add bitwarden

2025-08-20 05:25:29 -04:00 · 2025-08-20 05:25:29 -04:00 · d5c2a01ce1
commit d5c2a01ce1
parent 501510183c
3 changed files with 56 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -32,6 +32,8 @@
    # ./services/llama-cpp.nix

    ./services/ups.nix
+
+    ./services/bitwarden.nix
  ];

  systemd.targets = {
--- a/flake.nix
+++ b/flake.nix
@ -83,6 +83,7 @@
          soulseek_web = 5030;
          soulseek_listen = 50300;
          llama_cpp = 8991;
+          vaultwarden = 8222;
        };

        https = {
@ -132,6 +133,10 @@
          downloads = base + "/downloads";
          incomplete = base + "/incomplete";
        };
+
+        vaultwarden = {
+          path = "/var/lib/vaultwarden";
+        };
      };

      pkgs = import nixpkgs {
--- a/services/bitwarden.nix
+++ b/services/bitwarden.nix
@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  pkgs,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountDeps "vaultwarden" [
+      service_configs.vaultwarden.path
+      # config.services.vaultwarden.backupDir
+    ])
+    (lib.serviceMountDeps "backup-vaultwarden" [
+      service_configs.vaultwarden.path
+      # config.services.vaultwarden.backupDir
+    ])
+  ];
+
+  services.vaultwarden = {
+    enable = true;
+    # backupDir = "/${service_configs.zpool_ssds}/bak/vaultwarden";
+    # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+    # be aware that this file must be created by hand (or via secrets management like sops)
+    environmentFile = service_configs.vaultwarden.path + "/vaultwarden.env";
+    config = {
+      # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+      DOMAIN = "https://bitwarden.${service_configs.https.domain}";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = service_configs.ports.vaultwarden;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
+    encode zstd gzip
+
+    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
+    }
+  '';
+
+  systemd.tmpfiles.rules = [
+    "d ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
+    # "d ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
+  ];
+}