mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-06-17 02:25:12 -05:00
96 lines
2.1 KiB
Nix
96 lines
2.1 KiB
Nix
|
{
|
||
|
|
flake,
|
||
|
|
config,
|
||
|
|
...
|
||
|
|
}: let
|
||
|
|
inherit (flake.config.people) user0;
|
||
|
|
inherit (flake.config.people.user.${user0}) domain email;
|
||
|
|
inherit (flake.config.system.device) wildcard;
|
||
|
|
inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl;
|
||
|
|
localhost = wildcard.ip.address0;
|
||
|
|
host = "${subdomain}.${domain.url0}";
|
||
|
|
in {
|
||
|
|
services = {
|
||
|
|
vaultwarden = {
|
||
|
|
backupDir = paths.path0;
|
||
|
|
enable = true;
|
||
|
|
environmentFile = config.sops.secrets."${name}/env".path;
|
||
|
|
config = {
|
||
|
|
# Domain Configuration
|
||
|
|
DOMAIN = "https://${host}";
|
||
|
|
|
||
|
|
# Email Configuration
|
||
|
|
SMTP_AUTH_MECHANISM = "Plain";
|
||
|
|
SMTP_EMBED_IMAGES = true;
|
||
|
|
SMTP_FROM = email.address3;
|
||
|
|
SMTP_FROM_NAME = "Vaultwarden";
|
||
|
|
SMTP_HOST = "smtp.protonmail.ch";
|
||
|
|
SMTP_PORT = 587;
|
||
|
|
SMTP_SECURITY = "starttls";
|
||
|
|
SMTP_USERNAME = email.address3;
|
||
|
|
|
||
|
|
# Security Configuration
|
||
|
|
DISABLE_ADMIN_TOKEN = false;
|
||
|
|
|
||
|
|
# Event and Backup Management
|
||
|
|
EVENTS_DAYS_RETAIN = 90;
|
||
|
|
|
||
|
|
# User Features
|
||
|
|
SENDS_ALLOWED = true;
|
||
|
|
SIGNUPS_VERIFY = true;
|
||
|
|
WEB_VAULT_ENABLED = true;
|
||
|
|
|
||
|
|
# Rocket (Web Server) Settings
|
||
|
|
ROCKET_ADDRESS = localhost;
|
||
|
|
ROCKET_PORT = ports.port0;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
caddy = {
|
||
|
|
virtualHosts = {
|
||
|
|
"${host}" = {
|
||
|
|
extraConfig = ''
|
||
|
|
reverse_proxy ${localhost}:${toString ports.port0} {
|
||
|
|
header_up X-Real-IP {remote_host}
|
||
|
|
}
|
||
|
|
|
||
|
|
tls ${ssl.cert} ${ssl.key}
|
||
|
|
|
||
|
|
encode zstd gzip
|
||
|
|
'';
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
sops = let
|
||
|
|
sopsSecrets = ["env"];
|
||
|
|
sopsPath = secret: {
|
||
|
|
path = "${sops.path0}/${name}-${secret}";
|
||
|
|
owner = name;
|
||
|
|
mode = "600";
|
||
|
|
};
|
||
|
|
in {
|
||
|
|
secrets = builtins.listToAttrs (
|
||
|
|
map
|
||
|
|
(secret: {
|
||
|
|
name = "${name}/${secret}";
|
||
|
|
value = sopsPath secret;
|
||
|
|
})
|
||
|
|
sopsSecrets
|
||
|
|
);
|
||
|
|
};
|
||
|
|
|
||
|
|
systemd.tmpfiles.rules = [
|
||
|
|
"Z ${paths.path0} 0755 ${name} ${name} -"
|
||
|
|
"Z ${sops.path0} 755 ${name} ${name} -"
|
||
|
|
];
|
||
|
|
|
||
|
|
networking = {
|
||
|
|
firewall = {
|
||
|
|
allowedTCPPorts = [
|
||
|
|
ports.port0
|
||
|
|
];
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|