From 7019a808835a07cd38e810dbeb3d0c0e51528bd5 Mon Sep 17 00:00:00 2001 From: KoenDR06 Date: Mon, 9 Feb 2026 13:09:23 +0100 Subject: [PATCH] finally works --- modules/containers/nginx.nix | 18 +++++++++++++++++- modules/containers/vaultwarden.nix | 21 ++++++--------------- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/modules/containers/nginx.nix b/modules/containers/nginx.nix index ad209dc..6fb29c6 100644 --- a/modules/containers/nginx.nix +++ b/modules/containers/nginx.nix @@ -50,18 +50,34 @@ in { extraConfig = '' error_page 404 /404.html; ''; + + addSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; "git.koendevLocal.nl" = { + # addSSL = false; + # enableACME = false; locations."/" = { proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}"; }; + + addSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; "vault.koendevLocal.nl" = { + # addSSL = false; + # enableACME = false; locations."/" = { proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}"; }; + + forceSSL = true; + sslCertificate = "/var/www/portfolio/cert.pem"; + sslCertificateKey = "/var/www/portfolio/key.pem"; }; }; }; @@ -69,7 +85,7 @@ in { networking = { firewall = { enable = true; - allowedTCPPorts = [80]; + allowedTCPPorts = [80 443]; }; useHostResolvConf = lib.mkForce false; }; diff --git a/modules/containers/vaultwarden.nix b/modules/containers/vaultwarden.nix index 5d05a9f..2d5963b 100644 --- a/modules/containers/vaultwarden.nix +++ b/modules/containers/vaultwarden.nix @@ -15,7 +15,7 @@ in { options = { horseman.containers.vaultwarden = { - enable = mkEnableOption "forgejo containers"; + enable = mkEnableOption "Password manager"; port = mkOption { default = 3000; 
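Review bot: The private key is written to `/var/www/portfolio/key.pem`, inside what its name suggests is the portfolio vhost's web root; the `root` setting and the start of the enclosing `virtualHosts` set are outside the hunk, but if that root is `/var/www/portfolio` nginx will serve `key.pem` as a static file to any client, defeating the TLS being added here. Move the key (and cert) to a root-owned path that is never served, such as `/var/lib/nginx/ssl/`, with the key readable only by the nginx user, or let NixOS manage it via `enableACME`/`security.acme`, and point the three `sslCertificate`/`sslCertificateKey` pairs there. `git.koendevLocal.nl` still uses `addSSL = true;`, so Forgejo logins and pushes remain reachable over plaintext HTTP on port 80; make it `forceSSL = true;` as the vault vhost already does. Because one file backs three hostnames, the certificate must carry all of them as SANs or browsers will reject it for git and vault. The commented-out `# addSSL = false;` / `# enableACME = false;` lines are dead code and should be dropped rather than left in.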
@@ -66,25 +66,16 @@ in { pkgs, ... }: { - environment.variables = { - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = toString cfg.port; - WEB_VAULT_ENABLED = "false"; - }; + environment.systemPackages = with pkgs; [ + vaultwarden.webvault + ]; services.vaultwarden = { enable = true; - backupDir = "/var/local/vaultwarden/backup"; - # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file - # be aware that this file must be created by hand (or via secrets management like sops) - environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; config = { - DOMAIN = cfg.url; - SIGNUPS_ALLOWED = false; - - ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = cfg.port; - ROCKET_LOG = "critical"; + ROCKET_ADDRESS = "0.0.0.0"; + WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault"; }; };
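Review bot: Dropping `SIGNUPS_ALLOWED = false;` and `DOMAIN = cfg.url;` from `services.vaultwarden.config` re-opens account registration (vaultwarden's default allows signups) and removes the public URL the web vault, invitation links and WebAuthn/2FA depend on, just as the vault is being exposed over `forceSSL` on vault.koendevLocal.nl. Restore `DOMAIN = cfg.url;` and `SIGNUPS_ALLOWED = false;` next to `ROCKET_PORT = cfg.port;` (opening signups only for a deliberate enrollment window). The switch to `ROCKET_ADDRESS = "0.0.0.0"` was presumably needed so the nginx container can reach the service on the container's `localAddress`, but it now listens on every interface in the container, so it should be bound to that address or fenced by the container firewall rather than left open. Removing `environmentFile` also drops the out-of-store `ADMIN_TOKEN` the deleted comment describes; if the admin panel is still wanted, keep `environmentFile = "/var/lib/vaultwarden/vaultwarden.env";`. The new `environment.systemPackages` entry is redundant since `WEB_VAULT_FOLDER` already references the store path directly.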