From 13d7b1da6897cdfd01a3daaa374068f5083e578a Mon Sep 17 00:00:00 2001
From: s-prechtl <stefan@tague.at>
Date: Mon, 23 Mar 2026 16:04:36 +0100
Subject: [PATCH] feat: vaultwarden init

---
 hosts/hitsugibune/vaultwarden.nix | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 hosts/hitsugibune/vaultwarden.nix

diff --git a/hosts/hitsugibune/vaultwarden.nix b/hosts/hitsugibune/vaultwarden.nix
new file mode 100644
index 0000000..143ce6d
--- /dev/null
+++ b/hosts/hitsugibune/vaultwarden.nix
@@ -0,0 +1,30 @@
+{ config, ... }:
+
+let
+  domain = "vaultwarden.sprechtl.me";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://${domain}";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_PORT = 8222;      # internal port (nginx will proxy to this)
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}