43 lines
1.3 KiB
Nix
43 lines
1.3 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
tools,
|
|
...
|
|
}:
|
|
let
|
|
container = "vault";
|
|
hostname = tools.build_hostname container;
|
|
db_host = tools.build_ip "db";
|
|
db_password = config.my-lxc.vault.db.password;
|
|
oidc = import ./_vw_secrets.nix;
|
|
auth_host = tools.build_hostname "auth";
|
|
in
|
|
{
|
|
services.vaultwarden = {
|
|
enable = true;
|
|
config = {
|
|
DISABLE_ADMIN_TOKEN = true;
|
|
ROCKET_ADDRESS = "0.0.0.0";
|
|
ROCKET_PORT = config.my-lxc.vault.system.port;
|
|
DOMAIN = "https://${hostname}";
|
|
SIGNUPS_ALLOWED = false;
|
|
DATABASE_URL = "postgresql://${container}:${db_password}@${db_host}:5432/${container}";
|
|
WEB_VAULT_ENABLED = true;
|
|
INVITATIONS_ENABLED = true;
|
|
ORG_CREATION_USERS = config.globals.master.email;
|
|
|
|
SSO_ENABLED = true;
|
|
SSO_AUTH_ONLY_NOT_SESSION = true;
|
|
SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
|
|
SSO_CLIENT_ID = oidc.oidc_client_id;
|
|
SSO_CLIENT_SECRET = oidc.oidc_secret_id;
|
|
SSO_SCOPES = "openid profile email offline_access";
|
|
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
|
|
SSO_CLIENT_CACHE_EXPIRATION = 0;
|
|
SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
|
|
SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
|
|
};
|
|
dbBackend = "postgresql";
|
|
};
|
|
}
|