Initial framework: reusable modules, lib, pkgs, overlays, scripts, sample environment

2026-05-10 19:06:58 +02:00
commit c53d997d07
32 changed files with 1339 additions and 0 deletions
@@ -0,0 +1,90 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.password-manager;
+  inherit (lib) mkIf mkOption types;
+in
+
+{
+  options.services.password-manager = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable the password manager service (Vaultwarden)";
+    };
+
+    domain = mkOption {
+      type = types.str;
+      default = "pass.lagraula.fr";
+      description = "Domain name for the Vaultwarden instance";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "HTTP port for the Vaultwarden web interface";
+    };
+
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/vaultwarden";
+      description = "Data directory for Vaultwarden persistent state";
+    };
+
+    dbBackend = mkOption {
+      type = types.enum [ "sqlite" "mysql" "postgresql" ];
+      default = "sqlite";
+      description = "Database backend type";
+    };
+
+    adminTokenFile = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        Path to a file containing the admin token for the /admin panel.
+        Use agenix or sops-nix to provide this file securely.
+      '';
+    };
+
+    signupsAllowed = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Allow new user registration";
+    };
+
+    extraConfig = mkOption {
+      type = types.attrsOf (types.nullOr (types.oneOf [ types.bool types.str types.int types.port ]));
+      default = { };
+      description = "Additional Vaultwarden config options as attribute set (mapped to env vars)";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Use the built-in NixOS vaultwarden module
+    services.vaultwarden = {
+      enable = true;
+      package = pkgs.vaultwarden;
+      webVaultPackage = pkgs.vaultwarden-webvault;
+      inherit (cfg) dbBackend;
+      config = {
+        DOMAIN = "https://${cfg.domain}";
+        PORT = cfg.port;
+        SIGNUPS_ALLOWED = cfg.signupsAllowed;
+      } // (lib.mapAttrs (name: value:
+        if value == true then "true"
+        else if value == false then "false"
+        else toString value
+      ) cfg.extraConfig);
+    } // lib.optionalAttrs (cfg.adminTokenFile != null) {
+      environmentFile = cfg.adminTokenFile;
+      config = {
+        ADMIN_TOKEN = null; # Will be read from environmentFile
+      };
+    };
+
+    # Open firewall port
+    networking.firewall = mkIf config.services.vaultwarden.enable {
+      allowedTCPPorts = [ cfg.port ];
+    };
+  };
+}