mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 10:58:02 +00:00
185 lines
6.0 KiB
Nix
185 lines
6.0 KiB
Nix
# An alternative implementation of Bitwarden written in Rust. The project
|
|
# being written in Rust is a insta-self-hosting material right there.
|
|
{ config, lib, pkgs, foodogsquaredLib, ... }:
|
|
|
|
let
|
|
hostCfg = config.hosts.plover;
|
|
cfg = hostCfg.services.vaultwarden;
|
|
|
|
passwordManagerDomain = "pass.${config.networking.domain}";
|
|
|
|
# This should be set from service module from nixpkgs.
|
|
vaultwardenUser = config.users.users.vaultwarden.name;
|
|
in {
|
|
options.hosts.plover.services.vaultwarden.enable =
|
|
lib.mkEnableOption "Vaultwarden instance";
|
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
{
|
|
state.ports = {
|
|
vaultwarden.value = 8222;
|
|
vaultwarden-webproxy.value = 3012;
|
|
};
|
|
|
|
sops.secrets =
|
|
foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml {
|
|
"vaultwarden/env".owner = vaultwardenUser;
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
environmentFile = config.sops.secrets."vaultwarden/env".path;
|
|
config = {
|
|
DOMAIN = "https://${passwordManagerDomain}";
|
|
|
|
# Configuring the server.
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = config.state.ports.vaultwarden.value;
|
|
|
|
# Ehh... It's only a few (or even one) users anyways so nah. Since this
|
|
# instance will not configure SMTP server, this pretty much means
|
|
# invitation is only via email at this point.
|
|
SHOW_PASSWORD_HINT = false;
|
|
|
|
# Configuring some parts of account management which is almost
|
|
# nonexistent because this is just intended for me (at least right now).
|
|
SIGNUPS_ALLOWED = false;
|
|
SIGNUPS_VERIFY = true;
|
|
|
|
# Invitations...
|
|
INVITATIONS_ALLOWED = true;
|
|
INVITATION_ORG_NAME = "foodogsquared's Vaultwarden";
|
|
|
|
# Notifications...
|
|
WEBSOCKET_ENABLED = true;
|
|
WEBSOCKET_PORT = config.state.ports.vaultwarden-webproxy.value;
|
|
WEBSOCKET_ADDRESS = "0.0.0.0";
|
|
|
|
# Enabling web vault with whatever nixpkgs comes in.
|
|
WEB_VAULT_ENABLED = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.vaultwarden.path = [ pkgs.system-sendmail ];
|
|
}
|
|
|
|
(lib.mkIf hostCfg.services.database.enable {
|
|
services.vaultwarden = {
|
|
dbBackend = "postgresql";
|
|
config.DATABASE_URL = "postgresql://";
|
|
};
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ vaultwardenUser ];
|
|
ensureUsers = lib.singleton {
|
|
name = vaultwardenUser;
|
|
ensureDBOwnership = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.vaultwarden.preStart = let
|
|
psql = lib.getExe' config.services.postgresql.package "psql";
|
|
schema = config.users.users.vaultwarden.name;
|
|
in lib.mkBefore ''
|
|
${psql} -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${schema};"
|
|
'';
|
|
})
|
|
|
|
(lib.mkIf hostCfg.services.reverse-proxy.enable {
|
|
services.nginx.virtualHosts."${passwordManagerDomain}" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
kTLS = true;
|
|
locations = let
|
|
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
|
websocketPort = config.services.vaultwarden.config.WEBSOCKET_PORT;
|
|
in {
|
|
"/" = {
|
|
proxyPass = "http://vaultwarden";
|
|
proxyWebsockets = true;
|
|
};
|
|
|
|
"/notifications/hub" = {
|
|
proxyPass = "http://${address}:${toString websocketPort}";
|
|
proxyWebsockets = true;
|
|
};
|
|
|
|
"/notifications/hub/negotiate" = {
|
|
proxyPass = "http://vaultwarden";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
extraConfig = ''
|
|
proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName};
|
|
'';
|
|
};
|
|
|
|
services.nginx.upstreams."vaultwarden" = {
|
|
extraConfig = ''
|
|
zone services;
|
|
keepalive 2;
|
|
'';
|
|
servers = let
|
|
address = config.services.vaultwarden.config.ROCKET_ADDRESS;
|
|
port = config.services.vaultwarden.config.ROCKET_PORT;
|
|
in { "${address}:${builtins.toString port}" = { }; };
|
|
};
|
|
})
|
|
|
|
(lib.mkIf hostCfg.services.backup.enable {
|
|
# Add the data directory to be backed up.
|
|
services.borgbackup.jobs.services-backup.paths =
|
|
[ "/var/lib/bitwarden_rs" ];
|
|
})
|
|
|
|
(lib.mkIf hostCfg.services.fail2ban.enable {
|
|
# Configuring fail2ban for this service which thankfully has a dedicated page
|
|
# at https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup.
|
|
services.fail2ban.jails = {
|
|
vaultwarden-user.settings = {
|
|
enabled = true;
|
|
backend = "systemd";
|
|
filter =
|
|
"vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
|
maxretry = 5;
|
|
};
|
|
|
|
vaultwarden-admin.settings = {
|
|
enabled = true;
|
|
backend = "systemd";
|
|
filter =
|
|
"vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
|
|
maxretry = 3;
|
|
};
|
|
};
|
|
|
|
environment.etc = {
|
|
"fail2ban/filter.d/vaultwarden-user.conf".text = ''
|
|
[Includes]
|
|
before = common.conf
|
|
|
|
# For more information, Vaultwarden knowledge base has a dedicated page
|
|
# for configuring fail2ban with the application (i.e.,
|
|
# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
|
|
[Definition]
|
|
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username: <F-USER>.*</F-USER>\.$
|
|
ignoreregex =
|
|
'';
|
|
|
|
"fail2ban/filter.d/vaultwarden-admin.conf".text = ''
|
|
[Includes]
|
|
before = common.conf
|
|
|
|
# For more information, Vaultwarden knowledge base has a dedicated page
|
|
# for configuring fail2ban with the application (i.e.,
|
|
# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
|
|
[Definition]
|
|
failregex = ^.*Invalid admin token\. IP: <HOST>.*$
|
|
ignoreregex =
|
|
'';
|
|
};
|
|
})
|
|
]);
|
|
}
|