From 2e984daca084a9af04632deaf4511795800051a0 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 7 Feb 2025 15:07:25 +0000
Subject: [PATCH] add vaultwarden and semitamaps containers
---
 .../optional/nixos-containers/semitamaps.nix | 75 ++++++++++++
 .../optional/nixos-containers/vaultwarden.nix | 110 ++++++++++++++++++
 2 files changed, 185 insertions(+)
 create mode 100644 hosts/common/optional/nixos-containers/semitamaps.nix
 create mode 100644 hosts/common/optional/nixos-containers/vaultwarden.nix
diff --git a/hosts/common/optional/nixos-containers/semitamaps.nix b/hosts/common/optional/nixos-containers/semitamaps.nix
new file mode 100644
index 0000000..993deec
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/semitamaps.nix
@@ -0,0 +1,75 @@
+{
+ pkgs,
+ lib,
+ ...
+}: let
+ containerName = "semitamaps";
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ hostAddress = configVars.networking.addresses.semitamaps.hostAddress;
+ localAddress = configVars.networking.addresses.semitamaps.localAddress;
+in {
+
+ networking = {
+ nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "enp1s0";
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = localAddress;
+ nixpkgs = pkgs.path;
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: {
+
+ networking = {
+ firewall = {
+ enable = true;
+ rejectPackets = true;
+ allowedTCPPorts = [
+ 80 443
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ imports = [
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/optional/nixos-containers/vaultwarden.nix b/hosts/common/optional/nixos-containers/vaultwarden.nix
new file mode 100644
index 0000000..0d132d5
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/vaultwarden.nix
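Review bot: `configVars` is referenced on the `hostAddress` and `localAddress` lines of the `let` block but is never bound — the module's argument set is only `{ pkgs, lib, ... }`, so evaluating this file fails with an undefined-variable error, whereas vaultwarden.nix in the same commit does declare it. Add it to the arguments: `{ pkgs, lib, configVars, ... }: let`. The container firewall also opens TCP 80 and 443 while the container only installs vim and git and has an empty `imports = [ ];`, so presumably the web service is still to come; a one-line comment such as `# ports for the semitamaps web frontend, service module to follow` would tell the next reader the open ports are intentional rather than leftover.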
@@ -0,0 +1,110 @@
+{
+ pkgs,
+ lib,
+ configVars,
+ inputs,
+ ...
+}: let
+ containerName = "vaultwarden";
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ hostAddress = configVars.networking.addresses.vaultwarden.hostAddress;
+ localAddress = configVars.networking.addresses.vaultwarden.localAddress;
+ vaultwardenPort = configVars.networking.addresses.vaultwarden.port;
+ cloudnixIp = configVars.networking.addresses.cloudnix.ip;
+ sops-nix = inputs.sops-nix;
+in {
+
+ networking = {
+ nat = {
+ enable = true;
+ internalInterfaces = ["ve-+"];
+ externalInterface = "enp1s0";
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = hostAddress;
+ localAddress = localAddress;
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/etc/ssh/ssh_host_ed25519_key" = {
+ hostPath = "/etc/ssh/ssh_host_ed25519_key";
+ isReadOnly = true;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ ...
+ }: let
+ secretsDirectory = builtins.toString inputs.nix-secrets;
+ secretsFile = "${secretsDirectory}/secrets.yaml";
+ in {
+
+ networking = {
+ defaultGateway = cloudnixIp;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ vaultwardenPort
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ sops = {
+ defaultSopsFile = "${secretsFile}";
+ validateSopsFiles = false;
+
+ age = {
+ sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ };
+ };
+
+ imports = [
+ sops-nix.nixosModules.sops
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ pkgs.lsof
+ ];
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = vaultwardenPort;
+ ROCKET_LOG = "critical";
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
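Review bot: The `bindMounts` entry hands the host's own SSH host private key (`/etc/ssh/ssh_host_ed25519_key`) to the container, and `sops.age.sshKeyPaths` then uses that same key for age decryption, so a compromise of the vaultwarden container yields the host's SSH identity plus the ability to decrypt whatever in the shared `secrets.yaml` was encrypted to that key, not just the vaultwarden secrets; since the container also runs `services.openssh`, its sshd will presumably present the host's key as well. Prefer a key dedicated to this container: generate a separate ed25519 key on the host at a container-specific path (e.g. `<container-key-path placeholder>`), bind-mount that instead, point `sshKeyPaths` at it, and add only its age recipient to the sops file, which bounds the blast radius to the secrets this container actually needs. Separately, `services.vaultwarden.config` leaves registration at Vaultwarden's default, which is open, while `vaultwardenPort` is opened in the container firewall; once the admin account exists, add `SIGNUPS_ALLOWED = false;` and a `DOMAIN` matching the public URL so the web vault and its signup policy match what is exposed. A short comment on `validateSopsFiles = false;` noting that the sops file lives outside the Nix store (hence the `builtins.toString` path) would explain why validation is disabled.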