working vaultwarden

haven't tested websockets
Noah Masur 2022-10-16 18:10:11 +00:00
parent 7bca2775d1
commit 6f67e31723
3 changed files with 45 additions and 4 deletions


@ -22,6 +22,7 @@ nixpkgs.lib.nixosSystem {
nextcloudServer = "cloud.masu.rs"; nextcloudServer = "cloud.masu.rs";
transmissionServer = "download.masu.rs"; transmissionServer = "download.masu.rs";
metricsServer = "metrics.masu.rs"; metricsServer = "metrics.masu.rs";
vaultwardenServer = "vault.masu.rs";
# Disable passwords, only use SSH key # Disable passwords, only use SSH key
passwordHash = null; passwordHash = null;
@ -80,6 +81,7 @@ nixpkgs.lib.nixosSystem {
../../modules/services/cloudflare.nix ../../modules/services/cloudflare.nix
../../modules/services/transmission.nix ../../modules/services/transmission.nix
../../modules/services/prometheus.nix ../../modules/services/prometheus.nix
../../modules/services/vaultwarden.nix
../../modules/gaming/minecraft-server.nix ../../modules/gaming/minecraft-server.nix
]; ];
} }


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { { config, lib, ... }: {
options = { options = {
@ -13,12 +13,40 @@
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
config = { config = {
DOMAIN = config.vaultwardenServer; DOMAIN = "https://${config.vaultwardenServer}";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true;
WEB_VAULT_ENABLED = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
LOGIN_RATELIMIT_SECONDS = 60;
LOGIN_RATELIMIT_MAX_BURST = 10;
ADMIN_RATELIMIT_SECONDS = 300;
ADMIN_RATELIMIT_MAX_BURST = 3;
}; };
environmentFile = null; environmentFile = config.secrets.vaultwarden.dest;
dbBackend = "sqlite"; dbBackend = "sqlite";
}; };
secrets.vaultwarden = {
source = ../../private/vaultwarden.age;
dest = "${config.secretsDirectory}/vaultwarden";
owner = "vaultwarden";
group = "vaultwarden";
}; };
networking.firewall.allowedTCPPorts = [ 3012 ];
caddyRoutes = [{
match = [{ host = [ config.vaultwardenServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:8222"; }];
}];
}];
} }
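Review bot: `WEBSOCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ 3012 ]` binds the notification listener to every interface and opens it in the firewall, so it is reachable directly, without TLS and without passing through the Caddy route that fronts port 8222. Since Caddy runs on the same host, the listener can bind to `127.0.0.1` like `ROCKET_ADDRESS`, the firewall line can be dropped, and a second route matching the path `/notifications/hub` can proxy to `localhost:3012`. The `/notifications/hub/negotiate` request should stay on 8222, which an exact path match preserves. How `caddyRoutes` orders its entries is defined outside this hunk, so confirm the path-specific route is evaluated before the host-only one. The module's `options` block also lies outside the hunks shown.

```nix
WEBSOCKET_ADDRESS = "127.0.0.1";
# … unchanged: remaining services.vaultwarden settings and secrets.vaultwarden …
# networking.firewall.allowedTCPPorts = [ 3012 ]; is removed
caddyRoutes = [
  {
    match = [{
      host = [ config.vaultwardenServer ];
      path = [ "/notifications/hub" ];
    }];
    handle = [{
      handler = "reverse_proxy";
      upstreams = [{ dial = "localhost:3012"; }];
    }];
  }
  # … unchanged: existing host-only route to localhost:8222 …
];
```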

11
private/vaultwarden.age Normal file

@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBqNm0x
YVc0bXp6eldNdkp1QWk2cEI0WFBhVVd3cHhDODNwMS9UUTBPN25JCmxXZnRIcFZr
SFJrQnI3R1BTUk1BcVl3RjlUaXMzSXpqaGdTMi9reno1eHcKLT4gc3NoLWVkMjU1
MTkgWXlTVU1RIFlKWCtsWGtWdTI4L0ZFTVRHNFN5by9vTE95MXFoMVZGYlYrM1I2
alREaE0Kd251SGRDdE96VmZqblhEWXFkZDhvRUZsZ1pnZ3NqdEdJSlBvaXhoOHVB
WQotLS0gaGJNRm14SkdXcTFmYlJUell1WUZUeEllT3ZwMkNaejF3eWJ5U1ZSdno1
MAqQIT8vvUro+C+avm6lCPfrX9yigKzx/gtKfMB//1Ie7BUo1+o5iYoA+R0luMU8
/zVX1yGAzDPqas/HfYclIPg3bdjm2dnpz0ltOrOvjA4x3nEzzrmS96zo3Fy1d8oX
oAMw2l/p2QDHI60cyhvC
-----END AGE ENCRYPTED FILE-----