nix-config/config/services/vaultwarden.nix

{
  config,
  lib,
  nodes,
  globals,
  ...
}:
{
  age.secrets.vaultwarden-env = {
    rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
    mode = "440";
    group = "vaultwarden";
  };

  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/vaultwarden";
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0700";
    }
  ];

  age.secrets.resticpasswd = {
    generator.script = "alnum";
  };
  age.secrets.vaultwardenHetznerSsh = {
    generator.script = "ssh-ed25519";
  };
  services.restic.backups = {
    main = {
      user = "root";
      timerConfig = {
        OnCalendar = "06:00";
        Persistent = true;
        RandomizedDelaySec = "3h";
      };
      initialize = true;
      passwordFile = config.age.secrets.resticpasswd.path;
      hetznerStorageBox = {
        enable = true;
        inherit (globals.hetzner) mainUser;
        inherit (globals.hetzner.users.vaultwarden) subUid path;
        sshAgeSecret = "vaultwardenHetznerSsh";
      };
      paths = [ config.services.vaultwarden.backupDir ];
      #pruneOpts = [
      #  "--keep-daily 10"
      #  "--keep-weekly 7"
      #  "--keep-monthly 12"
      #  "--keep-yearly 75"
      #];
    };
  };
  age.secrets.mailnix-passwd = {
    generator.script = "alnum";
  };

  age.secrets.mailnix-passwd-hash = {
    generator.dependencies = [ config.age.secrets.mailnix-passwd ];
    generator.script = "argon2id";
    mode = "440";
    intermediary = true;
  };
  nodes.mailnix = {
    age.secrets.idmail-vaultwarden-passwd-hash = {
      inherit (config.age.secrets.mailnix-passwd-hash) rekeyFile;
      group = "stalwart-mail";
      mode = "440";
    };
    services.idmail.provision.mailboxes."vaultwarden@${globals.domains.mail_public}" = {
      password_hash = "%{file:${nodes.mailnix.config.age.secrets.idmail-vaultwarden-passwd-hash.path}}%";
      owner = "admin";
    };
  };
  system.activationScripts.systemd_env_smtp_passwd = {
    text = ''
      echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.mailnix-passwd.path})" > /run/vaultwarden_smtp_passwd
    '';
    deps = [ "agenix" ];
  };

  systemd.services.vaultwarden.serviceConfig.EnvironmentFile = [ "/run/vaultwarden_smtp_passwd" ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    backupDir = "/var/cache/backups/vaultwarden";
    config = {
      dataFolder = lib.mkForce "/var/lib/vaultwarden";
      extendedLogging = true;
      useSyslog = true;
      webVaultEnabled = true;

      rocketAddress = "0.0.0.0";
      rocketPort = 3000;

      signupsAllowed = false;
      passwordIterations = 1000000;
      invitationsAllowed = true;
      invitationOrgName = "Vaultwarden";
      domain = "https://${globals.services.vaultwarden.domain}";

      smtpHost = "smtp.${globals.domains.mail_public}";
      smtpFrom = "vaultwarden@${globals.domains.mail_public}";
      smtpPort = 465;
      smtpSecurity = "force_tls";
      smtpUsername = "vaultwarden@${globals.domains.mail_public}";
      smtpEmbedImages = true;
    };
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  wireguard.services = {
    client.via = "nucnix";
    firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [
      config.services.vaultwarden.config.rocketPort
    ];
  };

  # Replace uses of old name
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
  systemd.services.vaultwarden.serviceConfig = {
    StateDirectory = lib.mkForce "vaultwarden";
    RestartSec = "600"; # Retry every 10 minutes
  };
  environment.persistence."/state".directories = [
    {
      directory = config.services.vaultwarden.backupDir;
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0770";
    }
  ];
}
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`{`
			`config,`
			`lib,`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`nodes,`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`globals,`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`...`
reformat 2024-07-26 22:12:48 +02:00			`}:`
			`{`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`age.secrets.vaultwarden-env = {`
			`rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";`
			`mode = "440";`
			`group = "vaultwarden";`
			`};`

