Diffstat (limited to 'modules/containers/vaultwarden')
-rw-r--r--modules/containers/vaultwarden/default.nix93
1 files changed, 71 insertions, 22 deletions
diff --git a/modules/containers/vaultwarden/default.nix b/modules/containers/vaultwarden/default.nix
index 7fb4ae0..c04d679 100644
--- a/modules/containers/vaultwarden/default.nix
+++ b/modules/containers/vaultwarden/default.nix
@@ -1,29 +1,78 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/vaultwarden";
- domain = "steel-mountain.brownbread.net";
- port = "11001";
+ service = "vaultwarden";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
-
- virtualisation.oci-containers.containers.vaultwarden = {
- image = "vaultwarden/server:latest";
- autoStart = true;
- ports = [ "${port}:80" ];
- volumes = [ "${directory}/data:/data" ];
- environment = {
- DOMAIN = domain;
- WEBSOCKET_ENABLED = "true";
- SIGNUPS_ALLOWED = "false";
- SHOW_PASSWORD_HINT = "false";
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 11001;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
};
};
- services.caddy.virtualHosts.${domain}.extraConfig = ''
- encode zstd gzip
- reverse_proxy http://localhost:${port} {
- header_up X-Real-IP {remote_host}
- }
- '';
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ users.groups.${cfg.group} = { };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.url}.extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:${builtins.toString cfg.port} {
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
+ ];
+
+ virtualisation.oci-containers.containers.${service} = {
+ image = "vaultwarden/server:latest";
+ autoStart = true;
+ ports = [ "${builtins.toString cfg.port}:80" ];
+ volumes = [ "${cfg.configDir}/data:/data" ];
+ environment = {
+ DOMAIN = cfg.url;
+ WEBSOCKET_ENABLED = "true";
+ SIGNUPS_ALLOWED = "false";
+ SHOW_PASSWORD_HINT = "false";
+ };
+ };
+ };
}
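Review bot: The published port `ports = [ "${builtins.toString cfg.port}:80" ]` binds on all interfaces, so the vaultwarden HTTP listener is reachable directly on 11001 without going through the Caddy TLS proxy configured just above it; since only Caddy on the same host needs it, bind to loopback with `ports = [ "127.0.0.1:${builtins.toString cfg.port}:80" ];`. Note that `networking.firewall.allowedTCPPorts` opening only 80 and 443 may not protect 11001, because with a Docker-style backend published ports are typically forwarded by the runtime's own NAT rules rather than filtered by the host INPUT chain — worth confirming for the backend in use. Separately, `url = mkOption { default = null; type = types.str; }` is inconsistent: `types.str` rejects `null`, so an enabled module with `url` unset fails type-checking rather than producing a clear error; use `type = types.nullOr types.str;` with an assertion that it is set when `cfg.enable` is true, or drop the default so the option is required. The image tag `vaultwarden/server:latest` is carried over unchanged and remains unpinned; a digest-pinned reference would make upgrades of the password-vault container deliberate rather than whatever the registry serves at next pull.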