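# NixOS module: Vaultwarden served behind a Caddy reverse proxy and backed by
# the local PostgreSQL module (my.services.postgresql).
{ lib, config, pkgs, ... }:
let
  cfg = config.my.services.vaultwarden;

  # Port Vaultwarden's Rocket HTTP server listens on. Shared by the service
  # config, the firewall rule and the Caddy upstream so they cannot drift apart.
  rocketPort = 8222;

  # Public hostname of the instance, derived from the proxy options so that the
  # DOMAIN handed to Vaultwarden and the Caddy virtual host always agree.
  publicHost = "${cfg.proxy.subdomain}.${cfg.proxy.domain}";
in
{
  options.my.services.vaultwarden = {
    enable = lib.mkEnableOption "Enable Vaultwarden module";

    adminPasswordFile = lib.mkOption {
      default = "";
      type = lib.types.str;
      description = ''
        Path to the environment file handed to Vaultwarden
        (services.vaultwarden.environmentFile). It is expected to contain the
        ADMIN_TOKEN=... line that unlocks the /admin panel and must stay out of
        the Nix store. Leave empty to pass no environment file, in which case
        the admin panel stays disabled.
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "vault";
        type = lib.types.str;
        description = ''
          The subdomain where Vaultwarden is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          Host name where the Vaultwarden service is running, as seen from Caddy
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      my.services.postgresql = {
        enable = true;
        ensures = [
          { username = "vaultwarden"; database = "vaultwarden"; }
        ];
      };

      services.vaultwarden = {
        enable = true;
        dbBackend = "postgresql";

        # An empty option means "no environment file" rather than the literal
        # path "", which the upstream module would reject.
        environmentFile =
          if cfg.adminPasswordFile == "" then null else cfg.adminPasswordFile;

        config = {
          # Must be the externally reachable URL: Vaultwarden uses it for the
          # links in its e-mails and as the WebAuthn origin. Built from the
          # proxy options instead of a hard-coded "vault." prefix so that a
          # custom `subdomain` keeps DOMAIN and the Caddy virtual host in sync.
          DOMAIN = "https://${publicHost}";

          SENDS_ALLOWED = true;
          # Registration is closed on this instance.
          SIGNUPS_ALLOWED = false;
          WEBSOCKET_ENABLED = true;

          # Bind on all interfaces so a Caddy running elsewhere
          # (cfg.proxy.host != "localhost") can reach the upstream. Together
          # with the firewall rule below this exposes plain HTTP on rocketPort
          # to every network the host is attached to; when the proxy is local,
          # restrict access to that port at the network level.
          ROCKET_ADDRESS = "0.0.0.0";
          ROCKET_PORT = rocketPort;

          # Unix-socket connection to the local PostgreSQL instance.
          DATABASE_URL = "postgresql:///vaultwarden?host=/run/postgresql";

          # Outgoing mail; credentials are not set here and belong in the
          # environment file, never in this (world-readable) Nix expression.
          SMTP_HOST = "smtp.tem.scaleway.com";
          SMTP_FROM = "vault@${cfg.proxy.domain}";
          SMTP_FROM_NAME = "Pasetto's Vault";
          SMTP_SECURITY = "starttls";
        };
      };

      # Opens the raw Rocket port; see the ROCKET_ADDRESS note above.
      networking.firewall.allowedTCPPorts = [ rocketPort ];
    })

    (lib.mkIf cfg.proxy.enable {
      # TLS termination and the public entry point. The `cloudflare_<domain>`
      # snippet is expected to be defined in the Caddy configuration elsewhere.
      services.caddy.virtualHosts."${publicHost}".extraConfig = ''
        reverse_proxy http://${cfg.proxy.host}:${toString rocketPort}
        import cloudflare_${cfg.proxy.domain}
      '';
    })
  ];
}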