Table of Contents
Defined in /modules/services/vaultwarden.nix.
This NixOS module is a service that sets up a Vaultwarden Server.
Access through subdomain using reverse proxy.
Access through HTTPS using reverse proxy.
Automatic setup of Redis database for caching.
Backup of the data directory through the backup contract.
Tests /admin can only be accessed when authenticated with SSO.
Access to advanced options not exposed here thanks to how NixOS modules work.
All the secrets should be readable by the vaultwarden user.
Secrets should not be stored in the nix store. If you’re using
sops-nix and assuming your secrets file is located at
./secrets.yaml, you can define a secret with:
sops.secrets."vaultwarden/db" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "vaultwarden";
group = "postgres";
restartUnits = [ "vaultwarden.service" ];
};
Then you can use that secret:
shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
To protect the /admin endpoint, we use SSO.
This requires the SSL, LDAP and SSO block to be configured.
Follow those links first if needed.
let
domain = <...>;
in
shb.vaultwarden = {
enable = true;
inherit domain;
subdomain = "vaultwarden";
ssl = config.shb.certs.certs.letsencrypt.${domain};
port = 8222;
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
smtp = {
host = "smtp.eu.mailgun.org";
port = 587;
username = "postmaster@mg.${domain}";
from_address = "authelia@${domain}";
passwordFile = config.sops.secrets."vaultwarden/smtp".path;
};
};
sops.secrets."vaultwarden/db" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "vaultwarden";
group = "postgres";
restartUnits = [ "vaultwarden.service" "postgresql.service" ];
};
sops.secrets."vaultwarden/smtp" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "vaultwarden";
group = "vaultwarden";
restartUnits = [ "vaultwarden.service" ];
};
Integration with the ZFS block allows to automatically create the relevant datasets.
shb.zfs.datasets."vaultwarden" = config.shb.vaultwarden.mount;
shb.zfs.datasets."postgresql".path = "/var/lib/postgresql";
Backing up Vaultwarden using the Restic block is done like so:
shb.restic.instances."vaultwarden" = {
request = config.shb.vaultwarden.backup;
settings = {
enable = true;
};
};
The name "vaultwarden" in the instances can be anything.
The config.shb.vaultwarden.backup option provides what directories to backup.
You can define any number of Restic instances to backup Vaultwarden multiple times.
No command-line tool is provided to administer Vaultwarden.
Instead, the admin section can be found at the /admin endpoint.
In case of an issue, check the logs of the vaultwarden.service systemd service.
Enable verbose logging by setting the shb.vaultwarden.debug boolean to true.
Access the database with sudo -u vaultwarden psql.
shb.vaultwarden.enable
Whether to enable selfhostblocks.vaultwarden.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.authEndpoint
OIDC endpoint for SSO
Type: null or string
Default:
null
Example:
"https://authelia.example.com"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup
Backup configuration. This is an output option.
Use it to initialize a block implementing the “backup” contract. For example, with the restic block:
shb.restic.instances."vaultwarden" = {
request = config.shb.vaultwarden.backup;
settings = {
enable = true;
};
};
Type: submodule (read only)
Default:
{
sourceDirectories = [
"/var/lib/vaultwarden"
];
user = "vaultwarden";
}
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.excludePatterns
File patterns to exclude.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.hooks
Hooks to run around the backup.
Type: submodule
Default:
{ }
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.hooks.after_backup
Hooks to run after backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.hooks.before_backup
Hooks to run before backup.
Type: list of string
Default:
[ ]
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.sourceDirectories
Directories to backup.
Type: non-empty (list of string)
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.backup.user
Unix user doing the backups.
Type: string
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword
File containing the Vaultwarden database password.
Type: submodule
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.request.group
Linux group owning the secret file.
Type: string
Default:
"postgres"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.request.mode
Mode of the secret file.
Type: string
Default:
"0440"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.request.owner
Linux user owning the secret file.
Type: string
Default:
"vaultwarden"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"vaultwarden.service"
"postgresql.service"
]
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.databasePassword.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.debug
Set to true to enable debug logging.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.domain
domain under which Authelia will be served.
Type: string
Example:
"mydomain.com"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.mount
Mount configuration. This is an output option.
Use it to initialize a block implementing the “mount” contract. For example, with a zfs dataset:
shb.zfs.datasets."vaultwarden" = {
poolName = "root";
} // config.shb.vaultwarden.mount;
Type: anything (read only)
Default:
{
path = "/var/lib/vaultwarden";
}
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.mount.path
Path to be mounted.
Type: string
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.port
Port on which vaultwarden service listens.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8222
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp
SMTP options.
Type: null or (submodule)
Default:
null
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.auth_mechanism
Auth mechanism.
Type: value “Login” (singular enum)
Default:
"Login"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.from_address
SMTP address from which the emails originate.
Type: string
Example:
"vaultwarden@mydomain.com"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.from_name
SMTP name from which the emails originate.
Type: string
Default:
"Vaultwarden"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.host
SMTP host to send the emails to.
Type: string
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password
File containing the password to connect to the SMTP host.
Type: submodule
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.request.owner
Linux user owning the secret file.
Type: string
Default:
"vaultwarden"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"vaultwarden.service"
]
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.password.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.port
SMTP port to send the emails to.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
25
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.security
Security expected by SMTP host.
Type: one of “starttls”, “force_tls”, “off”
Default:
"starttls"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.smtp.username
Username to connect to the SMTP host.
Type: string
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.ssl
Path to SSL files
Type: null or (anything)
Default:
null
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.ssl.paths
Paths where the files for the certificate will be located.
This option is the contract output of the shb.certs.certs SSL block.
Type: anything
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.ssl.paths.cert
Path to the cert file.
Type: path
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.ssl.paths.key
Path to the key file.
Type: path
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.ssl.systemdService
Systemd oneshot service used to generate the certificate. Ends with the .service suffix.
Use this if downstream services must wait for the certificates to be generated before starting.
Type: string
Example:
"cert-generator.service"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|
shb.vaultwarden.subdomain
Subdomain under which Authelia will be served.
Type: string
Example:
"ha"
Declared by:
<selfhostblocks/modules/services/vaultwarden.nix>
|