From 5078ac7952f3eb0da8f46151bf616e6ec9d91ede Mon Sep 17 00:00:00 2001
From: fwastring
Date: Mon, 8 Sep 2025 19:40:36 +0200
Subject: [PATCH] Vaultwarden added

---
 maskiner/desktop/configuration.nix | 14 +-------
 moduler/vaultwarden.nix | 46 ++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 13 deletions(-)
 create mode 100644 moduler/vaultwarden.nix

diff --git a/maskiner/desktop/configuration.nix b/maskiner/desktop/configuration.nix
index 0092259..0bb40a8 100644
--- a/maskiner/desktop/configuration.nix
+++ b/maskiner/desktop/configuration.nix
@@ -16,6 +16,7 @@
 ../../moduler/users.nix
 ../../moduler/nginx.nix
 ../../moduler/k3s.nix
+ ../../moduler/vaultwarden.nix
 #../../moduler/lsp.nix
 ];
@@ -27,19 +28,6 @@ neovim
 services.tailscale.enable = true;
 services.tailscale.package = pkgs.unstable.tailscale;
- services.vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- environmentFile = "/var/lib/vaultwarden.env";
- config = {
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8222;
- DOMAIN = "https://vault.example.org";
- SIGNUPS_ALLOWED = true;
- ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$...";
- LOG_FILE = "/var/lib/bitwarden_rs/access.log";
- };
- };
 networking.hostName = myhostname;
diff --git a/moduler/vaultwarden.nix b/moduler/vaultwarden.nix
new file mode 100644
index 0000000..b05c3b0
--- /dev/null
+++ b/moduler/vaultwarden.nix
@@ -0,0 +1,46 @@
+{
+ ...
+}:
+{
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "fredrik@wastring.com";
+ certs."*.wastring.com" = {
+ dnsProvider = "gandiv5";
+ environmentFile = /run/secrets/gandi_key;
+ };
+ };
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ # other Nginx options
+ virtualHosts."pass.wastring.com" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true; # needed if you need to use WebSocket
+ extraConfig =
+ # required when the target is also TLS server with multiple hosts
+ "proxy_ssl_server_name on;" +
+ # required when the server wants to use HTTP Authentication
+ "proxy_pass_header Authorization;";
+ };
+ };
+ };
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ environmentFile = "/var/lib/vaultwarden.env";
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ DOMAIN = "https://pass.wastring.com";
+ SIGNUPS_ALLOWED = true;
+ LOG_FILE = "/var/lib/bitwarden_rs/access.log";
+ };
+ };
+}
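Review bot: `SIGNUPS_ALLOWED = true;` in the `services.vaultwarden.config` block near the end of the hunk leaves account registration open on a vhost that this same file publishes with a public ACME certificate at `pass.wastring.com`, so anyone who reaches the host can create a vault on it; once the intended accounts exist this should be `SIGNUPS_ALLOWED = false;` (or narrowed with `SIGNUPS_DOMAINS_WHITELIST`), with further users added by invitation. The ACME `environmentFile = /run/secrets/gandi_key;` is an unquoted Nix path literal, unlike the quoted `environmentFile = "/var/lib/vaultwarden.env";` a few lines below; a path literal that gets coerced to a string while the unit files are generated can be copied into the world-readable Nix store (or break evaluation when the file is absent on the evaluating machine), so it should be the string `"/run/secrets/gandi_key"`. The `proxy_ssl_server_name on;` line and its comment appear to be carried over from the manual's example, but `proxyPass` here is plain HTTP to 127.0.0.1, so the directive is inert and the comment misleading; dropping it together with the `# other Nginx options` placeholder would make the intent clearer. The old inline block in configuration.nix carried an `ADMIN_TOKEN` that is no longer set anywhere visible; if it is meant to come from `/var/lib/vaultwarden.env`, a comment such as `# ADMIN_TOKEN and other secrets live in the environmentFile, not in the store` next to `environmentFile` would spare the next reader the hunt.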