From 4891f0964aa73e81ff1cbf85eef4e3f0bbf762af Mon Sep 17 00:00:00 2001
From: pazpi
Date: Fri, 29 Nov 2024 16:11:55 +0100
Subject: [PATCH] WIP: Add Vaultwarden service

---
 modules/services/default.nix | 1 +
 modules/services/vaultwarden.nix | 69 +++++++++++++++++++++++++++++++
 secrets.nix | 1 +
 secrets/vaultwarden-admin-pwd.age | 11 +++++
 4 files changed, 82 insertions(+)
 create mode 100644 modules/services/vaultwarden.nix
 create mode 100644 secrets/vaultwarden-admin-pwd.age

diff --git a/modules/services/default.nix b/modules/services/default.nix
index 21fc177..679de8d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./media-mgr.nix
 ./nextcloud.nix
+ ./vaultwarden.nix
 ];
 }
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..33df8af
--- /dev/null
+++ b/modules/services/vaultwarden.nix
@@ -0,0 +1,69 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.my.services.vaultwarden;
+ user = config.users.users.vaultwarden.name;
+ group = config.users.groups.vaultwarden.name;
+in
+{
+
+ options.my.services.vaultwarden = {
+ enable = lib.mkEnableOption "Enable Vaultwarden module";
+
+ proxy = {
+ enable = lib.mkEnableOption "Set the proxy entry for this service";
+
+ domain = lib.mkOption {
+ default = "example.com";
+ type = lib.types.str;
+ description = ''
+ The domain where Caddy is reachable
+ '';
+ };
+
+ host = lib.mkOption {
+ default = "localhost";
+ type = lib.types.str;
+ description = ''
+ host name where the service is running
+ '';
+ };
+
+ };
+ };
+
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+
+ age.secrets.vaultwarden-admin-pwd.file = ../../secrets/vaultwarden-admin-pwd.age;
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = config.age.secrets.vaultwarden-admin-pwd.path;
+ config = {
+ DOMAIN = "https://vault.${cfg.proxy.domain}";
+ SENDS_ALLOWED = true;
+ SIGNUPS_ALLOWED = false;
+ WEBSOCKET_ENABLED = true;
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ })
+
+ (lib.mkIf cfg.proxy.enable {
+ services.caddy = with cfg.proxy; {
+ virtualHosts."vault.${domain}".extraConfig = ''
+ reverse_proxy http://${host}:80
+ import cloudflare
+ '';
+ };
+ })
+ ];
+}
diff --git a/secrets.nix b/secrets.nix
index 9d9e1fa..2f1f76d 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -12,6 +12,7 @@ let
 bazarr-apiKey = [ machines.metrics ];
 grafana-admin-pwd = [ machines.metrics ];
 nextcloud-admin-pwd = [ machines.nextcloud ];
+ vaultwarden-admin-pwd = [ machines.vaultwarden ];
 };
 in
 builtins.listToAttrs (
diff --git a/secrets/vaultwarden-admin-pwd.age b/secrets/vaultwarden-admin-pwd.age
new file mode 100644
index 0000000..3531356
--- /dev/null
+++ b/secrets/vaultwarden-admin-pwd.age
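Review bot: The Caddy virtual host in the `cfg.proxy.enable` branch proxies to `http://${host}:80`, while the service configured just above it listens on `ROCKET_PORT = 8222`, so with the default `host = "localhost"` nothing in this module answers where the proxy points; unless something else on that host forwards port 80, the line should read `reverse_proxy http://${host}:8222`. `ROCKET_ADDRESS = "0.0.0.0"` also puts the plain-HTTP listener on every interface even though the proxy is expected on the same host by default; binding to `127.0.0.1`, or deriving the bind address from `cfg.proxy.host`, keeps the unencrypted port off the network. The `user` and `group` bindings in the `let` are never referenced and can be dropped. `dbBackend = "postgresql"` is set but no `DATABASE_URL` appears in `config`; presumably it is provided by the environment file, which deserves a comment on the `environmentFile` line naming which variables that file is expected to supply. If the secret is the admin token, Vaultwarden accepts an argon2 PHC hash for `ADMIN_TOKEN` (generated with `vaultwarden hash`), which avoids keeping the plaintext value in the environment file.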
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 wVuNWQ sEhh9IloX2y//QoLoT4EMKku9xzZHIt4ZR27OEmd6n0 +H5JKqRUVW0pPKQ9oNm3XMA8+pjmzHo/g98P4fuuyiB0 +-> ssh-ed25519 Si3UKw cTVv8lCl6k184gC/oqnrfQ+C4y2zSDG+L8GfcUMjrSs +fgSgMm4Aeh3CI7MmpeHfioGklZ9MiprQFxSHB0hNyAw +-> ssh-ed25519 3UG3uw ZDGGoEGY8AtPuG6XXQlR5G0EsU/73tP/C+efcXVrrBg +ZLZeoDM6b/g0VWU4QmVaCTZMJPZpFHRrmgElN9EzP9c +-> ssh-ed25519 JEhtoQ Qq+Kq/I1Vm3zsfWHExSqdTaBIOGnKhiS1sRwCwLqoCI +hgeSSlvnT7/K1RPneCEqR8FB9U+WCpyBqmY1lX/HgLw +--- dc/R679QuFt0wd/73GC2DzQP3A+dOoRCokRB73GY9sc +~FaB;FwDh(Q׿ľ@ʃ;E1ڰp =~ h(}Ʒ7BE[3AS3iTx \ No newline at end of file