153 current 2025-10-09 12:27:20 25.05.20251006.20c4598 6.12.50 *

modules/homelab/services/vaultwarden/default.nix

@@ -1,105 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.modules.services.vaultwarden;
-  ids = 2771;
-  default_port = 8000;
-  data_dir = "/var/lib/vaultwarden";
-  domain = https://pass.blakedheld.xyz;
-in
-{
-  options.modules.services.vaultwarden = {
-    enable = lib.mkEnableOption "enables vaultwarden";
-
-    # set port options
-    port = lib.mkOption {
-      type = lib.types.int;
-      default = 7701;
-      description = "set port for vaultwarden (default: ${toString default_port}";
-    };
-
-    backup = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = "enable backups for vaultwarden";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    
-    # declare vaultwarden group
-    users.groups.vaultwarden = { gid = ids; };
-
-    # declare vaultwarden user
-    users.users.vaultwarden = {
-      description = "vaultwarden server user";
-      uid = ids;
-      isSystemUser = true;
-      home = "/var/lib/vaultwarden";
-      createHome = true;
-      group = "vaultwarden";
-      extraGroups = [ "media" ];
-    };
-
-    # enable the vaultwarden service
-    services.vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = domain;
-        ROCKET_ADDRESS = "0.0.0.0";
-        ROCKET_PORT = cfg.port;
-        SIGNUPS_ALLOWED = true;
-#        ADMIN_TOKEN = "yuh";
-        ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
-        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
-          # The following flags are available:
-          # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-          # - "autofill-v2": Use the new autofill implementation.
-          # - "browser-fileless-import": Directly import credentials from other providers without a file.
-          # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
-          # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-          # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-          # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
-          # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
-      };
-    };
-
-    # override umask to make permissions work out
-    systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
-
-#    # open firewall
-#    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
-    # internal reverse proxy entry
-    services.nginx.virtualHosts."pass.snowbelle.lan" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-     # external reverse proxy entry
-     services.nginx.virtualHosts."pass.blakedheld.xyz" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-
-    sops.secrets = {
-      "vaultwarden_admin_token" = {
-        owner = "vaultwarden";
-        group = "vaultwarden";
-        path = "/home/blake/.nix/.keyring/vaultwarden_admin_token";
-      };
-    };
-
-     # add to backups
-     modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
-    };
-}