authorLinnnus <[email protected]>2025-03-16 15:51:15 +0100
committerLinnnus <[email protected]>2025-03-16 15:51:15 +0100
commit94743c25a092fa9aa19182542b2d2026c6f88b1e (patch)
tree169a0562401888af9bc5debf391e7f4069e4824f
parent10fb59d94cd7b5d4480cd195ec84c1b8faffbdb6 (diff)
ahmed: Add vaultwarden
-rw-r--r--hosts/ahmed/configuration.nix1
-rw-r--r--hosts/ahmed/vaultwarden/default.nix39
2 files changed, 40 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 4386460..43ce35b 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -24,6 +24,7 @@
./minecraft
./nginx
./local-dns
+ ./vaultwarden
];
# Create the main user.
diff --git a/hosts/ahmed/vaultwarden/default.nix b/hosts/ahmed/vaultwarden/default.nix
new file mode 100644
index 0000000..370f349
--- /dev/null
+++ b/hosts/ahmed/vaultwarden/default.nix
@@ -0,0 +1,39 @@
+# This module sets up a password manager. It is only available locally.
+{config, ...}: {
+ services.vaultwarden = {
+ enable = true;
+
+ config = {
+ # The domain must match the address from where you access the server It's
+ # recommended to configure this value, otherwise certain functionality
+ # might not work, like attachment downloads, email links and U2F.
+ #
+ # For U2F to work, the server must use HTTPS, you can use Let's Encrypt
+ # for free certs To use HTTPS, the recommended way is to put Vaultwarden
+ # behind a reverse proxy
+ #
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+ DOMAIN = "https://vaultwarden.${config.linus.local-dns.domain}";
+
+ ROCKET_ADDRESS = "127.0.0.1"; # Behind reverse proxy.
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ # Vaultwarden currently recommends running behind a reverse proxy
+ # (nginx or similar) for TLS termination:
+ #
+ # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
+ # > especially if your instance is publicly accessible.
+ #
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
+ services.nginx.virtualHosts."vaultwarden.${config.linus.local-dns.domain}" = {
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+
+ linus.local-dns.subdomains = ["vaultwarden"];
+}
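Review bot: The `DOMAIN = "https://vaultwarden.…"` line advertises https, but the nginx virtualHost at `services.nginx.virtualHosts."vaultwarden.…"` enables no TLS (no `forceSSL`, `sslCertificate`/`sslCertificateKey` or `enableACME`), so unless TLS for this host is configured elsewhere, the vault is served over plain HTTP on the LAN and the scheme mismatch breaks exactly the WebAuthn/U2F and link features the comment above `DOMAIN` warns about. Either add `forceSSL = true;` with a certificate for the local domain (`sslCertificate`/`sslCertificateKey`), or make `DOMAIN` match the scheme nginx actually serves. Separately, the `config` block sets no `SIGNUPS_ALLOWED`, and vaultwarden's default permits open registration, so anyone who can reach the vhost on the local network can create an account; once the intended accounts exist, `SIGNUPS_ALLOWED = false;` next to `ROCKET_PORT` closes that. The `locations."/"` block could also set `proxyWebsockets = true;` so that, if the deployed vaultwarden serves its notifications websocket on the same port, the upgrade is passed through nginx.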