sneeuwvlok/modules/nixos/services/security/vaultwarden/default.nix

{ pkgs, config, lib, namespace, ... }:
let
  inherit (builtins) toString;
  inherit (lib) mkIf mkEnableOption;

  cfg = config.${namespace}.services.security.vaultwarden;
in
{
  options.${namespace}.services.security.vaultwarden = {
    enable = mkEnableOption "enable vaultwarden";
  };

  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = [
      "d '/var/lib/vaultwarden' 0700 vaultwarden vaultwarden - -"
    ];

    services = {
      vaultwarden = {
        enable = true;
        dbBackend = "postgresql";

        package = pkgs.${namespace}.vaultwarden;

        config = {
          SIGNUPS_ALLOWED = false;
          DOMAIN = "https://vault.kruining.eu";

          ADMIN_TOKEN = "";

          DATABASE_URL = "postgres://localhost:5432/vaultwarden?sslmode=disable";

          WEB_VAULT_ENABLED = true;

          SSO_ENABLED = true;
          SSO_ONLY = true;
          SSO_PKCE = true;
          SSO_AUTH_ONLY_NOT_SESSION = false;
          SSO_ROLES_ENABLED = true;
          SSO_ORGANIZATIONS_ENABLED = true;
          SSO_ORGANIZATIONS_REVOCATION = true;
          SSO_AUTHORITY = "https://auth.amarth.cloud/";
          SSO_SCOPES = "email profile offline_access";
          SSO_AUDIENCE_TRUSTED = "^333297815511892227$";
          SSO_CLIENT_ID = "335178854421299459";
          SSO_CLIENT_SECRET = "";

          ROCKET_ADDRESS = "::1";
          ROCKET_PORT = 8222;
          ROCKET_LOG = "critical";

          SMTP_HOST = "black-mail.nl";
          SMTP_PORT = 587;
          SMTP_SECURITY = "starttls";
          SMTP_USERNAME = "info@amarth.cloud";
          SMTP_PASSWORD = "";
          SMTP_FROM = "info@amarth.cloud";
          SMTP_FROM_NAME = "Chris' Vaultwarden";
        };
      };

      postgresql = {
        enable = true;
        ensureDatabases = [ "vaultwarden" ];
        ensureUsers = [
          {
            name = "vaultwarden";
            ensureDBOwnership = true;
          }
        ];
      };

      caddy = {
        enable = true;
        virtualHosts = {
          "vault.kruining.eu".extraConfig = ''
            encode zstd gzip

            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
              header_up X-Real-IP {remote_host}
            }
          '';
        };
      };
    };
  };
}