modules/common/vaultwarden.nix

{ base, pkgs, lib, config, ... }:
lib.recursiveUpdate {
  environment.systemPackages = with pkgs; [ vaultwarden ];

  services.vaultwarden.enable = true;
  services.vaultwarden.dbBackend = "postgresql";

  sops.secrets = lib.pipe [
    "ADMIN_TOKEN"
    "SMTP_PASSWORD"
    "YUBICO_SECRET_KEY"
    "HIBP_API_KEY"
  ] [
    (map (name: {
      inherit name;
      value = {
        mode = "0400";
        owner = config.users.users.root.name;
        group = config.users.users.root.group;
        sopsFile = ../../secrets/vaultwarden.json;
        format = "json";
      };
    }))
    builtins.listToAttrs
  ];
} (let isDerived = base != null;
in if isDerived
# We cannot use mkIf as both sides are evaluated no matter the condition value
# Given we use base as an attrset, mkIf will error if base is null in here
then
  with lib;
  let
    cfg = config.services.vaultwarden;

    vaultwarden_config = {
      # Server Settings
      DOMAIN = "https://vaultwarden.clicks.codes";
      ROCKET_ADDRESS = "127.0.0.255";
      ROCKET_PORT = 1028;

      # General Settings
      SIGNUPS_ALLOWED = false;
      INVITATIONS_ALLOWED = true;
      SIGNUPS_DOMAINS_WHITELIST =
        "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
      SIGNUPS_VERIFY = true;

      DISABLE_2FA_REMEMBER = true;

      # Admin Account
      ADMIN_TOKEN = "!!ADMIN_TOKEN!!";

      # Database Settings
      DATABASE_URL =
        "postgresql://vaultwarden:!!clicks_vaultwarden_db_secret!!@127.0.0.1:${
          toString config.services.postgresql.port
        }/vaultwarden";

      # Mail Settings
      SMTP_HOST = "mail.clicks.codes";
      SMTP_FROM = "vaultwarden@clicks.codes";
      SMTP_FROM_NAME = "Clicks vaultwarden";
      SMTP_SECURITY = "starttls";
      SMTP_PORT = 587;

      SMTP_USERNAME = "vaultwarden@clicks.codes";
      SMTP_PASSWORD = "!!SMTP_PASSWORD!!";

      REQUIRE_DEVICE_EMAIL = true;

      IP_HEADER = "X-Forwarded-For";

      # YubiKey Settings
      YUBICO_CLIENT_ID = "89788";
      YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";

      # HIBP Settings
      HIBP_API_KEY="!!HIBP_API_KEY!!";

      ORG_ENABLE_GROUPS = true;
      # I have looked at the risks. They seem relatively small in comparison to the utility
      # (stuff like sync issues if you don't refresh your page)
      # Also a general lack of real-world testing. Which, honestly, doesn't
      # seem too bad. Please contact me *immediately* upon noticing issues
      # as I want to make sure that as little as possible is lost if we need
      # to restore from backups (although I doubt it'll come to that)
    };

    nameToEnvVar = name:
      let
        parts = builtins.split "([A-Z0-9]+)" name;
        partsToEnvVar = parts:
          foldl' (key: x:
            let last = stringLength key - 1;
            in if isList x then
              key
              + optionalString (key != "" && substring last 1 key != "_") "_"
              + head x
            else if key != "" && elem (substring 0 1 x)
            lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
              substring 0 last key
              + optionalString (substring (last - 1) 1 key != "_") "_"
              + substring last 1 key + toUpper x
            else
              key + toUpper x) "" parts;
      in if builtins.match "[A-Z0-9_]+" name != null then
        name
      else
        partsToEnvVar parts;

    # Due to the different naming schemes allowed for config keys,
    # we can only check for values consistently after converting them to their corresponding environment variable name.
    configEnv = let
      configEnv = concatMapAttrs (name: value:
        optionalAttrs (value != null) {
          ${nameToEnvVar name} =
            if isBool value then boolToString value else toString value;
        }) vaultwarden_config;
    in {
      DATA_FOLDER = "/var/lib/bitwarden_rs";
    } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
      || configEnv.WEB_VAULT_ENABLED == "true") {
        WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
      } // configEnv;

    configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
      (name: value: ''
        ${name}=${value}
      '') configEnv));
  in {
    scalpel.trafos."vaultwarden.env" = {
      source = toString configFile;
      matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
      matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
      matchers."YUBICO_SECRET_KEY".secret =
        config.sops.secrets.YUBICO_SECRET_KEY.path;
      matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
      matchers."clicks_vaultwarden_db_secret".secret =
        config.sops.secrets.clicks_vaultwarden_db_password.path;
      owner = config.users.users.vaultwarden.name;
      group = config.users.groups.vaultwarden.name;
      mode = "0400";
    };

    services.vaultwarden.environmentFile =
      config.scalpel.trafos."vaultwarden.env".destination;
  }
else
  { })