Add vaultwarden

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

hosts/jupiter/users/storm/configs/console/podman/vaultwarden/default.nix

@@ -0,0 +1,152 @@
+{
+  user ? throw "user argument is required",
+  home ? throw "home argument is required",
+}:
+{
+  config,
+  inputs,
+  pkgs,
+  system,
+  lib,
+  ...
+}:
+let
+  selfPkgs = inputs.self.packages.${system};
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) volumes containers networks;
+  autheliaClientId = "G9g4cRccYM1tpTO8rLqziThUlZFT4BwlvittHRSbZOJK3rfkpFKUQylI7SI40KmZDzavPrQhEWXWGspS3hxrwH9PesDw5A1EECEZ";
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "vaultwarden/adminToken".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/push/installationId".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/push/installationKey".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/authelia/password".sopsFile = ../../../../../../secrets/secrets.yaml;
+        "vaultwarden/authelia/digest".sopsFile = ../../../../../../secrets/secrets.yaml;
+      };
+
+      templates = {
+        vaultwarden-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/postgresql"}
+        '';
+
+        vaultwarden-env.content = ''
+          DATABASE_URL=postgresql://vaultwarden:${
+            hmConfig.sops.placeholder."vaultwarden/postgresql"
+          }@vaultwarden-postgresql:5432/vaultwarden
+          ADMIN_TOKEN=${hmConfig.sops.placeholder."vaultwarden/adminToken"}
+          SMTP_PASSWORD=${hmConfig.sops.placeholder."vaultwarden/smtp"}
+          PUSH_INSTALLATION_ID=${hmConfig.sops.placeholder."vaultwarden/push/installationId"}
+          PUSH_INSTALLATION_KEY=${hmConfig.sops.placeholder."vaultwarden/push/installationKey"}
+          SSO_CLIENT_SECRET=${hmConfig.sops.placeholder."vaultwarden/authelia/password"}
+        '';
+
+        authelia-vaultwarden.content = builtins.readFile (
+          (pkgs.formats.yaml { }).generate "vaultwarden.yaml" {
+            identity_providers.oidc = {
+              authorization_policies.vaultwarden = {
+                default_policy = "deny";
+                rules = [
+                  {
+                    policy = "one_factor";
+                    subject = "group:vaultwarden";
+                  }
+                ];
+              };
+
+              clients = [
+                {
+                  client_id = autheliaClientId;
+                  client_name = "Vaultwarden";
+                  client_secret = hmConfig.sops.placeholder."vaultwarden/authelia/digest";
+                  redirect_uris = [ "https://vault.karaolidis.com/identity/connect/oidc-signin" ];
+                  authorization_policy = "vaultwarden";
+                  scopes = [
+                    "openid"
+                    "email"
+                    "profile"
+                    "offline_access"
+                  ];
+                }
+              ];
+            };
+          }
+        );
+      };
+    };
+
+    virtualisation.quadlet = {
+      networks.vaultwarden.networkConfig.internal = true;
+
+      volumes = {
+        vaultwarden-postgresql = { };
+        vaultwarden = { };
+      };
+
+      containers = {
+        vaultwarden = {
+          containerConfig = {
+            image = "docker-archive:${selfPkgs.docker-oidcwarden}";
+            volumes = [ "${volumes.vaultwarden.ref}:/var/lib/vaultwarden" ];
+            networks = [
+              networks.vaultwarden.ref
+              networks.traefik.ref
+            ];
+            environments = {
+              DOMAIN = "https://vault.karaolidis.com";
+              LOG_LEVEL = "warn";
+              SIGNUPS_ALLOWED = "false";
+              INVITATIONS_ALLOWED = "false";
+              SMTP_HOST = "smtp.protonmail.ch";
+              SMTP_FROM = "jupiter@karaolidis.com";
+              SMTP_PORT = "587";
+              SMTP_SECURITY = "starttls";
+              SMTP_USERNAME = "jupiter@karaolidis.com";
+              PUSH_ENABLED = "true";
+              PUSH_RELAY_URI = "https://api.bitwarden.eu";
+              PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
+              SSO_ENABLED = "true";
+              SSO_AUTHORITY = "https://id.karaolidis.com";
+              SSO_SCOPES = "openid email profile offline_access";
+              SSO_CLIENT_ID = autheliaClientId;
+              SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = "true";
+            };
+            environmentFiles = [ hmConfig.sops.templates.vaultwarden-env.path ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.vaultwarden.rule=Host(`vault.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig.After = [
+            "${containers.vaultwarden-postgresql._serviceName}.service"
+            "sops-nix.service"
+          ];
+        };
+
+        vaultwarden-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${selfPkgs.docker-postgresql}";
+            networks = [ networks.vaultwarden.ref ];
+            volumes = [ "${volumes.vaultwarden-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "vaultwarden";
+              POSTGRES_USER = "vaultwarden";
+            };
+            environmentFiles = [ hmConfig.sops.templates.vaultwarden-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+
+        authelia-init.containerConfig.volumes = [
+          "${hmConfig.sops.templates.authelia-vaultwarden.path}:/etc/authelia/conf.d/vaultwarden.yaml:ro"
+        ];
+      };
+    };
+  };
+}