recipes.nix/modules/vaultwarden.nix
Adithya Nair 7238eee1c2
Some checks failed
Build and Push to Cachix / Push to Binary Cache (aarch64) (push) Failing after 1m19s
Build and Push to Cachix / Push to Binary Cache (X86-64) (push) Successful in 5m37s
add vaultwarden recipe
2024-11-29 22:59:50 +05:30

97 lines
2.9 KiB
Nix

{ config, lib, pkgs, ... }:
let
cfg = config.recipes.vaultwarden;
in
{
meta.maintainers = with lib.maintainers; [ adtya ];
options.recipes.vaultwarden = {
enable = lib.mkEnableOption "vaultwarden";
environment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = "Vaultwarden is configured using environment variables";
default = { };
example = { RUST_BACKTRACE = true; };
};
environmentFiles = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = null;
example = [ "/etc/vaultwarden/env_file" ];
description = "Files containing additional environment variables in the form KEY=VALUE";
};
package = lib.mkPackageOption pkgs "vaultwarden" { };
};
config = lib.mkIf (cfg.enable == true) {
systemd.services.vaultwarden = {
description = "Vaultwarden Server";
documentation = [ "https://github.com/dani-garcia/vaultwarden" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = cfg.environment;
serviceConfig = {
Type = "notify";
DynamicUser = true;
EnvironmentFile = cfg.environmentFiles;
AmbientCapabilities = [ "" ];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateIPC = true;
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "@resources" ] ++ [
"~@clock"
"~@debug"
"~@module"
"~@mount"
"~@reboot"
"~@swap"
"~@cpu-emulation"
"~@obsolete"
"~@timer"
"~@chown"
"~@setuid"
"~@privileged"
"~@keyring"
"~@ipc"
];
SystemCallErrorNumber = "EPERM";
StateDirectory = "vaultwarden";
StateDirectoryMode = "0700";
RuntimeDirectory = "vaultwarden";
RuntimeDirectoryMode = "0700";
UMask = "0077";
ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 10;
StartLimitBurst = 5;
};
};
};
}