homelab/config/vault-vaultwarden.nix
# NixOS module for the "vault" LXC: a Vaultwarden instance backed by the
# shared postgres container, with OIDC login delegated to the "auth" host.
{
  pkgs, # unused here, kept so the module argument pattern is unchanged
  config,
  tools,
  ...
}:
let
  # The container name doubles as the postgres role and database name.
  container = "vault";
  vaultCfg = config.my-lxc.vault;

  vaultHost = tools.build_hostname container;
  authHost = tools.build_hostname "auth";
  dbHost = tools.build_ip "db";
  dbPassword = vaultCfg.db.password;

  # OIDC client credentials for the "auth" provider.
  oidc = import ./_vw_secrets.nix;

  # NOTE(review): everything assigned under services.vaultwarden.config is
  # rendered into the Nix store, which is world-readable on the host, so the
  # DB password and the OIDC client secret below are not confidential there.
  # The module's services.vaultwarden.environmentFile option exists for
  # keeping such values out of the store; confirm how this host is deployed
  # before relying on these literals.
  dbUrl = "postgresql://${container}:${dbPassword}@${dbHost}:5432/${container}";
in
{
  services.vaultwarden.enable = true;
  services.vaultwarden.dbBackend = "postgresql";

  services.vaultwarden.config = {
    # NOTE(review): with the admin token disabled the /admin page is reachable
    # without its own credential; only acceptable if something in front of
    # the service authenticates that path -- confirm the reverse-proxy setup.
    DISABLE_ADMIN_TOKEN = true;

    # Listen on all interfaces of the container; the port comes from the
    # per-LXC configuration.
    ROCKET_ADDRESS = "0.0.0.0";
    ROCKET_PORT = vaultCfg.system.port;
    DOMAIN = "https://${vaultHost}";

    # Account provisioning: no open signups, invitations and org creation
    # restricted to the master user.
    SIGNUPS_ALLOWED = false;
    INVITATIONS_ENABLED = true;
    ORG_CREATION_USERS = config.globals.master.email;
    WEB_VAULT_ENABLED = true;

    DATABASE_URL = dbUrl;

    # --- OIDC single sign-on ---------------------------------------------
    SSO_ENABLED = true;
    # SSO_AUTH_ONLY_NOT_SESSION = true;
    SSO_AUTHORITY = "https://${authHost}/application/o/vaultwarden/";
    SSO_CLIENT_ID = oidc.oidc_client_id;
    SSO_CLIENT_SECRET = oidc.oidc_secret_id;
    SSO_SCOPES = "openid profile email offline_access";
    # Do not trust email addresses the provider has not marked as verified.
    SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
    SSO_CLIENT_CACHE_EXPIRATION = 0;
    SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
    SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email

    # --- Outbound mail ----------------------------------------------------
    # NOTE(review): SMTP_SECURITY = "off" sends mail to the relay in
    # plaintext; presumably acceptable because the relay is on the local
    # network -- verify that assumption holds for this host.
    SMTP_HOST = "192.168.68.33";
    SMTP_PORT = "25";
    SMTP_SECURITY = "off";
    SMTP_FROM = "home@m0rel.eu";
  };
}