vaultwarden

sys/machines/hopper/lab/default.nix

@@ -136,6 +136,16 @@ in {
           reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
         '';
       };
+      vw = {
+        useACMEHost = domain;
+        hostName = "vw.${domain}:${toString caddyPort}";
+        extraConfig = ''
+          reverse_proxy {
+            header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
+            to localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}
+          }
+        '';
+      };
       other = {
         useACMEHost = domain;
         hostName = ":${toString caddyPort}";
@@ -219,6 +229,12 @@ in {
               icon = "prometheus";
             };
           }
+          {
+            "vaultwarden" = {
+              href = "https://vw.${domain}";
+              icon = "vaultwarden";
+            };
+          }
         ];
       }
     ];
@@ -364,6 +380,25 @@ in {
   };
   systemd.services.navidrome.serviceConfig.EnvironmentFile = config.sops.secrets.navidrome.path;
 
+  systemd.services.vaultwarden = {
+    serviceConfig.EnvironmentFile = config.sops.secrets.vaultwarden-env.path;
+    vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+  };
+  # NOTE send doesnt work, probably due to my cloudflare port rewriting rules
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://${domain}:${toString caddyPort}";
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 35381;
+      ROCKET_LOG = "critical";
+      SIGNUPS_ALLOWED = false;
+    };
+  };
+
   services.restic.backups.hopper = {
     initialize = true;
     inhibitsSleep = true;
@@ -384,6 +419,7 @@ in {
       "/var/lib/navidrome"
       "/var/lib/jellyfin/data"
       "/var/lib/jellyfin/config"
+      "/var/lib/bitwarden_rs"
       "/media/library/music"
     ];
     exclude = [

sys/profiles/secrets/hopper/default.nix

@@ -25,5 +25,9 @@
       format = "binary";
       sopsFile = ./restic-password;
     };
+    vaultwarden-env = {
+      format = "binary";
+      sopsFile = ./vaultwarden-env;
+    };
   };
 }

sys/profiles/secrets/hopper/vaultwarden-env

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:MXWMfRtc6Im1Bs0AnOWLegE9Ld0jA3KyX5YSJ0+atOV6,iv:e9bOkz4Ml0Cwyppvwm7IZL6AmHE3r5SsJk2C9BLYGbk=,tag:Nm7F7i3rKs7JeT8w+NrAPg==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIU0ljQkk3Y3N0WVVLRElD\nYmFpVHMwVU5jMWdsT0dBdlVLTFQ4OUI3cDF3ClNPZUJRb3cwRk5ub2lMZTlUa0k5\nN2xCZ1RKeGJPWnlRM3plMEdjY3JNeUUKLS0tIFoyVnpBQW1ESEUyS1U4aGlpM1hM\ndFl4ZVpFSlkwL3BPUmpjSnltUG00U28KYgimIR5pc7WQMCBDStL49ZhjR1lGnwUO\nWKJaSQtGggaTwSPg8xJ1YyZadqVZ7GD00LtW2UWMJqAvpgdKEEJsAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwa0pGalI3VHdsNlRpd0hM\nK090S0M5YmRvUkNCbWFibHBrY0grNFFzNDBzCjNYMDBBcjFMa29EZ1oyd1dodU1U\neDE5YUlXZDduRUZETDdyemRQRTJQdkEKLS0tIHRzTkE3RGRRVGZ3RE0xMFRnKzYz\nMUpzazVWUzR1akc0SEplTTM0TVlPSFEKpHDK/odhvqBu2DcTxcJwnGUwR7FsiyE6\nGdXimYyPi3wErwnQ6L5XG8x/8l3OHTuCHvvHd+l2cpKVE+dgfFrFDQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-02-21T00:05:37Z",
+		"mac": "ENC[AES256_GCM,data:573XYHkMRvztUh9OCt6l7sYzgicQyhQhftad2AZPtFR2vfkIiDcWKY8HQWkaqSzzy5m4qBCFnShy08iQLkTSZ+snga6aNExM7r1GZgDt1tKnRBgv1POykK0e43PCTxcbHSzm3Xnu68C96vIlvMN4FKOEcMYVNXA8OQqhXu+X6I0=,iv:nsisfOGyV4iAkMRQEEnV7EVSpqGBgQfE1DQgwuHIjMg=,tag:GpBBXcp71uK2SVsKLqgt7Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.4"
+	}
+}