From 64472e943db5236c00bf54b43b1f1a9f04af15e2 Mon Sep 17 00:00:00 2001
From: Filippo Berto
Date: Thu, 23 Oct 2025 10:36:10 +0200
Subject: [PATCH] update(vaultwarden): deploy on baldur
---
 flake.nix | 1 +
 instances/baldur/configuration.nix | 3 ++
 nixos/vaultwarden.nix | 46 ++++++++++++++++++++++++++++++
 secrets/secrets.nix | 1 +
 secrets/vaultwarden_env.age | 16 +++++++++++
 5 files changed, 67 insertions(+)
 create mode 100644 nixos/vaultwarden.nix
 create mode 100644 secrets/vaultwarden_env.age
diff --git a/flake.nix b/flake.nix
index 39fa7b7..2fa4424 100644
--- a/flake.nix
+++ b/flake.nix
@@ -374,6 +374,7 @@
 ./nixos/ip_forwarding.nix
 ./nixos/garage.nix
+ ./nixos/vaultwarden.nix
 self.nixosModules.tiziano
 {
diff --git a/instances/baldur/configuration.nix b/instances/baldur/configuration.nix
index 6b4c8f0..541b4a3 100644
--- a/instances/baldur/configuration.nix
+++ b/instances/baldur/configuration.nix
@@ -133,6 +133,9 @@
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 '';
 };
+ "bitwarden.bertof.net" = ssl // {
+ locations."/" = { proxyPass = "http://127.0.0.1:8222/"; proxyWebsockets = true; };
+ };
 "hass.bertof.net" = ssl // {
 locations."/" = {
 proxyPass = "http://heimdall.tsn:8123/";
diff --git a/nixos/vaultwarden.nix b/nixos/vaultwarden.nix
new file mode 100644
index 0000000..dcd4901
--- /dev/null
+++ b/nixos/vaultwarden.nix
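Review bot: The new `"bitwarden.bertof.net"` location only sets `proxyPass` and `proxyWebsockets`, so no `X-Real-IP`/`X-Forwarded-For` header reaches Vaultwarden and it will see every client as 127.0.0.1; its per-IP login rate limiting (keyed on the `IP_HEADER` header, `X-Real-IP` by default) then throttles all users together once one remote client fails too often, and the source addresses in its logs are useless for investigating an incident. The neighbouring vhost sets `X-Forwarded-For` by hand in `extraConfig`, which suggests `services.nginx.recommendedProxySettings` is not enabled globally; enabling it for this location, `locations."/" = { proxyPass = "http://127.0.0.1:8222/"; proxyWebsockets = true; recommendedProxySettings = true; };`, forwards `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` in one line. The `ssl` attrset merged in here is defined outside the hunk, so whether it also adds HSTS or other hardening headers cannot be checked from this diff.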
@@ -0,0 +1,46 @@
+{ config, ... }: {
+ age.secrets.vaultwarden_env = {
+ file = ../secrets/vaultwarden_env.age;
+ owner = "vaultwarden";
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ environmentFile = config.age.secrets.vaultwarden_env.path;
+ config = {
+ DOMAIN = "https://bitwarden.bertof.net";
+ SIGNUPS_ALLOWED = false;
+
+ # Vaultwarden currently recommends running behind a reverse proxy
+ # (nginx or similar) for TLS termination, see
+ # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
+ # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
+ # > especially if your instance is publicly accessible.
+ #
+ # A suitable NixOS nginx reverse proxy example config might be:
+ #
+ # services.nginx.virtualHosts."bitwarden.example.com" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ # };
+ # };
+ ROCKET_ADDRESS = "::";
+ ROCKET_PORT = 8222;
+
+ ROCKET_LOG = "critical";
+
+ # This example assumes a mailserver running on localhost,
+ # thus without transport encryption.
+ # If you use an external mail server, follow:
+ # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ SMTP_HOST = "127.0.0.1";
+ SMTP_PORT = 25;
+ SMTP_SECURITY = "starttls";
+
+ SMTP_FROM = "admin@bitwarden.example.com";
+ SMTP_FROM_NAME = "Bitwarden server";
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 613ca43..17bf5b3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,6 +28,7 @@ let
 in {
 # "oauth_proxy_client_credentials.age".publicKeys = devUsers ++ systems;
+ "vaultwarden_env.age".publicKeys = devUsers ++ [ baldur ];
 "baldur_wg_priv.age".publicKeys = devUsers ++ systems;
 "kavita_token.age".publicKeys = devUsers ++ [ loki ];
 "nextcloud_admin_secret.age".publicKeys = devUsers ++ [ heimdall ];
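Review bot: `ROCKET_ADDRESS = "::"` makes Vaultwarden listen on every interface, so port 8222 answers plain HTTP without passing through the nginx TLS termination that the comment block right above it says the service should sit behind; unless the host firewall closes 8222 (not visible here), the proxy can simply be bypassed. The baldur vhost proxies to 127.0.0.1:8222, so binding to loopback keeps the proxy working while closing the side door: `ROCKET_ADDRESS = "127.0.0.1";`. Separately, `SMTP_FROM = "admin@bitwarden.example.com"` is still the upstream placeholder although `DOMAIN` was changed to bitwarden.bertof.net, and the comment "thus without transport encryption" no longer matches `SMTP_SECURITY = "starttls"` — either the comment is stale or the local MTA on port 25 must actually offer STARTTLS, and one of the two should be corrected so the next reader knows which is intended.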
diff --git a/secrets/vaultwarden_env.age b/secrets/vaultwarden_env.age
new file mode 100644
index 0000000..cc34c1c
--- /dev/null
+++ b/secrets/vaultwarden_env.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDRiZWhGQSB0clBa +MGhuR0Z4MlRXaTFFZ3FrTS81eXRSY002NHZmMG9mZnI2ZzBrOUdFCnVCUGZ2NlFD +anRWa1VkV0pNelorcmE4TjZUNVh1cytseHlBNXlaczVxRFUKLT4gc3NoLWVkMjU1 +MTkgZXZMbEl3IFZnNTV3VWxQSWE2NFFEMVduYktnbVUzRVZjTGVRWVZnMXBCbTQw +WUp4eU0KMTVTbkpLTFVlU3pDWWNmYUpVSHhCblFsSksra3JldUFIUXFPdnd6RmRw +TQotPiBzc2gtZWQyNTUxOSBqdjNlancgVjZWbWJwQVE2NjFUN2FmWmhLQWpNNVM5 +LzZWT0lpcmQxdEhYajl2ZmcwSQo1WStSWGFaSDhOUzNweC9SWStiNU5nYWZFM0x4 +TWFCbjVUalNhNDA2QmJNCi0+IHEycy1ncmVhc2UgJnsKa2xXSENrcC9DamZwRmhh +bVMrWmNMWXpJMVAwdi8wNmpqcWtmbEUvUU1DT2c3Vmd2cUs5Sy9OZUZIOVlaVGJp +UApkZ2xmWnVrTGcvMDd0RG1ReXlHd2F3Mm1pTDRuajdZWVlZWHZJQTl0d3cKLS0t +IFcwVmJFVW9LMU9qYUJiUUd5dCtFUksyaHJZV2dHbVRlVVZydy96ZFJ4S3cK6rZd +C0aTx9fOfF40nPz2x7p8I3LFnP+pj/C421Pq2d9PjS6QWBrX03IQ1wSlII9h/hXl +4SAz9L3+hy4OcUIkICpDhGu/AORS/yy+O2vpKQlsplC0D9WA9U1tJwxstX1oKAca +FySg7CHvBUN47A== +-----END AGE ENCRYPTED FILE-----