Merge 3aa0a1837d into 423418f69e

Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from V28 to 30. This release includes the previously tagged commit.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](https://github.com/cachix/install-nix-action/compare/V28...v30)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@V28
+      - uses: cachix/install-nix-action@v30
         with:
           nix_path: nixpkgs=channel:nixos-unstable
       - name: Free Disk Space

.github/workflows/update-flake.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: Install Nix
-        uses: cachix/install-nix-action@V28
+        uses: cachix/install-nix-action@v30
       - name: Update flake.lock
         uses: DeterminateSystems/update-flake-lock@v24
         with:

home/c/programs/rbw/default.nix

@@ -3,7 +3,7 @@
     enable = true;
     settings = {
       base_url = "https://vaultwarden.cleslie.uk";
-      email = "cal@callumleslie.me";
+      email = "vw@cleslie.uk";
       pinentry = pkgs.pinentry-gnome3;
     };
   };

hosts/hermes/default.nix

@@ -11,5 +11,6 @@
     ./media.nix
     ./headscale.nix
     ./forgejo.nix
+    ./vaultwarden.nix
   ];
 }

hosts/hermes/vaultwarden.nix

@@ -0,0 +1,29 @@
+{config, ...}: let
+  domain = "vaultwarden.cleslie.uk";
+in {
+  services = {
+    cloudflare-dyndns.domains = [domain];
+    vaultwarden = {
+      enable = true;
+      dbBackend = "sqlite";
+      config = {
+        DOMAIN = "https://${domain}";
+        SIGNUPS_ALLOWED = false;
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+        ROCKET_LOG = "critical";
+      };
+      environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+    };
+
+    caddy.virtualHosts.${domain}.extraConfig = ''
+      reverse_proxy localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
+      }
+    '';
+  };
+
+  age.secrets."vaultwarden-env" = {
+    file = ../../secrets/vaultwarden-env.age;
+  };
+}

secrets/secrets.nix

@@ -11,4 +11,5 @@ in {
   "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems;
   "forgejo-password.age".publicKeys = keys.c ++ [systems.hermes];
   "cloudflare-api.age".publicKeys = keys.c ++ [systems.hermes];
+  "vaultwarden-env.age".publicKeys = keys.c ++ [systems.hermes];
 }

secrets/vaultwarden-env.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg FyWjw52mFlS8j8s0hZZvu1C1jy4kFNHEMDyMer7uQjw
+5nZS6DoNscDHLmB77aRfOiG/CxRDpGmo/q+2D15MrZM
+-> ssh-ed25519 aSaoJQ yuB2O/EitRDPlpIjTQT7lz+gLBnVTaHMgJ2enexvWnk
++2BXZOWHuIDoQfZoh5X1XIuy2HJP+tJQh7ZJ6uxI48k
+--- u4zTk4QXTWj0SdzP/2aHnGsN6MHdyEAhGRzTgpIgCeE
+t8€·XRƒT ØÒv`;©];u]ó6DRzú³zl¦
×[…êˆé6O´Š3õÅ—f@ʦ•cEŒ‡X’CÌ
{õ‡#[gb§¹G,›©ÀÉèîAÎp ±±nЋ­<E280B9>ÁUƒ"ä†îøä÷ɺù_‘‹©°ØÉÉ”ó%™«ÖD<C396>LŽç,4Ù&ÆÅê<C385>êoNH‹¶&…<>!Pwz&¶¡ýÝÆÝ!¸S®H—(@~Ÿ~Þ{!