Merge pull request #176903 from nh2/vaultwarden-service-better-example

nixos/vaultwarden: Make example more detailed.
Niklas Hambüchen 2022-06-15 01:21:40 +02:00 committed by GitHub
commit 0652ef9a64


@ -62,20 +62,52 @@ in {
default = {}; default = {};
example = literalExpression '' example = literalExpression ''
{ {
domain = "https://bw.domain.tld:8443"; DOMAIN = "https://bitwarden.example.com";
signupsAllowed = true; SIGNUPS_ALLOWED = false;
rocketPort = 8222;
rocketLog = "critical"; # Vaultwarden currently recommends running behind a reverse proxy
# (nginx or similar) for TLS termination, see
# https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
# > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
# > especially if your instance is publicly accessible.
#
# A suitable NixOS nginx reverse proxy example config might be:
#
# services.nginx.virtualHosts."bitwarden.example.com" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}";
# };
# };
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# This example assumes a mailserver running on localhost,
# thus without transport encryption.
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
SMTP_HOST = "127.0.0.1";
SMTP_PORT = 25;
SMTP_SSL = false;
SMTP_FROM = "admin@bitwarden.example.com";
SMTP_FROM_NAME = "example.com Bitwarden server";
} }
''; '';
description = '' description = ''
The configuration of vaultwarden is done through environment variables, The configuration of vaultwarden is done through environment variables,
therefore the names are converted from camel case (e.g. disable2FARemember) therefore it is recommended to use upper snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>).
to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
However, camel case (e.g. <literal>disable2FARemember</literal>) is also supported:
The NixOS module will convert it automatically to
upper case snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>).
In this conversion digits (0-9) are handled just like upper case characters, In this conversion digits (0-9) are handled just like upper case characters,
so foo2 would be converted to FOO_2. so <literal>foo2</literal> would be converted to <envar>FOO_2</envar>.
Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, Names already in this format remain unchanged, so <literal>FOO2</literal> remains <literal>FOO2</literal> if passed as such,
even though foo2 would have been converted to FOO_2. even though <literal>foo2</literal> would have been converted to <envar>FOO_2</envar>.
This allows working around any potential future conflicting naming conventions. This allows working around any potential future conflicting naming conventions.
Based on the attributes passed to this config option an environment file will be generated Based on the attributes passed to this config option an environment file will be generated
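Review bot: the nginx snippet in the comment only resolves if the user spells the port in upper snake case: `proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}";` reads the raw option value, while the description below says camel-case keys such as `rocketPort` are still accepted and converted by the module when the environment file is generated, so `config.services.vaultwarden.config.ROCKET_PORT` does not exist for a user who wrote `rocketPort = 8222;`. Either state in the comment that the reference assumes the upper-snake-case spelling, or hard-code the port in the example. It would also help to say explicitly that `ROCKET_ADDRESS = "127.0.0.1";` is what keeps the plaintext Rocket listener off the network once TLS is terminated in nginx; as written, the quoted hardening advice and the address setting are not connected for the reader.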
@ -83,13 +115,16 @@ in {
The available configuration options can be found in The available configuration options can be found in
<link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>.
See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how
to set up access to the Admin UI to invite initial users.
''; '';
}; };
environmentFile = mkOption { environmentFile = mkOption {
type = with types; nullOr path; type = with types; nullOr path;
default = null; default = null;
example = "/root/vaultwarden.env"; example = "/var/lib/vaultwarden.env";
description = '' description = ''
Additional environment file as defined in <citerefentry> Additional environment file as defined in <citerefentry>
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
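Review bot: the new cross-reference (`See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how to set up access to the Admin UI`) sends the reader to `environmentFile` for the admin token but does not say why `ADMIN_TOKEN` should not simply be set under `config` like the other variables; one sentence stating that `config` is for non-secret settings and that the file generated from it is not a place for secrets would prevent that mistake. Also, since the type is `nullOr path` and the example is the quoted string `"/var/lib/vaultwarden.env"`, the description should warn that the value must be given as a string: an unquoted Nix path literal such as `/var/lib/vaultwarden.env` is copied into the Nix store at evaluation time, which would expose the token to every local user.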
@ -100,6 +135,23 @@ in {
Note that this file needs to be available on the host on which Note that this file needs to be available on the host on which
<literal>vaultwarden</literal> is running. <literal>vaultwarden</literal> is running.
As a concrete example, to make the Admin UI available
(from which new users can be invited initially),
the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described
<link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>.
Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal>
and ensuring permissions with e.g.
<literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal>
(the <literal>vaultwarden</literal> user will only exist after activating with
<literal>enable = true;</literal> before this), we can set the contents of the file to have
contents such as:
<programlisting>
# Admin secret token, see
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
ADMIN_TOKEN=...copy-paste a unique generated secret token here...
</programlisting>
''; '';
}; };
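Review bot: `chown vaultwarden:vaultwarden /var/lib/vaultwarden.env` (the command under "ensuring permissions with e.g.") changes ownership but not mode; a file created by root is commonly 0644, so the admin token would remain readable by every local user. Suggest adding `chmod 600 /var/lib/vaultwarden.env` (or creating the file under `umask 077`) next to the chown. The parenthetical "(the vaultwarden user will only exist after activating with enable = true; before this)" is hard to parse; reword along the lines of "note that the vaultwarden user only exists once the module has been activated with enable = true, so run the chown after the first switch". "we can set the contents of the file to have contents such as:" repeats "contents", and the placeholder `ADMIN_TOKEN=...copy-paste a unique generated secret token here...` could say how to generate the value, e.g. with `openssl rand -base64 48` as the linked wiki page suggests.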