add vaultwarden

hosts/rx4/services/default.nix

@@ -19,9 +19,10 @@
     ./print-server.nix
     ./rss-bridge.nix
     ./rsshub-oci.nix
-    # ./webdav.nix # FIXME
+    ./vaultwarden.nix
 
     # ./alditalk-extender.nix # FIXME
+    # ./webdav.nix # FIXME
   ];
 
   # bootstrap

hosts/rx4/services/vaultwarden.nix

@@ -0,0 +1,68 @@
+{
+  constants,
+  config,
+  lib,
+  ...
+}:
+
+let
+  inherit (constants) domain;
+  inherit (constants.services.vaultwarden) fqdn port;
+  inherit (lib) mkForce;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+
+    dbBackend = "postgresql";
+    configurePostgres = true;
+
+    configureNginx = true;
+    domain = fqdn;
+
+    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
+
+    config = {
+      SIGNUPS_ALLOWED = false;
+
+      SMTP_FROM = "vaultwarden@${domain}";
+      SMTP_FROM_NAME = "${domain} Vaultwarden server";
+      SMTP_HOST = "mail@${domain}";
+      SMTP_PORT = 587;
+      SMTP_SECURITY = "starttls";
+      SMTP_USERNAME = "vaultwarden@${domain}";
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = port;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
+
+  sops =
+    let
+      owner = config.users.users.vaultwarden.name;
+      group = config.users.groups.vaultwarden.name;
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "vaultwarden/admin-token" = {
+          inherit owner group mode;
+        };
+        "vaultwarden/smtp-password" = {
+          inherit owner group mode;
+        };
+      };
+      templates = {
+        "vaultwarden/env-file" = {
+          inherit owner group mode;
+          content = ''
+            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
+            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
+          '';
+        };
+      };
+    };
+}