From a8061ccb3793e0f5af4b73215f57b7f4adf719bf Mon Sep 17 00:00:00 2001
From: RatCornu
Date: Thu, 29 May 2025 19:31:47 +0200
Subject: [PATCH] vaultwarden: add nullmailer to systemd service

---
 modules/crans/nullmailer.nix     |  1 +
 modules/services/vaultwarden.nix | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/modules/crans/nullmailer.nix b/modules/crans/nullmailer.nix
index 23bb4ef..fdc6aaa 100644
--- a/modules/crans/nullmailer.nix
+++ b/modules/crans/nullmailer.nix
@@ -4,6 +4,7 @@
   services.nullmailer = {
     enable = true;
+    setSendmail = true;
     config = {
       remotes = ''
         smtp.adm.crans.org smtp
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index 2b79a57..7b7367e 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, ... }:
 {
   imports = [
@@ -14,7 +14,26 @@
   services.vaultwarden = {
     enable = true;
     dbBackend = "postgresql";
+    environmentFile = config.age.secrets.env.path;
+    config = {
+      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
+    };
+  };
+  users.users.vaultwarden.extraGroups = [ "nullmailer" ];
+
+  systemd.services.vaultwarden = {
+    path = [ "/run/wrappers" ];
+    serviceConfig = {
+      NoNewPrivileges = lib.mkForce false;
+      PrivateUsers = lib.mkForce false;
+      SystemCallFilter = lib.mkForce [ "@system-service" ];
+      RestrictAddressFamilies = [
+        "AF_LOCAL"
+        "AF_NETLINK"
+      ];
+      ReadWritePaths = [ "/var/spool/nullmailer/" ];
+    };
   };
   services.nginx.virtualHosts."vaultwarden.crans.org" = {
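Review bot: `setSendmail = true;` in modules/crans/nullmailer.nix installs a privileged `sendmail` wrapper under `config.security.wrapperDir` (setgid to the nullmailer group, as far as I recall — confirm against the NixOS nullmailer module), and the only consumer in this patch is the `SENDMAIL_COMMAND` path added to modules/services/vaultwarden.nix, which is what forces `NoNewPrivileges`, `PrivateUsers` and `SystemCallFilter` to be `mkForce`d off or widened in that file's second hunk. That trades the sandbox of the unit holding the password vault for local mail submission, and it is a one-line toggle here with nothing explaining the coupling. Since the nullmailer config in the same hunk already names the upstream relay `smtp.adm.crans.org`, vaultwarden could instead be pointed at that relay over SMTP through its `SMTP_HOST`/`SMTP_PORT`/`SMTP_SECURITY` settings, with any credentials kept in the `environmentFile` the patch already wires up, which needs none of the hardening overrides and lets this option stay unset. If the sendmail route is kept, document the dependency above the line, e.g. `# privileged sendmail wrapper, consumed by vaultwarden's SENDMAIL_COMMAND; that unit must relax NoNewPrivileges/PrivateUsers to exec it`. The `services.nullmailer` attrset continues past this hunk.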