infra/nix/modules/vaultwarden.nix


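{
  config,
  lib,
  ...
}:
let
  p = config.sops.placeholder;

  # Every secret in this module is referenced only from the vaultwardenEnv
  # template below, so all of them share one owner/group and restart the same
  # unit when rotated.  Declared once and expanded with genAttrs instead of
  # repeating the same three attributes for each of the eleven keys.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
    restartUnits = [ "vaultwarden.service" ];
  };

  # sops keys rendered into the environment file.  use_sendmail is a plain
  # switch rather than a credential, but keeping it with the rest means the
  # whole mail configuration lives in one encrypted file.
  secretNames = [
    "vaultwarden/adminToken"
    "vaultwarden/smtp_host"
    "vaultwarden/smtp_from"
    "vaultwarden/smtp_from_name"
    "vaultwarden/smtp_security"
    "vaultwarden/smtp_port"
    "vaultwarden/smtp_username"
    "vaultwarden/smtp_password"
    "vaultwarden/smtp_timeout"
    "vaultwarden/smtp_auth_mechs"
    "vaultwarden/use_sendmail"
  ];
in
{
  sops = {
    secrets = lib.genAttrs secretNames (_: vaultwardenSecret);

    templates = {
      # Rendered by sops-nix at activation time and handed to the unit through
      # services.vaultwarden.environmentFile, so the decrypted values are
      # written on the host rather than into the Nix store.  Values are
      # single-quoted so shell-special characters are not interpreted by the
      # EnvironmentFile parser; a secret that itself contains a single quote
      # would still need escaping.
      vaultwardenEnv.content = ''
        ADMIN_TOKEN='${p."vaultwarden/adminToken"}'
        DOMAIN="https://waldemar.${p.domainName}"
        SMTP_HOST='${p."vaultwarden/smtp_host"}'
        SMTP_FROM='${p."vaultwarden/smtp_from"}'
        SMTP_FROM_NAME='${p."vaultwarden/smtp_from_name"}'
        # ("starttls", "force_tls", "off") Enable a secure connection. Default is "starttls" (Explicit - ports 587 or 25), "force_tls" (Implicit - port 465) or "off", no encryption (port 25)
        SMTP_SECURITY="${p."vaultwarden/smtp_security"}"
        SMTP_PORT=${p."vaultwarden/smtp_port"} # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
        SMTP_USERNAME='${p."vaultwarden/smtp_username"}'
        SMTP_PASSWORD='${p."vaultwarden/smtp_password"}'
        SMTP_TIMEOUT=${p."vaultwarden/smtp_timeout"}
        SMTP_AUTH_MECHANISMS='${p."vaultwarden/smtp_auth_mechs"}'
        # Whether to send mail via the `sendmail` command
        USE_SENDMAIL=${p."vaultwarden/use_sendmail"}
      '';
    };
  };

  services = {
    # ZFS snapshot policy for the vault data and (presumably) the dataset
    # backing backupDir below — confirm the mount mapping on the host.
    sanoid.datasets = {
      "zroot/userdata/services/vaultwarden" = {
        useTemplate = [ "frequent" ];
        # recursive = "zfs";
        recursive = true;
      };
      "zroot/userdata/services/vaultwarden-backup" = {
        useTemplate = [ "frequent" ];
        # recursive = "zfs";
        recursive = true;
      };
    };

    vaultwarden = {
      enable = true;
      # Secrets arrive via the sops template; nothing sensitive is set in
      # `config` below, which ends up in the world-readable store.
      environmentFile = config.sops.templates.vaultwardenEnv.path;
      dbBackend = "sqlite";
      # Setting backupDir enables the module's periodic sqlite backup.
      backupDir = "/var/backup/vaultwarden";
      config = {
        # Loopback only: the public DOMAIN is presumably served by a reverse
        # proxy on this host that terminates TLS and forwards to 8222 — verify.
        ROCKET_ADDRESS = "::1";
        ROCKET_PORT = 8222;
        # NOTE(review): debug log level together with SMTP_DEBUG is a
        # troubleshooting setting.  Vaultwarden's own .env.template warns that
        # SMTP_DEBUG echoes the SMTP session to the log and can reveal
        # sensitive information such as credentials; turn both down once mail
        # delivery is confirmed working.
        LOG_LEVEL = "debug";
        SMTP_DEBUG = true;
        REQUIRE_DEVICE_EMAIL = false;
        SIGNUPS_VERIFY = true;
        SMTP_EMBED_IMAGES = true;
        # Keep both false: the relay's certificate chain and hostname are
        # verified, so the SMTP credentials are only sent over an
        # authenticated TLS session.
        SMTP_ACCEPT_INVALID_CERTS = false;
        SMTP_ACCEPT_INVALID_HOSTNAMES = false;
        HELO_NAME = "wyse";
        # NOTE(review): false disables the guard that keeps the icon fetcher
        # from connecting to non-global (private/loopback) addresses, so an
        # icon lookup for a vault entry can reach hosts on the local network
        # (SSRF exposure).  Re-enable unless icons for internal services are
        # actually required.
        ICON_BLACKLIST_NON_GLOBAL_IPS = false;
      };
    };
  };
}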