test: vaultwarden microVM

modules/config/instances/config/vaultwarden.nix

@@ -39,7 +39,7 @@ in
     mac = "02:00:00:00:00:51";
     idUser = "vmuser-vault";
     macUser = "02:00:00:00:00:03";
-    ip = "192.168.50.51";
+    ip = "192.168.50.151";
     gate = "192.168.50.1";
     ssh = 2201;
   };

modules/nixos/services/forgejo/default.nix

@@ -236,7 +236,7 @@ in
       secrets = builtins.listToAttrs (
         map
           (secret: {
-            name = "${service.name}-${secret}";
+            name = "${service.name}/${secret}"; # it's vaultwarden/env, not vaultwarden-env
             value = sopsPath secret;
           })
           [

modules/nixos/services/vaultwarden/default.nix

@@ -1,115 +1,11 @@
-{
-  flake,
-  config,
-  lib,
-  ...
-}:
 let
-  inherit (flake.config.services) instances;
-  service = instances.vaultwarden;
-  localhost = instances.web.localhost.address0;
-  host = service.domains.url0;
-  syncthing = instances.syncthing;
-
-  backupPath = "${syncthing.paths.path1}/${service.name}";
+  inherit (import ../../../helpers.nix) directoryImport;
+  modules = directoryImport ./.;
 in
 {
-  services = {
-    vaultwarden = {
-      backupDir = backupPath;
-      enable = true;
-      environmentFile = config.sops.secrets."${service.name}/env".path;
-      config = {
-        # Domain Configuration
-        DOMAIN = "https://${host}";
-
-        # Email Configuration
-        SMTP_AUTH_MECHANISM = "Plain";
-        SMTP_EMBED_IMAGES = true;
-        SMTP_FROM = instances.smtp.email.address0;
-        SMTP_FROM_NAME = service.label;
-        SMTP_HOST = instances.smtp.hostname;
-        SMTP_PORT = instances.smtp.ports.port1;
-        SMTP_SECURITY = instances.smtp.records.record1;
-        SMTP_USERNAME = instances.smtp.email.address0;
-
-        # Security Configuration
-        DISABLE_ADMIN_TOKEN = false;
-
-        # Event and Backup Management
-        EVENTS_DAYS_RETAIN = 90;
-
-        # User Features
-        SENDS_ALLOWED = true;
-        SIGNUPS_VERIFY = true;
-        WEB_VAULT_ENABLED = true;
-
-        # Rocket (Web Server) Settings
-        ROCKET_ADDRESS = localhost;
-        ROCKET_PORT = service.ports.port0;
-      };
-    };
-    caddy = {
-      virtualHosts = {
-        "${host}" = {
-          extraConfig = ''
-            reverse_proxy ${localhost}:${toString service.ports.port0} {
-              header_up X-Real-IP {remote_host}
-            }
-
-            tls ${service.ssl.cert} ${service.ssl.key}
-
-            encode zstd gzip
-          '';
-        };
-      };
-    };
-  };
-
-  sops =
-    let
-      sopsPath = secret: {
-        path = "${service.sops.path0}/${service.name}-${secret}";
-        owner = service.name;
-        mode = "600";
-      };
-    in
-    {
-      secrets = builtins.listToAttrs (
-        map
-          (secret: {
-            name = "${service.name}/${secret}";
-            value = sopsPath secret;
-          })
-          [
-            "env"
-          ]
-      );
-    };
-
-  systemd = {
-    tmpfiles.rules = [
-      "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
-      "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
-    ];
-    services.backup-vaultwarden = {
-      serviceConfig = {
-        Group = lib.mkForce syncthing.name;
-      };
-      wantedBy = lib.mkForce [ ];
-      after = [ "${service.name}.service" ];
-    };
-  };
-
-  users.users.${service.name}.extraGroups = [
-    syncthing.name
-  ];
-
-  networking = {
-    firewall = {
-      allowedTCPPorts = [
-        service.ports.port0
-      ];
-    };
+  imports = builtins.attrValues {
+    inherit (modules)
+      vaultwardenCeres
+      ;
   };
 }

modules/nixos/services/vaultwarden/vaultwardenCeres/default.nix

@@ -0,0 +1,5 @@
+{ ... }:
+{
+  # Ensure Caddy can access the ACME certificates
+  users.users.caddy.extraGroups = [ "acme" ];
+}