initial commit

services/vaultwarden/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./options.nix
+    ./service.nix
+  ];
+}

services/vaultwarden/options.nix

@@ -0,0 +1,17 @@
+{ lib, ... }:
+with lib;
+{
+  options.machine.vaultwarden = {
+    enable = mkEnableOption "Vaultwarden";
+    domain = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "Domain name. If not set, will be disabled, and use the localhost.";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 4534;
+      description = "Listen port.";
+    };
+  };
+}

services/vaultwarden/service.nix

@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.machine.vaultwarden)
+    enable
+    domain
+    port
+    ;
+in
+with lib; mkIf enable {
+  networking.firewall = {
+    allowedTCPPorts = [ port ];
+  };
+
+  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+    "${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header X-Forwarded-Host $host;
+        '';
+      };
+
+      extraConfig = ''
+        add_header X-Frame-Options DENY;
+        add_header X-Content-Type-Options nosniff;
+        add_header Referrer-Policy same-origin;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
+    };
+  };
+
+  services.vaultwarden = {
+    inherit enable;
+    backupDir = "/var/local/vaultwarden/backup";
+    environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+    config = {
+      DOMAIN = "https://${domain}";
+      SIGNUPS_ALLOWED = true;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = port;
+      ROCKET_LOG = "critical";
+    };
+  };
+}