feat: adds borgbackup job for vaultwarden

2025-12-04 15:00:13 +01:00 · 2025-08-17 14:11:42 +02:00 · 2025-08-17 14:11:42 +02:00 · 5cc46993c8
commit 5cc46993c8
parent fa9bff88da
1 changed files with 63 additions and 27 deletions
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@ -1,34 +1,70 @@
 { config, ... }:
 {
-  services.vaultwarden = {
+  config,
-    enable = true;
+  host,
-    dbBackend = "sqlite";
+  pkgs,
-    config = {
+  username,
-      SIGNUPS_ALLOWED = false;
+  ...
-      ENABLE_WEBSOCKET = true;
+}:
-      SENDS_ALLOWED = true;
+let
-      INVITATIONS_ENABLED = true;
+  baseRepo = "ssh://liv@dandelion:9123/spinners/rootvol/backups/${host}";
-      EMERGENCY_ACCESS_ALLOWED = true;
+in
-      EMAIL_ACCESS_ALLOWED = true;
+{
-      DOMAIN = "https://passwords.liv.town";
+  services = {
-      ROCKET_ADDRESS = "0.0.0.0";
+    vaultwarden = {
-      ROCKET_PORT = 8003;
+      enable = true;
      dbBackend = "sqlite";
      config = {
        SIGNUPS_ALLOWED = false;
        ENABLE_WEBSOCKET = true;
        SENDS_ALLOWED = true;
        INVITATIONS_ENABLED = true;
        EMERGENCY_ACCESS_ALLOWED = true;
        EMAIL_ACCESS_ALLOWED = true;
        DOMAIN = "https://passwords.liv.town";
        ROCKET_ADDRESS = "0.0.0.0";
        ROCKET_PORT = 8003;
      };
    };
-  };
+    nginx = {
-  services.nginx = {
+      enable = true;
-    enable = true;
+      recommendedProxySettings = true;
-    recommendedProxySettings = true;
+      recommendedTlsSettings = true;
-    recommendedTlsSettings = true;
+      virtualHosts = {
-    virtualHosts = {
+        "passwords.liv.town" = {
-      "passwords.liv.town" = {
+          forceSSL = true;
-        forceSSL = true;
+          sslCertificate = "/var/lib/acme/liv.town/cert.pem";
-        sslCertificate = "/var/lib/acme/liv.town/cert.pem";
+          sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
-        sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
+          locations."/" = {
-        locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
-          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+            proxyWebsockets = true;
-          proxyWebsockets = true;
+          };
        };
      };
    };
    borgbackup.jobs."violet-vaultwarden" = {
      paths = [ "/var/lib/bitwarden_rs" ];
      repo = "${baseRepo}/var-vaultwarden";
      encryption.mode = "none";
      compression = "auto,zstd";
      startAt = "daily";
      preHook = ''
        systemctl stop vaultwarden
      '';
      postHook = ''
        systemctl start vaultwarden
        if [ $exitStatus -eq 2 ]; then
          ${pkgs.ntfy-sh}/bin/ntfy send https://notify.liv.town/${host} "borgbackup: ${host} backup (vaultwarden) failed with errors"
        else
          ${pkgs.ntfy-sh}/bin/ntfy send https://notify.liv.town/${host} "borgbackup: ${host} backup (vaultwarden) completed succesfully with exit status $exitStatus"
        fi
      '';
      user = "root";
      extraCreateArgs = [
        "--stats"
      ];
      environment = {
        BORG_RSH = "ssh -p 9123 -i /home/${username}/.ssh/id_ed25519";
      };
    };
  };
 }