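# Vaultwarden (Bitwarden-compatible password server) behind the host's nginx
# reverse proxy.
#
# Enabling `custom.services.vaultwarden` pulls in the custom HTTPS nginx server
# and the certificate-store client, persists the Vaultwarden state directory,
# and renders the service's environment file from sops-managed secrets.
{ config, lib, ... }:
let
  cfg = config.custom.services.vaultwarden;

  # Both secrets come from the same encrypted file and both require a restart
  # of the service when rotated, so the attribute set is shared.
  secretsFile = ../../secrets/vaultwarden.yaml;
  mkSecret = {
    sopsFile = secretsFile;
    restartUnits = [ "vaultwarden.service" ];
  };
in
{
  options.custom.services.vaultwarden.enable = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Whether to run Vaultwarden behind the custom nginx HTTPS server.";
  };

  config = lib.mkIf cfg.enable {
    # TLS termination and certificate provisioning are handled by these custom
    # modules; the nginx vhost below is assumed to be made HTTPS-only by them.
    custom.services = {
      nginxHttpsServer.enable = true;
      certStoreClient.enable = true;
    };

    # Keep the database, attachments and server keys across reboots. The
    # directory is readable and writable by the service user only.
    environment.persistence."/persist".directories = [
      {
        directory = "/var/lib/vaultwarden";
        user = "vaultwarden";
        group = "vaultwarden";
        mode = "u=rwx,g=,o=";
      }
    ];

    sops = {
      secrets = {
        smtp-pass = mkSecret;
        admin-token = mkSecret;
      };

      # Rendered at activation with the decrypted values substituted for the
      # placeholders; owned by the service user so the unit can read it through
      # `environmentFile` without the secrets ending up in the Nix store.
      # NOTE(review): Vaultwarden accepts either a plain admin token or an
      # argon2 PHC hash for ADMIN_TOKEN; confirm the stored secret is the
      # hashed form so the env file does not hold the usable token in clear.
      templates."vaultwarden.env" = {
        owner = "vaultwarden";
        content = ''
          SMTP_FROM=vmsskv12@gmail.com
          SMTP_USERNAME=vmsskv12@gmail.com
          SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
          ADMIN_TOKEN=${config.sops.placeholder.admin-token}
        '';
      };
    };

    services = {
      vaultwarden = {
        enable = true;
        environmentFile = config.sops.templates."vaultwarden.env".path;

        # Setting `config` replaces the NixOS module's default attribute set
        # (which is what normally pins the listen address and port), so the
        # bind address is pinned here explicitly: loopback only, matching the
        # nginx proxyPass below, so the plain-HTTP port is never reachable from
        # other interfaces.
        config = {
          DOMAIN = "https://vaultwarden.vsinerva.fi";
          ROCKET_ADDRESS = "127.0.0.1";
          ROCKET_PORT = 8000;

          # Brute-force protection for the login and admin endpoints.
          LOGIN_RATELIMIT_MAX_BURST = 10;
          LOGIN_RATELIMIT_SECONDS = 60;
          ADMIN_RATELIMIT_MAX_BURST = 10;
          ADMIN_RATELIMIT_SECONDS = 60;

          SENDS_ALLOWED = true;
          EMERGENCY_ACCESS_ALLOWED = true;
          WEB_VAULT_ENABLED = true;

          # Registration is open to the internet on this public domain; mail
          # verification limits abuse of unverified accounts. If the instance is
          # meant for a known set of users, SIGNUPS_DOMAINS_WHITELIST (or
          # disabling signups and inviting from the admin page) narrows this.
          SIGNUPS_ALLOWED = true;
          SIGNUPS_VERIFY = true;
          SIGNUPS_VERIFY_RESEND_TIME = 3600;
          SIGNUPS_VERIFY_RESEND_LIMIT = 5;

          # Outbound mail via Gmail with STARTTLS; credentials come from the
          # environment file above.
          SMTP_HOST = "smtp.gmail.com";
          SMTP_FROM_NAME = "Vaultwarden";
          SMTP_SECURITY = "starttls";
          SMTP_PORT = 587;
          SMTP_AUTH_MECHANISM = "Login";
        };
      };

      nginx = {
        virtualHosts."vaultwarden.vsinerva.fi" = {
          locations."/" = {
            proxyPass = "http://localhost:8000";
            # Vaultwarden serves its notifications hub over WebSockets on the
            # same port; without the Upgrade/Connection headers the proxy
            # silently downgrades those requests.
            proxyWebsockets = true;
          };
        };
      };
    };
  };
}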