chore(koi): moved vaultwarden to oci-containers
This commit is contained in:
parent
4fc46f66be
commit
7aa01c52af
SSH key fingerprint:
SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
1 changed files with 31 additions and 35 deletions
|
|
@ -1,46 +1,42 @@
|
||||||
{ abs, pkgs, lib, config, ... }@inputs:
|
{ abs, pkgs, config, ... }@inputs:
|
||||||
|
|
||||||
let
|
let
|
||||||
containers = import (abs "lib/containers.nix") inputs;
|
|
||||||
secrets = import (abs "lib/secrets.nix");
|
secrets = import (abs "lib/secrets.nix");
|
||||||
|
|
||||||
env = secrets.mount config "vaultwarden-env";
|
UID = 1109;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
(secrets.declare [ "vaultwarden-env" ])
|
(secrets.declare [{
|
||||||
(containers.mkNixosContainer {
|
name = "vaultwarden-env";
|
||||||
name = "vault";
|
owner = "vaultwarden";
|
||||||
ip = ".0.7";
|
}])
|
||||||
private = true;
|
];
|
||||||
|
|
||||||
config = { ... }: {
|
virtualisation.oci-containers.containers.vaultwarden = {
|
||||||
services.vaultwarden = {
|
image = "vaultwarden/server:1.32.0";
|
||||||
enable = true;
|
volumes = [
|
||||||
config = {
|
"/srv/vaultwarden:/data"
|
||||||
SIGNUPS_ALLOWED = false;
|
];
|
||||||
|
environment = {
|
||||||
|
SIGNUPS_ALLOWED = "false";
|
||||||
DOMAIN = "https://bw.tei.su";
|
DOMAIN = "https://bw.tei.su";
|
||||||
WEBSOCKET_ENABLED = true;
|
WEBSOCKET_ENABLED = "true";
|
||||||
ROCKET_ADDRESS = "0.0.0.0";
|
ROCKET_ADDRESS = "0.0.0.0";
|
||||||
ROCKET_PORT = 80;
|
ROCKET_PORT = "80";
|
||||||
DATA_FOLDER = "/mnt/vault/data";
|
|
||||||
};
|
};
|
||||||
environmentFile = env.path;
|
environmentFiles = [
|
||||||
|
(secrets.file config "vaultwarden-env")
|
||||||
|
];
|
||||||
|
user = builtins.toString UID;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.vaultwarden.serviceConfig = {
|
users.users.vaultwarden = {
|
||||||
ReadWritePaths = [ "/mnt/vault" ];
|
isNormalUser = true;
|
||||||
|
uid = UID;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 ];
|
systemd.tmpfiles.rules = [
|
||||||
};
|
"d /srv/vaultwarden 0700 ${builtins.toString UID} ${builtins.toString UID} -"
|
||||||
|
|
||||||
mounts = {
|
|
||||||
"/mnt/vault" = {
|
|
||||||
hostPath = "/mnt/puffer/vaultwarden-vault";
|
|
||||||
isReadOnly = false;
|
|
||||||
};
|
|
||||||
} // (env.mounts);
|
|
||||||
})
|
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts."bw.tei.su" = {
|
services.nginx.virtualHosts."bw.tei.su" = {
|
||||||
|
|
@ -48,7 +44,7 @@ in {
|
||||||
useACMEHost = "tei.su";
|
useACMEHost = "tei.su";
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://vault.containers$request_uri";
|
proxyPass = "http://vaultwarden.docker$request_uri";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue