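{
  config,
  pkgs,
  lib,
  ...
}:

let
  # Single source of truth for the on-disk location. The secret env file,
  # DATA_FOLDER, the sandbox write allowance and both tmpfiles rules must
  # all agree, so every one of them is derived from this path.
  stateDir = "/private/vaultwarden";
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";

    # Secrets (ADMIN_TOKEN, SMTP credentials, push installation key, ...)
    # belong in this file and only here: the NixOS module is documented to
    # render the `config` set below into the Nix store, which is world-readable.
    environmentFile = "${stateDir}/vaultwarden.env";

    config = {
      # Keep data alongside the secret env file so we can back it up together.
      DATA_FOLDER = "${stateDir}/data";

      # EU Bitwarden cloud endpoints for mobile push notifications; presumably
      # PUSH_ENABLED and the installation id/key are set in the env file.
      PUSH_RELAY_URI = "https://api.bitwarden.eu";
      PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";

      # Public origin the clients connect to (presumably the cloudflared
      # hostname, see the note at the bottom), not the local bind address.
      DOMAIN = "https://vault.ocbwoy3.dev";

      # NOTE(review): 0.0.0.0 binds every interface. Nothing in this module
      # opens 8222/3012 in the NixOS firewall (see the commented block at the
      # bottom), so reachability from outside depends on the firewall staying
      # enabled elsewhere. If cloudflared runs on this same host, 127.0.0.1
      # would be the least-exposure choice — confirm before changing.
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = 8222;

      # NOTE(review): recent vaultwarden releases serve websockets on
      # ROCKET_PORT and ignore the separate WEBSOCKET_* server settings;
      # verify against the packaged version before relying on port 3012.
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "0.0.0.0";
      WEBSOCKET_PORT = 3012;

      # No self-service registration on this instance.
      SIGNUPS_ALLOWED = false;
    };
  };

  # Grant the (otherwise read-only sandboxed) unit write access to the
  # relocated state directory. Directory creation is handled by the
  # tmpfiles rules below, not here.
  systemd.services.vaultwarden.serviceConfig = {
    ReadWritePaths = [ stateDir ];
  };

  # Create the state and data directories before startup, owned by the
  # service user and not world-readable (0750). The env file itself is not
  # created here — it has to be placed by hand and should be mode 0600,
  # owned by vaultwarden.
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 vaultwarden vaultwarden -"
    "d ${stateDir}/data 0750 vaultwarden vaultwarden -"
  ];

  # Ingress is presumably provided by a cloudflared tunnel (per the original
  # "cloudflared!!" note), so the service ports are deliberately NOT opened
  # in the host firewall. Kept for the case that the tunnel is replaced by a
  # direct reverse proxy.
  # networking.firewall.allowedTCPPorts = [
  #   8222
  #   3012
  # ];
}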