# Vaultwarden container module: Postgres-backed instance with OIDC single
# sign-on provided by the "auth" container. Networking helpers come from the
# project-level `tools` attribute set.
{ pkgs, config, tools, ... }:
let
  name = "vault";
  vault = config.my-lxc.vault;
  secrets = import ./_vw_secrets.nix;
  masterEmail = config.globals.master.email;

  # Hostnames / addresses are derived through the shared helpers so they stay
  # consistent with the other containers.
  vaultHost = tools.build_hostname name;
  authHost = tools.build_hostname "auth";
  dbHost = tools.build_ip "db";
  dbPassword = vault.db.password;
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";

    # NOTE(review): the values under `config` are rendered into a generated
    # environment file; on NixOS that file presumably lands in the world-readable
    # store, so `dbPassword` and the OIDC client secret would be readable by any
    # local user. `services.vaultwarden.environmentFile` is the option intended
    # for secrets -- confirm how this deployment protects them.
    config = {
      # NOTE(review): with the admin token disabled, /admin is reachable without
      # any authentication at the application layer. This is only safe if a
      # reverse proxy or network policy restricts that path -- verify.
      DISABLE_ADMIN_TOKEN = true;

      # Listen on all interfaces inside the container; the port is taken from
      # the per-container settings.
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = vault.system.port;
      DOMAIN = "https://${vaultHost}";
      WEB_VAULT_ENABLED = true;

      # Account policy: no open signups, invitations only, org creation limited
      # to the master account.
      SIGNUPS_ALLOWED = false;
      INVITATIONS_ENABLED = true;
      ORG_CREATION_USERS = masterEmail;

      # Database role and database name both equal the container name.
      DATABASE_URL = "postgresql://${name}:${dbPassword}@${dbHost}:5432/${name}";

      # --- OIDC / SSO ---------------------------------------------------------
      SSO_ENABLED = true;
      # SSO_AUTH_ONLY_NOT_SESSION = true;
      SSO_AUTHORITY = "https://${authHost}/application/o/vaultwarden/";
      SSO_CLIENT_ID = secrets.oidc_client_id;
      SSO_CLIENT_SECRET = secrets.oidc_secret_id;
      SSO_SCOPES = "openid profile email offline_access";
      # Do not trust the IdP's email_verified claim being absent; unknown
      # verification state is rejected.
      SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
      SSO_CLIENT_CACHE_EXPIRATION = 0;
      # Disable email + master-password login entirely; SSO is mandatory.
      SSO_ONLY = true;
      # First SSO login is linked to an existing account by email address.
      SSO_SIGNUPS_MATCH_EMAIL = true;
    };
  };
}