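{
  pkgs,
  config,
  ...
}: let
  # Settings for the vaultwarden_ldap directory-sync service (currently
  # disabled, see the commented-out unit below).  The two @...@ markers are
  # placeholders meant to be substituted at service start: everything in this
  # attrset ends up in the world-readable Nix store, so no real credential may
  # ever be written here.
  ldapConfig = {
    vaultwarden_url = "https://bitwarden.cloonar.com";
    vaultwarden_admin_token = "@ADMIN_TOKEN@";
    ldap_host = "ldap.cloonar.com";
    ldap_ssl = true;
    ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com";
    ldap_bind_password = "@LDAP_PASSWORD@";
    ldap_search_base_dn = "ou=users,dc=cloonar,dc=com";
    ldap_search_filter = "(&(objectClass=cloonarUser))";
    ldap_sync_interval_seconds = 3600;
  };

  # TOML rendering of ldapConfig, produced by serialising it to JSON and
  # converting with remarshal.  Only the placeholder version lives in the
  # store; the real values are patched in at runtime.
  ldapConfigFile =
    pkgs.runCommand "config.toml"
    {
      buildInputs = [pkgs.remarshal];
      preferLocalBuild = true;
    } ''
      remarshal -if json -of toml \
        < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
        > $out
    '';
in {
  imports = [
    ../nur.nix
  ];

  # environment.systemPackages = with pkgs; [
  #   nur.repos.mic92.vaultwarden_ldap
  # ];

  # Vaultwarden itself.  Values in `config` are exported to the service as
  # environment variables; booleans are rendered as "true"/"false".
  services.vaultwarden = {
    enable = true;
    dbBackend = "mysql";
    config = {
      domain = "https://bitwarden.cloonar.com";
      # Registration is closed; accounts come from invitations / LDAP sync.
      signupsAllowed = false;
      rocketPort = 3011;
      # Kept as a real boolean so it matches signupsAllowed (the module
      # renders both as the same "false" string).
      enableDbWal = false;
      # NOTE(review): newer vaultwarden releases serve websockets on the main
      # Rocket port and ignore this flag; if the running version does, the
      # port-3012 proxy location below is no longer needed — confirm against
      # the deployed version.
      websocketEnabled = true;
      smtpHost = "mail.cloonar.com";
      smtpFrom = "bitwarden@cloonar.com";
      smtpUsername = "bitwarden@cloonar.com";
    };
  };

  # The SMTP password is kept out of the store and handed to the unit as an
  # environment file (presumably a single SMTP_PASSWORD=... line — verify
  # against the secret's contents).
  systemd.services.vaultwarden.serviceConfig = {
    EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path];
  };

  # NOTE(review): if this unit is re-enabled, the sed substitution below uses
  # "=" as its delimiter and expands both secrets onto the shell command line:
  # a secret containing "=" or "&" would break or alter the substitution, and
  # the values are briefly visible to anything that can read the process list.
  # A sops-nix template (sops.templates) rendering config.toml directly would
  # avoid both problems.
  # systemd.services.vaultwarden_ldap = {
  #   wantedBy = ["multi-user.target"];
  #
  #   preStart = ''
  #     sed \
  #       -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \
  #       -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \
  #       ${ldapConfigFile} \
  #       > /run/vaultwarden_ldap/config.toml
  #   '';
  #
  #   serviceConfig = {
  #     Restart = "on-failure";
  #     RestartSec = "2s";
  #     ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
  #     Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml";
  #
  #     RuntimeDirectory = ["vaultwarden_ldap"];
  #     User = "vaultwarden_ldap";
  #   };
  # };

  # TLS-terminating reverse proxy in front of vaultwarden.
  services.nginx.virtualHosts."bitwarden.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    # No webroot: the ACME challenge is presumably answered by another
    # method (e.g. DNS) configured elsewhere — verify.
    acmeRoot = null;
    # Large limit so vault attachments can be uploaded.
    extraConfig = ''
      client_max_body_size 128M;
    '';
    locations."/" = {
      proxyPass = "http://localhost:3011";
      proxyWebsockets = true;
    };
    # Websocket notification hub on its own port (see websocketEnabled above).
    locations."/notifications/hub" = {
      proxyPass = "http://localhost:3012";
      proxyWebsockets = true;
    };
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://localhost:3011";
      proxyWebsockets = true;
    };
  };

  # Secrets are decrypted by sops-nix at activation and owned by the service
  # account that needs them, so each unit can only read its own.
  sops.secrets = {
    bitwarden-admin-token = {
      owner = "vaultwarden_ldap";
      sopsFile = ./secrets.yaml;
    };
    bitwarden-ldap-password = {
      owner = "vaultwarden_ldap";
      sopsFile = ./secrets.yaml;
    };
    # Not referenced in this module; presumably consumed by whichever module
    # sets the MySQL connection string — verify it is still in use.
    bitwarden-db-password = {
      owner = "vaultwarden";
      sopsFile = ./secrets.yaml;
    };
    bitwarden-smtp-password = {
      owner = "vaultwarden";
      sopsFile = ./secrets.yaml;
    };
  };

  # Dedicated unprivileged account for the LDAP sync service, separate from
  # the vaultwarden user so the admin token is not readable by the web app.
  users.users.vaultwarden_ldap = {
    isSystemUser = true;
    group = "vaultwarden_ldap";
  };
  users.groups.vaultwarden_ldap = {};

  services.mysqlBackup.databases = ["bitwarden"];
}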