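# NixOS module: Vaultwarden behind nginx.
#
# Layout established in this file:
#   - vaultwarden itself listens on plain HTTP on loopback only (ROCKET_ADDRESS);
#   - nginx on ${ip}:443 terminates TLS with the "pw-custom" ACME certificate and
#     reverse-proxies to vaultwarden, including the two websocket endpoints;
#   - ADMIN_TOKEN and SMTP_PASSWORD come from sops secrets rendered into an
#     environment file that only the vaultwarden user can read (mode 0400).
{ constants, config, ... }:
let
  inherit (constants) domain;
  inherit (constants.hosts.rx4) ip;
  inherit (constants.services.vaultwarden) fqdn port;

  # One definition of the upstream so the three proxied locations cannot drift apart.
  upstream = "http://127.0.0.1:${toString port}";
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    configurePostgres = true;
    # nginx is configured by hand below (custom listen address and shared ACME cert).
    configureNginx = false;
    domain = fqdn;
    # NOTE(review): written as a list here; confirm the nixpkgs revision in use accepts
    # a list for services.vaultwarden.environmentFile (historically a single path).
    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
    config = {
      ENABLE_WEBSOCKET = true;
      # No self-service registration: accounts are created via the admin panel or invites.
      SIGNUPS_ALLOWED = false;
      SMTP_FROM = "vaultwarden@${domain}";
      SMTP_FROM_NAME = "${domain} Vaultwarden server";
      SMTP_HOST = constants.hosts.sid.ip;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = "vaultwarden@${domain}";
      # Loopback only: TLS is terminated by nginx and vaultwarden must not be reachable directly.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      ROCKET_LOG = "critical";
    };
  };

  services.nginx.virtualHosts."${fqdn}" = {
    useACMEHost = "pw-custom";
    forceSSL = true;
    # Bound to the host's own address only; no :80 listener is declared here.
    # NOTE(review): forceSSL's HTTP->HTTPS redirect needs a non-ssl listen entry to be
    # reachable — confirm the generated config, or use onlySSL if no redirect is intended.
    listen = [ { addr = "${ip}:443"; ssl = true; } ];
    locations = {
      "/" = { proxyPass = upstream; };
      # Websocket endpoints need the Upgrade/Connection headers forwarded.
      "= /notifications/alerts" = { proxyPass = upstream; proxyWebsockets = true; };
      "= /notifications/hub" = { proxyPass = upstream; proxyWebsockets = true; };
    };
  };

  security.acme.certs."pw-custom" = {
    domain = fqdn;
    # The certificate is consumed by nginx, not by vaultwarden (which speaks plain HTTP on
    # loopback and never loads it), so a renewal must make nginx pick up the new files
    # rather than restart the vaultwarden backend. try-reload-or-restart is a no-op when
    # nginx is not running, so a renewal cannot fail on that account.
    postRun = "systemctl try-reload-or-restart nginx.service";
    # nginx needs read access to the key material.
    group = "nginx";
  };

  sops =
    let
      owner = config.users.users.vaultwarden.name;
      group = config.users.groups.vaultwarden.name;
      # Read-only for the service user; nothing else on the host can read the secrets.
      mode = "0400";
    in
    {
      secrets = {
        # NOTE(review): vaultwarden accepts ADMIN_TOKEN as an argon2 PHC hash (see
        # `vaultwarden hash`); consider storing the hash here rather than the plaintext token.
        "vaultwarden/admin-token" = { inherit owner group mode; };
        "vaultwarden/smtp-password" = { inherit owner group mode; };
      };
      templates = {
        # Rendered at activation with the decrypted values substituted for the placeholders;
        # one KEY=value per line as required by systemd's EnvironmentFile= format.
        "vaultwarden/env-file" = {
          inherit owner group mode;
          content = ''
            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
          '';
        };
      };
    };
}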