From f07e337a51cf3ae87c07079d4099be283c7e8e02 Mon Sep 17 00:00:00 2001
From: Romain Paquet <rpqt@rpqt.fr>
Date: Tue, 24 Feb 2026 17:53:46 +0100
Subject: [PATCH] clan: init vaultwarden service

---
 clanServices/flake-module.nix |  2 ++
 clanServices/vaultwarden.nix  | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 clanServices/vaultwarden.nix

diff --git a/clanServices/flake-module.nix b/clanServices/flake-module.nix
index 138d0f4..6bef516 100644
--- a/clanServices/flake-module.nix
+++ b/clanServices/flake-module.nix
@@ -4,4 +4,6 @@
     ./coredns/flake-module.nix
     ./prometheus/flake-module.nix
   ];
+
+  clan.modules."@rpqt/vaultwarden" = ./vaultwarden.nix;
 }
diff --git a/clanServices/vaultwarden.nix b/clanServices/vaultwarden.nix
new file mode 100644
index 0000000..16c60b6
--- /dev/null
+++ b/clanServices/vaultwarden.nix
@@ -0,0 +1,33 @@
+{
+  _class = "clan.service";
+  manifest.name = "vaultwarden";
+  manifest.description = "Bitwarden-compatible password manager";
+  manifest.exports.out = [ "endpoints" ];
+
+  roles.default = {
+    perInstance =
+      {
+        meta,
+        mkExports,
+        ...
+      }:
+      let
+        host = "vaultwarden.${meta.domain}";
+      in
+      {
+        exports = mkExports {
+          endpoints.hosts = [ host ];
+        };
+
+        nixosModule = {
+          services.vaultwarden = {
+            enable = true;
+            domain = host;
+            configureNginx = true;
+          };
+
+          clan.core.state.vaultwarden.folders = [ "/var/lib/vaultwarden" ];
+        };
+      };
+  };
+}