nixos-conf/servers/vaultwarden.nix

{ config, ... }:
{
  imports = [
    ./utils/nginx-https-server.nix
    ./utils/cert-store-client.nix
  ];

  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/vaultwarden";
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "u=rwx,g=,o=";
    }
  ];

  sops = {
    secrets = {
      smtp-pass = {
        sopsFile = ../secrets/vaultwarden.yaml;
        restartUnits = [ "vaultwarden.service" ];
      };
      admin-token = {
        sopsFile = ../secrets/vaultwarden.yaml;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    templates."vaultwarden.env" = {
      owner = "vaultwarden";
      content = ''
        SMTP_FROM=vmsskv12@gmail.com
        SMTP_USERNAME=vmsskv12@gmail.com
        SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
        ADMIN_TOKEN=${config.sops.placeholder.admin-token}
      '';
    };
  };

  services = {
    vaultwarden = {
      enable = true;
      environmentFile = config.sops.templates."vaultwarden.env".path;
      config = {
        DOMAIN = "https://vaultwarden.vsinerva.fi";
        LOGIN_RATELIMIT_MAX_BURST = 10;
        LOGIN_RATELIMIT_SECONDS = 60;
        ADMIN_RATELIMIT_MAX_BURST = 10;
        ADMIN_RATELIMIT_SECONDS = 60;
        SENDS_ALLOWED = true;
        EMERGENCY_ACCESS_ALLOWED = true;
        WEB_VAULT_ENABLED = true;
        SIGNUPS_ALLOWED = true;
        SIGNUPS_VERIFY = true;
        SIGNUPS_VERIFY_RESEND_TIME = 3600;
        SIGNUPS_VERIFY_RESEND_LIMIT = 5;
        SMTP_HOST = "smtp.gmail.com";
        SMTP_FROM_NAME = "Vaultwarden";
        SMTP_SECURITY = "starttls";
        SMTP_PORT = 587;
        SMTP_AUTH_MECHANISM = "Login";
      };
    };

    nginx = {
      virtualHosts."vaultwarden.vsinerva.fi" = {
        locations."/" = {
          proxyPass = "http://localhost:8000";
        };
      };
    };
  };
}
Move vaultwarden to sops-nix 2025-06-21 15:53:31 +03:00			`{ config, ... }:`
Init 2024-05-23 13:39:48 +03:00			`{`
Migrate vaultwarden to flakes 2025-06-05 00:09:04 +03:00			`imports = [`
			`./utils/nginx-https-server.nix`
			`./utils/cert-store-client.nix`
			`];`
Add acme-dns to vaultwarden. Refactor conf 2025-01-08 13:10:43 +02:00
Migrate vaultwarden to disko+impermanence 2025-07-01 23:30:36 +03:00			`environment.persistence."/persist".directories = [`
			`{`
			`directory = "/var/lib/vaultwarden";`
			`user = "vaultwarden";`
			`group = "vaultwarden";`
			`mode = "u=rwx,g=,o=";`
			`}`
			`];`

Move vaultwarden to sops-nix 2025-06-21 15:53:31 +03:00			`sops = {`
			`secrets = {`
			`smtp-pass = {`
			`sopsFile = ../secrets/vaultwarden.yaml;`
			`restartUnits = [ "vaultwarden.service" ];`
			`};`
			`admin-token = {`
			`sopsFile = ../secrets/vaultwarden.yaml;`
			`restartUnits = [ "vaultwarden.service" ];`
			`};`
			`};`

			`templates."vaultwarden.env" = {`
			`owner = "vaultwarden";`
			`content = ''`
			`SMTP_FROM=vmsskv12@gmail.com`
			`SMTP_USERNAME=vmsskv12@gmail.com`
			`SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}`
			`ADMIN_TOKEN=${config.sops.placeholder.admin-token}`
			`'';`
			`};`
			`};`

Auto-indent every file 2024-06-02 05:53:39 +03:00			`services = {`
			`vaultwarden = {`
			`enable = true;`
Move vaultwarden to sops-nix 2025-06-21 15:53:31 +03:00			`environmentFile = config.sops.templates."vaultwarden.env".path;`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`config = {`
			`DOMAIN = "https://vaultwarden.vsinerva.fi";`
			`LOGIN_RATELIMIT_MAX_BURST = 10;`
			`LOGIN_RATELIMIT_SECONDS = 60;`
			`ADMIN_RATELIMIT_MAX_BURST = 10;`
			`ADMIN_RATELIMIT_SECONDS = 60;`
			`SENDS_ALLOWED = true;`
			`EMERGENCY_ACCESS_ALLOWED = true;`
			`WEB_VAULT_ENABLED = true;`
			`SIGNUPS_ALLOWED = true;`
			`SIGNUPS_VERIFY = true;`
			`SIGNUPS_VERIFY_RESEND_TIME = 3600;`
			`SIGNUPS_VERIFY_RESEND_LIMIT = 5;`
			`SMTP_HOST = "smtp.gmail.com";`
			`SMTP_FROM_NAME = "Vaultwarden";`
Vaultwarden SMTP fix 2025-01-15 03:55:09 +02:00			`SMTP_SECURITY = "starttls";`
Vaultwarden SMTP fix 2025-01-15 03:47:37 +02:00			`SMTP_PORT = 587;`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`SMTP_AUTH_MECHANISM = "Login";`
			`};`
			`};`
Init 2024-05-23 13:39:48 +03:00
Auto-indent every file 2024-06-02 05:53:39 +03:00			`nginx = {`
			`virtualHosts."vaultwarden.vsinerva.fi" = {`
			`locations."/" = {`
Adjust nginx settings 2025-01-15 00:29:25 +02:00			`proxyPass = "http://localhost:8000";`
Auto-indent every file 2024-06-02 05:53:39 +03:00			`};`
			`};`
			`};`
			`};`
Init 2024-05-23 13:39:48 +03:00			`}`