mirror of https://gitlab.crans.org/nounous/nixos
47 lines
1.0 KiB
Nix
47 lines
1.0 KiB
Nix
{ config, lib, ... }:
|
|
|
|
{
|
|
imports = [
|
|
./nginx.nix
|
|
];
|
|
|
|
age.secrets = {
|
|
env = {
|
|
file = ../../secrets/vaultwarden/env.age;
|
|
};
|
|
};
|
|
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
dbBackend = "postgresql";
|
|
|
|
environmentFile = config.age.secrets.env.path;
|
|
config = {
|
|
ROCKET_PORT = 8222;
|
|
SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
|
|
};
|
|
};
|
|
users.users.vaultwarden.extraGroups = [ "nullmailer" ];
|
|
|
|
systemd.services.vaultwarden = {
|
|
path = [ "/run/wrappers" ];
|
|
serviceConfig = {
|
|
NoNewPrivileges = lib.mkForce false;
|
|
PrivateUsers = lib.mkForce false;
|
|
SystemCallFilter = lib.mkForce [ "@system-service" ];
|
|
RestrictAddressFamilies = [
|
|
"AF_LOCAL"
|
|
"AF_NETLINK"
|
|
];
|
|
ReadWritePaths = [ "/var/spool/nullmailer/" ];
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."vaultwarden.crans.org" = {
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
}
|