services/vaultwarden: init

modules/default.nix

@@ -20,6 +20,7 @@ in {
     ./services/synapse.nix
     ./services/tmptsync.nix
     ./services/unbound.nix
+    ./services/vaultwarden.nix
   ];
   system = mkAttrsFromPaths [
     ./system/audio.nix

modules/services/unbound.nix

@@ -28,6 +28,11 @@ in {
           "10.0.0.0/8       allow"
           "192.168.100.0/24 allow"
         ];
+        domain-insecure = [ "local.lava.moe" ];
+        local-zone = [ "local.lava.moe. redirect" ];
+        local-data = [
+          "warden.local.lava.moe. IN A 192.168.100.15"
+        ];
       };
 
       include = "${inputs.hosts-blocklists}/unbound/unbound.blacklist.conf";

modules/services/vaultwarden.nix

@@ -0,0 +1,31 @@
+{ config, ... }:
+let
+  dir = "/persist/vaultwarden";
+  user = config.users.users.vaultwarden.name;
+  group = config.users.groups.vaultwarden.name;
+in {
+  systemd.tmpfiles.rules = [
+    "d ${dir} 700 ${user} ${group}"
+    "d ${dir}_backup 700 ${user} ${group}"
+  ];
+  services.vaultwarden = {
+    backupDir = "${dir}_backup";
+    config = {
+      dataFolder = dir;
+      signupsAllowed = false;
+      rocketPort = 8002;
+    };
+    domain = "warden.local.lava.moe";
+    environmentFile = config.age.secrets.warden_admin.path;
+  };
+
+  services.nginx.virtualHosts."warden.local.lava.moe" = {
+    forceSSL = true;
+    useACMEHost = "lava.moe";
+
+    locations."/".proxyPass = "http://[::1]:8002";
+  };
+
+  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ dir ];
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = dir;
+}