diff options
| author | Niklas Hambüchen <mail@nh2.me> | 2022-08-28 16:47:23 +0200 |
|---|---|---|
| committer | Niklas Hambüchen <mail@nh2.me> | 2023-07-01 15:35:28 +0200 |
| commit | 080757c6c53d748717e86ab5faf15f62fc1e42a6 (patch) | |
| tree | 48c17f22ea28ed454127b2d2ef69c866a10977f5 /nixos | |
| parent | 01e209af7890a6ab638ea9b219d603f40bccd8ce (diff) | |
nixos/vaultwarden: Bind to localhost by default. See #100192
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
| -rw-r--r-- | nixos/modules/services/security/vaultwarden/default.nix | 7 |
2 files changed, 8 insertions, 1 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 50847f663f503..3bcf98f242eec 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -54,6 +54,8 @@ - `fileSystems.<name>.autoResize` now uses `systemd-growfs` to resize the file system online in stage 2. This means that `f2fs` and `ext2` can no longer be auto resized, while `xfs` and `btrfs` now can be. +- The `services.vaultwarden.config` option default value was changed to make Vaultwarden only listen on localhost, following the [secure defaults for most NixOS services](https://github.com/NixOS/nixpkgs/issues/100192). + - `services.lemmy.settings.federation` was removed in 0.17.0 and no longer has any effect. To enable federation, the hostname must be set in the configuration file and then federation must be enabled in the admin web UI. See the [release notes](https://github.com/LemmyNet/lemmy/blob/c32585b03429f0f76d1e4ff738786321a0a9df98/RELEASES.md#upgrade-instructions) for more details. - The following packages in `haskellPackages` have now a separate bin output: `cabal-fmt`, `calligraphy`, `eventlog2html`, `ghc-debug-brick`, `hindent`, `nixfmt`, `releaser`. This means you need to replace e.g. `"${pkgs.haskellPackages.nixfmt}/bin/nixfmt"` with `"${lib.getBin pkgs.haskellPackages.nixfmt}/bin/nixfmt"` or `"${lib.getExe pkgs.haskellPackages.nixfmt}"`. The binaries also won’t be in scope if you rely on them being installed e.g. via `ghcWithPackages`. `environment.packages` picks the `bin` output automatically, so for normal installation no intervention is required. Also, toplevel attributes like `pkgs.nixfmt` are not impacted negatively by this change. diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index aaa3f5507f770..98ab8595bddf6 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -59,7 +59,12 @@ in { config = mkOption { type = attrsOf (nullOr (oneOf [ bool int str ])); - default = {}; + default = { + config = { + ROCKET_ADDRESS = "::1"; # default to localhost + ROCKET_PORT = 8222; + }; + }; example = literalExpression '' { DOMAIN = "https://bitwarden.example.com"; |