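{ inputs, outputs, lib, config, pkgs, ... }:
# Horseman vaultwarden module: declares the `horseman.containers.vaultwarden`
# options, runs vaultwarden in a NixOS container with a private network, and
# schedules a daily tar archive of the container's bind-mounted data directory.
let
  inherit (lib) types mkOption mkEnableOption mkIf;
  cfg = config.horseman.containers.vaultwarden;
  username = config.horseman.username;
  # Host-side directory that is bind-mounted into the container as /var/lib/vaultwarden.
  DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
  # Archive written by the backup-vaultwarden service.
  BACKUP_FILE = "/home/${username}/backups/vaultwarden.tar";
in {
  options = {
    horseman.containers.vaultwarden = {
      # Description fixed: the original said "forgejo containers" (copy-paste from another module).
      enable = mkEnableOption "vaultwarden containers";
      port = mkOption {
        default = 3000;
        type = types.int;
        description = "Port vaultwarden listens on inside the container (ROCKET_PORT).";
      };
      url = mkOption {
        default = "https://vault.koendev.nl";
        type = types.str;
        description = "Public URL of the vault, passed to vaultwarden as DOMAIN.";
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.timers."backup-vaultwarden" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        # Catch up on a missed run at the next boot instead of skipping it.
        Persistent = true;
      };
    };

    environment.systemPackages = [ pkgs.gnutar ];

    systemd.services."backup-vaultwarden" = {
      # DATA_DIR is the container's /var/lib/vaultwarden, which includes
      # vaultwarden.env (the environmentFile below, intended to hold ADMIN_TOKEN),
      # so the archive contains secrets: create it owner-only (umask) and also
      # tighten a pre-existing archive that tar would otherwise overwrite in place.
      # NOTE(review): this tars the live directory, so the sqlite database may be
      # mid-write when copied. The container's services.vaultwarden.backupDir is
      # outside the bind mount and is therefore not captured here — confirm which
      # copy is meant to be the restore source.
      script = ''
        umask 077
        ${pkgs.gnutar}/bin/tar -cf ${BACKUP_FILE} ${DATA_DIR}
        chmod 600 ${BACKUP_FILE}
      '';
      serviceConfig = {
        # One run per timer tick; the unit exits when tar finishes.
        Type = "oneshot";
        User = "root";
      };
    };

    containers.vaultwarden = {
      autoStart = true;
      privateNetwork = true;
      hostAddress = "172.16.0.4";
      localAddress = "192.168.100.4";
      bindMounts = {
        # TODO: set correct (carried over from the original; the intended value is not stated).
        "/var/lib/vaultwarden" = {
          hostPath = DATA_DIR;
          isReadOnly = false;
        };
      };

      config = { config, pkgs, ... }: {
        # NOTE(review): ROCKET_ADDRESS/ROCKET_PORT are also set in
        # services.vaultwarden.config below; these session-wide copies look
        # redundant — confirm they are read by anything before removing them.
        environment.variables = {
          ROCKET_ADDRESS = "127.0.0.1";
          ROCKET_PORT = toString cfg.port;
          WEB_VAULT_ENABLED = "false";
        };

        services.vaultwarden = {
          enable = true;
          backupDir = "/var/local/vaultwarden/backup";
          # To avoid having ADMIN_TOKEN in the nix store it can also be set via an environment file.
          # Be aware that this file must be created by hand (or via secrets management like sops).
          environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
          config = {
            DOMAIN = cfg.url;
            SIGNUPS_ALLOWED = false;
            # NOTE(review): with privateNetwork = true, binding to loopback keeps
            # the service unreachable from the host, and the allowedTCPPorts rule
            # for cfg.port below then exposes nothing — confirm the intended
            # listen address before relying on either.
            ROCKET_ADDRESS = "127.0.0.1";
            ROCKET_PORT = cfg.port;
            ROCKET_LOG = "critical";
          };
        };

        networking = {
          firewall = {
            enable = true;
            allowedTCPPorts = [ cfg.port ];
          };
          # Forced off so the container does not reuse the host's resolv.conf.
          useHostResolvConf = lib.mkForce false;
        };

        system.stateVersion = "23.11";
      };
    };
  };
}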