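{ pkgs, config, lib, ... }:
let
  service = "vaultwarden";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
  # Public hostname: used for the external reverse-proxy vhosts and, with the
  # https scheme, as vaultwarden's DOMAIN.
  external_host = "pass.blakedheld.xyz";
  domain = "https://${external_host}";
in
{
  options.modules.services.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # Port the Rocket HTTP server listens on; also the default uid/gid below.
    port = lib.mkOption {
      type = lib.types.int;
      default = 7701;
      description = "set port for ${service} (default: 7701)";
    };

    url = lib.mkOption {
      type = lib.types.str;
      default = "pass.${homelab.base_domain}";
      description = "set domain for ${service}";
    };

    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };

    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };

    # Previously hard-coded to true; exposed so open registration can be turned
    # off once the intended accounts exist (the instance is reachable from the
    # public hostname).
    signups = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "allow open account registration on ${service} (SIGNUPS_ALLOWED)";
    };

    # Previously always opened; exposed because only the plain-HTTP direct
    # access (glance check-url) needs it — the reverse proxies talk to
    # 127.0.0.1 and do not.
    open_firewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "open the plain-HTTP port of ${service} in the firewall";
    };
  };

  config = lib.mkIf cfg.enable {
    # Dedicated group; gid forced so it matches cfg.ids regardless of what the
    # upstream vaultwarden module declares.
    users.groups.${service} = {
      gid = lib.mkForce cfg.ids;
    };

    # Dedicated user. NOTE(review): data_dir is only used as this user's home
    # and as the backup path; it is not passed to vaultwarden as DATA_FOLDER,
    # so changing it from the default will not move the vault data — confirm.
    users.users.${service} = {
      description = "${service} server user";
      uid = lib.mkForce cfg.ids;
      isSystemUser = true;
      home = cfg.data_dir;
      createHome = true;
      group = "${service}";
      extraGroups = [ ];
    };

    # enable the vaultwarden service
    services.${service} = {
      enable = true;

      # The admin token is a secret and must not be set through `config`:
      # the NixOS module renders `config` into a file in the world-readable
      # Nix store, and the former `ADMIN_TOKEN = <path of the sops secret>`
      # made the literal path string the admin token. `environmentFile` is the
      # supported way to inject it. The sops secret therefore has to contain a
      # complete environment line, e.g.
      #   ADMIN_TOKEN=<token-or-argon2-hash>   (placeholder)
      # If the file holds only the bare token, systemd ignores the line and
      # the admin panel simply stays disabled.
      environmentFile = sec."${service}_admin_token".path;

      config = {
        DOMAIN = domain;
        # Binds every interface so the direct check-url below is reachable;
        # that path is plain HTTP and bypasses the TLS proxies.
        ROCKET_ADDRESS = "0.0.0.0";
        ROCKET_PORT = cfg.port;
        SIGNUPS_ALLOWED = cfg.signups;
        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
        # The following flags are available:
        # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
        # - "autofill-v2": Use the new autofill implementation.
        # - "browser-fileless-import": Directly import credentials from other providers without a file.
        # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
        # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
        # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
        # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
        # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
      };
    };

    # Override the unit umask so files the service creates are group-accessible
    # (original intent: "make permissions work out").
    systemd.services.${service}.serviceConfig = {
      UMask = lib.mkForce "0007";
    };

    # Open the plain-HTTP port only when asked to.
    networking.firewall.allowedTCPPorts = lib.optional cfg.open_firewall cfg.port;

    # Internal (cfg.url) and external (external_host) nginx entries share one
    # TLS + proxy definition.
    # NOTE(review): both nginx and caddy vhosts are declared here; presumably
    # only one proxy is enabled elsewhere — confirm, or they will compete for 443.
    services.nginx.virtualHosts =
      let
        vhost = {
          forceSSL = true;
          sslCertificate = sec."ssl_blakedheld_crt".path;
          sslCertificateKey = sec."ssl_blakedheld_key".path;
          locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
        };
      in
      {
        "${cfg.url}" = vhost;
        "${external_host}" = vhost;
      };

    # add to caddy for reverse proxy
    services.caddy.virtualHosts."${cfg.url}" = {
      serverAliases = [ external_host ];
      extraConfig = ''
        tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
        reverse_proxy http://127.0.0.1:${toString cfg.port}
      '';
    };

    # add to glance; check-url/error-url go straight to the service port
    # (assumes glance can reach host_ip:port — see open_firewall).
    modules.services.glance.links.services = [{
      title = service;
      url = "https://pass.${homelab.public_domain}";
      error-url = "http://${homelab.host_ip}:${toString cfg.port}";
      check-url = "http://${homelab.host_ip}:${toString cfg.port}";
      icon = "di:${service}";
    }];

    # Secret consumed via services.<service>.environmentFile above.
    sops.secrets."${service}_admin_token" = {
      owner = "${service}";
      group = "${service}";
    };

    # add to backups; previously unconditional, so the `backup` option had no
    # effect.
    modules.system.backups.baks = lib.mkIf cfg.backup {
      ${service} = {
        paths = [ cfg.data_dir ];
      };
    };
  };
}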