phase 2: promote services/, tests/, patches/, lib/, scripts/

services/bitwarden.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "vaultwarden" service_configs.zpool_ssds [
+      service_configs.vaultwarden.path
+    ])
+    (lib.serviceFilePerms "vaultwarden" [
+      "Z ${service_configs.vaultwarden.path} 0700 vaultwarden vaultwarden"
+    ])
+    (lib.mkFail2banJail {
+      name = "vaultwarden";
+      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
+    })
+  ];
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    configurePostgres = true;
+    config = {
+      # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+      DOMAIN = "https://bitwarden.${service_configs.https.domain}";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = service_configs.ports.private.vaultwarden.port;
+      ROCKET_LOG = "critical";
+    };
+  };
+
+  services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
+    encode zstd gzip
+
+    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
+    }
+  '';
+
+}