nixfiles/hosts/koi/containers/vaultwarden.nix

{ abs, pkgs, lib, config, ... }@inputs:

let
  containers = import (abs "lib/containers.nix") inputs;
  secrets = import (abs "lib/secrets.nix");

  env = secrets.mount config "vaultwarden-env";
in {
  imports = [
    (secrets.declare [ "vaultwarden-env" ])
    (containers.mkNixosContainer {
      name = "vault";
      ip = ".0.7";
      private = true;

      config = { ... }: {
        services.vaultwarden = {
          enable = true;
          config = {
            SIGNUPS_ALLOWED = false;
            DOMAIN = "https://bw.tei.su";
            WEBSOCKET_ENABLED = true;
            ROCKET_ADDRESS = "0.0.0.0";
            ROCKET_PORT = 80;
            DATA_FOLDER = "/mnt/vault/data";
          };
          environmentFile = env.path;
        };

        systemd.services.vaultwarden.serviceConfig = {
          ReadWritePaths = [ "/mnt/vault" ];
        };

        networking.firewall.allowedTCPPorts = [ 80 ];
      };

      mounts = {
        "/mnt/vault" = {
          hostPath = "/mnt/puffer/vaultwarden-vault";
          isReadOnly = false;
        };
      } // (env.mounts);
    })
  ];

  services.nginx.virtualHosts."bw.tei.su" = {
    forceSSL = true;
    useACMEHost = "tei.su";

    locations."/" = {
      proxyPass = "http://vault.containers/";
      proxyWebsockets = true;
    };
  };
}
chore: initial migration off desu-arm 2024-06-06 13:10:13 +03:00			`{ abs, pkgs, lib, config, ... }@inputs:`

			`let`
			`containers = import (abs "lib/containers.nix") inputs;`
			`secrets = import (abs "lib/secrets.nix");`

			`env = secrets.mount config "vaultwarden-env";`
			`in {`
			`imports = [`
			`(secrets.declare [ "vaultwarden-env" ])`
			`(containers.mkNixosContainer {`
			`name = "vault";`
			`ip = ".0.7";`
			`private = true;`

			`config = { ... }: {`
			`services.vaultwarden = {`
			`enable = true;`
			`config = {`
			`SIGNUPS_ALLOWED = false;`
			`DOMAIN = "https://bw.tei.su";`
			`WEBSOCKET_ENABLED = true;`
			`ROCKET_ADDRESS = "0.0.0.0";`
			`ROCKET_PORT = 80;`
			`DATA_FOLDER = "/mnt/vault/data";`
			`};`
			`environmentFile = env.path;`
			`};`

			`systemd.services.vaultwarden.serviceConfig = {`
			`ReadWritePaths = [ "/mnt/vault" ];`
			`};`

			`networking.firewall.allowedTCPPorts = [ 80 ];`
			`};`

			`mounts = {`
			`"/mnt/vault" = {`
			`hostPath = "/mnt/puffer/vaultwarden-vault";`
			`isReadOnly = false;`
			`};`
			`} // (env.mounts);`
			`})`
			`];`

			`services.nginx.virtualHosts."bw.tei.su" = {`
			`forceSSL = true;`
			`useACMEHost = "tei.su";`

			`locations."/" = {`
			`proxyPass = "http://vault.containers/";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`}`