From d5c2a01ce14e46d26a592e195c5323b0de829ca3 Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Wed, 20 Aug 2025 05:25:29 -0400
Subject: [PATCH] add bitwarden
---
 configuration.nix | 2 ++
 flake.nix | 5 +++++
 services/bitwarden.nix | 49 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 services/bitwarden.nix
diff --git a/configuration.nix b/configuration.nix
index faeb946..086c9ca 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -32,6 +32,8 @@ # ./services/llama-cpp.nix ./services/ups.nix + + ./services/bitwarden.nix ]; systemd.targets = {
diff --git a/flake.nix b/flake.nix
index 6b4496a..b18b27f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,7 @@ soulseek_web = 5030; soulseek_listen = 50300; llama_cpp = 8991; + vaultwarden = 8222; }; https = {
@@ -132,6 +133,10 @@ downloads = base + "/downloads"; incomplete = base + "/incomplete"; }; + + vaultwarden = { + path = "/var/lib/vaultwarden"; + }; }; pkgs = import nixpkgs {
diff --git a/services/bitwarden.nix b/services/bitwarden.nix
new file mode 100644
index 0000000..fb52493
--- /dev/null
+++ b/services/bitwarden.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ pkgs,
+ service_configs,
+ ...
+}:
+{
+ imports = [
+ (lib.serviceMountDeps "vaultwarden" [
+ service_configs.vaultwarden.path
+ # config.services.vaultwarden.backupDir
+ ])
+ (lib.serviceMountDeps "backup-vaultwarden" [
+ service_configs.vaultwarden.path
+ # config.services.vaultwarden.backupDir
+ ])
+ ];
+
+ services.vaultwarden = {
+ enable = true;
+ # backupDir = "/${service_configs.zpool_ssds}/bak/vaultwarden";
+ # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+ # be aware that this file must be created by hand (or via secrets management like sops)
+ environmentFile = service_configs.vaultwarden.path + "/vaultwarden.env";
+ config = {
+ # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+ DOMAIN = "https://bitwarden.${service_configs.https.domain}";
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = service_configs.ports.vaultwarden;
+ ROCKET_LOG = "critical";
+ };
+ };
+
+ services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
+ encode zstd gzip
+
+ reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+
+ systemd.tmpfiles.rules = [
+ "d ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
+ # "d ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
+ ];
+}
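Review bot: The `environmentFile` line keeps ADMIN_TOKEN as a plaintext secret inside the same state directory that holds the vault database, and the comment above it only says the file must be created by hand. vaultwarden accepts the token as an Argon2 PHC hash instead, so put the output of `vaultwarden hash` in that file (`ADMIN_TOKEN='$argon2id$v=19$...'`, single-quoted as the vaultwarden wiki shows so the `$` signs are kept literally) rather than the raw value; a copied data directory or backup then does not yield a working `/admin` credential. Because systemd reads `EnvironmentFile=` itself before the service drops to the vaultwarden user, the file also does not need to live in the 0700 vaultwarden-owned directory declared by the tmpfiles rule at the bottom of the hunk; a root-only path outside the data directory (what the sops route mentioned in the comment would give you) stops a compromised service process from rewriting its own admin token. The `backupDir` option and its mount dependency are commented out in four places, so this vault currently has no backup at all; either enable it or drop the dead lines rather than leave them half-wired. Whether `lib.serviceMountDeps` orders the tmpfiles directory after the underlying mount is not visible from this diff.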