move vaultwarden to fwminex

2024-08-03 06:53:37 +03:00
parent 70d2833fa0
commit 8c74bdca64
8 changed files with 84 additions and 58 deletions
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -20,6 +20,7 @@
    ./sshguard
    ./syncthing
    ./tailscale
+    ./vaultwarden
    ./wifibackup
    ./zfsunlock
  ];
--- a/modules/services/vaultwarden/default.nix
+++ b/modules/services/vaultwarden/default.nix
@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  myData,
+  ...
+}:
+let
+  cfg = config.mj.services.vaultwarden;
+in
+{
+  options.mj.services.vaultwarden = with lib.types; {
+    enable = lib.mkEnableOption "Enable vautwarden";
+    port = lib.mkOption { type = port; };
+    secretsEnvFile = lib.mkOption { type = path; };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+
+      config = {
+        # TODO http migration
+        ROCKET_ADDRESS = "0.0.0.0";
+        ROCKET_PORT = cfg.port;
+        LOG_LEVEL = "warn";
+        DOMAIN = "https://bitwarden.jakstys.lt";
+        SIGNUPS_ALLOWED = false;
+        INVITATION_ORG_NAME = "jakstys";
+        PUSH_ENABLED = true;
+
+        SMTP_HOST = "localhost";
+        SMTP_PORT = 25;
+        SMTP_SECURITY = "off";
+        SMTP_FROM = "admin@jakstys.lt";
+        SMTP_FROM_NAME = "Bitwarden at jakstys.lt";
+      };
+    };
+
+    systemd.services.vaultwarden = {
+      preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
+      serviceConfig = {
+        EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
+        RuntimeDirectory = "vaultwarden";
+        LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ];
+      };
+    };
+
+    mj.services.friendlyport.ports = [
+      {
+        subnets = [ myData.subnets.tailscale.cidr ];
+        tcp = [ cfg.port ];
+      }
+    ];
+
+  };
+
+}