{ pkgs, config, lib, ... }: let cfg = config.modules.services.vaultwarden; ids = 2771; default_port = 7701; data_dir = "/var/lib/vaultwarden"; in { options.modules.services.vaultwarden = { enable = lib.mkEnableOption "enables vaultwarden"; # set port options port = lib.mkOption { type = lib.types.int; default = cfg.default_port; description = "set port for vaultwarden (default: ${toString default_port}"; }; backup = lib.mkOption { type = lib.types.bool; default = true; description = "enable backups for vaultwarden"; }; }; config = lib.mkIf cfg.enable { # declare vaultwarden group users.groups.vaultwarden = { gid = ids; }; # declare vaultwarden user users.users.vaultwarden = { description = "vaultwarden server user"; uid = ids; isSystemUser = true; home = "/var/lib/vaultwarden"; createHome = true; group = "vaultwarden"; extraGroups = [ "media" ]; }; # enable the vaultwarden service services.vaultwarden = { enable = true; }; # override umask to make permissions work out systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; }; # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; # internal reverse proxy entry services.nginx.virtualHosts."pass.snowbelle.lan" = { enableACME = false; forceSSL = true; sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; # external reverse proxy entry services.nginx.virtualHosts."vaultwarden.blakedheld.xyz" = { enableACME = false; forceSSL = true; sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; # add to backups modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; }; }; }