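{ config, pkgs, lib, ... }:
# NixOS module exposing a small `services.password-manager` option surface on
# top of the built-in `services.vaultwarden` module.
let
  cfg = config.services.password-manager;
  inherit (lib) mkIf mkOption types;

  # Render `extraConfig` into the upstream `services.vaultwarden.config` attrset.
  # Booleans become the literal strings "true"/"false" (a bare `toString true`
  # yields "1" and `toString false` yields ""), ints/ports are stringified, and
  # null entries are dropped so that null means "leave this variable unset"
  # rather than "set it to the empty string".
  renderExtraConfig = extra:
    lib.mapAttrs (_: value:
      if value == true then "true"
      else if value == false then "false"
      else toString value
    ) (lib.filterAttrs (_: value: value != null) extra);
in
{
  options.services.password-manager = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the password manager service (Vaultwarden)";
    };

    domain = mkOption {
      type = types.str;
      default = "pass.lagraula.fr";
      description = "Domain name for the Vaultwarden instance";
    };

    port = mkOption {
      type = types.port;
      default = 8080;
      description = "HTTP port for the Vaultwarden web interface";
    };

    # NOTE(review): declared but not consumed anywhere in this module; the data
    # location is left to the upstream module's defaults. Confirm intent before
    # relying on this option.
    dataDir = mkOption {
      type = types.str;
      default = "/var/lib/vaultwarden";
      description = "Data directory for Vaultwarden persistent state";
    };

    dbBackend = mkOption {
      type = types.enum [ "sqlite" "mysql" "postgresql" ];
      default = "sqlite";
      description = "Database backend type";
    };

    # The file is handed to systemd as an EnvironmentFile (see `environmentFile`
    # below), so it must contain `ADMIN_TOKEN=<token>`, not the bare token.
    adminTokenFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to an environment file providing the admin token for the /admin
        panel as a line of the form `ADMIN_TOKEN=<token>`.
        Use agenix or sops-nix to provide this file securely; only the path is
        referenced here, so the token itself stays out of the Nix store.
      '';
    };

    # Open registration: anyone who can reach the instance can create an
    # account. Consider disabling once the intended users are enrolled.
    signupsAllowed = mkOption {
      type = types.bool;
      default = true;
      description = "Allow new user registration";
    };

    extraConfig = mkOption {
      type = types.attrsOf (types.nullOr (types.oneOf [ types.bool types.str types.int types.port ]));
      default = { };
      description = "Additional Vaultwarden config options as attribute set (mapped to env vars; null entries are omitted)";
    };
  };

  config = mkIf cfg.enable {
    # Delegate to the built-in NixOS vaultwarden module.
    services.vaultwarden = {
      enable = true;
      package = pkgs.vaultwarden;
      webVaultPackage = pkgs.vaultwarden-webvault;
      inherit (cfg) dbBackend;

      # Supplied through systemd's EnvironmentFile so the token never appears in
      # the generated config. Previously this was merged in with `//`, which
      # replaced the whole `config` attrset below (dropping DOMAIN, PORT and
      # SIGNUPS_ALLOWED) whenever an admin token file was set; `mkIf` only
      # touches this one attribute and leaves it null otherwise.
      environmentFile = mkIf (cfg.adminTokenFile != null) cfg.adminTokenFile;

      # extraConfig is merged last so it can override the generated defaults.
      config = {
        DOMAIN = "https://${cfg.domain}";
        PORT = cfg.port;
        SIGNUPS_ALLOWED = cfg.signupsAllowed;
      } // renderExtraConfig cfg.extraConfig;
    };

    # Expose the HTTP listener. NOTE(review): DOMAIN advertises https, but the
    # port opened here serves plain HTTP on whatever address vaultwarden binds
    # to; if a reverse proxy on this host terminates TLS, the port can stay
    # closed and the listener bound to loopback via extraConfig.ROCKET_ADDRESS.
    networking.firewall = mkIf config.services.vaultwarden.enable {
      allowedTCPPorts = [ cfg.port ];
    };
  };
}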