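{
  hosts ? [ ],
}:

{ flakeLib, ... }:

let
  # Vaultwarden does not actually accept a unix socket for ROCKET_ADDRESS (see
  # the note on that setting below); the path is kept only for reference.
  socket = "/run/vaultwarden/vaultwarden.sock";

  # Port the vaultwarden HTTP listener binds to. When ROCKET_PORT is unset,
  # vaultwarden falls back to Rocket's default of 8000 (outside the Docker
  # image); it is set explicitly here so the Caddy upstream at the bottom of
  # this file cannot silently drift away from the listener.
  port = 8000;
in
{
  imports = [
    ../databases/postgresql.nix
  ];

  # Provision the database role and database; ensureDBOwnership makes the role
  # the owner of the database of the same name so no password is needed over
  # the local socket.
  services.postgresql = {
    ensureUsers = [
      {
        name = "vaultwarden";
        ensureDBOwnership = true;
      }
    ];

    ensureDatabases = [ "vaultwarden" ];
  };

  services.vaultwarden = {
    enable = true;

    dbBackend = "postgresql";

    config = {
      # Fetch site icons from this server rather than redirecting clients to a
      # third-party icon service. NOTE(review): as I read the upstream docs,
      # ICON_REDIRECT_CODE is only used with an external ICON_SERVICE URL, so
      # it is likely inert here -- confirm before relying on it.
      ICON_SERVICE = "internal";
      ICON_REDIRECT_CODE = 301;

      # New accounts must verify their e-mail address and each new device must
      # be confirmed by e-mail. Both depend on working SMTP settings, which are
      # not in this file -- presumably supplied elsewhere (e.g. an environment
      # file); verify against the rest of the configuration.
      SIGNUPS_VERIFY = true;
      REQUIRE_DEVICE_EMAIL = true;
      SMTP_EMBED_IMAGES = false;

      # Reduce the account-recovery surface: no emergency-access grants, no
      # password hints, and TOTP codes must match the current time window only.
      EMERGENCY_ACCESS_ALLOWED = false;
      PASSWORD_HINTS_ALLOWED = false;
      AUTHENTICATOR_DISABLE_TIME_DRIFT = true;

      # Closed registration: accounts can only be created through an invite.
      INVITATIONS_ALLOWED = true;
      SIGNUPS_ALLOWED = false;

      # Items in the trash are purged after this many days.
      TRASH_AUTO_DELETE_DAYS = 7;

      # Per-user attachment quota. Upstream documents this value in KB, so
      # 51200 is 50 MiB -- confirm against the vaultwarden version deployed.
      USER_ATTACHMENT_LIMIT = 51200;

      # TODO: look into websockets
      # TODO: look into push
      # TODO: HaveIBeenPwned API Key

      EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,simple-login-self-host-alias";

      # NOTE(review): extended logging is what adds timestamps and targets to
      # log lines; if failed-login entries feed a log-based lockout (e.g. a
      # fail2ban jail), confirm they still carry what is needed with this off.
      EXTENDED_LOGGING = false;

      # Bind to loopback only; Caddy below is the sole externally reachable
      # entry point. "unix:${socket}" is supposedly supported as the address,
      # but in practice it is not, hence the TCP listener.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      # Connect over the local postgres socket as the peer-authenticated
      # vaultwarden role created above; no credentials are embedded in the URL.
      DATABASE_URL = "postgresql:///vaultwarden?host=/run/postgresql";
    };
  };

  # Caddy reverse proxy configuration. mkProxies is a project helper (defined
  # outside this file); the upstream is the loopback listener configured above.
  services.caddy.virtualHosts = flakeLib.mkProxies hosts ''
    reverse_proxy :${toString port} # unix/${socket}
  '';
}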