complete-computing-environment/vaultwarden.org


Storing passwords securely with vaultwarden

Running Vaultwarden on The Wobserver isn't so hard thanks to Nixpkgs. Vaultwarden is a self-hosted, Bitwarden-compatible server.

This is all pretty basic: set up a PostgreSQL DB, set up the service, and set up an Nginx frontend. If you set DATA_FOLDER to something custom, however, you need to override the systemd service definition to allow writing to that directory (the ReadWritePaths override in the config below). It'll be pretty upset and difficult to debug if you don't do this; ask me how I know…

I also had to set up SMTP configuration to activate my user … Eventually The Wobserver needs to support sending mails like this through AWS or SendGrid or something, but for now I just set up a Fastmail app-password for my account and shoved those in the DB. Yikes.

#+begin_src nix
{ pkgs, config, ... }:

let
  cfg = config.services.vaultwarden;
in
{
  # Vaultwarden gets its own database and its own DB role.
  services.postgresql.ensureDatabases = ["vaultwarden"];
  services.postgresql.ensureUsers = [
    {
      name = "vaultwarden";
      ensurePermissions = {
        "DATABASE vaultwarden" = "ALL PRIVILEGES";
      };
    }
  ];

  services.vaultwarden = {
    enable = true;
    # backupDir = "/srv/vaultwarden/backup"; # only for sqlite
    dbBackend = "postgresql";
    config = {
      # Connect over the local Unix socket (percent-encoded in the URL) as the
      # service's own system user, so no DB password ends up in the config.
      DATABASE_URL = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
      DATA_FOLDER = "/srv/vaultwarden/data";
      # Closed signups, except for addresses on these domains.
      SIGNUPS_ALLOWED = false;
      SIGNUPS_DOMAINS_WHITELIST = "whatthefuck.computer,rix.si";
      DOMAIN = "https://vault.whatthefuck.computer";
      # Listen on loopback only; nginx below is the public face.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
    # SMTP credentials and other secrets live here, outside the
    # world-readable Nix store.
    environmentFile = "/srv/vaultwarden/private.env";
  };
  # The module's unit is sandboxed; a custom DATA_FOLDER has to be added to
  # its writable paths explicitly or the service cannot write its data.
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ cfg.config.DATA_FOLDER ];

  services.nginx.virtualHosts."vault.whatthefuck.computer" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.config.ROCKET_PORT}";
    };
  };
}
#+end_src
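Two post-deploy checks for the gotchas above (the sandboxed unit refusing to write to a custom DATA_FOLDER, and the app password sitting in private.env), added here as an example and not part of the original config. It assumes the unit is named vaultwarden and uses the paths from the module above; run it with --live on the host.

```bash
#!/usr/bin/env bash
# Sanity checks for the vaultwarden deployment described above (constructed example).

# check_rw_paths DATA_FOLDER "ReadWritePaths=..." -> 0 if DATA_FOLDER (or a parent
# of it) is listed, i.e. the sandboxed unit may write there.
check_rw_paths() {
  local data_folder=$1 rwp_line=$2 p
  for p in ${rwp_line#ReadWritePaths=}; do
    case "${data_folder%/}/" in
      "${p%/}/"*) return 0 ;;
    esac
  done
  return 1
}

# check_env_mode MODE -> 0 if the octal mode has no group/other bits, so the
# SMTP credentials in the environment file are readable by root only.
check_env_mode() {
  local mode=$1
  [ $((8#$mode & 8#077)) -eq 0 ]
}

# Live run on the host: queries the real unit and file.
live_check() {
  local folder=${1:-/srv/vaultwarden/data}
  local envfile=${2:-/srv/vaultwarden/private.env}
  local rc=0
  if ! check_rw_paths "$folder" "$(systemctl show vaultwarden -p ReadWritePaths)"; then
    echo "FAIL: $folder is not in the unit's ReadWritePaths" >&2; rc=1
  fi
  if ! check_env_mode "$(stat -c %a "$envfile")"; then
    echo "FAIL: $envfile is readable by group/other" >&2; rc=1
  fi
  return $rc
}

# Only touch systemd when explicitly asked, so the functions can be sourced.
if [ "${1-}" = "--live" ]; then
  live_check "${2-}" "${3-}"
fi
```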