqdn;
|
2021-01-31 00:31:43 +01:00
|
|
|
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
locations."/notifications/hub" = {
|
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.websocketPort}";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
locations."/notifications/hub/negotiate" = {
|
|
|
|
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2022-06-12 17:18:58 +02:00
|
|
|
security.acme.certs.${fqdn}.extraDomainNames = ["pass.${domain}"];
|
|
|
|
|
2021-08-20 00:59:28 +02:00
|
|
|
# FIXME: should be renamed to vaultwarden eventually
|
2021-08-09 20:19:27 +02:00
|
|
|
my.services.restic-backup = mkIf cfg.enable {
|
2022-04-10 11:54:58 +02:00
|
|
|
paths = ["/var/lib/bitwarden_rs"];
|
|
|
|
exclude = ["/var/lib/bitwarden_rs/icon_cache"];
|
2021-01-31 13:00:04 +01:00
|
|
|
};
|
2021-02-22 15:56:01 +01:00
|
|
|
|
|
|
|
services.fail2ban.jails = {
|
2021-08-20 00:59:28 +02:00
|
|
|
vaultwarden = ''
|
2021-02-22 15:56:01 +01:00
|
|
|
enabled = true
|
2021-08-20 00:59:28 +02:00
|
|
|
filter = vaultwarden
|
2021-02-22 15:56:01 +01:00
|
|
|
port = http,https
|
|
|
|
maxretry = 5
|
|
|
|
'';
|
|
|
|
|
|
|
|
# Admin page isn't enabled by default, but just in case...
|
2021-08-20 00:59:28 +02:00
|
|
|
vaultwarden-admin = ''
|
2021-02-22 15:56:01 +01:00
|
|
|
enabled = true
|
2021-08-20 00:59:28 +02:00
|
|
|
filter = vaultwarden-admin
|
2021-02-22 15:56:01 +01:00
|
|
|
port = http,https
|
|
|
|
maxretry = 2
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
environment.etc = {
|
2021-08-20 00:59:28 +02:00
|
|
|
"fail2ban/filter.d/vaultwarden.conf".text = ''
|
2021-02-22 15:56:01 +01:00
|
|
|
[Definition]
|
|
|
|
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
|
|
|
|
ignoreregex =
|
2021-08-20 00:59:28 +02:00
|
|
|
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
|
2021-02-22 15:56:01 +01:00
|
|
|
'';
|
|
|
|
|
2021-08-20 00:59:28 +02:00
|
|
|
"fail2ban/filter.d/vaultwarden-admin.conf".text = ''
|
2021-02-22 15:56:01 +01:00
|
|
|
[Definition]
|
|
|
|
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
|
|
|
|
ignoreregex =
|
2021-08-20 00:59:28 +02:00
|
|
|
journalmatch = _SYSTEMD_UNIT=vaultwarden.service
|
2021-02-22 15:56:01 +01:00
|
|
|
'';
|
|
|
|
};
|
2021-01-31 00:31:43 +01:00
|
|
|
};
|
|
|
|
}
|