134 lines
3.4 KiB
Nix
134 lines
3.4 KiB
Nix
{ stdenv
|
|
, pkgs
|
|
, utils
|
|
}:
|
|
{ name ? "vaultwarden"
|
|
, user ? "vaultwarden"
|
|
, group ? "vaultwarden"
|
|
, port ? 18005
|
|
, dataFolder ? "/var/lib/vaultwarden"
|
|
, hostname
|
|
, postgresDatabase ? "vaultwarden"
|
|
, postgresUser ? "vaultwarden"
|
|
, postgresPassword
|
|
, postgresHost ? x: "127.0.0.1"
|
|
|
|
, smtpFrom
|
|
, smtpFromName ? "vaultwarden"
|
|
, smtpPort ? 587
|
|
, smtpAuthMechanism ? "Login"
|
|
|
|
, webvaultEnabled ? false
|
|
, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
|
|
, signupsAllowed ? false
|
|
, signupsVerify ? true
|
|
|
|
, keys
|
|
|
|
, VaultwardenWeb
|
|
, VaultwardenPostgresDB
|
|
}:
|
|
|
|
{
|
|
inherit name;
|
|
|
|
inherit port;
|
|
|
|
pkg =
|
|
{ VaultwardenPostgresDB
|
|
, VaultwardenWeb
|
|
}: utils.systemd.mkService rec {
|
|
name = "vaultwarden";
|
|
|
|
content = ''
|
|
[Unit]
|
|
Description=Vaultwarden Server
|
|
Documentation=https://github.com/dani-garcia/vaultwarden
|
|
After=network.target
|
|
After=${utils.keyServiceDependencies keys}
|
|
Wants=${utils.keyServiceDependencies keys}
|
|
|
|
[Service]
|
|
Environment=DATA_FOLDER=${dataFolder}
|
|
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
|
|
Environment=IP_HEADER=X-Real-IP
|
|
|
|
Environment=WEB_VAULT_FOLDER=${webvaultFolder}
|
|
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
|
|
|
|
Environment=SIGNUPS_ALLOWED=${signupsAllowed}
|
|
Environment=SIGNUPS_VERIFY=${signupsVerify}
|
|
# Implies the /admin path is protected
|
|
Environment=DISABLE_ADMIN_TOKEN=true
|
|
Environment=INVITATIONS_ALLOWED=true
|
|
Environment=DOMAIN=https://${hostname}
|
|
|
|
# Assumes we're behind a reverse proxy
|
|
Environment=ROCKET_ADDRESS=127.0.0.1
|
|
Environment=ROCKET_PORT=${builtins.toString port}
|
|
Environment=USE_SYSLOG=true
|
|
Environment=EXTENDED_LOGGING=true
|
|
Environment=LOG_FILE=
|
|
Environment=LOG_LEVEL=trace
|
|
|
|
${utils.keyEnvironmentFile keys.smtpSetup}
|
|
Environment=SMTP_FROM=${smtpFrom}
|
|
Environment=SMTP_FROM_NAME=${smtpFromName}
|
|
Environment=SMTP_PORT=${builtins.toString smtpPort}
|
|
Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
|
|
|
|
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
|
|
WorkingDirectory=${dataFolder}
|
|
User=${user}
|
|
Group=${group}
|
|
|
|
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
|
|
# that capability
|
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
# If vaultwarden is run at ports >1024, you should apply these options via a
|
|
# drop-in file
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
PrivateUsers=yes
|
|
|
|
NoNewPrivileges=yes
|
|
|
|
LimitNOFILE=1048576
|
|
UMask=0077
|
|
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
ReadWritePaths=${dataFolder}
|
|
PrivateTmp=yes
|
|
PrivateDevices=yes
|
|
ProtectHostname=yes
|
|
ProtectClock=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectControlGroups=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RemoveIPC=yes
|
|
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources
|
|
SystemCallArchitectures=native
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
'';
|
|
};
|
|
|
|
dependsOn = {
|
|
inherit VaultwardenWeb;
|
|
inherit VaultwardenPostgresDB;
|
|
};
|
|
type = "systemd-unit";
|
|
}
|