ci: bump cachix/install-nix-action from V28 to 30

Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from V28 to 30. This release includes the previously tagged commit. - [Release notes](https://github.com/cachix/install-nix-action/releases) - [Commits](https://github.com/cachix/install-nix-action/compare/V28...v30) --- updated-dependencies: - dependency-name: cachix/install-nix-action dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
vaultwarden
2025-12-18 20:09:21 +00:00 · 2024-10-15 16:45:24 +01:00 · 2024-10-15 16:32:53 +01:00
7 changed files with 41 additions and 3 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
-      - uses: cachix/install-nix-action@V28
+      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
      - name: Free Disk Space
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@ -12,7 +12,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Nix
-        uses: cachix/install-nix-action@V28
+        uses: cachix/install-nix-action@v30
      - name: Update flake.lock
        uses: DeterminateSystems/update-flake-lock@v24
        with:
--- a/home/c/programs/rbw/default.nix
+++ b/home/c/programs/rbw/default.nix
@ -3,7 +3,7 @@
    enable = true;
    settings = {
      base_url = "https://vaultwarden.cleslie.uk";
-      email = "cal@callumleslie.me";
+      email = "vw@cleslie.uk";
      pinentry = pkgs.pinentry-gnome3;
    };
  };
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@ -11,5 +11,6 @@
    ./media.nix
    ./headscale.nix
    ./forgejo.nix
+    ./vaultwarden.nix
  ];
 }
--- a/hosts/hermes/vaultwarden.nix
+++ b/hosts/hermes/vaultwarden.nix
@ -0,0 +1,29 @@
+{config, ...}: let
+  domain = "vaultwarden.cleslie.uk";
+in {
+  services = {
+    cloudflare-dyndns.domains = [domain];
+    vaultwarden = {
+      enable = true;
+      dbBackend = "sqlite";
+      config = {
+        DOMAIN = "https://${domain}";
+        SIGNUPS_ALLOWED = false;
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = 8222;
+        ROCKET_LOG = "critical";
+      };
+      environmentFile = "${config.age.secrets.vaultwarden-env.path}";
+    };
+
+    caddy.virtualHosts.${domain}.extraConfig = ''
+      reverse_proxy localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
+        header_up X-Real-IP {remote_host}
+      }
+    '';
+  };
+
+  age.secrets."vaultwarden-env" = {
+    file = ../../secrets/vaultwarden-env.age;
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -11,4 +11,5 @@ in {
  "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems;
  "forgejo-password.age".publicKeys = keys.c ++ [systems.hermes];
  "cloudflare-api.age".publicKeys = keys.c ++ [systems.hermes];
+  "vaultwarden-env.age".publicKeys = keys.c ++ [systems.hermes];
 }
--- a/secrets/vaultwarden-env.age
+++ b/secrets/vaultwarden-env.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 /RyXeg FyWjw52mFlS8j8s0hZZvu1C1jy4kFNHEMDyMer7uQjw
+5nZS6DoNscDHLmB77aRfOiG/CxRDpGmo/q+2D15MrZM
+-> ssh-ed25519 aSaoJQ yuB2O/EitRDPlpIjTQT7lz+gLBnVTaHMgJ2enexvWnk
+2BXZOWHuIDoQfZoh5X1XIuy2HJP+tJQh7ZJ6uxI48k
+--- u4zTk4QXTWj0SdzP/2aHnGsN6MHdyEAhGRzTgpIgCeE
+t8€·XRƒT ØÒv`;©];u]ó6DRzú³zl¦×[…êˆé6O´Š3õÅ—f@Ê¦•cEŒ‡X’CÌ{õ‡#[gb§¹G,›©ÀÉèîAÎp ±±nÐ‹<E280B9>ÁUƒ"ä†îøä÷Éºù_‘‹©°ØÉÉ”ó%™«ÖD<C396>LŽç,4Ù&ÆÅê<C385>êoNH‹¶&…<>!Pwz&¶¡ýÝÃ†Ý!¸S®H—(@~Ÿ~Þ{!