Adding vaultwarden

hosts/zora/default.nix

@@ -16,6 +16,7 @@
       ../../modules/server
       ../../modules/server/link
       ../../modules/server/taf
+      ../../modules/server/giovanni
 
       # disko.nixosModules.disko
       agenix.nixosModules.default

hosts/zora/reverse-proxy.nix

@@ -19,6 +19,12 @@
           proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
         };
       };
+      "vault.lyes.eu" = {
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+          proxyWebsockets = true;
+        };
+      };
     };
   };
 }

modules/server/giovanni/default.nix

@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+
+    environmentFile = config.age.secrets.giovanni-env.path;
+    config = {
+      ROCKET_PORT = 44301;
+      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
+    };
+  };
+
+  systemd.services.vaultwarden = {
+    path = [ "/run/wrappers" ];
+    serviceConfig = {
+      NoNewPrivileges = lib.mkForce false;
+      PrivateUsers = lib.mkForce false;
+      SystemCallFilter = lib.mkForce [ "@system-service" ];
+      RestrictAddressFamilies = [
+        "AF_LOCAL"
+        "AF_NETLINK"
+      ];
+      ReadWritePaths = [ "/var/spool/mail/" ];
+    };
+  };
+
+  age.secrets = {
+    giovanni-env = {
+      file = ../../../secrets/zora/services/giovanni-env.age;
+    };
+  };
+}
+

secrets.nix

@@ -13,4 +13,5 @@ in
   "secrets/zora/services/kanidm-admin-password.age".publicKeys = all;
   "secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all;
   "secrets/zora/services/taf-token.age".publicKeys = all;
+  "secrets/zora/services/giovanni-env.age".publicKeys = all;
 }