rm coredns and step-ca. use hs extra dns records. resolve vaultwarden

hosts/rx4/services/vaultwarden.nix

@@ -6,6 +6,7 @@
 
 let
   inherit (constants) domain;
+  inherit (constants.hosts.rx4) ip;
   inherit (constants.services.vaultwarden) fqdn port;
 in
 {
@@ -21,6 +22,7 @@ in
     environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
 
     config = {
+      ENABLE_WEBSOCKET = true;
       SIGNUPS_ALLOWED = false;
 
       SMTP_FROM = "vaultwarden@${domain}";
@@ -30,12 +32,50 @@ in
       SMTP_SECURITY = "starttls";
       SMTP_USERNAME = "vaultwarden@${domain}";
 
-      ROCKET_ADDRESS = "0.0.0.0";
+      ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_PORT = port;
       ROCKET_LOG = "critical";
     };
   };
 
+  services.nginx.virtualHosts."${fqdn}" = {
+    useACMEHost = "pw-custom";
+    forceSSL = true;
+    listen = [
+      {
+        addr = "${ip}:443";
+        ssl = true;
+      }
+    ];
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+      };
+      "= /notifications/alerts" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+      "= /notifications/hub" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${domain}";
+    certs."pw-custom" = {
+      domain = fqdn;
+      dnsProvider = "hetzner";
+      dnsResolver = "1.1.1.1:53";
+      credentialFiles = {
+        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+      };
+      group = "nginx";
+    };
+  };
+
   sops =
     let
       owner = config.users.users.vaultwarden.name;
@@ -50,6 +90,11 @@ in
         "vaultwarden/smtp-password" = {
           inherit owner group mode;
         };
+        hetzner-api-key = {
+          inherit mode;
+          owner = "acme";
+          group = "acme";
+        };
       };
       templates = {
         "vaultwarden/env-file" = {