nix-config/config/services/vaultwarden.nix

{
  config,
  lib,
  nodes,
  ...
}:
let
  vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}";
in
{
  age.secrets.vaultwarden-env = {
    rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
    mode = "440";
    group = "vaultwarden";
  };

  environment.persistence."/persist".directories = [
    {
      directory = "/var/lib/vaultwarden";
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0700";
    }
  ];

  age.secrets.resticpasswd = {
    generator.script = "alnum";
  };
  age.secrets.vaultwardenHetznerSsh = {
    generator.script = "ssh-ed25519";
  };
  services.restic.backups = {
    main = {
      user = "root";
      timerConfig = {
        OnCalendar = "06:00";
        Persistent = true;
        RandomizedDelaySec = "3h";
      };
      initialize = true;
      passwordFile = config.age.secrets.resticpasswd.path;
      hetznerStorageBox = {
        enable = true;
        inherit (config.secrets.secrets.global.hetzner) mainUser;
        inherit (config.secrets.secrets.global.hetzner.users.vaultwarden) subUid path;
        sshAgeSecret = "vaultwardenHetznerSsh";
      };
      paths = [ config.services.vaultwarden.backupDir ];
      #pruneOpts = [
      #  "--keep-daily 10"
      #  "--keep-weekly 7"
      #  "--keep-monthly 12"
      #  "--keep-yearly 75"
      #];
    };
  };
  age.secrets.maddyPasswd = {
    generator.script = "alnum";
    group = "vaultwarden";
  };

  nodes.maddy = {
    age.secrets.vaultwardenPasswd = {
      inherit (config.age.secrets.maddyPasswd) rekeyFile;
      inherit (nodes.maddy.config.services.maddy) group;
      mode = "640";
    };
    services.maddy.ensureCredentials = {
      "vaultwarden@${config.secrets.secrets.global.domains.mail_public}".passwordFile =
        nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
    };
  };
  system.activationScripts.systemd_env_smtp_passwd = {
    text = ''
      echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.maddyPasswd.path})" > /run/vaultwarden_smtp_passwd
    '';
    deps = [ "agenix" ];
  };

  systemd.services.vaultwarden.serviceConfig.EnvironmentFile = [ "/run/vaultwarden_smtp_passwd" ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    backupDir = "/var/cache/backups/vaultwarden";
    config = {
      dataFolder = lib.mkForce "/var/lib/vaultwarden";
      extendedLogging = true;
      useSyslog = true;
      webVaultEnabled = true;

      rocketAddress = "0.0.0.0";
      rocketPort = 3000;

      signupsAllowed = false;
      passwordIterations = 1000000;
      invitationsAllowed = true;
      invitationOrgName = "Vaultwarden";
      domain = "https://${vaultwardenDomain}";

      smtpHost = "smtp.${config.secrets.secrets.global.domains.mail_public}";
      smtpFrom = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";
      smtpPort = 465;
      smtpSecurity = "force_tls";
      smtpUsername = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";
      smtpEmbedImages = true;
    };
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  wireguard.elisabeth = {
    client.via = "elisabeth";
    firewallRuleForNode.elisabeth.allowedTCPPorts = [ config.services.vaultwarden.config.rocketPort ];
  };

  # Replace uses of old name
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
  systemd.services.vaultwarden.serviceConfig = {
    StateDirectory = lib.mkForce "vaultwarden";
    RestartSec = "600"; # Retry every 10 minutes
  };
  environment.persistence."/state".directories = [
    {
      directory = config.services.vaultwarden.backupDir;
      user = "vaultwarden";
      group = "vaultwarden";
      mode = "0770";
    }
  ];
}
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`{`
			`config,`
			`lib,`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`nodes,`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`...`
reformat 2024-07-26 22:12:48 +02:00			`}:`
			`let`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}";`
reformat 2024-07-26 22:12:48 +02:00			`in`
			`{`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`age.secrets.vaultwarden-env = {`
			`rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";`
			`mode = "440";`
			`group = "vaultwarden";`
			`};`

