Merge pull request #176903 from nh2/vaultwarden-service-better-example
nixos/vaultwarden: Make example more detailed.
This commit is contained in:
commit
0652ef9a64
|
@ -62,20 +62,52 @@ in {
|
||||||
default = {};
|
default = {};
|
||||||
example = literalExpression ''
|
example = literalExpression ''
|
||||||
{
|
{
|
||||||
domain = "https://bw.domain.tld:8443";
|
DOMAIN = "https://bitwarden.example.com";
|
||||||
signupsAllowed = true;
|
SIGNUPS_ALLOWED = false;
|
||||||
rocketPort = 8222;
|
|
||||||
rocketLog = "critical";
|
# Vaultwarden currently recommends running behind a reverse proxy
|
||||||
|
# (nginx or similar) for TLS termination, see
|
||||||
|
# https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
|
||||||
|
# > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
|
||||||
|
# > especially if your instance is publicly accessible.
|
||||||
|
#
|
||||||
|
# A suitable NixOS nginx reverse proxy example config might be:
|
||||||
|
#
|
||||||
|
# services.nginx.virtualHosts."bitwarden.example.com" = {
|
||||||
|
# enableACME = true;
|
||||||
|
# forceSSL = true;
|
||||||
|
# locations."/" = {
|
||||||
|
# proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
ROCKET_ADDRESS = "127.0.0.1";
|
||||||
|
ROCKET_PORT = 8222;
|
||||||
|
|
||||||
|
ROCKET_LOG = "critical";
|
||||||
|
|
||||||
|
# This example assumes a mailserver running on localhost,
|
||||||
|
# thus without transport encryption.
|
||||||
|
# If you use an external mail server, follow:
|
||||||
|
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
|
||||||
|
SMTP_HOST = "127.0.0.1";
|
||||||
|
SMTP_PORT = 25;
|
||||||
|
SMTP_SSL = false;
|
||||||
|
|
||||||
|
SMTP_FROM = "admin@bitwarden.example.com";
|
||||||
|
SMTP_FROM_NAME = "example.com Bitwarden server";
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
description = ''
|
description = ''
|
||||||
The configuration of vaultwarden is done through environment variables,
|
The configuration of vaultwarden is done through environment variables,
|
||||||
therefore the names are converted from camel case (e.g. disable2FARemember)
|
therefore it is recommended to use upper snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>).
|
||||||
to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
|
|
||||||
|
However, camel case (e.g. <literal>disable2FARemember</literal>) is also supported:
|
||||||
|
The NixOS module will convert it automatically to
|
||||||
|
upper case snake case (e.g. <envar>DISABLE_2FA_REMEMBER</envar>).
|
||||||
In this conversion digits (0-9) are handled just like upper case characters,
|
In this conversion digits (0-9) are handled just like upper case characters,
|
||||||
so foo2 would be converted to FOO_2.
|
so <literal>foo2</literal> would be converted to <envar>FOO_2</envar>.
|
||||||
Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such,
|
Names already in this format remain unchanged, so <literal>FOO2</literal> remains <literal>FOO2</literal> if passed as such,
|
||||||
even though foo2 would have been converted to FOO_2.
|
even though <literal>foo2</literal> would have been converted to <envar>FOO_2</envar>.
|
||||||
This allows working around any potential future conflicting naming conventions.
|
This allows working around any potential future conflicting naming conventions.
|
||||||
|
|
||||||
Based on the attributes passed to this config option an environment file will be generated
|
Based on the attributes passed to this config option an environment file will be generated
|
||||||
|
@ -83,13 +115,16 @@ in {
|
||||||
|
|
||||||
The available configuration options can be found in
|
The available configuration options can be found in
|
||||||
<link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>.
|
<link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>.
|
||||||
|
|
||||||
|
See <xref linkend="opt-services.vaultwarden.environmentFile" /> for how
|
||||||
|
to set up access to the Admin UI to invite initial users.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
environmentFile = mkOption {
|
environmentFile = mkOption {
|
||||||
type = with types; nullOr path;
|
type = with types; nullOr path;
|
||||||
default = null;
|
default = null;
|
||||||
example = "/root/vaultwarden.env";
|
example = "/var/lib/vaultwarden.env";
|
||||||
description = ''
|
description = ''
|
||||||
Additional environment file as defined in <citerefentry>
|
Additional environment file as defined in <citerefentry>
|
||||||
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
|
<refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum>
|
||||||
|
@ -100,6 +135,23 @@ in {
|
||||||
|
|
||||||
Note that this file needs to be available on the host on which
|
Note that this file needs to be available on the host on which
|
||||||
<literal>vaultwarden</literal> is running.
|
<literal>vaultwarden</literal> is running.
|
||||||
|
|
||||||
|
As a concrete example, to make the Admin UI available
|
||||||
|
(from which new users can be invited initially),
|
||||||
|
the secret <envar>ADMIN_TOKEN</envar> needs to be defined as described
|
||||||
|
<link xlink:href="https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page">here</link>.
|
||||||
|
Setting <literal>environmentFile</literal> to <literal>/var/lib/vaultwarden.env</literal>
|
||||||
|
and ensuring permissions with e.g.
|
||||||
|
<literal>chown vaultwarden:vaultwarden /var/lib/vaultwarden.env</literal>
|
||||||
|
(the <literal>vaultwarden</literal> user will only exist after activating with
|
||||||
|
<literal>enable = true;</literal> before this), we can set the contents of the file to have
|
||||||
|
contents such as:
|
||||||
|
|
||||||
|
<programlisting>
|
||||||
|
# Admin secret token, see
|
||||||
|
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
|
||||||
|
ADMIN_TOKEN=...copy-paste a unique generated secret token here...
|
||||||
|
</programlisting>
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue