:PROPERTIES:
:ID: 20230201T121604.003311
:ROAM_ALIASES: vaultwarden
:END:
#+TITLE: Storing passwords securely with vaultwarden
#+ARCOLOGY_KEY: cce/vaultwarden
#+ARCOLOG_ALLOW_CRAWL: t
Running Vaultwarden on [[id:20211120T220054.226284][The Wobserver]] isn't so hard thanks to [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][Nixpkgs]]. This is a self-hosted [[id:20230201T121135.988658][Bitwarden]] server.
This is all pretty basic: set up a [[id:cce/wobserver/postgres][PostgreSQL]] DB, set up the service, set up an [[id:e4998eda-d14a-48ee-9661-3d7d1bead53c][Nginx Frontend]]. One catch: if you set =DATA_FOLDER= to something custom, you also need to override the =systemd= service definition so the (sandboxed) unit is allowed to write to that directory. It'll be pretty upset and difficult to debug if you don't do this, ask me how I know...
I also had to set up =SMTP= configuration to activate my user... Eventually [[id:20211120T220054.226284][The Wobserver]] needs to support sending mail like this through AWS or SendGrid or something, but for now I just created a [[roam:Fastmail]] app-password for my account and shoved it into the DB. Yikes -- that is a live mail credential sitting on the server, so it should be scoped to this one use and rotated when a proper relay exists.
#+ARROYO_NIXOS_MODULE: nixos/vaultwarden.nix
#+ARROYO_SYSTEM_ROLE: server
#+AUTO_TANGLE: t
#+begin_src nix :tangle ~/arroyo-nix/nixos/vaultwarden.nix
{ pkgs, config, ... }:

let
  # Read the values set below back out of the evaluated config so the systemd
  # and nginx stanzas cannot drift from services.vaultwarden.config (one source
  # of truth for the listen port and the data directory).
  vw = config.services.vaultwarden.config;
in
{
  # Local PostgreSQL: a dedicated "vaultwarden" role that owns its own database
  # and nothing else. Authentication is peer auth over the unix socket (see
  # DATABASE_URL), so there is no DB password to leak.
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [
      {
        name = "vaultwarden";
        # NOTE(review): newer nixpkgs deprecate ensurePermissions in favour of
        # ensureDBOwnership = true; use whichever the pinned nixpkgs accepts.
        ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES";
      }
    ];
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # backupDir only applies to the sqlite backend. With PostgreSQL, back up the
    # database (pg_dump) AND DATA_FOLDER (attachments, rsa keys, icon cache).

    # Everything under `config` is rendered by the module into a file in the
    # Nix store, which is readable by every local user: nothing secret belongs
    # here. Secrets (SMTP password, ADMIN_TOKEN, ...) go in environmentFile.
    config = {
      # Unix-socket connection, peer-authenticated as the vaultwarden system user.
      DATABASE_URL = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";

      # Non-default data directory; the hardened unit only gets write access to
      # it through the ReadWritePaths override further down.
      DATA_FOLDER = "/srv/vaultwarden/data";

      # Open registration is off, BUT per vaultwarden's documentation the domain
      # whitelist overrides SIGNUPS_ALLOWED: anyone who can present an address
      # at one of these domains can still create an account on this instance.
      # NOTE(review): consider SIGNUPS_VERIFY = true (needs working SMTP) so an
      # unverified address cannot be used, or drop the whitelist and invite
      # users from the admin panel instead.
      SIGNUPS_ALLOWED = false;
      SIGNUPS_DOMAINS_WHITELIST = "whatthefuck.computer,rix.si";

      # Must match the public URL exactly; clients and WebAuthn use it as the
      # origin, so keep it https and keep it in sync with the nginx vhost below.
      DOMAIN = "https://vault.whatthefuck.computer";

      # Bind to loopback only; nginx is the only thing that should reach Rocket.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };

    # Out-of-store secrets (the Fastmail app password, ADMIN_TOKEN if set).
    # systemd reads this file before dropping privileges, so root:root 0600 is
    # enough; it must not be readable by other local users.
    environmentFile = "/srv/vaultwarden/private.env";
  };

  # The upstream unit restricts which paths are writable, so a custom
  # DATA_FOLDER must be whitelisted explicitly or every write fails at runtime.
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ vw.DATA_FOLDER ];

  # Reverse proxy. The backend is plain HTTP on loopback, so TLS has to be
  # terminated here. As written this vhost sets neither forceSSL nor enableACME --
  # NOTE(review): confirm the shared Nginx Frontend module turns those on for
  # every vhost; if not, add `forceSSL = true; enableACME = true;` here, because
  # DOMAIN above promises https and the clients send the master-password hash.
  services.nginx.virtualHosts."vault.whatthefuck.computer".locations."/".proxyPass =
    "http://127.0.0.1:${toString vw.ROCKET_PORT}";
}
#+end_src