feat(modules): finish Vaultwarden service configuration

2025-09-09 12:20:04 +00:00 · 2024-09-24 00:44:19 +02:00 · 2024-09-24 00:44:19 +02:00 · 4ae047afbb
commit 4ae047afbb
parent cd021bee37
4 changed files with 40 additions and 13 deletions
--- a/modules/nixos/common/kernel/default.nix
+++ b/modules/nixos/common/kernel/default.nix
@ -1,15 +1,7 @@
 {
  lib,
  pkgs,
-  inputs,
-
-  namespace, # The flake namespace, set in flake.nix. If not set, defaults to "internal".
-  system, # The system architecture for this host (eg. `x86_64-linux`).
-  target, # The Snowfall Lib target for this system (eg. `x86_64-iso`).
-  format, # A normalized name for the system target (eg. `iso`).
-  virtual, # A boolean to determine whether this system is a virtual target using nixos-generators.
-  systems, # An attribute map of your defined hosts.
-
+  namespace,
  config,
  ...
 }: with lib; with lib.${namespace};
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@ -8,14 +8,36 @@
 let
  cfg = config.${namespace}.services.vaultwarden;
 in {
-  options.${namespace}.services.vaultwarden = { enable = mkEnableOption "Enable the Vaultwarden service."; };
+  options.${namespace}.services.vaultwarden = { enable = mkEnableOption "Enable Vaultwarden, a self-hostable password manager."; };

  config = mkIf cfg.enable {
+    sops.secrets.vaultwarden = {
+      sopsFile = lib.snowfall.fs.get-file "secrets/vaultwarden.service.env";
+      format = "env";
+    };
+
+    # Ensure directories exists before OCI container is launched.
+    systemd.tmpfiles.rules = [
+      "d /var/lib/containers/vaultwarden/data 0700 root root -"
+    ];
+
+    # "Inspired" by BreakingTV @ github.com
    virtualisation.oci-containers.containers.vaultwarden = {
      image = "vaultwarden/server";
      autoStart = true;
      hostname = host;
-      # Todo: continue writing vaultwarden config
+      labels = {
+        "traefik.enable" = true;
+        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
+        "traefik.http.routers.vaultwarden.rule" = "Host(`vault.thevoid.cafe`)";
+      };
+      volumes = [
+        "/var/lib/containers/vaultwarden/data:/data:rw"
+      ];
+      environmentFiles = [
+        config.sops.secrets.vaultwarden.path
+      ];
+      extraOptions = ["--network=proxy"];
    };
  };
 }