Storing passwords securely with vaultwarden
Running Vaultwarden on The Wobserver isn't so hard thanks to Nixpkgs. Vaultwarden is a self-hosted server that implements the Bitwarden API, so the stock Bitwarden clients and browser extensions work against it.

This is all pretty basic: set up a PostgreSQL DB, set up the service, set up an Nginx frontend. If you set DATA_FOLDER to something custom, however, you need to override the systemd service definition to allow writing to that directory. The NixOS module hardens the unit (ProtectSystem=strict and friends), so the filesystem is read-only to the service except for the paths listed in ReadWritePaths, and a custom DATA_FOLDER isn't one of them. It'll be pretty upset and difficult to debug if you don't do this, ask me how I know…

I also had to set up SMTP configuration to activate my user… Eventually The Wobserver needs to support sending mails like this through AWS or SendGrid or something, but for now I just set up a Fastmail app-password for my account and shoved those in the DB. Yikes.
```nix
{ pkgs, config, ... }:
let
  cfg = config.services.vaultwarden;
in
{
  # Local PostgreSQL database and role; the service connects over the Unix
  # socket with peer auth, so no DB password needs to live anywhere.
  services.postgresql.ensureDatabases = [ "vaultwarden" ];
  services.postgresql.ensureUsers = [
    {
      name = "vaultwarden";
      # Recent nixpkgs releases replaced ensurePermissions with
      # ensureDBOwnership = true; this form is what worked at the time.
      ensurePermissions = {
        "DATABASE vaultwarden" = "ALL PRIVILEGES";
      };
    }
  ];

  services.vaultwarden = {
    enable = true;
    # backupDir = "/srv/vaultwarden/backup"; # only for sqlite
    dbBackend = "postgresql";
    # Everything in `config` is rendered into the systemd unit in the
    # world-readable Nix store, so keep secrets out of it.
    config = {
      # %2Frun%2Fpostgresql is the percent-encoded socket dir /run/postgresql
      DATABASE_URL = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
      DATA_FOLDER = "/srv/vaultwarden/data";
      SIGNUPS_ALLOWED = false;
      SIGNUPS_DOMAINS_WHITELIST = "whatthefuck.computer,rix.si";
      DOMAIN = "https://vault.whatthefuck.computer";
      # Bind to loopback only; Nginx is the sole public entry point.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
    # SMTP credentials (the Fastmail app-password) live here, outside the store.
    environmentFile = "/srv/vaultwarden/private.env";
  };

  # The hardened unit can only write to ReadWritePaths; NixOS merges this list
  # with the module's own, so the custom DATA_FOLDER becomes writable.
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ cfg.config.DATA_FOLDER ];

  # TLS termination (forceSSL / enableACME) is not shown here but is needed
  # for the https DOMAIN above to be honest.
  services.nginx.virtualHosts."vault.whatthefuck.computer" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.config.ROCKET_PORT}";
    };
  };
}
```
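The points that bit me above (a DATA_FOLDER the sandbox can't write, secrets that would leak into the Nix store, the service needing to stay on loopback) are easy to check before a rebuild. Here is an added example, not part of this post's config or of the vaultwarden/nixpkgs projects, that lints a plain-Python mirror of the `services.vaultwarden.config` attribute set together with the `ReadWritePaths` override and the mode of the environment file. It also percent-decodes the `DATABASE_URL` host so the `%2Frun%2Fpostgresql` socket path is visible as `/run/postgresql`. The weak config at the bottom is constructed for illustration only; the finding names and the `check_vaultwarden` function are mine.

```python
"""Offline lint for a Vaultwarden-on-NixOS deployment plan (added example)."""
from ipaddress import ip_address
from urllib.parse import unquote, urlsplit


def parse_database_url(url):
    """Split a Vaultwarden DATABASE_URL into its parts.

    The host is percent-decoded so a Unix-socket directory encoded as
    %2Frun%2Fpostgresql reads as /run/postgresql.
    """
    parts = urlsplit(url)
    userinfo, _, host = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    host = unquote(host)
    return {
        "scheme": parts.scheme,
        "user": user,
        "password": password,  # empty when relying on socket peer auth
        "host": host,
        "database": parts.path.lstrip("/"),
        "unix_socket": host.startswith("/"),
    }


def check_vaultwarden(config, read_write_paths, env_file_mode):
    """Return a list of findings; an empty list means the plan looks sane.

    config:           mirror of services.vaultwarden.config
    read_write_paths: the systemd ReadWritePaths override
    env_file_mode:    permission bits of environmentFile (e.g. 0o600)
    """
    findings = []

    db = parse_database_url(config["DATABASE_URL"])
    if db["password"]:
        findings.append("DATABASE_URL: embeds a password; the config attrset is "
                        "rendered into the world-readable Nix store, use "
                        "environmentFile instead")
    if not db["unix_socket"]:
        findings.append("DATABASE_URL: TCP connection; the local Unix socket "
                        "avoids password auth and network exposure")

    # ProtectSystem=strict leaves only ReadWritePaths writable.
    if config["DATA_FOLDER"] not in read_write_paths:
        findings.append("DATA_FOLDER: %s is not in ReadWritePaths, the service "
                        "will fail to write its data" % config["DATA_FOLDER"])

    try:
        if not ip_address(config["ROCKET_ADDRESS"]).is_loopback:
            findings.append("ROCKET_ADDRESS: not loopback; Vaultwarden would be "
                            "reachable without going through Nginx")
    except ValueError:
        findings.append("ROCKET_ADDRESS: not an IP literal, cannot verify it "
                        "binds to loopback")

    # Vaultwarden defaults to open signups when the key is absent.
    if config.get("SIGNUPS_ALLOWED", True):
        findings.append("SIGNUPS_ALLOWED: anyone who reaches the server can "
                        "create an account")

    if not config["DOMAIN"].startswith("https://"):
        findings.append("DOMAIN: must be https for the clients to work safely")

    if env_file_mode & 0o077:
        findings.append("environmentFile: mode %o is readable by group/other; "
                        "it holds the SMTP credentials" % env_file_mode)

    return findings


# Constructed mirror of the Nix config above.
POST_CONFIG = {
    "DATABASE_URL": "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden",
    "DATA_FOLDER": "/srv/vaultwarden/data",
    "SIGNUPS_ALLOWED": False,
    "SIGNUPS_DOMAINS_WHITELIST": "whatthefuck.computer,rix.si",
    "DOMAIN": "https://vault.whatthefuck.computer",
    "ROCKET_ADDRESS": "127.0.0.1",
    "ROCKET_PORT": 8222,
}

# Constructed weak variant (hypothetical, for contrast): every setting that
# matters is wrong in the way a first attempt tends to be.
WEAK_CONFIG = {
    "DATABASE_URL": "postgresql://vaultwarden:hunter2@127.0.0.1:5432/vaultwarden",
    "DATA_FOLDER": "/srv/vaultwarden/data",
    "SIGNUPS_ALLOWED": True,
    "DOMAIN": "http://vault.example.invalid",
    "ROCKET_ADDRESS": "0.0.0.0",
    "ROCKET_PORT": 8222,
}

if __name__ == "__main__":
    print("post config:", check_vaultwarden(POST_CONFIG, ["/srv/vaultwarden/data"], 0o600))
    for f in check_vaultwarden(WEAK_CONFIG, [], 0o644):
        print("weak config:", f)
```

Run it before `nixos-rebuild`; the post's own config produces no findings, while the weak variant reports all seven problems. The `ReadWritePaths` check is the one that would have saved me the debugging session.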