chore(koi): moved vaultwarden to oci-containers

2024-09-16 15:39:32 +03:00 · 2024-09-16 15:39:32 +03:00 · 7aa01c52af
commit 7aa01c52af
parent 4fc46f66be
1 changed files with 31 additions and 35 deletions
--- a/hosts/koi/containers/vaultwarden.nix
+++ b/hosts/koi/containers/vaultwarden.nix
@ -1,46 +1,42 @@
-{ abs, pkgs, lib, config, ... }@inputs:
+{ abs, pkgs, config, ... }@inputs:

 let
-  containers = import (abs "lib/containers.nix") inputs;
  secrets = import (abs "lib/secrets.nix");

-  env = secrets.mount config "vaultwarden-env";
+  UID = 1109;
 in {
  imports = [
-    (secrets.declare [ "vaultwarden-env" ])
-    (containers.mkNixosContainer {
-      name = "vault";
-      ip = ".0.7";
-      private = true;
+    (secrets.declare [{
+      name = "vaultwarden-env";
+      owner = "vaultwarden";
+    }])
+  ];

-      config = { ... }: {
-        services.vaultwarden = {
-          enable = true;
-          config = {
-            SIGNUPS_ALLOWED = false;
+  virtualisation.oci-containers.containers.vaultwarden = {
+    image = "vaultwarden/server:1.32.0";
+    volumes = [
+      "/srv/vaultwarden:/data"
+    ];
+    environment = {
+      SIGNUPS_ALLOWED = "false";
      DOMAIN = "https://bw.tei.su";
-            WEBSOCKET_ENABLED = true;
+      WEBSOCKET_ENABLED = "true";
      ROCKET_ADDRESS = "0.0.0.0";
-            ROCKET_PORT = 80;
-            DATA_FOLDER = "/mnt/vault/data";
+      ROCKET_PORT = "80";
    };
-          environmentFile = env.path;
+    environmentFiles = [
+      (secrets.file config "vaultwarden-env")
+    ];
+    user = builtins.toString UID;
  };

-        systemd.services.vaultwarden.serviceConfig = {
-          ReadWritePaths = [ "/mnt/vault" ];
+  users.users.vaultwarden = {
+    isNormalUser = true;
+    uid = UID;
  };

-        networking.firewall.allowedTCPPorts = [ 80 ];
-      };
-
-      mounts = {
-        "/mnt/vault" = {
-          hostPath = "/mnt/puffer/vaultwarden-vault";
-          isReadOnly = false;
-        };
-      } // (env.mounts);
-    })
+  systemd.tmpfiles.rules = [
+    "d /srv/vaultwarden 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];

  services.nginx.virtualHosts."bw.tei.su" = {
@ -48,7 +44,7 @@ in {
    useACMEHost = "tei.su";

    locations."/" = {
-      proxyPass = "http://vault.containers$request_uri";
+      proxyPass = "http://vaultwarden.docker$request_uri";
      proxyWebsockets = true;
    };
  };