sid.ovh/hosts/rx4/services/vaultwarden.nix
sid 27492ea730
rm step-ca and coredns
2026-05-17 23:01:56 +02:00


# NixOS module: Vaultwarden on host rx4.
#
# Vaultwarden itself binds only to loopback; nginx on the host's own address
# terminates TLS (certificate "pw-custom") and proxies to it. The admin token
# and SMTP password never enter the Nix store: sops renders them into an
# environment file that only the vaultwarden service user can read.
{
  constants,
  config,
  ...
}:
let
  inherit (constants) domain;
  inherit (constants.hosts.rx4) ip;
  inherit (constants.services.vaultwarden) fqdn port;

  # Name of the ACME certificate shared by the nginx vhost and the cert entry.
  certName = "pw-custom";

  # Sender / SMTP login identity used for outgoing mail.
  mailAddress = "vaultwarden@${domain}";

  # Where nginx reaches the local Vaultwarden instance (plain HTTP, loopback only).
  upstream = "http://127.0.0.1:${toString port}";

  # Location block for the websocket notification endpoints.
  websocketLocation = {
    proxyPass = upstream;
    proxyWebsockets = true;
  };

  # Ownership/permissions applied to every sops secret and template below:
  # owner-read-only, owned by the vaultwarden service user and group.
  secretPerms = {
    owner = config.users.users.vaultwarden.name;
    group = config.users.groups.vaultwarden.name;
    mode = "0400";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    configurePostgres = true;
    # nginx is configured by hand below rather than by the vaultwarden module.
    configureNginx = false;
    domain = fqdn;
    # Secrets (ADMIN_TOKEN, SMTP_PASSWORD) come from the sops-rendered env file.
    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
    config = {
      ENABLE_WEBSOCKET = true;
      # Closed registration: accounts are created by the admin only.
      SIGNUPS_ALLOWED = false;
      SMTP_FROM = mailAddress;
      SMTP_FROM_NAME = "${domain} Vaultwarden server";
      SMTP_HOST = constants.hosts.sid.ip;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = mailAddress;
      # Loopback only: the service is never reachable except through nginx.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      # Rocket framework log level (Vaultwarden's own LOG_LEVEL is not set here).
      ROCKET_LOG = "critical";
    };
  };

  services.nginx.virtualHosts.${fqdn} = {
    useACMEHost = certName;
    forceSSL = true;
    # Only HTTPS on the host's own address; no port-80 listener is declared here.
    listen = [
      {
        addr = "${ip}:443";
        ssl = true;
      }
    ];
    locations = {
      "/".proxyPass = upstream;
      "= /notifications/alerts" = websocketLocation;
      "= /notifications/hub" = websocketLocation;
    };
  };

  security.acme.certs.${certName} = {
    domain = fqdn;
    # NOTE(review): TLS terminates at nginx and the proxy talks plain HTTP to
    # Vaultwarden, so it is not clear what Vaultwarden needs from the renewed
    # certificate — confirm this restart is still required.
    postRun = "systemctl restart vaultwarden.service";
    # nginx must be able to read the key material.
    group = "nginx";
  };

  sops = {
    secrets = {
      "vaultwarden/admin-token" = secretPerms;
      "vaultwarden/smtp-password" = secretPerms;
    };
    templates."vaultwarden/env-file" = secretPerms // {
      # Rendered at activation time with the decrypted values substituted in.
      content = ''
        ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
      '';
    };
  };
}