homelab/config/vault-vaultwarden.nix
Xavier Morel 7844849b1b
feat: add Authentik config for vaultwarden OAuth
2026-05-28 20:40:47 +02:00


{
  pkgs,
  config,
  tools,
  ...
}:
let
  # Container name; reused as the PostgreSQL role and database name.
  name = "vault";
  # Per-container settings supplied by the project's `my-lxc` module.
  vaultCfg = config.my-lxc.vault;
  # OIDC client credentials live in a sibling Nix file
  # (presumably kept out of version control — verify).
  oidc = import ./_vw_secrets.nix;
  # Addresses come from the project's naming helpers rather than literals.
  vaultHost = tools.build_hostname name;
  authHost = tools.build_hostname "auth";
  dbHost = tools.build_ip "db";
  # Connection string for the shared PostgreSQL container.
  # NOTE(review): this embeds the DB password; see the note on `config` below.
  dbUrl = "postgresql://${name}:${vaultCfg.db.password}@${dbHost}:5432/${name}";
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";

    # Key/value pairs handed to Vaultwarden as environment variables.
    # NOTE(review): the NixOS module renders this set into a file in the Nix
    # store, which is world-readable; the DB password and SSO_CLIENT_SECRET
    # would be safer delivered through `services.vaultwarden.environmentFile`
    # from a non-store path — confirm how this host manages secrets.
    config = {
      # --- HTTP listener ---------------------------------------------------
      # Bind every interface inside the container; presumably a reverse proxy
      # terminates TLS for DOMAIN in front of it — verify it is the only ingress.
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = vaultCfg.system.port;
      DOMAIN = "https://${vaultHost}";
      WEB_VAULT_ENABLED = true;

      # --- Admin panel -----------------------------------------------------
      # NOTE(review): with the admin token disabled, /admin carries no
      # authentication of its own — confirm the proxy restricts that path, or
      # set ADMIN_TOKEN (argon2 PHC hash) instead of disabling it.
      DISABLE_ADMIN_TOKEN = true;

      # --- Account creation ------------------------------------------------
      # No open registration: users arrive via invitation (or the SSO
      # email-matching below). Only the master account may create orgs.
      SIGNUPS_ALLOWED = false;
      INVITATIONS_ENABLED = true;
      ORG_CREATION_USERS = config.globals.master.email;

      # --- Database --------------------------------------------------------
      DATABASE_URL = dbUrl;

      # --- OIDC / SSO via Authentik ----------------------------------------
      SSO_ENABLED = true;
      # SSO drives authentication only, not Vaultwarden session lifetime
      # (per the option name; confirm against the Vaultwarden docs).
      SSO_AUTH_ONLY_NOT_SESSION = true;
      # Authentik's OAuth2 provider issuer for the `vaultwarden` application;
      # OIDC discovery runs against this URL.
      SSO_AUTHORITY = "https://${authHost}/application/o/vaultwarden/";
      SSO_CLIENT_ID = oidc.oidc_client_id;
      SSO_CLIENT_SECRET = oidc.oidc_secret_id;
      SSO_SCOPES = "openid profile email offline_access";
      # Require the IdP to assert `email_verified`; unverified email claims are
      # not trusted. This matters because email matching below links accounts.
      SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
      # 0 = do not cache the SSO client configuration (per the option name;
      # verify against Vaultwarden's .env.template).
      SSO_CLIENT_CACHE_EXPIRATION = 0;
      # Keep email + master-password login alongside SSO; set to true to make
      # SSO the only login path.
      SSO_ONLY = false;
      # First SSO login is linked to the existing account with the same email.
      # NOTE(review): this makes the IdP's email claim the account-link key —
      # it relies on the verified-email requirement above and on Authentik
      # being fully trusted to issue correct email claims.
      SSO_SIGNUPS_MATCH_EMAIL = true;
    };
  };
}