1
0
Fork 0
selfhostblocks/vaultwarden/unit.nix

134 lines
3.4 KiB
Nix

{ stdenv
, pkgs
, utils
}:
{ name ? "vaultwarden"
, user ? "vaultwarden"
, group ? "vaultwarden"
, port ? 18005
, dataFolder ? "/var/lib/vaultwarden"
, hostname
, postgresDatabase ? "vaultwarden"
, postgresUser ? "vaultwarden"
, postgresPassword
, postgresHost ? x: "127.0.0.1"
, smtpFrom
, smtpFromName ? "vaultwarden"
, smtpPort ? 587
, smtpAuthMechanism ? "Login"
, webvaultEnabled ? false
, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
, signupsAllowed ? false
, signupsVerify ? true
, keys
, VaultwardenWeb
, VaultwardenPostgresDB
}:
{
inherit name;
inherit port;
pkg =
{ VaultwardenPostgresDB
, VaultwardenWeb
}: utils.systemd.mkService rec {
name = "vaultwarden";
content = ''
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
After=${utils.keyServiceDependencies keys}
Wants=${utils.keyServiceDependencies keys}
[Service]
Environment=DATA_FOLDER=${dataFolder}
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
Environment=IP_HEADER=X-Real-IP
Environment=WEB_VAULT_FOLDER=${webvaultFolder}
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
Environment=SIGNUPS_ALLOWED=${signupsAllowed}
Environment=SIGNUPS_VERIFY=${signupsVerify}
# Implies the /admin path is protected
Environment=DISABLE_ADMIN_TOKEN=true
Environment=INVITATIONS_ALLOWED=true
Environment=DOMAIN=https://${hostname}
# Assumes we're behind a reverse proxy
Environment=ROCKET_ADDRESS=127.0.0.1
Environment=ROCKET_PORT=${builtins.toString port}
Environment=USE_SYSLOG=true
Environment=EXTENDED_LOGGING=true
Environment=LOG_FILE=
Environment=LOG_LEVEL=trace
${utils.keyEnvironmentFile keys.smtpSetup}
Environment=SMTP_FROM=${smtpFrom}
Environment=SMTP_FROM_NAME=${smtpFromName}
Environment=SMTP_PORT=${builtins.toString smtpPort}
Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
WorkingDirectory=${dataFolder}
User=${user}
Group=${group}
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
# that capability
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
# If vaultwarden is run at ports >1024, you should apply these options via a
# drop-in file
CapabilityBoundingSet=
AmbientCapabilities=
PrivateUsers=yes
NoNewPrivileges=yes
LimitNOFILE=1048576
UMask=0077
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${dataFolder}
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
'';
};
dependsOn = {
inherit VaultwardenWeb;
inherit VaultwardenPostgresDB;
};
type = "systemd-unit";
}