49 lines
1.7 KiB
Nix
49 lines
1.7 KiB
Nix
{inputs, config, ...}: {
|
|
services.nginx.virtualHosts."vault.vulpecula.zone" = {
|
|
addSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
|
};
|
|
};
|
|
|
|
services.vaultwarden.enable = true;
|
|
services.bitwarden-directory-connector-cli.domain = "vault.vulpecula.zone";
|
|
|
|
services.vaultwarden.config = {
|
|
DOMAIN = "https://vault.vulpecula.zone";
|
|
SIGNUPS_ALLOWED = true;
|
|
|
|
# Vaultwarden currently recommends running behind a reverse proxy
|
|
# (nginx or similar) for TLS termination, see
|
|
# https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
|
|
# > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
|
|
# > especially if your instance is publicly accessible.
|
|
#
|
|
# A suitable NixOS nginx reverse proxy example config might be:
|
|
#
|
|
# services.nginx.virtualHosts."bitwarden.example.com" = {
|
|
# enableACME = true;
|
|
# forceSSL = true;
|
|
# locations."/" = {
|
|
# proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
|
# };
|
|
# };
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
ROCKET_PORT = 62107;
|
|
|
|
ROCKET_LOG = "critical";
|
|
|
|
# This example assumes a mailserver running on localhost,
|
|
# thus without transport encryption.
|
|
# If you use an external mail server, follow:
|
|
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
|
|
# SMTP_HOST = "127.0.0.1";
|
|
# SMTP_PORT = 25;
|
|
# SMTP_SSL = false;
|
|
|
|
# SMTP_FROM = "admin@bitwarden.example.com";
|
|
# SMTP_FROM_NAME = "example.com Bitwarden server";
|
|
};
|
|
}
|