			`environment.persistence."/persist".directories = [`
			`{`
			`directory = "/var/lib/vaultwarden";`
			`user = "vaultwarden";`
			`group = "vaultwarden";`
			`mode = "0700";`
			`}`
			`];`

feat: added remote backups 2024-01-15 02:13:46 +01:00			`age.secrets.resticpasswd = {`
			`generator.script = "alnum";`
			`};`
			`age.secrets.vaultwardenHetznerSsh = {`
			`generator.script = "ssh-ed25519";`
			`};`
			`services.restic.backups = {`
			`main = {`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`user = "root";`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`timerConfig = {`
			`OnCalendar = "06:00";`
			`Persistent = true;`
			`RandomizedDelaySec = "3h";`
			`};`
			`initialize = true;`
			`passwordFile = config.age.secrets.resticpasswd.path;`
			`hetznerStorageBox = {`
			`enable = true;`
			`inherit (config.secrets.secrets.global.hetzner) mainUser;`
			`inherit (config.secrets.secrets.global.hetzner.users.vaultwarden) subUid path;`
			`sshAgeSecret = "vaultwardenHetznerSsh";`
			`};`
reformat 2024-07-26 22:12:48 +02:00			`paths = [ config.services.vaultwarden.backupDir ];`
feat: append only backups 2024-08-08 20:08:01 +02:00			`#pruneOpts = [`
			`# "--keep-daily 10"`
			`# "--keep-weekly 7"`
			`# "--keep-monthly 12"`
			`# "--keep-yearly 75"`
			`#];`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`};`
			`};`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`age.secrets.maddyPasswd = {`
			`generator.script = "alnum";`
			`group = "vaultwarden";`
			`};`

			`nodes.maddy = {`
			`age.secrets.vaultwardenPasswd = {`
			`inherit (config.age.secrets.maddyPasswd) rekeyFile;`
			`inherit (nodes.maddy.config.services.maddy) group;`
			`mode = "640";`
			`};`
			`services.maddy.ensureCredentials = {`
reformat 2024-07-26 22:12:48 +02:00			`"vaultwarden@${config.secrets.secrets.global.domains.mail_public}".passwordFile =`
			`nodes.maddy.config.age.secrets.vaultwardenPasswd.path;`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`};`
			`};`
			`system.activationScripts.systemd_env_smtp_passwd = {`
			`text = ''`
			`echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.maddyPasswd.path})" > /run/vaultwarden_smtp_passwd`
			`'';`
reformat 2024-07-26 22:12:48 +02:00			`deps = [ "agenix" ];`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`};`

reformat 2024-07-26 22:12:48 +02:00			`systemd.services.vaultwarden.serviceConfig.EnvironmentFile = [ "/run/vaultwarden_smtp_passwd" ];`
feat: added remote backups 2024-01-15 02:13:46 +01:00
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`services.vaultwarden = {`
			`enable = true;`
			`dbBackend = "sqlite";`
fix: update fucked shit 2024-01-15 20:46:53 +01:00			`backupDir = "/var/cache/backups/vaultwarden";`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`config = {`
			`dataFolder = lib.mkForce "/var/lib/vaultwarden";`
			`extendedLogging = true;`
			`useSyslog = true;`
			`webVaultEnabled = true;`

			`rocketAddress = "0.0.0.0";`
			`rocketPort = 3000;`

			`signupsAllowed = false;`
			`passwordIterations = 1000000;`
			`invitationsAllowed = true;`
			`invitationOrgName = "Vaultwarden";`
			`domain = "https://${vaultwardenDomain}";`

feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`smtpHost = "smtp.${config.secrets.secrets.global.domains.mail_public}";`
			`smtpFrom = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`smtpPort = 465;`
feat: distributed config feat: vaultwarden smtp config 2024-01-29 17:27:42 +01:00			`smtpSecurity = "force_tls";`
			`smtpUsername = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";`
			`smtpEmbedImages = true;`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`};`
			`environmentFile = config.age.secrets.vaultwarden-env.path;`
			`};`

feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`wireguard.elisabeth = {`
			`client.via = "elisabeth";`
reformat 2024-07-26 22:12:48 +02:00			`firewallRuleForNode.elisabeth.allowedTCPPorts = [ config.services.vaultwarden.config.rocketPort ];`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`};`
feat: ddclient container 2024-01-13 19:23:51 +01:00
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`# Replace uses of old name`
			`systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";`
			`systemd.services.vaultwarden.serviceConfig = {`
			`StateDirectory = lib.mkForce "vaultwarden";`
			`RestartSec = "600"; # Retry every 10 minutes`
			`};`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`environment.persistence."/state".directories = [`
			`{`
			`directory = config.services.vaultwarden.backupDir;`
			`user = "vaultwarden";`
			`group = "vaultwarden";`
			`mode = "0770";`
			`}`
			`];`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`}`