forgejo works now but vaultwarden is fucky

2025-12-29 01:45:04 +01:00 · 2025-12-29 01:45:04 +01:00 · 02eb92a443
commit 02eb92a443
parent f1b3559434
5 changed files with 140 additions and 15 deletions
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@ -0,0 +1,103 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib) types mkOption mkEnableOption mkIf;
+  cfg = config.horseman.containers.vaultwarden;
+  username = config.horseman.username;
+
+  DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
+  BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar";
+in {
+  options = {
+    horseman.containers.vaultwarden = {
+      enable = mkEnableOption "forgejo containers";
+
+      port = mkOption {
+        default = 3000;
+        type = types.int;
+      };
+
+      url = mkOption {
+        default = "https://vault.koendev.nl";
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.timers."backup-vaultwarden" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
+
+    environment.systemPackages = [pkgs.gnutar];
+    systemd.services."backup-vaultwarden" = {
+      script = ''
+        ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
+      '';
+      serviceConfig = {
+        User = "root";
+      };
+    };
+
+    containers.vaultwarden = {
+      autoStart = true;
+      privateNetwork = true;
+      hostAddress = "172.16.0.4";
+      localAddress = "192.168.100.4";
+
+      bindMounts = {
+        "/var/lib/vaultwarden" = {
+          hostPath = DATA_DIR;
+          isReadOnly = false;
+        }; # TODO set correct
+      };
+
+      config = {
+        config,
+        pkgs,
+        ...
+      }: {
+        environment.variables = {
+          ROCKET_ADDRESS = "127.0.0.1";
+          ROCKET_PORT = toString cfg.port;
+          WEB_VAULT_ENABLED = "false";
+        };
+
+        services.vaultwarden = {
+          enable = true;
+          backupDir = "/var/local/vaultwarden/backup";
+          # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
+          # be aware that this file must be created by hand (or via secrets management like sops)
+          environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+          config = {
+            DOMAIN = cfg.url;
+            SIGNUPS_ALLOWED = false;
+
+            ROCKET_ADDRESS = "127.0.0.1";
+            ROCKET_PORT = cfg.port;
+            ROCKET_LOG = "critical";
+          };
+        };
+
+        networking = {
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [cfg.port];
+          };
+          useHostResolvConf = lib.mkForce false;
+        };
+
+        system.stateVersion = "23.11";
+      };
+    };
+  };
+}