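# NixOS module for one Vaultwarden instance: Rocket bound to a local address,
# fronted by Caddy over TLS, secrets supplied via sops-nix, and the module's
# backup job redirected into a syncthing-shared directory.
{ flake, config, lib, ... }:
let
  inherit (flake.config.services) instances;
  service = instances.vaultwarden;
  # Address the Rocket listener binds to and that Caddy proxies to. The
  # backend is only ever reached through Caddy, so this must stay loopback.
  localhost = instances.web.localhost.address0;
  host = service.domains.url0;
  syncthing = instances.syncthing;
  # Backups are written under a syncthing-managed path. NOTE(review): the
  # vaultwarden backup contains the full SQLite DB, attachments and
  # rsa_key.pem (the JWT signing key), so every peer that receives this
  # folder effectively holds the vault — make sure the share is trusted.
  backupPath = "${syncthing.paths.path1}/${service.name}";
in
{
  services = {
    vaultwarden = {
      enable = true;
      backupDir = backupPath;
      # Secrets (ADMIN_TOKEN, SMTP password, ...) live in this file rather
      # than in `config`, which would end up world-readable in the Nix store.
      environmentFile = config.sops.secrets."${service.name}/env".path;
      config = {
        # Domain Configuration
        DOMAIN = "https://${host}";

        # Email Configuration
        SMTP_HOST = instances.smtp.hostname;
        SMTP_PORT = instances.smtp.ports.port0;
        SMTP_SECURITY = "starttls";
        SMTP_AUTH_MECHANISM = "Plain";
        SMTP_USERNAME = service.email.address0;
        SMTP_FROM = service.email.address0;
        SMTP_FROM_NAME = service.label;
        SMTP_EMBED_IMAGES = true;

        # Security Configuration
        # Keep the /admin panel gated by ADMIN_TOKEN (from environmentFile).
        DISABLE_ADMIN_TOKEN = false;

        # Event and Backup Management
        # NOTE(review): only has an effect if organisation event logging is
        # enabled, which is not configured here — confirm that is intended.
        EVENTS_DAYS_RETAIN = 90;

        # User Features
        SENDS_ALLOWED = true;
        # NOTE(review): SIGNUPS_ALLOWED is not set here, so registration stays
        # at vaultwarden's upstream default. SIGNUPS_VERIFY only requires a
        # reachable mailbox; set SIGNUPS_ALLOWED = false (or restrict with
        # SIGNUPS_DOMAINS_WHITELIST) once the intended accounts exist.
        SIGNUPS_VERIFY = true;
        WEB_VAULT_ENABLED = true;

        # Rocket (Web Server) Settings
        ROCKET_ADDRESS = localhost;
        ROCKET_PORT = service.ports.port0;
      };
    };

    caddy = {
      # TLS terminates here with the instance's own cert/key; X-Real-IP is
      # forwarded so vaultwarden's login logging / rate limiting sees the
      # real client address rather than Caddy's.
      virtualHosts."${host}" = {
        extraConfig = ''
          reverse_proxy ${localhost}:${toString service.ports.port0} {
            header_up X-Real-IP {remote_host}
          }
          tls ${service.ssl.cert} ${service.ssl.key}
          encode zstd gzip
        '';
      };
    };
  };

  sops =
    let
      # Each secret is materialised as <sops.path0>/<service>-<secret>,
      # owned by the service user and readable by nobody else.
      secretFor = name: {
        path = "${service.sops.path0}/${service.name}-${name}";
        owner = service.name;
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map (name: {
          name = "${service.name}/${name}";
          value = secretFor name;
        }) [ "env" ]
      );
    };

  systemd = {
    tmpfiles.rules = [
      # `Z` is recursive and applies the mode to every file below the path.
      # 0750 instead of 0755: the service user/group keep full access, but
      # other local users can no longer read the tree. NOTE(review): if
      # path0 is vaultwarden's data directory this matters a lot — 0755
      # would expose db.sqlite3 and rsa_key.pem to every local account.
      "Z ${service.paths.path0} 0750 ${service.name} ${service.name} -"
      # Non-recursive `z`: only the secrets directory itself is adjusted.
      # sops-nix already sets owner and mode 600 on the secret files; a
      # recursive 755 here would loosen them on every tmpfiles run.
      "z ${service.sops.path0} 0750 ${service.name} ${service.name} -"
    ];

    services.backup-vaultwarden = {
      serviceConfig = {
        # Dump as the syncthing group so the share can pick the files up.
        Group = lib.mkForce syncthing.name;
      };
      # Do not pull the backup job in at boot; leave scheduling to whatever
      # timer the vaultwarden module defines for it (not visible here).
      wantedBy = lib.mkForce [ ];
      after = [ "${service.name}.service" ];
    };
  };

  # Lets the service user write into the syncthing-owned backup directory.
  users.users.${service.name}.extraGroups = [ syncthing.name ];

  # No firewall rule for ROCKET_PORT on purpose: the listener is bound to
  # `localhost` and is only reachable through Caddy. Opening it would be a
  # no-op for a loopback bind and, should ROCKET_ADDRESS ever become a
  # non-loopback address, would expose the plain-HTTP backend and bypass
  # TLS. Ports 80/443 for Caddy are not opened in this module either —
  # confirm the web instance's configuration handles that.
}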