From 02eb92a4438ec1b1e695e8e9a33c925d54f89a16 Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 29 Dec 2025 01:45:04 +0100 Subject: [PATCH] forgejo works now but vaultwarden is fucky --- machines/artemis/modules.nix | 6 ++ modules/containers/default.nix | 1 + modules/containers/forgejo.nix | 32 ++++++--- modules/containers/nginx.nix | 13 ++-- modules/containers/vaultwarden.nix | 103 +++++++++++++++++++++++++++++ 5 files changed, 140 insertions(+), 15 deletions(-) create mode 100644 modules/containers/vaultwarden.nix diff --git a/machines/artemis/modules.nix b/machines/artemis/modules.nix index 843dc8b..8fa0ec1 100644 --- a/machines/artemis/modules.nix +++ b/machines/artemis/modules.nix @@ -10,6 +10,12 @@ users.default.enable = true; + containers = { + forgejo.enable = true; + nginx.enable = true; + vaultwarden.enable = true; + }; + base = { nix.enable = true; locale.enable = true; diff --git a/modules/containers/default.nix b/modules/containers/default.nix index 9e61d5b..e3c6178 100644 --- a/modules/containers/default.nix +++ b/modules/containers/default.nix @@ -2,6 +2,7 @@ imports = [ ./nginx.nix ./forgejo.nix + ./vaultwarden.nix ]; config = { diff --git a/modules/containers/forgejo.nix b/modules/containers/forgejo.nix index bc7333b..38bfcec 100644 --- a/modules/containers/forgejo.nix +++ b/modules/containers/forgejo.nix 
@@ -6,25 +6,35 @@ pkgs, ... }: let - inherit (lib) mkEnableOption mkIf; + inherit (lib) types mkOption mkEnableOption mkIf; cfg = config.horseman.containers.forgejo; username = config.horseman.username; - HTTP_PORT = 3000; - SSH_PORT = 34916; - INSTANCE_URL = "http://local.git.server:3000"; DATA_DIR = "/home/${username}/backups/volumes/forgejo"; BACKUP_FILE = "/home/${username}/backups/forgejo.tar"; in { options = { horseman.containers.forgejo = { enable = mkEnableOption "forgejo containers"; + + port = mkOption { + default = 3000; + type = types.int; + }; + + sshPort = mkOption { + default = 34916; + type = types.int; + }; + + url = mkOption { + default = "https://git.koendev.nl"; + type = types.str; + }; }; }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.3 local.git.server"; - systemd.timers."backup-forgejo" = { wantedBy = ["timers.target"]; timerConfig = { @@ -36,7 +46,7 @@ in { environment.systemPackages = [pkgs.gnutar]; systemd.services."backup-forgejo" = { script = '' - ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR} + ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR} ''; serviceConfig = { User = "root"; @@ -123,9 +133,9 @@ in { settings = { server = { - HTTP_PORT = HTTP_PORT; - SSH_PORT = SSH_PORT; - ROOT_URL = INSTANCE_URL; + HTTP_PORT = cfg.port; + SSH_PORT = cfg.sshPort; + ROOT_URL = cfg.url; }; session = { COOKIE_SECURE = false; # TODO Set to true @@ -148,7 +158,7 @@ in { networking = { firewall = { enable = true; - allowedTCPPorts = [HTTP_PORT SSH_PORT]; + allowedTCPPorts = [cfg.port cfg.sshPort]; }; # Use systemd-resolved inside the container # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index 87be28c..5b24f35 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix 
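Review bot: The three new `mkOption`s in the first hunk carry no `description`, and `port`/`sshPort` are typed `types.int`, which accepts negative and >65535 values that only fail once Forgejo or the firewall tries to use them; prefer the range-checked type and document each option, e.g. `port = mkOption { type = types.port; default = 3000; description = "HTTP port Forgejo listens on inside the container"; };`. The same applies to `port` in the new vaultwarden.nix. The hunk also drops the `networking.extraHosts` entry for `local.git.server` while the new `url` default moves to `https://git.koendev.nl`; anything that still resolved the old name through the host now breaks, which looks intentional from the diff but deserves a sentence in the commit message.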
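Review bot: `ROOT_URL = cfg.url` in the third hunk now defaults to an https origin, but the unchanged `session.COOKIE_SECURE = false; # TODO Set to true` right below it still issues the session cookie without the Secure flag, so the cookie is sent in clear on any http request to the same host. With the https default this TODO should be resolved in the same commit, `COOKIE_SECURE = true;`, or the `url` default should match the plain-http origin the nginx hunk actually serves (`git.koendevLocal.nl` is proxied without TLS). The `settings` block continues outside the hunk.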
@@ -8,6 +8,7 @@ }: let inherit (lib) mkEnableOption mkIf mkOption types; cfg = config.horseman.containers.nginx; + osConfig = config; in { options = { horseman.containers.nginx = { @@ -16,7 +17,7 @@ in { }; config = mkIf cfg.enable { - networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl"; + networking.extraHosts = "192.168.100.1 koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl"; containers.nginx = { autoStart = true; @@ -41,15 +42,19 @@ in { enable = true; virtualHosts = { - "koendev.nl" = { + "koendevLocal.nl" = { # addSSL = false; # enableACME = false; root = "/var/www/portfolio"; + default = true; + extraConfig = '' + error_page 404 /404.html; + ''; }; - "vault.koendev.nl" = { + "git.koendevLocal.nl" = { locations."/" = { - proxyPass = "http://172.16.0.2"; + proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; }; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix new file mode 100644 index 0000000..5d05a9f --- /dev/null +++ b/modules/containers/vaultwarden.nix 
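Review bot: The third hunk removes the `vault.koendev.nl` vhost without adding one for the new vaultwarden container, and the remaining `git.koendevLocal.nl` vhost proxies Forgejo over plain http, so the `https://…koendev.nl` defaults of the Forgejo `url` and vaultwarden `DOMAIN` options point at origins nginx does not serve. Unless `services.nginx.recommendedProxySettings` is enabled outside the hunk, `proxyPass` alone forwards no `Host`/`X-Forwarded-*` headers, so Forgejo sees the proxy's address instead of the client's in its own logs; add `recommendedProxySettings = true;` next to `enable = true;` or `proxy_set_header` lines in `extraConfig`. Deriving the server names from the `url` options instead of repeating them in `extraHosts` and `virtualHosts` would keep the two files from drifting again.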
@@ -0,0 +1,103 @@
+{
+ inputs,
+ outputs,
+ lib,
+ config,
+ pkgs,
+ ...
+}: let
+ inherit (lib) types mkOption mkEnableOption mkIf;
+ cfg = config.horseman.containers.vaultwarden;
+ username = config.horseman.username;
+
+ DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
+ BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar";
+in {
+ options = {
+ horseman.containers.vaultwarden = {
+ enable = mkEnableOption "forgejo containers";
+
+ port = mkOption {
+ default = 3000;
+ type = types.int;
+ };
+
+ url = mkOption {
+ default = "https://vault.koendev.nl";
+ type = types.str;
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.timers."backup-vaultwarden" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ };
+
+ environment.systemPackages = [pkgs.gnutar];
+ systemd.services."backup-vaultwarden" = {
+ script = ''
+ ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
+ '';
+ serviceConfig = {
+ User = "root";
+ };
+ };
+
+ containers.vaultwarden = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "172.16.0.4";
+ localAddress = "192.168.100.4";
+
+ bindMounts = {
+ "/var/lib/vaultwarden" = {
+ hostPath = DATA_DIR;
+ isReadOnly = false;
+ }; # TODO set correct
+ };
+
+ config = {
+ config,
+ pkgs,
+ ...
+ }: {
+ environment.variables = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = toString cfg.port;
+ WEB_VAULT_ENABLED = "false";
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ backupDir = "/var/local/vaultwarden/backup";
+ # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+ # be aware that this file must be created by hand (or via secrets management like sops)
+ environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+ config = {
+ DOMAIN = cfg.url;
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = cfg.port;
+ ROCKET_LOG = "critical";
+ };
+ };
+
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [cfg.port];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ system.stateVersion = "23.11";
+ };
+ };
+ };
+}
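Review bot: `ROCKET_ADDRESS = "127.0.0.1"` binds Vaultwarden to the container's own loopback, and with `privateNetwork = true` that interface is unreachable from the host side, so `allowedTCPPorts = [cfg.port]` opens nothing useful and nginx cannot proxy to the service — the likely cause of the "vaultwarden is fucky" in the subject. The `environment.variables` block duplicates `services.vaultwarden.config`, and as far as I can tell the service unit does not read login-shell variables, so `WEB_VAULT_ENABLED = "false"` currently has no effect; it belongs in `config`. Security-wise, `environmentFile` (which per the hunk's own comment holds ADMIN_TOKEN) lives inside the bind-mounted DATA_DIR, so the daily root-run `tar -cf` copies the admin token into `/home/${username}/backups/vaultwarden.tar`; keep the env file outside DATA_DIR or add `--exclude=vaultwarden.env` to the tar line, and note that tarring the live sqlite file is not crash-consistent while `backupDir` (which writes a consistent copy) is outside the bind mount and so is never captured. `enable = mkEnableOption "forgejo containers"` is also a copy-paste leftover. The rewrite below binds on the container's interfaces, moves `backupDir` under the bind mount and folds the variables into `config`.
```nix
enable = mkEnableOption "vaultwarden container";
# … unchanged: port/url options, backup timer and service, container addresses and bindMounts …
config = { config, pkgs, ... }: {
  services.vaultwarden = {
    enable = true;
    # under the bind mount so the daily tar captures the consistent sqlite copy written here
    backupDir = "/var/lib/vaultwarden/backup";
    environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
    config = {
      DOMAIN = cfg.url;
      SIGNUPS_ALLOWED = false;
      WEB_VAULT_ENABLED = false;
      # listen on the container's interfaces, not only loopback: with privateNetwork
      # only the host side (nginx) can reach the veth, so this is still not exposed
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = cfg.port;
      ROCKET_LOG = "critical";
    };
  };
  # … unchanged: networking.firewall, useHostResolvConf, system.stateVersion …
};
```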