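# NixOS module: Vaultwarden behind nginx for vault.ctu.cx, with secrets from
# `age.secrets`, a restic backup job, failure notifications and a DNS alias.
{ secrets, pkgs, config, ... }:

let
  # Vaultwarden listens on loopback only (ROCKET_ADDRESS below); nginx is the
  # single public entry point. The port is read back from the service config
  # so the proxy and the listener cannot drift apart.
  backend = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}";
in
{
  # Publish vault.ctu.cx as an alias of this host's FQDN.
  dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];

  age.secrets = {
    # restic repository password, looked up per host under its hostName.
    # NOTE(review): no owner/group is set, so the decrypted file gets the
    # age.secrets defaults — confirm the restic-backups job below, which is
    # configured with user = "vaultwarden", can actually read it.
    resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;

    # Environment file handed to vaultwarden. Presumably carries the values
    # that must stay out of the Nix store (SMTP password, push credentials) —
    # verify against the encrypted file. Owned by the service user so the
    # unit can read it without elevated privileges.
    vaultwardenSecrets = {
      file = secrets."${config.networking.hostName}".vaultwardenSecrets;
      owner = "vaultwarden";
      group = "vaultwarden";
    };
  };

  # Off-site backup: the live state directory plus the SQLite backup directory
  # that the vaultwarden module writes via `backupDir`. This is the top-level
  # `restic-backups` option, not upstream `services.restic.backups`; its exact
  # semantics (e.g. which user runs the job) are defined elsewhere.
  restic-backups.vaultwarden = {
    user = "vaultwarden";
    passwordFile = config.age.secrets.resticVaultwarden.path;
    paths = [
      "/var/lib/vaultwarden"
      "/var/backups/vaultwarden"
    ];
  };

  # Mail on service failure. `%n` expands to the full unit name
  # ("vaultwarden.service"); `%i` is the instance name and is empty for a
  # non-template unit, which would leave the template without an instance.
  systemd.services.vaultwarden.onFailure = [ "email-notify@%n.service" ];

  services = {
    vaultwarden = {
      enable = true;
      dbBackend = "sqlite";
      # SQLite backups produced by the vaultwarden module land here; the
      # directory is also part of the restic paths above.
      backupDir = "/var/backups/vaultwarden";
      environmentFile = config.age.secrets.vaultwardenSecrets.path;
      config = {
        DOMAIN = "https://vault.ctu.cx";
        # Self-service registration is closed.
        SIGNUPS_ALLOWED = false;
        # NOTE(review): push needs installation credentials; expected to come
        # from environmentFile — confirm.
        PUSH_ENABLED = true;
        SMTP_HOST = "hector.ctu.cx";
        SMTP_FROM = "vaultwarden@ctu.cx";
        SMTP_USERNAME = "vaultwarden@ctu.cx";
        SMTP_PORT = 587;
        SMTP_SECURITY = "starttls";
        # Loopback only; TLS termination happens in nginx.
        ROCKET_ADDRESS = "::1";
        ROCKET_PORT = 8582;
      };
    };

    nginx = {
      enable = true;
      virtualHosts."vault.ctu.cx" = {
        # Reuses the host-wide ACME certificate; it must cover vault.ctu.cx.
        useACMEHost = "${config.networking.fqdn}";
        forceSSL = true;
        kTLS = true;
        locations = {
          "/".proxyPass = "${backend}/";
          # No trailing slash here: when proxy_pass carries a URI part, nginx
          # replaces the matched location prefix with it, so a request for
          # "/notifications/hub" would reach the backend as "/" and the
          # WebSocket upgrade would never hit the hub endpoint.
          "/notifications/hub" = {
            proxyPass = backend;
            proxyWebsockets = true;
          };
        };
      };
    };
  };
}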