added vaultwarden

config/services/vaultwarden.nix

@@ -0,0 +1,47 @@
+{ config, inputs, pkgs, ... }: {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+  sops.secrets."services/vaultwarden/environmentFile" = {
+    sopsFile = ../../secrets/services/vaultwarden.yaml;
+    owner = "vaultwarden";
+  };
+  services.vaultwarden = {
+    enable = true;
+    environmentFile = config.sops.secrets."services/vaultwarden/environmentFile".path;
+    config = {
+      DATA_FOLDER = "/var/lib/vaultwarden";
+      DOMAIN = "staging.vault.kyouma.net";
+      DATABASE_MAX_CONNS = 15;
+      WEB_VAULT_ENABLED = true;
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = "::1";
+      WEBSOCKET_PORT = 3012;
+      SENDS_ALLOWED = true;
+      ORG_ATTACHMENT_LIMIT = 1048576;
+      USER_ATTACHMENT_LIMIT = 524288;
+      USER_SEND_LIMIT = 1048576;
+      INCOMPLETE_2FA_TIME_LIMIT = 5;
+      SIGNUPS_ALLOWED = true;
+      SIGNUPS_VERIFY = true;
+      INVITATION_ORG_NAME = "vault.kyouma.net";
+      PASSWORD_ITERATIONS = 1200000;
+      ICON_DOWNLOAD_TIMEOUT = 30;
+      SMTP_HOST = "mail.kyouma.net";
+      SMTP_FROM = "vault@kyouma.net";
+      SMTP_FROM_NAME = "vault.kyouma.net";
+      SMTP_USERNAME = "vault@kyouma.net";
+      SMTP_SECURITY = "starttls";
+      SMTP_PORT = 587;
+      ROCKET_ADDRESS = "unix:/run/vaultwarden/rocket.socket";
+      ROCKET_PORT = "";
+    };
+  };
+  kyouma.nginx.virtualHosts."staging.vault.kyouma.net" = {
+    locations."/" = {
+      proxyPass = "http://unix:/run/vaultwarden/rocket.socket";
+      proxyWebsockets = true;
+    };
+  };
+  security.acme.certs."staging.vault.kyouma.net" = {};
+}

secrets/services/vaultwarden.yaml

@@ -0,0 +1,34 @@
+services:
+    vaultwarden:
+        environmentFile: ENC[AES256_GCM,data:qCzqf1xSqKdVin18WMOkFatuL2TTpvOEl1gFQyjBHbVuauDl4IJZ6aL+APrk7ADH78CRx5SntD6hjrI6hWea/IQsvw9feTTZkp+pG5qVvLdgPdl61cnAaZCUNvvzxE2NTFOTPriNLSRxwT8We1meyNe4CAkkKsMMVFInNarY8ZxuEEIEkBr7VfhB/EHCj72FSv1kR2zTw15n9b0gNxFwBC0jkTKTfEBoQNVtU6gmFTfXSNi92cothuTQbPxsYtbALpC3Y/aAJBT6SGODuqEHZ+B+NfYemX6eRYX89pXy3Tb0r2frK2XbWLowq7IP/w0MTGOsMV+ytiAD03wa65qUlYMejkGYFX1Q,iv:F/NXvyegyvIApdYaITAgGZxLUl99yfMbN/WSUOEKDmg=,tag:1MXqbpwPqG3v9h0X57k6kQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ht2wetcyl9rzu45e02pqqwgmyfsfe6y6ygxyuxpfhnkdm62d3pqsg3uqvd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYlRnYWU0V3dOdXNYVDNP
+            akh2T1dUa3VxVDFMQW8rWURWRUxLNXkwWDJRCloyUGlRbGZFY2owWldxblAvK1l2
+            S0UrODBFK1l0Rlp4VktlNGtONHFQWmcKLS0tICtYQkxQdlBMTGgwSGJIWHBpTWN2
+            Zzc0U3JJOGJDNTViNmpsM1RGYkRSYlEK5TwOYuhhtkD3S1gJGQWTDzr7z0MX9Lwx
+            lSMz7CYrJtVM+Ec+IBIMXopBOnrQWvOeBgEhN9KYfngLGNbUaJelFw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-03T13:05:08Z"
+    mac: ENC[AES256_GCM,data:xQtCP1lRVQvr3rY/Cb3eW7tAwUSge8yFMuYSzMRUzbaNz03dHU3lhp/FGFDa1aWvbxT9YdKr4rIY2sUlMAK5ltw5uiiOXo5RA0wiC80A9bRVudnxCpF0cvwzBUZyY4I5ydAKE+peKLf76GRVE9awkZLmCu/B+P/R9AuS0GEZxKA=,iv:G3HF5py8bTnbJZBSWDHPVY6yI/ZlDaTEG0XCq0t+ykY=,tag:bs95sOcYsLn1Pls8TpqzHw==,type:str]
+    pgp:
+        - created_at: "2024-05-03T12:00:19Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4D1GtNSlou/HkSAQdA/lTtX2vY6hjiqZUniapNKZBVC7paxWONm33g8GyZgj4w
+            mAlvN+ydpKWy2MzMpJ30ZQVv9at9OzBJyUWYWC8BU3vhv9JTxua382lDhO1IvQdw
+            0l4BZayJ3woOdhIfX6BUE2jZTTBSEpdHT0hs2EVIBZSFi9fHsFpmdTGS0xAqmhra
+            l8nuCAPCImuRYkOHm1LIKL/QT7rPy7pcj4dXWVq/u9zexEEA24kdPvF32GQaPIbf
+            =bUVv
+            -----END PGP MESSAGE-----
+          fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1