nix/modules/services/vaultwarden.nix

{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.services.vaultwarden;
  rocketPort = 8222;
in
{

  options.my.services.vaultwarden = {
    enable = lib.mkEnableOption "Enable Vaultwarden module";

    adminPasswordFile = lib.mkOption {
      default = "";
      type = lib.types.str;
      description = ''
        Path to the file containing the admin password for Vaultwarden
      '';
    };

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      subdomain = lib.mkOption {
        default = "vault";
        type = lib.types.str;
        description = ''
          The subdomain where Vaultwarden is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };

    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {

      my.services.postgresql = {
        enable = true;
        ensures = [
          {
            username = "vaultwarden";
            database = "vaultwarden";
          }
        ];
      };

      services.vaultwarden = {
        enable = true;
        dbBackend = "postgresql";
        environmentFile = cfg.adminPasswordFile;
        config = {
          DOMAIN = "https://vault.${cfg.proxy.domain}";
          SENDS_ALLOWED = true;
          SIGNUPS_ALLOWED = false;
          WEBSOCKET_ENABLED = true;
          ROCKET_ADDRESS = "0.0.0.0";
          ROCKET_PORT = rocketPort;
          DATABASE_URL = "postgresql:///vaultwarden?host=/run/postgresql";
          SMTP_HOST = "smtp.tem.scaleway.com";
          SMTP_FROM = "vault@${cfg.proxy.domain}";
          SMTP_FROM_NAME = "Pasetto's Vault";
          SMTP_SECURITY = "starttls";
        };
      };

      networking.firewall.allowedTCPPorts = [ rocketPort ];

    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString rocketPort}
          import cloudflare_${domain}
        '';
      };
    })
  ];
}