Add bitwarden

hosts/ruil/modules/vaultwarden.nix

@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+  sops.secrets.vaultwarden-env = {
+    owner = "vaultwarden";
+    mode = "0400";
+  };
+
+  # Vaultwarden on warden.hunner.dev
+  services.vaultwarden = {
+    enable = true;
+    configureNginx = true;
+    domain = "warden.hunner.dev";
+    # SMTP and admin token are sourced from the sops-managed env file.
+    environmentFile = [ config.sops.secrets.vaultwarden-env.path ];
+    config = {
+      SIGNUPS_ALLOWED = true;
+      INVITATIONS_ALLOWED = true;
+    };
+  };
+
+  # ACME certificate for Cloudflare Full (strict) origin TLS.
+  services.nginx.virtualHosts."warden.hunner.dev".enableACME = true;
+}