finally works

2026-02-09 13:09:23 +01:00 · 2026-02-09 13:09:23 +01:00 · 7019a80883
commit 7019a80883
parent 18f05807d2
2 changed files with 23 additions and 16 deletions
--- a/modules/containers/nginx.nix
+++ b/modules/containers/nginx.nix
@ -50,18 +50,34 @@ in {
              extraConfig = ''
                error_page 404 /404.html;
              '';
+
+              addSSL = true;
+              sslCertificate = "/var/www/portfolio/cert.pem";
+              sslCertificateKey = "/var/www/portfolio/key.pem";
            };

            "git.koendevLocal.nl" = {
+              # addSSL = false;
+              # enableACME = false;
              locations."/" = {
                proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
              };
+
+              addSSL = true;
+              sslCertificate = "/var/www/portfolio/cert.pem";
+              sslCertificateKey = "/var/www/portfolio/key.pem";
            };

            "vault.koendevLocal.nl" = {
+              # addSSL = false;
+              # enableACME = false;
              locations."/" = {
                proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}";
              };
+
+              forceSSL = true;
+              sslCertificate = "/var/www/portfolio/cert.pem";
+              sslCertificateKey = "/var/www/portfolio/key.pem";
            };
          };
        };
@ -69,7 +85,7 @@ in {
        networking = {
          firewall = {
            enable = true;
-            allowedTCPPorts = [80];
+            allowedTCPPorts = [80 443];
          };
          useHostResolvConf = lib.mkForce false;
        };
--- a/modules/containers/vaultwarden.nix
+++ b/modules/containers/vaultwarden.nix
@ -15,7 +15,7 @@
 in {
  options = {
    horseman.containers.vaultwarden = {
-      enable = mkEnableOption "forgejo containers";
+      enable = mkEnableOption "Password manager";

      port = mkOption {
        default = 3000;
@ -66,25 +66,16 @@ in {
        pkgs,
        ...
      }: {
-        environment.variables = {
-          ROCKET_ADDRESS = "127.0.0.1";
-          ROCKET_PORT = toString cfg.port;
-          WEB_VAULT_ENABLED = "false";
-        };
+        environment.systemPackages = with pkgs; [
+          vaultwarden.webvault
+        ];

        services.vaultwarden = {
          enable = true;
-          backupDir = "/var/local/vaultwarden/backup";
-          # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
-          # be aware that this file must be created by hand (or via secrets management like sops)
-          environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
          config = {
-            DOMAIN = cfg.url;
-            SIGNUPS_ALLOWED = false;
-
-            ROCKET_ADDRESS = "127.0.0.1";
            ROCKET_PORT = cfg.port;
-            ROCKET_LOG = "critical";
+            ROCKET_ADDRESS = "0.0.0.0";
+            WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault";
          };
        };