From 9a37316d9e810de22bc69eaf31f8696b048d0ecc Mon Sep 17 00:00:00 2001
From: Chris Kruining
Date: Wed, 27 Aug 2025 15:24:12 +0200
Subject: [PATCH] add vaultwarden

---
 .../services/security/vaultwarden/default.nix | 80 ++++++++++++++++---
 packages/vaultwarden/default.nix | 29 +++++++
 systems/x86_64-linux/ulmo/default.nix | 2 +
 3 files changed, 100 insertions(+), 11 deletions(-)
 create mode 100644 packages/vaultwarden/default.nix

diff --git a/modules/nixos/services/security/vaultwarden/default.nix b/modules/nixos/services/security/vaultwarden/default.nix
index 6870606..0bb05f7 100644
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@@ -1,7 +1,7 @@
 { pkgs, config, lib, namespace, ... }: let - inherit (lib.modules) mkIf; - inherit (lib.options) mkEnableOption; + inherit (builtins) toString; + inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.security.vaultwarden; in
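Review bot: `inherit (builtins) toString;` on the new side is redundant, because `toString` is a Nix language builtin that is already in scope without being inherited, so the line can be dropped and the `let` block needs only `inherit (lib) mkIf mkEnableOption;`. The rest of the module, including the options block that uses `mkEnableOption`, lies outside this hunk.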
@@ -11,18 +11,76 @@ in }; config = mkIf cfg.enable { - environment.systemPackages = with pkgs; [ - vaultwarden - vaultwarden-postgresql + systemd.tmpfiles.rules = [ + "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -" ]; - services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; + services = { + vaultwarden = { + enable = true; + dbBackend = "postgresql"; - config = { - SIGNUPS_ALLOWED = false; - DOMAIN = "https://passwords.kruining.eu"; + package = pkgs.${namespace}.vaultwarden; + + config = { + SIGNUPS_ALLOWED = false; + DOMAIN = "https://vault.kruining.eu"; + + ADMIN_TOKEN = ""; + + DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable"; + + WEB_VAULT_ENABLED = true; + + SSO_ENABLED = true; + SSO_ONLY = true; + SSO_PKCE = true; + SSO_AUTH_ONLY_NOT_SESSION = false; + SSO_ROLES_ENABLED = true; + SSO_ORGANIZATIONS_ENABLED = true; + SSO_ORGANIZATIONS_REVOCATION = true; + SSO_AUTHORITY = "https://auth.amarth.cloud/"; + SSO_SCOPES = "email profile offline_access"; + SSO_AUDIENCE_TRUSTED = "^333297815511892227$"; + SSO_CLIENT_ID = "335178854421299459"; + SSO_CLIENT_SECRET = ""; + + ROCKET_ADDRESS = "::1"; + ROCKET_PORT = 8222; + ROCKET_LOG = "critical"; + + SMTP_HOST = "black-mail.nl"; + SMTP_PORT = 587; + SMTP_SECURITY = "starttls"; + SMTP_USERNAME = "info@amarth.cloud"; + SMTP_PASSWORD = ""; + SMTP_FROM = "info@amarth.cloud"; + SMTP_FROM_NAME = "Chris' Vaultwarden"; + }; + }; + + postgresql = { + enable = true; + ensureDatabases = [ "vaultwarden" ]; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; + }; + + caddy = { + enable = true; + virtualHosts = { + "vault.kruining.eu".extraConfig = '' + encode zstd gzip + + reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} { + header_up X-Real-IP {remote_host} + } + ''; + }; }; }; }; diff --git a/packages/vaultwarden/default.nix b/packages/vaultwarden/default.nix new file mode 100644 index 0000000..243288b 
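Review bot: `ADMIN_TOKEN = ""`, `SSO_CLIENT_SECRET = ""` and `SMTP_PASSWORD = ""` are placed inside `services.vaultwarden.config`, which the NixOS module renders into an environment file in the Nix store; the store is world-readable, so these keys must never be filled with real values in this file. Keep them out of `config` and supply them through `services.vaultwarden.environmentFile = "<path outside /nix/store>";` (a sops- or agenix-managed file, for example), with a comment on the `config` block saying so; if the empty `ADMIN_TOKEN` is meant to disable the admin page, confirm that the package treats an empty string like an unset variable, otherwise leave the key out entirely. `DATABASE_URL` also dials `localhost:5432` with `sslmode=disable` while `postgresql.ensureUsers` only provisions a role with database ownership and no password, so unless `pg_hba` is configured elsewhere this connection will presumably be rejected; pointing it at the unix socket, for example `DATABASE_URL = "postgres:///vaultwarden?host=/run/postgresql";`, uses peer authentication for the `vaultwarden` service user and avoids cleartext TCP altogether. The enclosing module continues past the end of the hunk.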
--- /dev/null
+++ b/packages/vaultwarden/default.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, rustPlatform, fetchFromGitHub, openssl, pkg-config, postgresql, dbBackend ? "postgresql", ... }:
+rustPlatform.buildRustPackage rec {
+ pname = "vaultwarden";
+ version = "1.34.3";
+
+ src = fetchFromGitHub {
+ owner = "Timshel";
+ repo = "vaultwarden";
+ rev = "1.34.3";
+ hash = "sha256-Dj0ySVRvBZ/57+UHas3VI8bi/0JBRqn0IW1Dq+405J0=";
+ };
+
+ cargoHash = "sha256-4sDagd2XGamBz1XvDj4ycRVJ0F+4iwHOPlj/RglNDqE=";
+
+ # used for "Server Installed" version in admin panel
+ env.VW_VERSION = version;
+
+ nativeBuildInputs = [ pkg-config ];
+ buildInputs =
+ [ openssl ]
+ ++ lib.optional (dbBackend == "postgresql") postgresql;
+
+ buildFeatures = dbBackend;
+
+ meta = with lib; {
+ license = licenses.agpl3Only;
+ mainProgram = "vaultwarden";
+ };
+}
\ No newline at end of file
diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix
index e191367..9876768 100644
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@@ -23,6 +23,8 @@ loki.enable = true; promtail.enable = true; }; + + security.vaultwarden.enable = true; }; editor = {
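Review bot: `src` pulls the `Timshel/vaultwarden` fork instead of upstream and nothing in the file says why; presumably it is chosen because it carries the SSO support that the module's `SSO_*` options rely on, and a header comment such as `# SSO-capable fork of vaultwarden, needed for the module's SSO_* options; revisit once upstream ships SSO` would both save the next reader a lookup and record the trust decision of building a password manager from a third-party fork (the `hash` and `cargoHash` do pin the exact content, so the tag-based `rev` is not itself a problem). `meta` also lacks `description` and `homepage`, which the upstream nixpkgs expression provides, and the file is missing its trailing newline. The ulmo hunk below only enables the option and needs no change.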