misc

Author: IogaMaster

hosts/equinox/config.nix

@@ -22,10 +22,13 @@ in {
       };
     };
     services = {
-      vaultwarden.enable = true;
+      vaultwarden = {
+        enable = true;
+        consulServerAddresses = [ "192.168.25.131" ];
+      };
       vault = {
         enable = true;
-        consulServerAddress = "192.168.25.131";
+        consulServerAddresses = [ "192.168.25.131" ];
       };
     };
     apps.tools.git.enable = true;

modules/services/vault.nix

@@ -1,6 +1,8 @@
 { lib, pkgs, secrets, ... }@args:
 lib.mkModule args "ioga.services.vault" {
-  options = with lib; { consulServerAddress = mkOpt' types.str ""; };
+  options = with lib; {
+    consulServerAddresses = mkOpt' (types.listOf types.str) [ ];
+  };
   config = { cfg }: {
     systemd.services.vault.serviceConfig.EnvironmentFile =
       "/run/secrets/vault/environment"; # only way to get the secret into the service
@@ -35,7 +37,7 @@ lib.mkModule args "ioga.services.vault" {
       enable = true;
       extraConfig = {
         server = false;
-        retry_join = [ cfg.consulServerAddress ];
+        retry_join = cfg.consulServerAddresses;
         bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
         services = [{
           name = "vault";

modules/services/vaultwarden.nix

@@ -1,13 +1,47 @@
-{ lib, colors, pkgs, ... }@args:
+{ lib, colors, pkgs, secrets, ... }@args:
 lib.mkModule args "ioga.services.vaultwarden" {
+  options = with lib; {
+    consulServerAddresses = mkOpt' (types.listOf types.str) [ ];
+  };
   config = { cfg }: {
-    services.vaultwarden = {
-      enable = true;
-      # Use the full URL for the domain, including the protocol
-      config = {
-        DOMAIN = "http://192.168.25.145:8222";
-        ROCKET_ADDRESS = "0.0.0.0"; # Listen on all network interfaces
-        ROCKET_PORT = 8222; # Default NixOS port for Vaultwarden
+    secrets.vaultwarden = { };
+    services = {
+      vaultwarden = {
+        enable = true;
+        config = {
+          DOMAIN = "http://192.168.25.145:8222";
+          ROCKET_ADDRESS = "0.0.0.0"; # Listen on all network interfaces
+          ROCKET_PORT = 8222; # Default NixOS port for Vaultwarden
+        };
+      };
+
+      consul = {
+        enable = true;
+        extraConfig = {
+          server = false;
+          retry_join = cfg.consulServerAddresses;
+          bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
+          services = [{
+            name = "vaultwarden";
+            port = 8222;
+            tags = [ "public" ];
+            check = {
+              http = "http://127.0.0.1:8222/alive";
+              interval = "10s";
+              timeout = "1s";
+            };
+          }];
+        };
+      };
+
+      restic.backups.vaultwarden = {
+        initialize = true;
+        environmentFile = "${secrets.vaultwarden}/environment";
+        passwordFile = "${secrets.vaultwarden}/password";
+        paths = [ "/var/lib/vaultwarden" ];
+
+        timerConfig.OnCalendar = "hourly";
+        pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 6" ];
       };
     };