author | tdback <tyler@tdback.net> | 2025-01-26 11:31:39 -0500 |
---|---|---|
committer | tdback <tyler@tdback.net> | 2025-01-26 11:31:39 -0500 |
commit | 1b40ddcb978dec8cf52a82319f1f8b4e4eedd3f8 (patch) | |
tree | af7b6b2ff316e42fa8c59ff772970a16a3b8c4cb /modules/containers/vaultwarden/default.nix | |
parent | a7c3d07078d0ca67afadd6fb24ab4b60b38c1109 (diff) |
containers: reworked each container to be a standalone module
Diffstat (limited to 'modules/containers/vaultwarden/default.nix')
-rw-r--r-- | modules/containers/vaultwarden/default.nix | 93 |
1 files changed, 71 insertions, 22 deletions
diff --git a/modules/containers/vaultwarden/default.nix b/modules/containers/vaultwarden/default.nix
index 7fb4ae0..c04d679 100644
--- a/modules/containers/vaultwarden/default.nix
+++ b/modules/containers/vaultwarden/default.nix
@@ -1,29 +1,78 @@ -{ ... }: +{ + config, + lib, + ... +}: +with lib; let - directory = "/opt/vaultwarden"; - domain = "steel-mountain.brownbread.net"; - port = "11001"; + service = "vaultwarden"; + cfg = config.modules.containers.${service}; in { - systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ]; - - virtualisation.oci-containers.containers.vaultwarden = { - image = "vaultwarden/server:latest"; - autoStart = true; - ports = [ "${port}:80" ]; - volumes = [ "${directory}/data:/data" ]; - environment = { - DOMAIN = domain; - WEBSOCKET_ENABLED = "true"; - SIGNUPS_ALLOWED = "false"; - SHOW_PASSWORD_HINT = "false"; + options.modules.containers.${service} = { + enable = mkEnableOption service; + user = mkOption { + default = "share"; + type = types.str; + }; + group = mkOption { + default = "share"; + type = types.str; + }; + port = mkOption { + default = 11001; + type = types.int; + }; + url = mkOption { + default = null; + type = types.str; + }; + configDir = mkOption { + default = "/opt/${service}"; + type = types.str; }; }; - services.caddy.virtualHosts.${domain}.extraConfig = '' - encode zstd gzip - reverse_proxy http://localhost:${port} { - header_up X-Real-IP {remote_host} - } - ''; + config = mkIf cfg.enable { + users.users.${cfg.user} = { + isSystemUser = true; + group = cfg.group; + }; + + users.groups.${cfg.group} = { }; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.caddy = { + enable = true; + virtualHosts = { + ${cfg.url}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString cfg.port} { + header_up X-Real-IP {remote_host} + } + ''; + }; + }; + + systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [ + cfg.configDir + ]; + + virtualisation.oci-containers.containers.${service} = { + image = "vaultwarden/server:latest"; + autoStart = true; + ports = [ "${builtins.toString cfg.port}:80" ]; + volumes = [ 
"${cfg.configDir}/data:/data" ]; + environment = { + DOMAIN = cfg.url; + WEBSOCKET_ENABLED = "true"; + SIGNUPS_ALLOWED = "false"; + SHOW_PASSWORD_HINT = "false"; + }; + }; + }; } |