feat: vaultwarden microVM works!

2025-12-06 21:17:14 -06:00 · 2025-11-08 02:25:01 -06:00 · 2025-11-08 02:25:01 -06:00 · 90a6524759
commit 90a6524759
parent 6086fc1d99
6 changed files with 186 additions and 198 deletions
--- a/systems/ceres/default.nix
+++ b/systems/ceres/default.nix
@ -1,26 +1,17 @@
 { lib, ... }:
 let
  configPath = ./config;
-  microVMsPath = ./microvms;

-  ceresImports =
+  deimosImports =
    let
      files = builtins.attrNames (builtins.readDir configPath);
    in
    map (name: configPath + "/${name}") (
      builtins.filter (name: builtins.match ".*\\.nix$" name != null) files
    );
-
-  microVMImports =
-    let
-      files = builtins.attrNames (builtins.readDir microVMsPath);
-    in
-    map (name: microVMsPath + "/${name}") (
-      builtins.filter (name: builtins.match ".*\\.nix$" name != null) files
-    );
 in
 {
-  imports = ceresImports ++ microVMImports;
+  imports = deimosImports;
  nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
  system.stateVersion = lib.mkForce "24.05";
 }
--- a/systems/ceres/microvms/vaultwarden.nix
+++ b/systems/ceres/microvms/vaultwarden.nix
@ -1,172 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  flake,
-  ...
-}:
-let
-  vaultwardenCfg = flake.config.services.instances.vaultwarden;
-  smtpCfg = flake.config.services.instances.smtp;
-  inherit (flake.config.people) user0;
-in
-{
-  microvm.vms.vaultwarden = {
-    autostart = true;
-    restartIfChanged = true;
-
-    config = {
-      system.stateVersion = "24.05";
-      time.timeZone = "America/Winnipeg";
-
-      users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
-
-      # Vaultwarden service configuration
-      services.vaultwarden = {
-        enable = true;
-        dbBackend = "sqlite";
-
-        config = {
-          # Domain Configuration
-          DOMAIN = "https://${vaultwardenCfg.domains.url0}";
-
-          # Email Configuration
-          SMTP_AUTH_MECHANISM = "Plain";
-          SMTP_EMBED_IMAGES = true;
-          SMTP_FROM = vaultwardenCfg.email.address0;
-          SMTP_FROM_NAME = vaultwardenCfg.label;
-          SMTP_HOST = smtpCfg.hostname;
-          SMTP_PORT = smtpCfg.ports.port1;
-          SMTP_SECURITY = smtpCfg.records.record1;
-          SMTP_USERNAME = smtpCfg.email.address0;
-
-          # Security Configuration
-          DISABLE_ADMIN_TOKEN = false;
-
-          # Event and Backup Management
-          EVENTS_DAYS_RETAIN = 90;
-
-          # User Features
-          SENDS_ALLOWED = true;
-          SIGNUPS_VERIFY = true;
-          WEB_VAULT_ENABLED = true;
-
-          # Rocket (Web Server) Settings
-          ROCKET_ADDRESS = "0.0.0.0";
-          ROCKET_PORT = vaultwardenCfg.ports.port0;
-        };
-
-        # Environment file with secrets (mounted from host)
-        environmentFile = "/run/secrets/vaultwarden/env";
-      };
-
-      # SSH access
-      services.openssh = {
-        enable = true;
-        settings = {
-          PasswordAuthentication = false;
-          PermitRootLogin = "prohibit-password";
-        };
-      };
-
-      networking.firewall.allowedTCPPorts = [
-        22
-        vaultwardenCfg.ports.port0
-      ];
-
-      systemd.network = {
-        enable = true;
-        networks."20-lan" = {
-          matchConfig.Name = "enp0s5";
-          addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ];
-          routes = [
-            {
-              Destination = "0.0.0.0/0";
-              Gateway = vaultwardenCfg.interface.gate;
-            }
-          ];
-          dns = [
-            "1.1.1.1"
-            "8.8.8.8"
-          ];
-        };
-      };
-
-      # Actually start systemd-networkd service
-      systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
-
-      microvm = {
-        vcpu = 2;
-        mem = 1024;
-        hypervisor = "qemu";
-
-        interfaces = [
-          {
-            type = "tap";
-            id = vaultwardenCfg.interface.id;
-            mac = vaultwardenCfg.interface.mac;
-          }
-          {
-            type = "user";
-            id = vaultwardenCfg.interface.idUser;
-            mac = vaultwardenCfg.interface.macUser;
-          }
-        ];
-
-        forwardPorts = [
-          {
-            from = "host";
-            host.port = vaultwardenCfg.interface.ssh;
-            guest.port = 22;
-          }
-        ];
-
-        shares = [
-          {
-            mountPoint = "/nix/.ro-store";
-            proto = "virtiofs";
-            source = "/nix/store";
-            tag = "read_only_nix_store";
-          }
-          {
-            mountPoint = "/var/lib/bitwarden_rs";
-            proto = "virtiofs";
-            source = vaultwardenCfg.mntPaths.path0;
-            tag = "vaultwarden_data";
-          }
-          {
-            mountPoint = "/run/secrets";
-            proto = "virtiofs";
-            source = "/run/secrets";
-            tag = "host_secrets";
-          }
-        ];
-
-      };
-    };
-  };
-
-  # Host-side configuration
-  systemd.tmpfiles.rules = [
-    "d ${vaultwardenCfg.mntPaths.path0} 0755 root root -"
-  ];
-
-  services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = {
-    extraConfig = ''
-      reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} {
-        header_up X-Real-IP {remote_host}
-      }
-
-      tls ${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key}
-
-      encode zstd gzip
-    '';
-  };
-
-  sops.secrets = {
-    "vaultwarden/env" = {
-      owner = "root";
-      mode = "0600";
-    };
-  };
-}