# NixOS module: Vaultwarden on PostgreSQL, with the systemd sandbox loosened
# so the service can reach the host's sendmail wrapper.
{ config, lib, ... }:

let
  inherit (lib) mkForce;
in
{
  # Encrypted environment file for the service; only the .age file is
  # referenced here, the decrypted path is consumed by environmentFile below.
  age.secrets.giovanni-env.file = ../../../secrets/zora/services/giovanni-env.age;

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";

    # Secret settings are read from the decrypted age secret rather than
    # being written into `config` below.
    environmentFile = config.age.secrets.giovanni-env.path;

    config = {
      ROCKET_PORT = 44301;
      # Mail is handed to the sendmail binary in the wrapper directory.
      # NOTE(review): USE_SENDMAIL is not set in this file; presumably it
      # comes from the environment file. Confirm.
      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
    };
  };

  systemd.services.vaultwarden = {
    path = [ "/run/wrappers" ];

    serviceConfig = {
      # The three mkForce overrides below replace values set elsewhere for
      # this unit (presumably the upstream module's hardening). They look
      # required for the privileged sendmail wrapper, but they widen what a
      # compromised vaultwarden process can do. Confirm each is still needed.

      # With this off, setuid/setgid binaries executed by the service can
      # gain privileges again.
      NoNewPrivileges = mkForce false;

      # Service sees the host's real users and groups instead of a private
      # user namespace.
      PrivateUsers = mkForce false;

      # Forced to this single group, so any additional filter entries
      # defined for the unit elsewhere are discarded.
      # TODO confirm nothing such as a "~@privileged" deny entry is lost
      # unintentionally.
      SystemCallFilter = mkForce [ "@system-service" ];

      # Not forced; presumably merged with whatever address families the
      # unit already allows. Verify with `systemctl show`.
      RestrictAddressFamilies = [ "AF_LOCAL" "AF_NETLINK" ];

      # Mail spool and postfix maildrop queue must be writable for local
      # submission.
      ReadWritePaths = [
        "/var/spool/mail/"
        "/var/lib/postfix/queue/maildrop/"
      ];
    };
  };
}