Adding vaultwarden

2025-10-15 04:18:07 +02:00 · 2025-10-15 04:18:07 +02:00 · 331b403a74
commit 331b403a74
parent 9e23ce9d90
5 changed files with 43 additions and 0 deletions
--- a/modules/server/giovanni/default.nix
+++ b/modules/server/giovanni/default.nix
@ -0,0 +1,35 @@
+{ config, lib, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+
+    environmentFile = config.age.secrets.giovanni-env.path;
+    config = {
+      ROCKET_PORT = 44301;
+      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
+    };
+  };
+
+  systemd.services.vaultwarden = {
+    path = [ "/run/wrappers" ];
+    serviceConfig = {
+      NoNewPrivileges = lib.mkForce false;
+      PrivateUsers = lib.mkForce false;
+      SystemCallFilter = lib.mkForce [ "@system-service" ];
+      RestrictAddressFamilies = [
+        "AF_LOCAL"
+        "AF_NETLINK"
+      ];
+      ReadWritePaths = [ "/var/spool/mail/" ];
+    };
+  };
+
+  age.secrets = {
+    giovanni-env = {
+      file = ../../../secrets/zora/services/giovanni-env.age;
+    };
+  };
+}
+