{ config, ... }: { users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ]; services.vaultwarden = { enable = true; environmentFile = "/run/secrets/services/vaultwarden/.env"; config = { DOMAIN = "https://vault.lewd.wtf"; SIGNUPS_ALLOWED = false; SIGNUPS_VERIFY = true; INVITATIONS_ALLOWED = false; WEBSOCKET_ENABLED = true; WEBSOCKET_PORT = 3012; ROCKET_PORT = 8222; }; }; services.nginx.clientMaxBodySize = "128M"; services.nginx.virtualHosts."vault.lewd.wtf" = { enableACME = false; forceSSL = false; locations."/" = { proxyPass = "http://127.0.0.1:8222"; proxyWebsockets = true; # needed if you need to use WebSocket extraConfig = "proxy_set_header Host $host;" + "proxy_set_header X-Real-IP $remote_addr;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + "proxy_set_header X-Forwarded-Proto $scheme;" ; }; locations."/notifications/hub/negotiate" = { proxyPass = "http://127.0.0.1:8222"; proxyWebsockets = true; # needed if you need to use WebSocket extraConfig = "proxy_set_header Host $host;" + "proxy_set_header X-Real-IP $remote_addr;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + "proxy_set_header X-Forwarded-Proto $scheme;" ; }; locations."/notifications/hub" = { proxyPass = "http://127.0.0.1:3012"; proxyWebsockets = true; # needed if you need to use WebSocket extraConfig = "proxy_set_header Host $host;" + "proxy_set_header X-Real-IP $remote_addr;" + "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;" + "proxy_set_header X-Forwarded-Proto $scheme;" ; }; }; }