infrastructure/nixos-modules/vault/default.nix

{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.qois.vault;
in
with lib;
{
  options.qois.vault = {
    enable = mkEnableOption "Enable qois vault service";

    domain = mkOption {
      type = types.str;
      default = "vault.qo.is";
      description = "Domain, under which the service is served.";
    };
  };

  config = mkIf cfg.enable {

    services.vaultwarden = {
      enable = true;
      dbBackend = "postgresql";
      environmentFile = config.sops.secrets."vaultwarden/environment-file".path;
      config = {
        DATA_FOLDER = "/var/lib/bitwarden_rs";
        DATABASE_URL = "postgresql:///vaultwarden";

        DOMAIN = "https://${cfg.domain}";
        ROCKET_PORT = 8222;

        USE_SENDMAIL = true;
        SMTP_FROM = "vault@qo.is";
        SMTP_FROM_NAME = cfg.domain;

        SIGNUPS_ALLOWED = false;
        INVITATIONS_ALLOWED = false;
        SIGNUPS_DOMAINS_WHITELIST = "qo.is";
        SIGNUPS_VERIFY = true;

        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials";
        SHOW_PASSWORD_HINT = false;
        TRASH_AUTO_DELETE_DAYS = 30;
      };
    };

    qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];

    services.postgresql =
      let
        name = config.users.users.vaultwarden.name;
      in
      {
        enable = true;
        ensureUsers = [
          {
            inherit name;
            ensureDBOwnership = true;
          }
        ];
        ensureDatabases = [ name ];
      };

    # See https://search.nixos.org/options?channel=unstable&show=services.vaultwarden.environmentFile
    sops.secrets."vaultwarden/environment-file".restartUnits = [ "vaultwarden.service" ];

    systemd.services.vaultwarden.path = [ pkgs.msmtp ];
    users.users.vaultwarden.extraGroups = [ "postdrop" ];

    networking.hosts."127.0.0.1" = [ cfg.domain ];
    services.nginx = {
      enable = true;

      virtualHosts.${cfg.domain} = {
        kTLS = true;
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
          proxyWebsockets = true;
        };
      };
    };
  };
}