From 000355c31814889cf625ee8767f452e0c9601532 Mon Sep 17 00:00:00 2001
From: Harivansh Rathi <rathiharivansh@gmail.com>
Date: Tue, 31 Mar 2026 15:15:59 -0400
Subject: [PATCH] self-host vault-warden

---
 hosts/netty/configuration.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/hosts/netty/configuration.nix b/hosts/netty/configuration.nix
index 421eef7..0850536 100644
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@@ -11,6 +11,7 @@ let
   packageSets = import ../../lib/package-sets.nix { inherit inputs lib pkgs; };
   sandboxDomain = "netty.harivan.sh";
   forgejoDomain = "git.harivan.sh";
+  vaultDomain = "vault.harivan.sh";
   forgejoApiUrl = "http://127.0.0.1:3000";
   sandboxAgentPackage = pkgs.callPackage ../../pkgs/sandbox-agent { };
   sandboxAgentDir = "/home/${username}/.config/sandbox-agent";
@@ -216,6 +217,25 @@ in
       forceSSL = true;
       locations."/".proxyPass = "http://127.0.0.1:3000";
     };
+
+    virtualHosts.${vaultDomain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:8222";
+    };
+  };
+
+  # --- Vaultwarden ---
+  services.vaultwarden = {
+    enable = true;
+    backupDir = "/var/backup/vaultwarden";
+    environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
+    config = {
+      DOMAIN = "https://${vaultDomain}";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+    };
   };
 
   # --- Forgejo ---