complete-computing-environment/vaultwarden.org


:PROPERTIES:
:ID: 20230201T121604.003311
:ROAM_ALIASES: vaultwarden
:END:
#+TITLE: Storing passwords securely with vaultwarden
#+ARCOLOGY_KEY: cce/vaultwarden
#+ARCOLOG_ALLOW_CRAWL: t
Vaultwarden is a self-hosted, [[id:20230201T121135.988658][Bitwarden]]-compatible server. Running it on [[id:20211120T220054.226284][The Wobserver]] isn't so hard thanks to [[id:c75d20e6-8888-4c5a-ac97-5997e2f1c711][Nixpkgs]].
This is all pretty basic: set up a [[id:cce/wobserver/postgres][PostgreSQL]] DB, set up the service, and set up an [[id:e4998eda-d14a-48ee-9661-3d7d1bead53c][Nginx Frontend]]. If you set =DATA_FOLDER= to something custom, however, you need to extend the =systemd= service definition so the unit's sandbox allows writing to that directory (by default it may only write to its own state directory). Vaultwarden will be pretty upset and difficult to debug if you don't do this; ask me how I know...
I also had to set up =SMTP= configuration to activate my user ... Eventually [[id:20211120T220054.226284][The Wobserver]] needs to support sending mails like this through AWS or SendGrid or something, but for now I just set up a [[roam:Fastmail]] app-password for my account and shoved those in the DB. Yikes.
#+ARROYO_NIXOS_MODULE: nixos/vaultwarden.nix
#+ARROYO_SYSTEM_ROLE: server
#+AUTO_TANGLE: t
#+begin_src nix :tangle ~/arroyo-nix/nixos/vaultwarden.nix
{ pkgs, config, ... }:
let
  cfg = config.services.vaultwarden;
in
{
  # Local PostgreSQL database and role for vaultwarden.
  services.postgresql.ensureDatabases = [ "vaultwarden" ];
  services.postgresql.ensureUsers = [
    {
      name = "vaultwarden";
      # Newer nixpkgs releases replace ensurePermissions with ensureDBOwnership = true.
      ensurePermissions = {
        "DATABASE vaultwarden" = "ALL PRIVILEGES";
      };
    }
  ];
  services.vaultwarden = {
    enable = true;
    # backupDir = "/srv/vaultwarden/backup"; # only for sqlite
    dbBackend = "postgresql";
    config = {
      # Connect over the local Unix socket (%2F is a URL-encoded "/"); no password in the URL.
      DATABASE_URL = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
      DATA_FOLDER = "/srv/vaultwarden/data";
      # Signups are closed except for addresses on the listed domains.
      SIGNUPS_ALLOWED = false;
      SIGNUPS_DOMAINS_WHITELIST = "whatthefuck.computer,rix.si";
      DOMAIN = "https://vault.whatthefuck.computer";
      # Listen on loopback only; nginx is the public entry point.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
    # Secrets (SMTP credentials etc.) stay out of the Nix store.
    environmentFile = "/srv/vaultwarden/private.env";
  };
  # A custom DATA_FOLDER must be explicitly writable under the unit's sandbox.
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ cfg.config.DATA_FOLDER ];
  services.nginx.virtualHosts."vault.whatthefuck.computer" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.config.ROCKET_PORT}";
    };
  };
}
#+end_src
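As an added example (not part of this note or of vaultwarden), the checks below re-validate a constructed copy of the settings above before a rebuild: the custom =DATA_FOLDER= is covered by =ReadWritePaths=, signups stay closed, Rocket stays on loopback behind nginx, and the =DATABASE_URL= uses the local socket without an embedded password. The domain and paths are copied from the block above; everything else is assumed.

```python
"""Sanity checks for a vaultwarden deployment like the one above (added example)."""
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Constructed copy of the settings from the Nix block above.
VW_CONFIG = {
    "DATABASE_URL": "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden",
    "DATA_FOLDER": "/srv/vaultwarden/data",
    "SIGNUPS_ALLOWED": False,
    "DOMAIN": "https://vault.whatthefuck.computer",
    "ROCKET_ADDRESS": "127.0.0.1",
    "ROCKET_PORT": 8222,
}
# Constructed copy of the unit's ReadWritePaths override.
READ_WRITE_PATHS = ["/srv/vaultwarden/data"]


def _covered(path: str, allowed: list[str]) -> bool:
    """True if `path` equals or lies beneath any entry of `allowed`."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(a) or PurePosixPath(a) in p.parents for a in allowed)


def check_config(cfg: dict, rw_paths: list[str]) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if not _covered(cfg["DATA_FOLDER"], rw_paths):
        findings.append("DATA_FOLDER is not writable under the sandbox: add it to ReadWritePaths")
    if cfg.get("SIGNUPS_ALLOWED", True):
        findings.append("SIGNUPS_ALLOWED is on: anyone who reaches the host can register")
    if not cfg["DOMAIN"].startswith("https://"):
        findings.append("DOMAIN is not https: clients would talk to the vault in clear")
    if cfg["ROCKET_ADDRESS"] not in ("127.0.0.1", "::1"):
        findings.append("ROCKET_ADDRESS is not loopback: vaultwarden is reachable around nginx")
    url = urlsplit(cfg["DATABASE_URL"])
    if url.password:
        findings.append("DATABASE_URL embeds a password: keep it in the environment file")
    # %2Frun%2Fpostgresql decodes to /run/postgresql, i.e. the local Unix socket.
    if not unquote(url.hostname or "").startswith("/"):
        findings.append("DATABASE_URL does not use the local PostgreSQL socket")
    return findings


if __name__ == "__main__":
    for finding in check_config(VW_CONFIG, READ_WRITE_PATHS) or ["ok"]:
        print(finding)
```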