From 18148b03af697e2f0ea4bdbfee33e0cd6df82d1b Mon Sep 17 00:00:00 2001
From: "RingOfStorms (Joshua Bell)"
Date: Tue, 11 Mar 2025 09:22:06 -0500
Subject: [PATCH] updates to vault and tailscale
---
 components/nix/tailscale.nix | 1 +
 hosts/lio/flake.nix | 9 +++
 hosts/oracle/o001/vaultwarden.nix | 98 +++++++++++++------------------
 3 files changed, 51 insertions(+), 57 deletions(-)
diff --git a/components/nix/tailscale.nix b/components/nix/tailscale.nix
index 3a0c29c..d19b3c7 100644
--- a/components/nix/tailscale.nix
+++ b/components/nix/tailscale.nix
@@ -28,6 +28,7 @@
 # https://tailscale.com/kb/1241/tailscale-up
 extraUpFlags = lib.mkIf config.components.tailscale.useHeadscale [
 "--login-server=https://headscale.joshuabell.xyz"
+ "--no-logs-support"
 ];
 };
 networking.firewall.trustedInterfaces = [ config.services.tailscale.interfaceName ];
diff --git a/hosts/lio/flake.nix b/hosts/lio/flake.nix
index f95433c..d900cb5 100644
--- a/hosts/lio/flake.nix
+++ b/hosts/lio/flake.nix
@@ -66,6 +66,14 @@
 # Allow emulation of aarch64-linux binaries for cross compiling
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+ programs._1password.enable = true;
+ programs._1password-gui = {
+ enable = true;
+ # Certain features, including CLI integration and system authentication support,
+ # require enabling PolKit integration on some desktop environments (e.g. Plasma).
+ polkitPolicyOwners = [ "josh" ];
+ };
+
 mods = {
 common = {
 disableRemoteBuildsOnLio = true;
@@ -99,6 +107,7 @@
 openscad
 vlc
 bitwarden
+ vaultwarden
 ];
 };
 };
diff --git a/hosts/oracle/o001/vaultwarden.nix b/hosts/oracle/o001/vaultwarden.nix
index 5079366..e1703b3 100644
--- a/hosts/oracle/o001/vaultwarden.nix
+++ b/hosts/oracle/o001/vaultwarden.nix
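Review bot: `"--no-logs-support"` is added to extraUpFlags with no comment, and because the whole list is gated on `useHeadscale` a reader cannot tell whether the flag belongs to the self-hosted control server setup or was just bundled in with it. A one-line comment above it, e.g. `# self-hosted control plane: do not upload support logs to Tailscale`, would record the intent; I am inferring the flag's purpose from its name, so adjust the wording to what was actually meant. The enclosing tailscale service block starts and ends outside this hunk.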
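Review bot: In the second flake.nix hunk `vaultwarden` is added to a package list that otherwise holds desktop applications (`openscad`, `vlc`, `bitwarden`), and in nixpkgs that attribute is the Vaultwarden server, not a client. If a client was intended, `bitwarden` directly above already provides it and the new line should be dropped; if the server binary really is wanted on this workstation (for example to run backup or migration commands locally), a comment such as `vaultwarden # server binary, used for local admin/backup tooling` would stop the next reader from removing it as a mistake. The enclosing package list begins outside the hunk.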
@@ -1,85 +1,69 @@
 {
- lib,
- config,
 ...
 }:
 let
 name = "vaultwarden";
+ user = name;
+ uid = 114;
 hostDataDir = "/var/lib/${name}";
- hostAddress = "192.168.100.2";
- localAddress = "192.168.100.111";
- binds = [
- {
- host = "${hostDataDir}";
- container = "/data";
- user = "vaultwarden";
- uid = 114;
- }
- ];
+ v_port = 8222;
 in
 {
- users = lib.foldl (
- acc: bind:
- {
- users.${bind.user} = {
- isSystemUser = true;
- home = bind.host;
- createHome = true;
- group = bind.user;
- uid = bind.uid;
- };
- groups.${bind.user}.gid = bind.uid;
- }
- // acc
- ) { } binds;
+ users = {
+ users.${user} = {
+ isSystemUser = true;
+ group = user;
+ inherit uid;
+ };
+ groups.${user}.gid = uid;
+ };
+ system.activationScripts.createMediaServerDirs = ''
+ mkdir -p ${hostDataDir}/data
+ mkdir -p ${hostDataDir}/backups
+ chown -R ${toString uid}:${toString uid} ${hostDataDir}
+ chmod -R 750 ${hostDataDir}
+ '';
 containers.${name} = {
 ephemeral = true;
 autoStart = true;
- privateNetwork = true;
- inherit localAddress hostAddress;
- bindMounts = lib.foldl (
- acc: bind:
- {
- "${bind.container}" = {
- hostPath = bind.host;
- isReadOnly = false;
- };
- }
- // acc
- ) { } binds;
+ privateNetwork = false;
+ bindMounts = {
+ "/var/lib/vaultwarden" = {
+ hostPath = "${hostDataDir}/data";
+ isReadOnly = false;
+ };
+ "/var/lib/backups/vaultwarden" = {
+ hostPath = "${hostDataDir}/backups";
+ isReadOnly = false;
+ };
+ };
 config = { ...
 }: {
 system.stateVersion = "24.11";
- users = lib.foldl (
- acc: bind:
- {
- users.${bind.user} = {
- isSystemUser = true;
- home = bind.container;
- uid = bind.uid;
- group = bind.user;
- };
- groups.${bind.user}.gid = bind.uid;
- }
- // acc
- ) { } binds;
+ users = {
+ users.${user} = {
+ isSystemUser = true;
+ group = user;
+ inherit uid;
+ };
+ groups.${user}.gid = uid;
+ };
 services.vaultwarden = {
 enable = true;
 dbBackend = "sqlite";
- backupDir = "/data/backups";
+ backupDir = "/var/lib/backups/vaultwarden";
 config = {
 DOMAIN = "https://vault.joshuabell.xyz";
 SIGNUPS_ALLOWED = false;
+ ROCKET_PORT = builtins.toString v_port;
+ ROCKET_ADDRESS = "127.0.0.1";
+ # ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$2DU5GEIKJeMoxqHrAacAYpX4BsSbOgoRmM2+4wjbAvY$9ZyWVV4xIx4M7/WGfvznOhEvrVx+4DrHcBPmeKKUMYE";
 };
 };
- networking.firewall = {
- enable = true;
- allowedTCPPorts = [ 8222 ];
- };
 };
 };
@@ -89,7 +73,7 @@ in
 locations = {
 "/" = {
 proxyWebsockets = true;
- proxyPass = "http://${localAddress}:8222"; # vaultwarden TODO left off here the port is 8000 depsite the docs showing 8222 as default, set ecplisit
+ proxyPass = "http://127.0.0.1:${builtins.toString v_port}";
 };
 };
 };
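Review bot: The commented-out `ADMIN_TOKEN` line inside `services.vaultwarden.config` commits a complete argon2id PHC string (salt and hash) to the repository, and if it is ever uncommented the NixOS module writes `config` to a world-readable store path, so the hash would be readable by every local user on o001. Keep the token out of the Nix expression altogether: delete that line, set `environmentFile = "/PLACEHOLDER/vaultwarden.env"; # root-only, outside the store` (a placeholder path) to a file holding the `ADMIN_TOKEN=` entry, and if this hash belongs to a token that was ever in use, replace that token. With `privateNetwork = false` the container shares the host network namespace, so the `ROCKET_ADDRESS = "127.0.0.1"` bind is now the only thing keeping port 8222 off external interfaces (the in-container firewall block was removed); a comment such as `# host netns (privateNetwork = false): loopback bind keeps 8222 internal, nginx proxies to it` next to it would make that dependency explicit. The activation script is named `createMediaServerDirs`, which looks copied from another host module and would collide with any other module defining the same name, and `chmod -R 750` reruns on every switch and sets the execute bit on regular files under the data directory, so `createVaultwardenDirs` with `chmod -R u=rwX,g=rX,o= ${hostDataDir}` (or `systemd.tmpfiles.rules`) would be both clearer and narrower. The container `config = { ... }:` module closes at the end of this hunk, while the nginx virtualHost in the second hunk starts outside it.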