vaultwarden: enable SSO

wo2wz 2026-01-12 19:13:39 -05:00
parent 586af7a61f
commit 3a9c4c11d4
3 changed files with 43 additions and 23 deletions


@ -1,7 +1,10 @@
{ config, ... }:
{
sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
sops.secrets = {
"vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
"kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];
};
services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig =
assert config.services.caddy.enable;
@ -23,6 +26,12 @@
IP_HEADER = "X-Forwarded-For";
SIGNUPS_ALLOWED = false;
SSO_ENABLED = true;
SSO_ONLY = true;
SSO_CLIENT_ID = "vaultwarden";
SSO_AUTHORITY = "https://kanidm.wo2wz.fyi/oauth2/openid/vaultwarden";
SSO_SCOPES = "openid email profile offline_access";
SSO_CLIENT_CACHE_EXPIRATION = 600;
TRASH_AUTO_DELETE_DAYS = 30;
};
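Review bot: `SSO_ONLY = true` in the second hunk makes the Kanidm instance at `SSO_AUTHORITY` the only way to log in, and nothing visible here records how access is recovered if that IdP is unreachable or misconfigured. A comment such as `# SSO_ONLY: all logins go through kanidm; set to false temporarily for break-glass access` would state the dependency for whoever operates this host. `SSO_CLIENT_SECRET` is also not set in these lines. It is presumably supplied from the `kanidm/oauth2/vaultwarden` sops secret that the first hunk wires to `restartUnits`, but that path is outside the hunk, so a short comment naming where the secret is injected (and confirming it stays out of the world-readable Nix store) would make this reviewable. The settings attrset starts and the secret consumer sits outside the visible lines, so both points should be checked against the full file.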