nixos-config/services/bitwarden_rs.nix

98 lines
2.4 KiB
Nix

{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.my.services.bitwarden_rs;
my = config.my;
domain = config.networking.domain;
in {
options.my.services.bitwarden_rs = {
enable = mkEnableOption "Bitwarden";
privatePort = mkOption {
type = types.int;
default = 8081;
example = 8081;
description = "Port used internally for rocket server";
};
websocketPort = mkOption {
type = types.int;
default = 3012;
example = 3012;
description = "Port used for websocket connections";
};
};
config = mkIf cfg.enable {
services.postgresql = {
enable = true;
initialScript = pkgs.writeText "bitwarden_rs-init.sql" ''
CREATE ROLE "bitwarden_rs" WITH LOGIN;
CREATE DATABASE "bitwarden_rs" WITH OWNER "bitwarden_rs";
'';
};
services.postgresqlBackup = mkIf my.services.postgresql-backup.enable {
databases = [ "bitwarden_rs" ];
};
services.bitwarden_rs = {
enable = true;
dbBackend = "postgresql";
config = {
TZ = "Europe/Paris";
WEB_VAULT_ENABLED = true;
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = cfg.websocketPort;
ROCKET_PORT = cfg.privatePort;
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = false;
DOMAIN = "https://pass.${domain}";
DATABASE_URL = "postgresql://bitwarden_rs@/bitwarden_rs";
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
virtualHosts = {
"pass.${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:${toString cfg.websocketPort}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
proxyWebsockets = true;
};
};
};
};
systemd.services.matrix-synapse = {
after = [ "postgresql.service" ];
};
# needed for bitwarden to find files to serve for the vault
environment.systemPackages = with pkgs; [
bitwarden_rs-vault
];
};
}