summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
Diffstat (limited to 'hosts')
-rw-r--r--hosts/ahmed/configuration.nix1
-rw-r--r--hosts/ahmed/vaultwarden/default.nix39
2 files changed, 40 insertions, 0 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index 4386460..43ce35b 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -24,6 +24,7 @@
./minecraft
./nginx
./local-dns
+ ./vaultwarden
];
# Create the main user.
diff --git a/hosts/ahmed/vaultwarden/default.nix b/hosts/ahmed/vaultwarden/default.nix
new file mode 100644
index 0000000..370f349
--- /dev/null
+++ b/hosts/ahmed/vaultwarden/default.nix
@@ -0,0 +1,39 @@
+# This module sets up a password manager. It is only available locally.
+{config, ...}: {
+ services.vaultwarden = {
+ enable = true;
+
+ config = {
+ # The domain must match the address from where you access the server It's
+ # recommended to configure this value, otherwise certain functionality
+ # might not work, like attachment downloads, email links and U2F.
+ #
+ # For U2F to work, the server must use HTTPS, you can use Let's Encrypt
+ # for free certs To use HTTPS, the recommended way is to put Vaultwarden
+ # behind a reverse proxy
+ #
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+ DOMAIN = "https://vaultwarden.${config.linus.local-dns.domain}";
+
+ ROCKET_ADDRESS = "127.0.0.1"; # Behind reverse proxy.
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ # Vaultwarden currently recommends running behind a reverse proxy
+ # (nginx or similar) for TLS termination:
+ #
+ # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
+ # > especially if your instance is publicly accessible.
+ #
+ # See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
+ services.nginx.virtualHosts."vaultwarden.${config.linus.local-dns.domain}" = {
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://${toString config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+
+ linus.local-dns.subdomains = ["vaultwarden"];
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-07 22:13:42 +0000