From 8de956ae726a2a85d09a4d3443630448218afbe4 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Tue, 8 Jul 2025 20:03:12 +0300
Subject: [PATCH] feat: add vaultwared service to orion

---
 hosts/orion/default.nix | 2 +
 modules/nixos/services/vaultwarden.nix | 80 ++++++++++++++++++++++++++
 secrets/orion/vaultwarden.yaml | 26 +++++++++
 3 files changed, 108 insertions(+)
 create mode 100644 modules/nixos/services/vaultwarden.nix
 create mode 100644 secrets/orion/vaultwarden.yaml

diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
index 4e33f76..f81e433 100644
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@@ -102,6 +102,8 @@
 smartmontools
 ];
 
+ ataraxia.services.vaultwarden.enable = true;
+
 ataraxia.virtualisation.guests = {
 omv = {
 autoStart = true;
diff --git a/modules/nixos/services/vaultwarden.nix b/modules/nixos/services/vaultwarden.nix
new file mode 100644
index 0000000..506f38b
--- /dev/null
+++ b/modules/nixos/services/vaultwarden.nix
@@ -0,0 +1,80 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+let
+ inherit (lib) mkEnableOption mkIf mkOption;
+ inherit (lib.types) str;
+
+ cfg = config.ataraxia.services.vaultwarden;
+in
+{
+ options.ataraxia.services.vaultwarden = {
+ enable = mkEnableOption "Enable vaultwarden service";
+ sopsDir = mkOption {
+ type = str;
+ default = config.networking.hostName;
+ description = ''
+ Name for sops secrets directory. Defaults to hostname.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;
+ sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;
+ sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];
+
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/srv/vaultwarden";
+ config = {
+ domain = "https://vw.ataraxiadev.com";
+ extendedLogging = true;
+ invitationsAllowed = false;
+ useSyslog = true;
+ logLevel = "warn";
+ rocketAddress = "127.0.0.1";
+ rocketPort = 8812;
+ showPasswordHint = false;
+ signupsAllowed = false;
+ signupsDomainsWhitelist = "ataraxiadev.com";
+ signupsVerify = true;
+ smtpAuthMechanism = "Login";
+ smtpFrom = "vaultwarden@ataraxiadev.com";
+ smtpFromName = "Vaultwarden";
+ smtpHost = "mail.ataraxiadev.com";
+ smtpPort = 587;
+ smtpSecurity = "starttls";
+ websocketAddress = "127.0.0.1";
+ websocketEnabled = true;
+ websocketPort = 3012;
+ webVaultEnabled = true;
+ };
+ environmentFile = config.sops.secrets.vaultwarden.path;
+ };
+
+ # We need to do this to successufully create backup folder
+ # systemd.services.backup-vaultwarden.serviceConfig = {
+ # User = "root";
+ # Group = "root";
+ # };
+
+ persist.state.directories = [
+ "/var/lib/vaultwarden"
+ config.services.vaultwarden.backupDir
+ ];
+
+ systemd.tmpfiles.rules =
+ let
+ backupDir = config.services.vaultwarden.backupDir;
+ user = config.systemd.services.backup-vaultwarden.serviceConfig.User;
+ group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;
+ in
+ [
+ "d ${backupDir} 0700 ${user} ${group} -"
+ ];
+ };
+}
diff --git a/secrets/orion/vaultwarden.yaml b/secrets/orion/vaultwarden.yaml
new file mode 100644
index 0000000..6b91f36
--- /dev/null
+++ b/secrets/orion/vaultwarden.yaml
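Review bot: `signupsDomainsWhitelist = "ataraxiadev.com"` sits next to `signupsAllowed = false`, but Vaultwarden's domain whitelist permits registration from the listed domains even when signups are otherwise disabled, so any address at ataraxiadev.com can still self-register (gated only by `signupsVerify`). If that is the intent, record it with a comment such as `# signups remain open for @ataraxiadev.com addresses via the domain whitelist`; if the instance is meant to be invite-only, drop the whitelist line. Separately, `sops.secrets.vaultwarden.owner` hands the environment file to the vaultwarden user, whereas systemd reads `EnvironmentFile=` before dropping privileges, so the secret could stay root-owned unless something else on the host needs to read it. The commented-out root override for `backup-vaultwarden` and the three `websocket*` keys (the separate websocket listener was dropped in recent Vaultwarden releases, if I recall correctly, so they may be ignored) read as leftovers that deserve either removal or a comment explaining why they are kept.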
@@ -0,0 +1,26 @@
+vaultwarden: ENC[AES256_GCM,data:B1qaU/1jsDgbc7wEl3Yrehez3vHCOPDQ5rjpkYPf4QgVwonOvvEf4H7doVwabhihRqoy43QXBeDRuPVaea/ZJythvZV0cez2Mr6YrhG7/BSB+AIDEa+wNQTGgY5IWkztp7j4BP1XmyRA4A42dOnfHJR6BncJGAfhNguq3FZJuf5BClvyT5aov+GKfiO81l93ig324TKsU9ClLqmVarrPCNba683ADrH8g5EkB2rw0LwKJBWVQh0TKhTTyFdMFTNaIQ17K1ueqLwd2xIfHMmN61s=,iv:H6/RxF6LSMD3OUAY3mEhof2VGOCctg6FsaoyOTI9e5Q=,tag:W+nCl/RAWpdXWbE9v/oMOg==,type:str]
+sops:
+ shamir_threshold: 1
+ age:
+ - recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNVZpRE8zUzN0RWNXT09F
+ bUR0MmxMNDNybHBEN0FKY3VtTW1XREpaSkNJCnpGRmZqRlU0YlBiYkxkeEVLMzdv
+ eERFc3dITG5lOTVLRkJYM2NNa1lpWDgKLS0tIEsra0ZBblhiTk9kTFJxWjZtRDhS
+ NDhKY2dEVXFOL3JIZmtMVG5tVklIQXcKbLLeZOrJCGRPscw4LWsVAGk29EwQg0lK
+ +YYSsQLm+cZNLxHLClsmQn/ykEvIEA5/1DjFXVvulFW+Kbk9NwSxHA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa0tPM2NiaW13Sk5rR091
+ VVBVYnRoc3I2WFI3WFhETTdXUzU4ckFZbGtJCjR4em80Vm1UQk9vM3h4OER6dVNs
+ RWJwazRiUHVXY01vZ1hyN3k3MlBrbUEKLS0tIDd3aEhxNDZHWDdETkd0VkMwOTZG
+ MWNhelRQZTdBZGMzUk5HQklSWWVTNWMK6gunbCmYfXh4fQ3mV0kh6TlwxTpxlUI0
+ Y6+pPh+Sw39KTFdirXv5OTWtCN53S6HXejIuctIOvdfrB1LYwsb7XA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-21T19:24:09Z"
+ mac: ENC[AES256_GCM,data:+KnkQjRKq7f7gojR4TDRUahPPcOshTQUIzJOmGBD4cspjLj0Ljf9tqoMCvCzwU7CGIg2c4phUCWluyQwlUAoiRL0rM8YyN2nE0PiWOcnl3p9FHwHxV9ElWiWpVnKroVxZEz0vmj0nsabl9PRD5ipX06kDK8GRZXFw+laSCy0N1E=,iv:7DO9ML9ToedihSJA6v1hMcd4Q/PJ+JLvJQk69kQ8btA=,tag:cifnSqY1ezoHt8WHtuyakw==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
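Review bot: The sops metadata records `lastmodified: "2024-01-21T19:24:09Z"`, roughly eighteen months before this commit's date, so the ciphertext appears to have been carried over from an earlier configuration rather than created for orion; it is worth confirming that the credentials inside (at least the SMTP password implied by the `smtp*` settings in the module) are still valid, and rotating them if the same values were ever deployed elsewhere. `shamir_threshold: 1` with two age recipients means either key alone decrypts the file, which is the usual sops layout, but a quick check that both recipients are intended (presumably the orion host key and an operator key) would be prudent before this lands.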