feat: refactored abstractions

2025-06-16 18:15:13 -05:00 · 2024-10-19 18:22:29 -05:00 · 2024-10-19 18:22:29 -05:00 · 2e0ba5f89e
commit 2e0ba5f89e
parent f3897c1e0c
23 changed files with 324 additions and 310 deletions
--- a/nixos/modules/services/vaultwarden.nix
+++ b/nixos/modules/services/vaultwarden.nix
@ -3,18 +3,16 @@
  config,
  ...
 }: let
-  inherit (flake.config.people) user0;
-  inherit (flake.config.people.user.${user0}) domain email;
-  inherit (flake.config.system.device) wildcard;
-  inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl;
-  localhost = wildcard.ip.address0;
-  host = "${subdomain}.${domain.url0}";
+  inherit (flake.config.service.instance) vaultwarden web;
+  service = vaultwarden;
+  localhost = web.localhost.address0;
+  host = "${service.subdomain}.${web.domains.url0}";
 in {
  services = {
    vaultwarden = {
-      backupDir = paths.path0;
+      backupDir = service.paths.path0;
      enable = true;
-      environmentFile = config.sops.secrets."${name}/env".path;
+      environmentFile = config.sops.secrets."${service.name}/env".path;
      config = {
        # Domain Configuration
        DOMAIN = "https://${host}";
@ -22,12 +20,12 @@ in {
        # Email Configuration
        SMTP_AUTH_MECHANISM = "Plain";
        SMTP_EMBED_IMAGES = true;
-        SMTP_FROM = email.address3;
+        SMTP_FROM = service.email.address0;
        SMTP_FROM_NAME = "Vaultwarden";
        SMTP_HOST = "smtp.protonmail.ch";
        SMTP_PORT = 587;
        SMTP_SECURITY = "starttls";
-        SMTP_USERNAME = email.address3;
+        SMTP_USERNAME = service.email.address0;

        # Security Configuration
        DISABLE_ADMIN_TOKEN = false;
@ -42,18 +40,18 @@ in {

        # Rocket (Web Server) Settings
        ROCKET_ADDRESS = localhost;
-        ROCKET_PORT = ports.port0;
+        ROCKET_PORT = service.ports.port0;
      };
    };
    caddy = {
      virtualHosts = {
        "${host}" = {
          extraConfig = ''
-            reverse_proxy ${localhost}:${toString ports.port0} {
+            reverse_proxy ${localhost}:${toString service.ports.port0} {
              header_up X-Real-IP {remote_host}
            }

-            tls ${ssl.cert} ${ssl.key}
+            tls ${service.ssl.cert} ${service.ssl.key}

            encode zstd gzip
          '';
@ -65,15 +63,15 @@ in {
  sops = let
    sopsSecrets = ["env"];
    sopsPath = secret: {
-      path = "${sops.path0}/${name}-${secret}";
-      owner = name;
+      path = "${service.sops.path0}/${service.name}-${secret}";
+      owner = service.name;
      mode = "600";
    };
  in {
    secrets = builtins.listToAttrs (
      map
      (secret: {
-        name = "${name}/${secret}";
+        name = "${service.name}/${secret}";
        value = sopsPath secret;
      })
      sopsSecrets
@ -81,14 +79,14 @@ in {
  };

  systemd.tmpfiles.rules = [
-    "Z ${paths.path0} 0755 ${name} ${name} -"
-    "Z ${sops.path0} 755 ${name} ${name} -"
+    "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
+    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  ];

  networking = {
    firewall = {
      allowedTCPPorts = [
-        ports.port0
+        service.ports.port0
      ];
    };
  };