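{ constants, config, ... }:
let
  inherit (constants) domain;
  inherit (constants.hosts.rx4) ip;
  inherit (constants.services.vaultwarden) fqdn port;

  # Single upstream for every location below; Vaultwarden is bound to the
  # loopback interface (ROCKET_ADDRESS) so nginx is its only way in.
  backend = "http://127.0.0.1:${toString port}";

  # Because the backend only ever sees connections from 127.0.0.1, nginx must
  # forward the real client address or Vaultwarden attributes every request to
  # localhost.  Upstream documents that Vaultwarden takes the client IP from the
  # header named by IP_HEADER (default "X-Real-IP") for its login/admin rate
  # limiting and for the address written to its log lines, so without these
  # headers the throttling is shared by all clients and log-based blocking
  # (e.g. fail2ban) cannot tell clients apart.  They are set in each location
  # rather than once at server level because a `proxy_set_header` inside a
  # location (which proxyWebsockets emits) replaces every inherited one.
  proxyHeaders = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  '';
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    configurePostgres = true;
    # The vhost is declared by hand below (IP-pinned listener, shared ACME cert).
    configureNginx = false;
    domain = fqdn;
    # Secrets (admin token, SMTP password) are injected via a sops template so
    # they never end up in the world-readable Nix store.
    # NOTE(review): upstream nixpkgs declares environmentFile as a single path,
    # not a list — confirm the module in use accepts a list here.
    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
    config = {
      ENABLE_WEBSOCKET = true;
      # No open registration; accounts are created through invitations / the
      # admin panel (INVITATIONS_ALLOWED is left at its default here).
      SIGNUPS_ALLOWED = false;
      SMTP_FROM = "vaultwarden@${domain}";
      SMTP_FROM_NAME = "${domain} Vaultwarden server";
      # NOTE(review): STARTTLS to a bare IP means the mail server's certificate
      # must be valid for that IP (or be otherwise trusted) — confirm mail
      # delivery actually succeeds rather than silently failing.
      SMTP_HOST = constants.hosts.sid.ip;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = "vaultwarden@${domain}";
      # Loopback only: the service is reachable solely through the nginx vhost.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      # Quiets the Rocket framework's own logging; Vaultwarden's application
      # log level (LOG_LEVEL) is separate and left at its default.
      ROCKET_LOG = "critical";
    };
  };

  services.nginx.virtualHosts."${fqdn}" = {
    useACMEHost = "pw-custom";
    forceSSL = true;
    # Only a TLS listener on this host's address is declared, so nothing is
    # served on :80 — there is no plaintext redirect, which is fine as long as
    # that is the intent.
    listen = [ { addr = "${ip}:443"; ssl = true; } ];
    # NOTE(review): Vaultwarden's documented nginx example raises
    # client_max_body_size for attachment/Send uploads; nginx defaults to 1M.
    # Consider also restricting /admin at the proxy (allow/deny) to trusted
    # networks as defence in depth for the admin token — not done here because
    # the trusted ranges are not known from this file.
    locations = {
      "/" = {
        proxyPass = backend;
        extraConfig = proxyHeaders;
      };
      "= /notifications/alerts" = {
        proxyPass = backend;
        proxyWebsockets = true;
        extraConfig = proxyHeaders;
      };
      # WebSocket endpoint; served on the same port since ENABLE_WEBSOCKET.
      "= /notifications/hub" = {
        proxyPass = backend;
        proxyWebsockets = true;
        extraConfig = proxyHeaders;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";
    certs."pw-custom" = {
      domain = fqdn;
      # DNS-01 via the Hetzner API: no :80 challenge listener is needed, which
      # is why the vhost above can be TLS-only.  The API token can change every
      # record in the zone, so it is kept in sops and readable only by acme.
      dnsProvider = "hetzner";
      # Propagation is checked against a public resolver, not the local one.
      dnsResolver = "1.1.1.1:53";
      credentialFiles = {
        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
      };
      # nginx workers must be able to read the key material.
      group = "nginx";
    };
  };

  sops =
    let
      owner = config.users.users.vaultwarden.name;
      group = config.users.groups.vaultwarden.name;
      mode = "0400";
    in
    {
      secrets = {
        # NOTE(review): the admin token should be the Argon2 PHC string produced
        # by `vaultwarden hash`, not the plaintext token — anyone who can read
        # the env file otherwise holds the admin credential directly. Confirm.
        "vaultwarden/admin-token" = { inherit owner group mode; };
        "vaultwarden/smtp-password" = { inherit owner group mode; };
        hetzner-api-key = {
          inherit mode;
          owner = "acme";
          group = "acme";
        };
      };
      templates = {
        # Rendered at activation time under /run/secrets; owned by the service
        # user and unreadable by anyone else.
        "vaultwarden/env-file" = {
          inherit owner group mode;
          content = ''
            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
          '';
        };
      };
    };
}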