selfhostblocks/modules/services/vaultwarden/docs/default.md
2024-08-12 06:51:24 -07:00


Vaultwarden Service

Defined in /modules/services/vaultwarden.nix.

This NixOS module is a service that sets up a Vaultwarden Server.

Features

  • Access through subdomain using reverse proxy.
  • Access through HTTPS using reverse proxy.
  • Automatic setup of Redis database for caching.
  • Backup of the data directory through the backup block.
  • Integration Tests
    • Tests /admin can only be accessed when authenticated with SSO.
  • Access to advanced options not exposed here thanks to how NixOS modules work.

Usage

Secrets

All the secrets should be readable by the vaultwarden user.

Secrets should not be stored in the nix store. If you're using sops-nix and assuming your secrets file is located at ./secrets.yaml, you can define a secret with:

sops.secrets."vaultwarden/db" = {
  sopsFile = ./secrets.yaml;
  mode = "0400";
  owner = "vaultwarden";
  group = "postgres";
  restartUnits = [ "vaultwarden.service" ];
};

Then you can use that secret:

shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path;

SSO

To protect the /admin endpoint, we use SSO. This requires the SSL, LDAP and SSO blocks to be configured. See the documentation for those blocks first if needed.

let
  domain = <...>;
in
shb.vaultwarden = {
  enable = true;
  inherit domain;
  subdomain = "vaultwarden";
  ssl = config.shb.certs.certs.letsencrypt.${domain};
  port = 8222;
  authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
  databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
  smtp = {
    host = "smtp.eu.mailgun.org";
    port = 587;
    username = "postmaster@mg.${domain}";
    from_address = "authelia@${domain}";
    passwordFile = config.sops.secrets."vaultwarden/smtp".path;
  };
};

sops.secrets."vaultwarden/db" = {
  sopsFile = ./secrets.yaml;
  mode = "0440";
  owner = "vaultwarden";
  group = "postgres";
  restartUnits = [ "vaultwarden.service" "postgresql.service" ];
};
sops.secrets."vaultwarden/smtp" = {
  sopsFile = ./secrets.yaml;
  mode = "0400";
  owner = "vaultwarden";
  group = "vaultwarden";
  restartUnits = [ "vaultwarden.service" ];
};
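The Secrets section above says secret files must be readable by the vaultwarden user and must never land in the Nix store. The following is an added example (not part of selfhostblocks) of a NixOS module fragment that turns both rules into evaluation-time assertions; it assumes the option names used on this page (shb.vaultwarden.databasePasswordFile, shb.vaultwarden.smtp.passwordFile, sops.secrets."vaultwarden/db") and the standard NixOS `assertions` option.

```nix
# Added example, not selfhostblocks code. Fails `nixos-rebuild` early when a
# Vaultwarden secret would be copied into the world-readable Nix store or when
# the sops-nix secret is not provisioned for the vaultwarden user.
{ config, lib, ... }:
let
  cfg = config.shb.vaultwarden;
  dbSecret = config.sops.secrets."vaultwarden/db";

  # Assumed: both options are set, as in the SSO example on this page.
  secretFiles = [ cfg.databasePasswordFile cfg.smtp.passwordFile ];

  # A Nix *path* literal (./secret.txt) is copied into /nix/store as soon as it
  # is used in a derivation, so it is as unsafe as an explicit store path.
  leaksToStore = p:
    builtins.typeOf p == "path"
    || lib.hasPrefix builtins.storeDir (toString p);
in
{
  assertions =
    (map (p: {
      assertion = !(leaksToStore p);
      message = "Vaultwarden secret ${toString p} would end up in the Nix store; point it at a runtime-provisioned file instead.";
    }) secretFiles)
    ++ [
      {
        assertion = dbSecret.owner == "vaultwarden";
        message = "sops secret vaultwarden/db must be owned by the vaultwarden user so the service can read it.";
      }
      {
        # Last octal digit is the 'other' permission set; it must be 0.
        assertion = lib.hasSuffix "0" dbSecret.mode;
        message = "sops secret vaultwarden/db must not be world-readable (mode ${dbSecret.mode}).";
      }
    ];
}
```

Import this fragment alongside the rest of your configuration; the assertions only need the options already shown on this page.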

ZFS

Integration with the ZFS block lets you automatically create the relevant datasets.

shb.zfs.datasets."vaultwarden" = config.shb.vaultwarden.mount;
shb.zfs.datasets."postgresql".path = "/var/lib/postgresql";