# Host-side NixOS module: runs Vaultwarden inside a NixOS container that is
# NAT'ed out through the host's uplink and fronted by ../nginx/vaultwarden.nix.
{ pkgs, lib, configVars, inputs, ... }:
let
  containerName = "vaultwarden";
  # Every file under users/keys is read verbatim into root's authorized_keys
  # inside the container.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  addrs = configVars.networking.addresses;
  hostAddress = addrs.vaultwarden.hostAddress;
  localAddress = addrs.vaultwarden.localAddress;
  vaultwardenPort = addrs.vaultwarden.port;
  cloudnixIp = addrs.cloudnix.ip;
  inherit (inputs) sops-nix;
in
{
  imports = [ ../nginx/vaultwarden.nix ];

  # Masquerade the container veth (ve-*) through the host's external interface.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "enp1s0"; # uplink name is fixed here, not taken from configVars
  };

  # Keep the container's state directory (Vaultwarden database included)
  # on the persistent volume.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    inherit hostAddress localAddress;
    nixpkgs = pkgs.path;

    # The host's ed25519 host key is exposed read-only so sops-nix inside the
    # container can derive its age identity from it (see sops.age below).
    # NOTE(review): sshd is also enabled in the container and this is the
    # conventional host-key path, so the container presumably presents the
    # host's SSH identity, and a container compromise exposes that key —
    # confirm this sharing is intended.
    bindMounts."/etc/ssh/ssh_host_ed25519_key" = {
      hostPath = "/etc/ssh/ssh_host_ed25519_key";
      isReadOnly = true;
    };

    config = { pkgs, lib, ... }:
      let
        secretsDirectory = builtins.toString inputs.nix-secrets;
        secretsFile = "${secretsDirectory}/secrets.yaml";
      in
      {
        imports = [ sops-nix.nixosModules.sops ];

        networking = {
          defaultGateway = cloudnixIp;
          # Only the Vaultwarden port is reachable over the veth; everything
          # else is dropped by the container firewall.
          firewall = {
            enable = true;
            allowedTCPPorts = [ vaultwardenPort ];
          };
          # Resolve DNS with resolved instead of inheriting the host's resolv.conf.
          useHostResolvConf = lib.mkForce false;
        };
        services.resolved.enable = true;

        sops = {
          defaultSopsFile = secretsFile;
          # Skip build-time validation of the sops file.
          validateSopsFiles = false;
          age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
        };

        environment.systemPackages = with pkgs; [ vim git lsof ];

        services.vaultwarden = {
          enable = true;
          dbBackend = "sqlite";
          config = {
            # Listen on all interfaces of the container's private namespace;
            # exposure is bounded by the firewall rule above.
            ROCKET_ADDRESS = "0.0.0.0";
            ROCKET_PORT = vaultwardenPort;
            ROCKET_LOG = "critical";
            # NOTE(review): no SIGNUPS_ALLOWED / ADMIN_TOKEN is set here, so
            # registration and admin-panel policy fall back to Vaultwarden's
            # defaults — confirm the intended policy is configured elsewhere.
          };
        };

        # Key-only SSH into the container.
        services.openssh = {
          enable = true;
          settings.PasswordAuthentication = false;
        };
        users.users.root.openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

        system.stateVersion = "24.05";
      };
  };
}