added self-hosted vaultwarden instance

hosts/Alaska/default.nix

@@ -13,6 +13,7 @@
     (import ./modules/msmtp.nix)
     (import ./modules/headscale.nix)
     (import ./modules/tailscale.nix)
+    (import ./modules/vaultwarden.nix)
   ];
 
   networking.hosts = {

hosts/Alaska/modules/dnsmasq.nix

@@ -13,9 +13,16 @@
     settings = {
       listen-address = "::1,127.0.0.1,10.0.0.183";
       port = 53;
-      server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
       # Manual expection for frustrating windows devices to point at headscale server
-      address = "/headscale.nickiel.net/10.0.0.183";
+      address = [ 
+        "/files.nickiel.net/10.0.0.183"
+        "/git.nickiel.net/10.0.0.183"
+        "/headscale.nickiel.net/10.0.0.183"
+        "/irc.nickiel.net/10.0.0.183"
+        "/jellyfin.nickiel.net/10.0.0.183"
+        "/vaultwarden.nickiel.net/100.64.0.1"
+      ];
+      server = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
       bogus-priv = true;
       domain-needed = true;
       no-resolv = true;

hosts/Alaska/modules/vaultwarden.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+let 
+
+in 
+{
+  services.vaultwarden = {
+    enable = true;
+    # Set to sqlite to enable the default backups
+    dbBackend = "sqlite";
+    backupDir = "/Aurora/Backups/Vaultwarden";
+    environmentFile = "/home/nixolas/.passfiles/vaultwarden.env";
+    # https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
+    config = {
+      DOMAIN = "https://vaultwarden.nickiel.net";
+      ROCKET_PORT = 8022;
+
+      # for some reason, crashes when log_file is set
+      # But it logs to systemctl just fine
+      LOG_LEVEL = "trace";
+      SIGNUPS_VERIFY = true;
+      SIGNUPS_ALLOWED = false;
+
+      # You can enable this in the admin portal
+      # USE_SENDMAIL = true; # is broken rn :`(
+      SENDMAIL_COMMAND = "${pkgs.msmtp}/bin/sendmail";
+
+      WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault";
+      WEB_VAULT_ENABLED = true;
+      WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ADDRESS = "0.0.0.0";
+      WEBSOCKET_PORT = 3012;
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "vaultwarden.nickiel.net" = {
+      forceSSL = true;
+      enableACME = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:8022";
+          extraConfig = ''
+            allow 100.64.0.0/16;
+            allow 127.0.0.1;
+            deny all;
+          '';
+        };
+# got the below from https://github.com/hlissner/dotfiles/blob/089f1a9da9018df9e5fc200c2d7bef70f4546026/hosts/ao/modules/vaultwarden.nix#L21
+
+        "/notifications/hub/negotiate" = {
+          proxyPass = "http://127.0.0.1:8022";
+          proxyWebsockets = true;
+          extraConfig = ''
+            allow 100.64.0.0/16;
+            allow 127.0.0.1;
+            deny all;
+          '';
+        };
+        "/notifications/hub" = {
+          proxyPass = "http://127.0.0.1:3012";
+          proxyWebsockets = true;
+          extraConfig = ''
+            allow 100.64.0.0/16;
+            allow 127.0.0.1;
+            deny all;
+          '';
+        };
+      };
+    };
+  };
+}