			`environment.persistence."/persist".directories = [`
			`{`
			`directory = "/var/lib/vaultwarden";`
			`user = "vaultwarden";`
			`group = "vaultwarden";`
			`mode = "0700";`
			`}`
			`];`

feat: added remote backups 2024-01-15 02:13:46 +01:00			`age.secrets.resticpasswd = {`
			`generator.script = "alnum";`
			`};`
			`age.secrets.vaultwardenHetznerSsh = {`
			`generator.script = "ssh-ed25519";`
			`};`
			`services.restic.backups = {`
			`main = {`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`user = "root";`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`timerConfig = {`
			`OnCalendar = "06:00";`
			`Persistent = true;`
			`RandomizedDelaySec = "3h";`
			`};`
			`initialize = true;`
			`passwordFile = config.age.secrets.resticpasswd.path;`
			`hetznerStorageBox = {`
			`enable = true;`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`inherit (globals.hetzner) mainUser;`
			`inherit (globals.hetzner.users.vaultwarden) subUid path;`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`sshAgeSecret = "vaultwardenHetznerSsh";`
			`};`
reformat 2024-07-26 22:12:48 +02:00			`paths = [ config.services.vaultwarden.backupDir ];`
feat: append only backups 2024-08-08 20:08:01 +02:00			`#pruneOpts = [`
			`# "--keep-daily 10"`
			`# "--keep-weekly 7"`
			`# "--keep-monthly 12"`
			`# "--keep-yearly 75"`
			`#];`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`};`
			`};`
feat: switch mails 2024-12-07 15:06:07 +01:00			`age.secrets.mailnix-passwd = {`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`generator.script = "alnum";`
			`};`

feat: switch mails 2024-12-07 15:06:07 +01:00			`age.secrets.mailnix-passwd-hash = {`
			`generator.dependencies = [ config.age.secrets.mailnix-passwd ];`
			`generator.script = "argon2id";`
			`mode = "440";`
			`intermediary = true;`
			`};`
			`nodes.mailnix = {`
			`age.secrets.idmail-vaultwarden-passwd-hash = {`
			`inherit (config.age.secrets.mailnix-passwd-hash) rekeyFile;`
			`group = "stalwart-mail";`
			`mode = "440";`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`};`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`services.idmail.provision.mailboxes."vaultwarden@${globals.domains.mail_public}" = {`
feat: switch mails 2024-12-07 15:06:07 +01:00			`password_hash = "%{file:${nodes.mailnix.config.age.secrets.idmail-vaultwarden-passwd-hash.path}}%";`
			`owner = "admin";`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`};`
			`};`
			`system.activationScripts.systemd_env_smtp_passwd = {`
			`text = ''`
feat: switch mails 2024-12-07 15:06:07 +01:00			`echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.mailnix-passwd.path})" > /run/vaultwarden_smtp_passwd`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`'';`
reformat 2024-07-26 22:12:48 +02:00			`deps = [ "agenix" ];`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`};`

reformat 2024-07-26 22:12:48 +02:00			`systemd.services.vaultwarden.serviceConfig.EnvironmentFile = [ "/run/vaultwarden_smtp_passwd" ];`
feat: added remote backups 2024-01-15 02:13:46 +01:00
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`services.vaultwarden = {`
			`enable = true;`
			`dbBackend = "sqlite";`
fix: update fucked shit 2024-01-15 20:46:53 +01:00			`backupDir = "/var/cache/backups/vaultwarden";`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`config = {`
			`dataFolder = lib.mkForce "/var/lib/vaultwarden";`
			`extendedLogging = true;`
			`useSyslog = true;`
			`webVaultEnabled = true;`

			`rocketAddress = "0.0.0.0";`
			`rocketPort = 3000;`

			`signupsAllowed = false;`
			`passwordIterations = 1000000;`
			`invitationsAllowed = true;`
			`invitationOrgName = "Vaultwarden";`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`domain = "https://${globals.services.vaultwarden.domain}";`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`smtpHost = "smtp.${globals.domains.mail_public}";`
			`smtpFrom = "vaultwarden@${globals.domains.mail_public}";`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`smtpPort = 465;`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`smtpSecurity = "force_tls";`
feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`smtpUsername = "vaultwarden@${globals.domains.mail_public}";`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`smtpEmbedImages = true;`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`};`
			`environmentFile = config.age.secrets.vaultwarden-env.path;`
			`};`

feat: globals feat: more vlan config 2024-12-20 20:40:27 +01:00			`wireguard.services = {`
			`client.via = "nucnix";`
			`firewallRuleForNode.nucnix-nginx.allowedTCPPorts = [`
			`config.services.vaultwarden.config.rocketPort`
			`];`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`};`
feat: ddclient container 2024-01-13 19:23:51 +01:00
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`# Replace uses of old name`
			`systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";`
			`systemd.services.vaultwarden.serviceConfig = {`
			`StateDirectory = lib.mkForce "vaultwarden";`
			`RestartSec = "600"; # Retry every 10 minutes`
			`};`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`environment.persistence."/state".directories = [`
			`{`
			`directory = config.services.vaultwarden.backupDir;`
			`user = "vaultwarden";`
			`group = "vaultwarden";`
			`mode = "0770";`
			`}`
			`];`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`}`