# Vaultwarden deployed as a microvm guest.
#
# Split of responsibilities visible in this file:
#   * guest (microvm.vms.vaultwarden): runs vaultwarden + sshd, bound to the
#     guest's tap address; reached only through the host.
#   * host: Caddy terminates TLS for ${host} and reverse-proxies into the guest;
#     sops-nix decrypts the environment file into ${secrets}, which is shared
#     into the guest over virtiofs at the same path.
{ flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services.instances) vaultwarden smtp web;
  service = vaultwarden;
  # Public hostname served by Caddy and advertised to clients via DOMAIN.
  host = vaultwarden.domains.url0;
  # Directory holding the decrypted secret files (same path on host and guest).
  secrets = service.secretPaths.path0;
  # NOTE(review): despite the name, this value is used both as the Rocket bind
  # address and as the "${localhost}/0" route Destination below, so it is
  # presumably a wildcard address (0.0.0.0) rather than 127.0.0.1 — confirm
  # against web.localhost.address0; with a loopback value Caddy on the host
  # could not reach the guest.
  localhost = web.localhost.address0;
  sshPort = 22;
in
{
  microvm = {
    vms = {
      vaultwarden = {
        autostart = true;
        config =
          { config, pkgs, lib, ... }:
          {
            system.stateVersion = "25.05";
            time.timeZone = "America/Winnipeg";
            # Root is reachable only with the configured user's SSH keys; password
            # authentication is disabled in the sshd settings below.
            users.users.root = {
              openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
            };
            services = {
              vaultwarden = {
                enable = true;
                # Values that must not land in the Nix store (SMTP password,
                # ADMIN_TOKEN, ...) are expected to come from this file.
                # NOTE(review): the only sops declaration of this secret visible
                # in this file is on the host side (bottom of the file); this
                # guest-side lookup assumes an equally named sops secret is also
                # declared in the guest's configuration — confirm.
                environmentFile = config.sops.secrets."${service.name}-env".path;
                config = {
                  # Domain Configuration
                  DOMAIN = "https://${host}";
                  # Email Configuration
                  SMTP_AUTH_MECHANISM = "Plain";
                  SMTP_EMBED_IMAGES = true;
                  SMTP_FROM = smtp.email.address0;
                  SMTP_FROM_NAME = service.label;
                  SMTP_HOST = smtp.hostname;
                  SMTP_PORT = smtp.ports.port1;
                  SMTP_SECURITY = smtp.records.record1;
                  SMTP_USERNAME = smtp.email.address0;
                  # Security Configuration
                  # Keep the /admin page behind ADMIN_TOKEN (expected in the
                  # environment file, not here).
                  DISABLE_ADMIN_TOKEN = false;
                  # NOTE(review): SIGNUPS_ALLOWED is not set in this block;
                  # vaultwarden's built-in default permits open registration, so
                  # unless the environment file overrides it, anyone reaching
                  # ${host} can create an account (subject only to the e-mail
                  # verification enabled below) — confirm this is intended.
                  # Event and Backup Management
                  EVENTS_DAYS_RETAIN = 90;
                  # User Features
                  SENDS_ALLOWED = true;
                  SIGNUPS_VERIFY = true;
                  WEB_VAULT_ENABLED = true;
                  # Rocket (Web Server) Settings
                  # Bind on the guest's address so the host-side Caddy can reach it.
                  ROCKET_ADDRESS = localhost;
                  ROCKET_PORT = service.ports.port0;
                };
              };
              openssh = {
                enable = true;
                settings = {
                  PasswordAuthentication = false;
                  PermitRootLogin = "prohibit-password";
                };
              };
            };
            systemd = {
              # Mount point for the virtiofs-shared secrets directory, owned by
              # the service user.
              # NOTE(review): 0755 makes the directory listing world-readable
              # inside the guest; the secret file itself is created host-side
              # with mode 600, so only file names are exposed, but 0750 would be
              # the tighter choice — confirm nothing else needs to traverse it.
              tmpfiles.rules = [ "d ${secrets} 0755 ${service.name} ${service.name} -" ];
              network = {
                enable = true;
                networks."10-enp" = {
                  matchConfig.Name = "enp0s4";
                  addresses = [ { Address = "${service.interface.ip}/24"; } ];
                  # Presumably the default route via the tap gateway (see the
                  # note on `localhost` above).
                  routes = [
                    {
                      Destination = "${localhost}/0";
                      Gateway = service.interface.gate;
                    }
                  ];
                  dns = [ service.interface.gate ];
                };
              };
            };
            # Guest firewall: only SSH and the vaultwarden HTTP port are open;
            # both are expected to be reached from the host (Caddy / port forward).
            networking.firewall.allowedTCPPorts = [
              sshPort
              service.ports.port0
            ];
            microvm = {
              vcpu = 2;
              mem = 2048;
              hypervisor = "qemu";
              interfaces = [
                # Tap interface on the host bridge; carries the proxied HTTP traffic.
                {
                  type = "tap";
                  id = service.interface.id;
                  mac = service.interface.mac;
                }
                # QEMU user-mode interface; used for the SSH port forward below.
                {
                  type = "user";
                  id = service.interface.idUser;
                  mac = service.interface.macUser;
                }
              ];
              shares = [
                # Host nix store, exposed read-only to the guest.
                {
                  mountPoint = "/nix/.ro-store";
                  proto = "virtiofs";
                  source = "/nix/store";
                  tag = "read_only_nix_store";
                }
                # Persistent vaultwarden data directory.
                {
                  mountPoint = service.varPaths.path0;
                  proto = "virtiofs";
                  source = service.mntPaths.path0;
                  tag = "${service.name}_data";
                }
                # Decrypted sops secrets (same path on host and guest).
                {
                  mountPoint = service.secretPaths.path0;
                  proto = "virtiofs";
                  source = service.secretPaths.path0;
                  tag = "${service.name}_secrets";
                }
                # ACME certificates.
                # NOTE(review): nothing in the guest configuration shown here
                # reads these; TLS is terminated by Caddy on the host, so this
                # share may be unnecessary — confirm before keeping it.
                {
                  mountPoint = service.ssl.path;
                  proto = "virtiofs";
                  source = service.ssl.path;
                  tag = "acme_certs";
                }
              ];
              # Host port -> guest sshd, over the user-mode interface.
              forwardPorts = [
                {
                  from = "host";
                  host.port = service.interface.ssh;
                  guest.port = sshPort;
                }
              ];
            };
          };
      };
    };
  };
  # Host-side TLS termination; the proxied connection to the guest is plain HTTP
  # on the tap network. X-Real-IP is forwarded so vaultwarden's rate limiting
  # and logging see the client address rather than the host's.
  services.caddy.virtualHosts."${host}" = {
    extraConfig = ''
      reverse_proxy ${service.interface.ip}:${toString service.ports.port0} {
        header_up X-Real-IP {remote_host}
      }
      tls ${service.ssl.cert} ${service.ssl.key}
      encode zstd gzip
    '';
  };
  # Host-side sops-nix declaration: each listed secret is decrypted to
  # ${secrets}/<service>-<secret>, root-owned and mode 600.
  sops =
    let
      sopsPath = secret: {
        path = "${secrets}/${service.name}-${secret}";
        owner = "root";
        mode = "600";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map (secret: {
          name = "${service.name}-${secret}";
          value = sopsPath secret;
        }) [ "env" ]
      );
    };
}