vaultwarden: add admin secret

flake.nix

@@ -64,6 +64,7 @@
             age.secrets.borgbackup-password.file = ./secrets/vno1-oh2/borgbackup/password.age;
             age.secrets.grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age;
             age.secrets.letsencrypt-account-key.file = ./secrets/letsencrypt/account.key.age;
+            age.secrets.vaultwarden-admin-env.file = ./secrets/vaultwarden/admin.env.age;
 
             age.secrets.synapse-jakstys-signing-key.file = ./secrets/synapse/jakstys_lt_signing_key.age;
             age.secrets.synapse-registration-shared-secret.file = ./secrets/synapse/registration_shared_secret.age;

hosts/vno1-oh2/configuration.nix

@@ -412,12 +412,13 @@
 
     vaultwarden = {
       enable = true;
+
       config = {
         ROCKET_ADDRESS = "127.0.0.1";
         ROCKET_PORT = myData.ports.vaultwarden;
-        DOMAIN = "https://bitwarden.jakstys.lt";
-        SIGNUPS_ALLOWED = false;
         ROCKET_LOG = "critical";
+        DOMAIN = "https://bitwarden.jakstys.lt";
+        SIGNUPS_ALLOWED = true;
 
         # TODO remove after 1.29.0
         WEBSOCKET_ENABLED = true;
@@ -472,6 +473,15 @@
       requires = ["nsd-acme-irc.jakstys.lt.service"];
     };
 
+    vaultwarden = {
+      serviceConfig = {
+        environmentFile = ["$CREDENTIALS_DIRECTORY/admin.env"];
+        LoadCredential = [
+          "admin.env:${config.age.secrets.vaultwarden-admin-env.path}"
+        ];
+      };
+    };
+
     grafana = {
       preStart = "ln -sf $CREDENTIALS_DIRECTORY/oidc /run/grafana/oidc-secret";
       serviceConfig = {

secrets.nix

@@ -26,6 +26,7 @@ in
     "secrets/grafana.jakstys.lt/oidc.age"
     "secrets/letsencrypt/account.key.age"
     "secrets/headscale/oidc_client_secret2.age"
+    "secrets/vaultwarden/admin.env.age"
 
     "secrets/synapse/jakstys_lt_signing_key.age"
     "secrets/synapse/registration_shared_secret.age"