nixos-config/modules/nixos/services/vaultwarden.nix

{
  config,
  lib,
  secretsDir,
  ...
}:
let
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    recursiveUpdate
    ;
  inherit (lib.types) bool str;

  cfg = config.ataraxia.services.vaultwarden;
  nginx = config.ataraxia.services.nginx;
  domain = "vw.ataraxiadev.com";
in
{
  options.ataraxia.services.vaultwarden = {
    enable = mkEnableOption "Enable vaultwarden service";
    sopsDir = mkOption {
      type = str;
      default = config.networking.hostName;
      description = ''
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
    nginxHost = mkOption {
      type = bool;
      default = config.ataraxia.services.nginx.enable;
      description = "Enable nginx vHost integration";
    };
  };

  config = mkIf cfg.enable {
    sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;
    sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;
    sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];

    services.vaultwarden = {
      enable = true;
      backupDir = "/srv/vaultwarden";
      config = {
        domain = "https://${domain}";
        extendedLogging = true;
        invitationsAllowed = false;
        useSyslog = true;
        logLevel = "warn";
        rocketAddress = "127.0.0.1";
        rocketPort = 8812;
        showPasswordHint = false;
        signupsAllowed = false;
        signupsDomainsWhitelist = "ataraxiadev.com";
        signupsVerify = true;
        smtpAuthMechanism = "Login";
        smtpFrom = "vaultwarden@ataraxiadev.com";
        smtpFromName = "Vaultwarden";
        smtpHost = "mail.ataraxiadev.com";
        smtpPort = 587;
        smtpSecurity = "starttls";
        websocketAddress = "127.0.0.1";
        websocketEnabled = true;
        websocketPort = 3012;
        webVaultEnabled = true;
      };
      environmentFile = config.sops.secrets.vaultwarden.path;
    };

    services.nginx.virtualHosts = mkIf cfg.nginxHost {
      ${domain} = recursiveUpdate nginx.defaultSettings {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
        };
        locations."/notifications/hub" = {
          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";
          proxyWebsockets = true;
        };
        locations."/notifications/hub/negotiate" = {
          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
        };
      };
    };

    persist.state.directories = [
      "/var/lib/vaultwarden"
      config.services.vaultwarden.backupDir
    ];

    systemd.tmpfiles.rules =
      let
        backupDir = config.services.vaultwarden.backupDir;
        user = config.systemd.services.backup-vaultwarden.serviceConfig.User;
        group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;
      in
      [
        "d ${backupDir} 0700 ${user} ${group} -"
      ];
  };
}
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00			`{`
			`config,`
			`lib,`
			`secretsDir,`
			`...`
			`}:`
			`let`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`inherit (lib)`
			`mkEnableOption`
			`mkIf`
			`mkOption`
			`recursiveUpdate`
			`;`
			`inherit (lib.types) bool str;`
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00
			`cfg = config.ataraxia.services.vaultwarden;`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`nginx = config.ataraxia.services.nginx;`
			`domain = "vw.ataraxiadev.com";`
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00			`in`
			`{`
			`options.ataraxia.services.vaultwarden = {`
			`enable = mkEnableOption "Enable vaultwarden service";`
			`sopsDir = mkOption {`
			`type = str;`
			`default = config.networking.hostName;`
			`description = ''`
			`Name for sops secrets directory. Defaults to hostname.`
			`'';`
			`};`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`nginxHost = mkOption {`
			`type = bool;`
			`default = config.ataraxia.services.nginx.enable;`
			`description = "Enable nginx vHost integration";`
			`};`
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00			`};`

			`config = mkIf cfg.enable {`
			`sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;`
			`sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;`
			`sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];`

			`services.vaultwarden = {`
			`enable = true;`
			`backupDir = "/srv/vaultwarden";`
			`config = {`
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`domain = "https://${domain}";`
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00			`extendedLogging = true;`
			`invitationsAllowed = false;`
			`useSyslog = true;`
			`logLevel = "warn";`
			`rocketAddress = "127.0.0.1";`
			`rocketPort = 8812;`
			`showPasswordHint = false;`
			`signupsAllowed = false;`
			`signupsDomainsWhitelist = "ataraxiadev.com";`
			`signupsVerify = true;`
			`smtpAuthMechanism = "Login";`
			`smtpFrom = "vaultwarden@ataraxiadev.com";`
			`smtpFromName = "Vaultwarden";`
			`smtpHost = "mail.ataraxiadev.com";`
			`smtpPort = 587;`
			`smtpSecurity = "starttls";`
			`websocketAddress = "127.0.0.1";`
			`websocketEnabled = true;`
			`websocketPort = 3012;`
			`webVaultEnabled = true;`
			`};`
			`environmentFile = config.sops.secrets.vaultwarden.path;`
			`};`

feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00			`services.nginx.virtualHosts = mkIf cfg.nginxHost {`
			`${domain} = recursiveUpdate nginx.defaultSettings {`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";`
			`};`
			`locations."/notifications/hub" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";`
			`proxyWebsockets = true;`
			`};`
			`locations."/notifications/hub/negotiate" = {`
			`proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";`
			`};`
			`};`
			`};`
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00
			`persist.state.directories = [`
			`"/var/lib/vaultwarden"`
			`config.services.vaultwarden.backupDir`
			`];`

			`systemd.tmpfiles.rules =`
			`let`
			`backupDir = config.services.vaultwarden.backupDir;`
			`user = config.systemd.services.backup-vaultwarden.serviceConfig.User;`
			`group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;`
			`in`
			`[`
			`"d ${backupDir} 0700 ${user} ${group} -"`
			`];`
			`};`
			`}`