cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity
Files
850905050307f96a83c47e72358e589c2f2ab763
cnix/modules/server/vaultwarden/default.nix
cnst 8509050503 derp 3
2025-07-16 16:50:12 +02:00

83 lines
2.1 KiB
Nix
Raw Blame History

# yanked from @fufexan
{
config,
self,
lib,
...
}: let
inherit (config.networking) domain;
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in {
options = {
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
url = lib.mkOption {
type = lib.types.str;
default = "vault.${cfg.domain}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
config = mkIf cfg.enable {
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwarden-env.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${
toString vcfg.ROCKET_PORT
}";
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink