56 lines
1.4 KiB
Nix
56 lines
1.4 KiB
Nix
{config, ...}: let
|
|
vaultPort = 8222;
|
|
in {
|
|
age.secrets = {
|
|
"vaultwarden.env".file = ../secrets/vaultwarden.env;
|
|
"hidden_service/vaultwarden".file = ../secrets/hidden_service/vaultwarden;
|
|
};
|
|
|
|
services = {
|
|
vaultwarden = {
|
|
enable = true;
|
|
config = {
|
|
DOMAIN = "https://vault.distrust.network";
|
|
ROCKET_PORT = vaultPort;
|
|
};
|
|
environmentFile = config.age.secrets."vaultwarden.env".path;
|
|
};
|
|
borgbackup.jobs."vaultwarden" = {
|
|
repo = "ssh://u506783@u506783.your-storagebox.de:23/./vaultwarden";
|
|
environment = {
|
|
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
|
|
};
|
|
paths = [
|
|
"/var/lib/vaultwarden"
|
|
];
|
|
encryption = {
|
|
mode = "keyfile";
|
|
passCommand = "cat ${config.age.secrets."borg_pass".path}";
|
|
};
|
|
compression = "auto,lzma";
|
|
startAt = "daily";
|
|
prune.keep = {
|
|
daily = 7;
|
|
weekly = 4;
|
|
monthly = -1;
|
|
};
|
|
};
|
|
};
|
|
|
|
distrust.services."vaultwarden" = {
|
|
url = "https://vault.distrust.network";
|
|
onion = {
|
|
url = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
|
|
secretKey = config.age.secrets."hidden_service/vaultwarden".path;
|
|
};
|
|
virtualHostConfig = ''
|
|
reverse_proxy localhost:${toString vaultPort}
|
|
'';
|
|
backup = {
|
|
enable = true;
|
|
paths = [
|
|
"/var/lib/vaultwarden"
|
|
];
|
|
};
|
|
};
|
|
}
|