Personal Nix setup

Review vaultwarden config

+26 -3
+5
modules/server/encrypt/vaultwarden.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 QwbpPw plZ+smu/E5y1fTvzLTjioQAZ/G9KCmsz7FMdq3lf/Fk 3 + W8ye55GdzJPQOuIiJg2KbuP0/JcJstvdUSZPCjonfVo 4 + --- ZYFukRqb02JI1+iM9xw7EzMOxBnAEE/dw7p7cZ+45/I 5 + MV����D��^3Ӵ� �<\(j �L���������43�*:U�3H��*9�����Ԙ��G=�����@$�y}���������g�z^Y�"���Ә�$�g2�>=n:h/$�_�%ZᄦA��#�J��HG���ʢ�~���Vu((�G�:���������.y
+20 -3
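--- a/modules/server/vaultwarden.nix
+++ b/modules/server/vaultwarden.nix
@@ -27,6 +27,12 @@
 };
 
 config = mkIf (cfg.enable && cfg.vaultwarden.enable) {
+age.secrets."vaultwarden" = {
+symlink = true;
+path = "/run/secrets/vaultwarden.env";
+file = ./encrypt/vaultwarden.age;
+};
+
 services.vaultwarden = let
 baseURL = if (cfg.caddy.enable && cfg.tailscale.enable)
 then "https://${hostname}.${cfg.tailscale.domain}/vault/"
@@ -35,17 +41,28 @@
 in {
 enable = true;
 dbBackend = "sqlite";
+environmentFile = "/run/secrets/vaultwarden.env";
 config = {
 IP_HEADER = "X-Real-IP";
-ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$+5A5H6YiN6OxyrFggkrft8Mm+sxgh/tL3USbaYFZ/h8$qj8NjE+COL4WXjmjkPWSQk7iLfhaBfBtV6k06Bql3CQ";
-PASSWORD_HINTS_ALLOWED = "false";
-SIGNUPS_ALLOWED = "false";
 DOMAIN = baseURL;
 WEBSOCKET_ADDRESS = "127.0.0.1";
 ROCKET_ADDRESS = "127.0.0.1";
 WEBSOCKET_PORT = toString cfg.vaultwarden.websocketPort;
 ROCKET_PORT = toString cfg.vaultwarden.port;
 ROCKET_LIMITS = "{json=10485760}";
+
+LOGIN_RATELIMIT_SECONDS = "60";
+LOGIN_RATELIMIT_MAX_BURST = "10";
+ADMIN_RATELIMIT_SECONDS = "300";
+ADMIN_RATELIMIT_MAX_BURST = "3";
+
+PASSWORD_HINTS_ALLOWED = "false";
+SHOW_PASSWORD_HINT = "false";
+SIGNUPS_ALLOWED = "false";
+INVITATIONS_ALLOWED = "false";
+EMERGENCY_ACCESS_ALLOWED = "false";
+SENDS_ALLOWED = "false";
+ORG_CREATION_USERS = "none";
 };
 };
 };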
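Review bot: The argon2id `ADMIN_TOKEN` hash removed from `config` stays readable in the repository history, so moving the token into `environmentFile` only protects it if the value inside `vaultwarden.age` was newly generated; the diff cannot show that, so confirm the admin token was rotated and not just relocated. Separately, `environmentFile` repeats the literal `/run/secrets/vaultwarden.env` already given as the secret's `path`; referencing the secret, `environmentFile = config.age.secrets."vaultwarden".path;`, keeps the two from drifting apart, assuming the module's `config` argument is in scope at that point. A short comment above the new hardening keys noting that values saved through the admin page can override these environment settings would help the next reader; the module's opening lines are outside the visible hunks.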
+1
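--- a/secrets.nix
+++ b/secrets.nix
@@ -10,6 +10,7 @@
 "./modules/server/encrypt/rclone.conf.age".publicKeys = keys;
 "./modules/server/encrypt/tangled-knot-ssh.age".publicKeys = keys;
 "./modules/server/encrypt/gitconfig.age".publicKeys = keys;
+"./modules/server/encrypt/vaultwarden.age".publicKeys = keys;
 
 "./modules/router/encrypt/pppoe-options.age".publicKeys = keys;
 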