From af15c64ead7b34cf0cd6e275375643866892c6fe Mon Sep 17 00:00:00 2001
From: Callum Leslie
Date: Tue, 15 Oct 2024 16:32:53 +0100
Subject: [PATCH] vaultwarden
---
 home/c/programs/rbw/default.nix | 2 +-
 hosts/hermes/default.nix | 1 +
 hosts/hermes/vaultwarden.nix | 29 +++++++++++++++++++++++++++++
 secrets/secrets.nix | 1 +
 secrets/vaultwarden-env.age | 7 +++++++
 5 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 hosts/hermes/vaultwarden.nix
 create mode 100644 secrets/vaultwarden-env.age
diff --git a/home/c/programs/rbw/default.nix b/home/c/programs/rbw/default.nix
index a95f30a..7a1139e 100644
--- a/home/c/programs/rbw/default.nix
+++ b/home/c/programs/rbw/default.nix
@@ -3,7 +3,7 @@
 enable = true;
 settings = {
 base_url = "https://vaultwarden.cleslie.uk";
- email = "cal@callumleslie.me";
+ email = "vw@cleslie.uk";
 pinentry = pkgs.pinentry-gnome3;
 };
 };
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
index da82c9e..d6978bd 100644
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@@ -11,5 +11,6 @@
 ./media.nix
 ./headscale.nix
 ./forgejo.nix
+ ./vaultwarden.nix
 ];
 }
diff --git a/hosts/hermes/vaultwarden.nix b/hosts/hermes/vaultwarden.nix
new file mode 100644
index 0000000..5808748
--- /dev/null
+++ b/hosts/hermes/vaultwarden.nix
@@ -0,0 +1,29 @@
+{config, ...}: let
+ domain = "vaultwarden.cleslie.uk";
+in {
+ services = {
+ cloudflare-dyndns.domains = [domain];
+ vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ DOMAIN = "https://${domain}";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+ };
+ environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+ };
+
+ caddy.virtualHosts.${domain}.extraConfig = ''
+ reverse_proxy localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+
+ age.secrets."vaultwarden-env" = {
+ file = ../../secrets/vaultwarden-env.age;
+ };
+}
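Review bot: In hosts/hermes/vaultwarden.nix the Caddy `extraConfig` forwards every path of the vhost to Vaultwarden, so if the age-encrypted environment file sets `ADMIN_TOKEN` (its contents are not visible in this patch), the `/admin` panel is reachable from the internet with only that token in front of it. Consider adding `respond /admin* 403` above the `reverse_proxy` line, or limiting that path to a trusted network, when the panel is not needed remotely. A short comment on `environmentFile`, such as `# supplies the secret variables (list them here); keep them out of config, which is written to the Nix store`, would tell the next reader what the secret is expected to hold. The service block also sets no `backupDir`, so as far as this file shows the SQLite vault on hermes has no backup configured.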
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6aed516..f66bfbb 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,4 +11,5 @@ in { "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems; "forgejo-password.age".publicKeys = keys.c ++ [systems.hermes]; "cloudflare-api.age".publicKeys = keys.c ++ [systems.hermes]; + "vaultwarden-env.age".publicKeys = keys.c ++ [systems.hermes]; } diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age new file mode 100644 index 0000000..587ca80 --- /dev/null +++ b/secrets/vaultwarden-env.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 /RyXeg FyWjw52mFlS8j8s0hZZvu1C1jy4kFNHEMDyMer7uQjw +5nZS6DoNscDHLmB77aRfOiG/CxRDpGmo/q+2D15MrZM +-> ssh-ed25519 aSaoJQ yuB2O/EitRDPlpIjTQT7lz+gLBnVTaHMgJ2enexvWnk ++2BXZOWHuIDoQfZoh5X1XIuy2HJP+tJQh7ZJ6uxI48k +--- u4zTk4QXTWj0SdzP/2aHnGsN6MHdyEAhGRzTgpIgCeE +t8XRTv`;];u]6DRzzl[6O3ŗf@ʦcEXC{ #[gbG, ApnЋU"ɺ_ɔ%DL,4&oNH&!Pwz&Æ!SH(@~~{! \ No newline at end of file