diff options
Diffstat (limited to 'nixos/modules/services/security/vaultwarden/default.nix')
-rw-r--r-- | nixos/modules/services/security/vaultwarden/default.nix | 72 |
1 files changed, 62 insertions, 10 deletions
diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index 8277f493639c2..756e0ee93b219 100644 --- a/nixos/modules/services/security/vaultwarden/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -62,20 +62,52 @@ in { default = {}; example = literalExpression '' { - domain = "https://bw.domain.tld:8443"; - signupsAllowed = true; - rocketPort = 8222; - rocketLog = "critical"; + DOMAIN = "https://bitwarden.example.com"; + SIGNUPS_ALLOWED = false; + + # Vaultwarden currently recommends running behind a reverse proxy + # (nginx or similar) for TLS termination, see + # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying + # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support, + # > especially if your instance is publicly accessible. + # + # A suitable NixOS nginx reverse proxy example config might be: + # + # services.nginx.virtualHosts."bitwarden.example.com" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}"; + # }; + # }; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + + ROCKET_LOG = "critical"; + + # This example assumes a mailserver running on localhost, + # thus without transport encryption. + # If you use an external mail server, follow: + # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration + SMTP_HOST = "127.0.0.1"; + SMTP_PORT = 25; + SMTP_SSL = false; + + SMTP_FROM = "admin@bitwarden.example.com"; + SMTP_FROM_NAME = "example.com Bitwarden server"; } ''; description = '' The configuration of vaultwarden is done through environment variables, - therefore the names are converted from camel case (e.g. disable2FARemember) - to upper case snake case (e.g. DISABLE_2FA_REMEMBER). + therefore it is recommended to use upper snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>). + + However, camel case (e.g. <literal>disable2FARemember</literal>) is also supported: + The NixOS module will convert it automatically to + upper case snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>). In this conversion digits (0-9) are handled just like upper case characters, - so foo2 would be converted to FOO_2. - Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, - even though foo2 would have been converted to FOO_2. + so <literal>foo2</literal> would be converted to <envar>FOO_2</envar>. + Names already in this format remain unchanged, so <literal>FOO2</literal> remains <literal>FOO2</literal> if passed as such, + even though <literal>foo2</literal> would have been converted to <envar>FOO_2</envar>. This allows working around any potential future conflicting naming conventions. Based on the attributes passed to this config option an environment file will be generated @@ -83,13 +115,16 @@ in { The available configuration options can be found in <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. + + See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how + to set up access to the Admin UI to invite initial users. ''; }; environmentFile = mkOption { type = with types; nullOr path; default = null; - example = "/root/vaultwarden.env"; + example = "/var/lib/vaultwarden.env"; description = '' Additional environment file as defined in <citerefentry> <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> @@ -100,6 +135,23 @@ in { Note that this file needs to be available on the host on which <literal>vaultwarden</literal> is running. + + As a concrete example, to make the Admin UI available + (from which new users can be invited initially), + the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described + <link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>. + Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal> + and ensuring permissions with e.g. + <literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal> + (the <literal>vaultwarden</literal> user will only exist after activating with + <literal>enable = true;</literal> before this), we can set the contents of the file to have + contents such as: + +<programlisting> +# Admin secret token, see +# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page +ADMIN_TOKEN=...copy-paste a unique generated secret token here... +</programlisting> ''; }; |