93 lines
2.7 KiB
Markdown
93 lines
2.7 KiB
Markdown
# Vaultwarden Service {#services-vaultwarden}
|
|
|
|
Defined in [`/modules/services/vaultwarden.nix`](@REPO@/modules/services/vaultwarden.nix).
|
|
|
|
This NixOS module is a service that sets up a [Vaultwarden Server](https://github.com/dani-garcia/vaultwarden).
|
|
|
|
## Features {#services-vaultwarden-features}
|
|
|
|
- Access through subdomain using reverse proxy.
|
|
- Access through HTTPS using reverse proxy.
|
|
- Automatic setup of Redis database for caching.
|
|
- Backup of the data directory through the [backup block](./blocks-backup.html).
|
|
- [Integration Tests](@REPO@/test/services/vaultwarden.nix)
|
|
- Tests /admin can only be accessed when authenticated with SSO.
|
|
- Access to advanced options not exposed here thanks to how NixOS modules work.
|
|
|
|
## Usage {#services-vaultwarden-usage}
|
|
|
|
### Secrets {#services-vaultwarden-secrets}
|
|
|
|
All the secrets should be readable by the vaultwarden user.
|
|
|
|
Secrets should not be stored in the nix store. If you're using
|
|
[sops-nix](https://github.com/Mic92/sops-nix) and assuming your secrets file is located at
|
|
`./secrets.yaml`, you can define a secret with:
|
|
|
|
```nix
|
|
sops.secrets."vaultwarden/db" = {
|
|
sopsFile = ./secrets.yaml;
|
|
mode = "0400";
|
|
owner = "vaultwarden";
|
|
group = "postgres";
|
|
restartUnits = [ "vaultwarden.service" ];
|
|
};
|
|
```
|
|
|
|
Then you can use that secret:
|
|
|
|
```nix
|
|
shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
|
|
```
|
|
|
|
### SSO {#services-vaultwarden-sso}
|
|
|
|
To protect the `/admin` endpoint, we use SSO.
|
|
This requires the SSL, LDAP and SSO block to be configured.
|
|
Follow those links first if needed.
|
|
|
|
```nix
|
|
let
|
|
domain = <...>;
|
|
in
|
|
shb.vaultwarden = {
|
|
enable = true;
|
|
inherit domain;
|
|
subdomain = "vaultwarden";
|
|
ssl = config.shb.certs.certs.letsencrypt.${domain};
|
|
port = 8222;
|
|
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
|
databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
|
|
smtp = {
|
|
host = "smtp.eu.mailgun.org";
|
|
port = 587;
|
|
username = "postmaster@mg.${domain}";
|
|
from_address = "authelia@${domain}";
|
|
passwordFile = config.sops.secrets."vaultwarden/smtp".path;
|
|
};
|
|
};
|
|
|
|
sops.secrets."vaultwarden/db" = {
|
|
sopsFile = ./secrets.yaml;
|
|
mode = "0440";
|
|
owner = "vaultwarden";
|
|
group = "postgres";
|
|
restartUnits = [ "vaultwarden.service" "postgresql.service" ];
|
|
};
|
|
sops.secrets."vaultwarden/smtp" = {
|
|
sopsFile = ./secrets.yaml;
|
|
mode = "0400";
|
|
owner = "vaultwarden";
|
|
group = "vaultwarden";
|
|
restartUnits = [ "vaultwarden.service" ];
|
|
};
|
|
```
|
|
|
|
### ZFS {#services-vaultwarden-zfs}
|
|
|
|
Integration with the ZFS block allows to automatically create the relevant datasets.
|
|
|
|
```nix
|
|
shb.zfs.datasets."vaultwarden" = config.shb.vaultwarden.mount;
|
|
shb.zfs.datasets."postgresql".path = "/var/lib/postgresql";
|
|
```
|