forgejo works now but vaultwarden is fucky

2025-12-29 01:45:04 +01:00 · 2025-12-29 01:45:04 +01:00 · 02eb92a443
commit 02eb92a443
parent f1b3559434
5 changed files with 140 additions and 15 deletions
--- a/modules/containers/default.nix
+++ b/modules/containers/default.nix
@ -2,6 +2,7 @@
  imports = [
    ./nginx.nix
    ./forgejo.nix
+    ./vaultwarden.nix
  ];

  config = {
--- a/modules/containers/forgejo.nix
+++ b/modules/containers/forgejo.nix
@ -6,25 +6,35 @@
  pkgs,
  ...
 }: let
-  inherit (lib) mkEnableOption mkIf;
+  inherit (lib) types mkOption mkEnableOption mkIf;
  cfg = config.horseman.containers.forgejo;
  username = config.horseman.username;

-  HTTP_PORT = 3000;
-  SSH_PORT = 34916;
-  INSTANCE_URL = "http://local.git.server:3000";
  DATA_DIR = "/home/${username}/backups/volumes/forgejo";
  BACKUP_FILE = "/home/${username}/backups/forgejo.tar";
 in {
  options = {
    horseman.containers.forgejo = {
      enable = mkEnableOption "forgejo containers";
+
+      port = mkOption {
+        default = 3000;
+        type = types.int;
+      };
+
+      sshPort = mkOption {
+        default = 34916;
+        type = types.int;
+      };
+
+      url = mkOption {
+        default = "https://git.koendev.nl";
+        type = types.str;
+      };
    };
  };

  config = mkIf cfg.enable {
-    networking.extraHosts = "192.168.100.3 local.git.server";
-
    systemd.timers."backup-forgejo" = {
      wantedBy = ["timers.target"];
      timerConfig = {
@ -36,7 +46,7 @@ in {
    environment.systemPackages = [pkgs.gnutar];
    systemd.services."backup-forgejo" = {
      script = ''
-        ${pkgs.gnutar} -cf ${BACKUP_FILE} ${DATA_DIR}
+        ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
      '';
      serviceConfig = {
        User = "root";
@ -123,9 +133,9 @@ in {

          settings = {
            server = {
-              HTTP_PORT = HTTP_PORT;
-              SSH_PORT = SSH_PORT;
-              ROOT_URL = INSTANCE_URL;
+              HTTP_PORT = cfg.port;
+              SSH_PORT = cfg.sshPort;
+              ROOT_URL = cfg.url;
            };
            session = {
              COOKIE_SECURE = false; # TODO Set to true
@ -148,7 +158,7 @@ in {
        networking = {
          firewall = {
            enable = true;
-            allowedTCPPorts = [HTTP_PORT SSH_PORT];
+            allowedTCPPorts = [cfg.port cfg.sshPort];
          };
          # Use systemd-resolved inside the container
          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
--- a/modules/containers/nginx.nix
+++ b/modules/containers/nginx.nix
@ -8,6 +8,7 @@
 }: let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.horseman.containers.nginx;
+  osConfig = config;
 in {
  options = {
    horseman.containers.nginx = {
@ -16,7 +17,7 @@ in {
  };

  config = mkIf cfg.enable {
-    networking.extraHosts = "192.168.100.1 koendev.nl *.koendev.nl";
+    networking.extraHosts = "192.168.100.1 koendevLocal.nl git.koendevLocal.nl vault.koendevLocal.nl";

    containers.nginx = {
      autoStart = true;
@ -41,15 +42,19 @@ in {
          enable = true;

          virtualHosts = {
-            "koendev.nl" = {
+            "koendevLocal.nl" = {
              # addSSL = false;
              # enableACME = false;
              root = "/var/www/portfolio";
+              default = true;
+              extraConfig = ''
+                error_page 404 /404.html;
+              '';
            };

-            "vault.koendev.nl" = {
+            "git.koendevLocal.nl" = {
              locations."/" = {
-                proxyPass = "http://172.16.0.2";
+                proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
              };
            };
          };
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@ -0,0 +1,103 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) types mkOption mkEnableOption mkIf;
+  cfg = config.horseman.containers.vaultwarden;
+  username = config.horseman.username;
+
+  DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
+  BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar";
+in {
+  options = {
+    horseman.containers.vaultwarden = {
+      enable = mkEnableOption "forgejo containers";
+
+      port = mkOption {
+        default = 3000;
+        type = types.int;
+      };
+
+      url = mkOption {
+        default = "https://vault.koendev.nl";
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.timers."backup-vaultwarden" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
+
+    environment.systemPackages = [pkgs.gnutar];
+    systemd.services."backup-vaultwarden" = {
+      script = ''
+        ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
+      '';
+      serviceConfig = {
+        User = "root";
+      };
+    };
+
+    containers.vaultwarden = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "172.16.0.4";
+      localAddress = "192.168.100.4";
+
+      bindMounts = {
+        "/var/lib/vaultwarden" = {
+          hostPath = DATA_DIR;
+          isReadOnly = false;
+        }; # TODO set correct
+      };
+
+      config = {
+        config,
+        pkgs,
+        ...
+      }: {
+        environment.variables = {
+          ROCKET_ADDRESS = "127.0.0.1";
+          ROCKET_PORT = toString cfg.port;
+          WEB_VAULT_ENABLED = "false";
+        };
+
+        services.vaultwarden = {
+          enable = true;
+          backupDir = "/var/local/vaultwarden/backup";
+          # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+          # be aware that this file must be created by hand (or via secrets management like sops)
+          environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+          config = {
+            DOMAIN = cfg.url;
+            SIGNUPS_ALLOWED = false;
+
+            ROCKET_ADDRESS = "127.0.0.1";
+            ROCKET_PORT = cfg.port;
+            ROCKET_LOG = "critical";
+          };
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [cfg.port];
+          };
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        system.stateVersion = "23.11";
+      };
+    };
+  };
+}