bebop: Add vaultwarden

flake.nix

@@ -85,6 +85,7 @@
             ./modules/monitoring/monitoring.nix
             ./modules/calibre.nix
             ./modules/wiki.nix
+            ./modules/vaultwarden.nix
 
             # Host-specific config
             nixos-hardware.nixosModules.raspberry-pi-4

hosts/hermes/secrets/agenix.nix

@@ -27,7 +27,7 @@ in
           (n: _: nameValuePair (removeSuffix ".age" n)
             {
               file = "${secretsDir}/${n}";
-              owner = payas;
+              owner = if builtins.eq n "vaultwarden" then "vaultwarden" else payas;
             })
           (import secretsFile)
       else

hosts/hermes/secrets/secrets.nix

@@ -13,4 +13,5 @@ in
   "minio.age".publicKeys = [ ageKey ];
   "minio_secret_key.age".publicKeys = [ ageKey ];
   "tunnel_bebop.json.age".publicKeys = [ ageKey ];
+  "vaultwarden.age".publicKeys = [ ageKey ];
 }

modules/vaultwarden.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+{
+  services = {
+
+    vaultwarden = {
+      enable = false;
+      dbBackend = "sqlite";
+      environmentFile = "/run/agenix/vaultwarden";
+      config = {
+        DOMAIN = "https://vault.bhankas.org";
+        SIGNUPS_ALLOWED = false;
+
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = "8222";
+        ROCKET_LOG = "critical";
+      };
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "vault.bhankas.org" = {
+          addSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://127.0.0.1:8222";
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {
+      "vault.bhankas.org" = {
+        email = "relekarpayas@gmail.com";
+        dnsResolver = "1.1.1.1:53";
+      };
+    };
+  };
+}