# Vaultwarden password manager, reachable only on the local network.
#
# Topology: Vaultwarden listens on loopback only; nginx is the sole
# ingress and proxies to it under the local-DNS hostname.  Keeping the
# backend on 127.0.0.1 is what prevents it from being reached directly,
# bypassing whatever the proxy enforces.
{config, ...}: let
  inherit (config.linus.local-dns) domain;

  # Hostname under which the service is published (also registered as a
  # local-DNS subdomain below).
  vaultwardenHost = "vaultwarden.${domain}";

  # Read back our own settings so the proxy target can never drift from
  # the address/port Vaultwarden actually binds.
  vwConfig = config.services.vaultwarden.config;
in {
  services.vaultwarden = {
    enable = true;

    config = {
      # DOMAIN must match the URL clients use to reach the server.  Upstream
      # recommends setting it explicitly; otherwise attachment downloads,
      # email links and U2F/WebAuthn may break.
      #
      # U2F additionally requires the server to be served over HTTPS.  The
      # recommended way is TLS termination at a reverse proxy (see nginx
      # block below) rather than Rocket's built-in TLS.
      #
      # See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
      # See: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
      DOMAIN = "https://${vaultwardenHost}";

      # Loopback only: the service is intentionally unreachable except via
      # the nginx reverse proxy.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;

      # NOTE(review): no SIGNUPS_ALLOWED setting is configured here, so the
      # upstream default applies — confirm whether open registration is
      # intended on this instance once the initial account(s) exist.
    };
  };

  # Reverse proxy in front of Vaultwarden.  Upstream's hardening guide
  # advises against Rocket's built-in TLS:
  #
  # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
  # > especially if your instance is publicly accessible.
  #
  # See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
  #
  # NOTE(review): this vhost declares no TLS options (forceSSL / certificate)
  # itself, while DOMAIN above is an https:// URL — presumably TLS for
  # "${vaultwardenHost}" is provided by the local-dns module or another
  # shared nginx setting; verify, since without it U2F will not work and
  # credentials would traverse the LAN in clear text.
  services.nginx.virtualHosts.${vaultwardenHost} = {
    locations."/" = {
      # Sets the standard forwarding headers (Host, X-Forwarded-*, …) that
      # Vaultwarden needs behind a proxy.
      recommendedProxySettings = true;
      proxyPass = "http://${toString vwConfig.ROCKET_ADDRESS}:${toString vwConfig.ROCKET_PORT}";
    };
  };

  # Publish the hostname in local DNS so LAN clients resolve it.
  linus.local-dns.subdomains = ["vaultwarden"];
}