cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity
Files
c132a6e673fdf4fbb6200d6ea53666831fd7c9fe
cnix/modules/server/vaultwarden/default.nix
cnst c132a6e673 fail2ban test 8
2025-07-16 15:42:13 +02:00

69 lines
1.6 KiB
Nix
Raw Blame History

# yanked from @fufexan
{
config,
self,
lib,
...
}: let
inherit (config.networking) domain;
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in {
options = {
server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
};
age.secrets.vaultwarden-env = {
file = "${self}/secrets/vaultwarden-env.age";
owner = "vaultwarden";
mode = "400";
};
config = mkIf cfg.enable {
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
encode zstd gzip
reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
};
services.vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwarden-env.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink