server-config/services/bitwarden.nix

{
  config,
  lib,
  pkgs,
  service_configs,
  ...
}:
{
  imports = [
    (lib.serviceMountWithZpool "vaultwarden" service_configs.zpool_ssds [
      service_configs.vaultwarden.path
      config.services.vaultwarden.backupDir
    ])
    (lib.serviceMountWithZpool "backup-vaultwarden" service_configs.zpool_ssds [
      service_configs.vaultwarden.path
      config.services.vaultwarden.backupDir
    ])
    (lib.serviceFilePerms "vaultwarden" [
      "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
      "Z ${config.services.vaultwarden.backupDir} 0700 vaultwarden vaultwarden"
    ])
  ];

  services.vaultwarden = {
    enable = true;
    backupDir = "/${service_configs.zpool_ssds}/bak/vaultwarden";
    config = {
      # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
      DOMAIN = "https://bitwarden.${service_configs.https.domain}";
      SIGNUPS_ALLOWED = false;

      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = service_configs.ports.vaultwarden;
      ROCKET_LOG = "critical";
    };
  };

  services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
    encode zstd gzip

    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
    }
  '';

  # Protect Vaultwarden login from brute force attacks
  services.fail2ban.jails.vaultwarden = {
    enabled = true;
    settings = {
      backend = "systemd";
      port = "http,https";
      # defaults: maxretry=5, findtime=10m, bantime=10m
    };
    filter.Definition = {
      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
      ignoreregex = "";
      journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
    };
  };
}