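# NixOS module: Vaultwarden password manager at pass.hackens.org, served
# through an nginx reverse proxy with an ACME-issued TLS certificate.
#
# Exposure model: only nginx (80/443) is reachable from the network; the
# Vaultwarden HTTP and websocket listeners are bound to loopback and are
# reached exclusively through the proxy.
{ pkgs, ... }:
{
  security.acme = {
    # Contact address registered with the ACME CA (expiry/revocation notices).
    defaults.email = "hackens@clipper.ens.fr";
    acceptTerms = true;
  };

  services.vaultwarden = {
    enable = true;

    config = {
      # Public base URL; must match the nginx virtual host below.
      DOMAIN = "https://pass.hackens.org";

      # Main HTTP listener, loopback only.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 10501;

      # Notification websocket listener. Vaultwarden's default bind address
      # for it is 0.0.0.0, so pin it to loopback like ROCKET_ADDRESS instead
      # of relying on the firewall alone to keep port 10500 private.
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "127.0.0.1";
      WEBSOCKET_PORT = 10500;

      # Registration is limited to these e-mail domains, and the address
      # must be verified before the account can be used.
      SIGNUPS_DOMAINS_WHITELIST = "ens.fr,ens.psl.eu";
      SIGNUPS_VERIFY = true;

      # NOTE(review): confirm this directory is the service's state directory
      # on this host and is not world-readable; the log holds client
      # addresses and failed-login records.
      LOG_FILE = "/var/lib/bitwarden_rs/logfile";
    };

    # Extra settings are loaded at service start from a file outside the Nix
    # store, so their values do not end up world-readable in /nix/store.
    # NOTE(review): presumably this holds secrets such as the admin token;
    # confirm the file is owned by root and not group/other readable.
    environmentFile = "/etc/secrets/vaultwarden.env";
  };

  services.nginx = {
    enable = true;

    virtualHosts."pass.hackens.org" = {
      # Redirect plain HTTP to HTTPS; certificate obtained via ACME.
      forceSSL = true;
      enableACME = true;

      # Upstreams use the literal 127.0.0.1 rather than "localhost":
      # "localhost" may also resolve to ::1, where nothing listens because
      # both Vaultwarden listeners are bound to the IPv4 loopback address.
      #
      # NOTE(review): no X-Real-IP / X-Forwarded-For header is set in this
      # module. Unless services.nginx.recommendedProxySettings is enabled
      # elsewhere, Vaultwarden will see every client as 127.0.0.1, which
      # weakens its per-IP login rate limiting and makes the log useless for
      # tracing failed logins. Confirm against the rest of the configuration.
      locations."/" = {
        proxyPass = "http://127.0.0.1:10501";
        proxyWebsockets = true;
      };

      # Websocket notifications go to the dedicated websocket port ...
      locations."/notifications/hub" = {
        proxyPass = "http://127.0.0.1:10500";
        proxyWebsockets = true;
      };

      # ... except the negotiate endpoint, which the main HTTP listener serves.
      locations."/notifications/hub/negotiate" = {
        proxyPass = "http://127.0.0.1:10501";
        proxyWebsockets = true;
      };
    };
  };

  # Only the reverse proxy is opened in the firewall (80 is needed for the
  # HTTPS redirect and ACME HTTP validation). Ports 10500/10501 stay closed.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
}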