# NixOS module: Vaultwarden (Bitwarden-compatible server) with its SMTP
# credentials supplied through an agenix-managed environment file.
{ config, unstable, ... }:
let
  # Decrypted secret; its runtime path is handed to the service below.
  vwSecret = config.age.secrets.vaultwarden_env;
in
{
  # Encrypted environment file (SMTP credentials etc.), decrypted at
  # activation and readable only by the service user.
  age.secrets.vaultwarden_env.file = ../secrets/vaultwarden_env.age;
  age.secrets.vaultwarden_env.owner = "vaultwarden";

  services.vaultwarden.enable = true;
  # Track the unstable package set rather than the stable channel's build.
  services.vaultwarden.package = unstable.vaultwarden;
  services.vaultwarden.environmentFile = vwSecret.path;

  services.vaultwarden.config = {
    DOMAIN = "https://bitwarden.bertof.net";
    # Closed registration: new accounts must be invited.
    SIGNUPS_ALLOWED = false;

    # Vaultwarden currently recommends running behind a reverse proxy
    # (nginx or similar) for TLS termination, see
    # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
    # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
    # > especially if your instance is publicly accessible.
    #
    # A suitable NixOS nginx reverse proxy example config might be:
    #
    # services.nginx.virtualHosts."bitwarden.example.com" = {
    #   enableACME = true;
    #   forceSSL = true;
    #   locations."/" = {
    #     proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    #   };
    # };
    #
    # NOTE(review): "::" makes Rocket listen on every interface, while the
    # proxy example above only ever talks to 127.0.0.1. If the reverse proxy
    # runs on this same host, a loopback-only bind would keep the plain-HTTP
    # port off the network; confirm the proxy/firewall topology before changing.
    ROCKET_ADDRESS = "::";
    ROCKET_PORT = 8222;

    # Only critical Rocket messages are logged; note this also drops most
    # request-level logging that would otherwise be available for auditing.
    ROCKET_LOG = "critical";

    # Outgoing mail goes through an external provider over STARTTLS; the
    # credentials live in the environment file above, not in this module.
    # Reference for external mail server settings:
    # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
    SMTP_HOST = "smtp.gmail.com";
    SMTP_PORT = 587;
    SMTP_SECURITY = "starttls";

    SMTP_FROM = "filippoberto95@gmail.com";
    SMTP_FROM_NAME = "Bitwarden server";
  };
}