Update Vaultwarden spec with review feedback

- Add module header comment pattern - Clarify Nginx WebSocket integration with concrete example - Add SOPS secrets and templates declarations - Update Files to Modify table Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 03:06:55 +01:00 · 2026-03-18 03:06:55 +01:00 · 5b584cdb11
commit 5b584cdb11
parent 2304648927
1 changed files with 52 additions and 7 deletions
--- a/docs/superpowers/specs/2026-03-18-vaultwarden-design.md
+++ b/docs/superpowers/specs/2026-03-18-vaultwarden-design.md
@ -11,10 +11,25 @@ Add Vaultwarden (a lightweight Bitwarden-compatible password manager) as a NixOS
 - Admin panel enabled
 - No email functionality needed

+## Module Header Comment
+
+```nix
+# Vaultwarden Module (Podman)
+# Provides: Bitwarden-compatible password manager
+#
+# Usage:
+#   myModules.vaultwarden = {
+#     enable = true;
+#     port = 8222;
+#     websocketPort = 3012;
+#     domain = "vault.example.com";
+#   };
+```
+
 ## Module Options

 ```nix
-myModules.vaultwarden = {
+options.myModules.vaultwarden = {
  enable = lib.mkEnableOption "Vaultwarden password manager";

  domain = lib.mkOption {
@ -54,16 +69,46 @@ myModules.vaultwarden = {

 ### Nginx Integration

-The module adds the domain to `myModules.nginx.domains` with:
- Main location `/` → proxy to HTTP port
+The module adds the domain to `myModules.nginx.domains` with WebSocket support via `extraConfig`:
+
+```nix
+myModules.nginx.domains = {
+  "${cfg.domain}" = {
+    port = cfg.port;
+    extraConfig = ''
+      location /notifications/hub {
+        proxyPass http://127.0.0.1:${toString cfg.websocketPort};
+        proxyHttpVersion 1.1;
+        proxySetHeader Upgrade $http_upgrade;
+        proxySetHeader Connection "upgrade";
+      }
+    '';
+  };
+};
+```
+
+This configures:
+- Main location `/` → proxy to HTTP port (handled by nginx module)
 - WebSocket location `/notifications/hub` → proxy to WebSocket port with upgrade headers

 ### Secrets

-One secret required in `secrets/secrets.yaml`:
- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin`
+**SOPS secret declaration** (in configuration.nix):
+```nix
+sops.secrets.vaultwarden_admin_token = { };
+```

-SOPS template `vaultwarden.env` will inject the admin token.
+**SOPS template** (in configuration.nix):
+```nix
+sops.templates."vaultwarden.env" = {
+  content = ''
+    ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token}
+  '';
+};
+```
+
+**Secret required** in `secrets/secrets.yaml`:
+- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin`

 ## Files to Create/Modify

@ -71,7 +116,7 @@ SOPS template `vaultwarden.env` will inject the admin token.
 |------|--------|
 | `modules/vaultwarden.nix` | Create - new module |
 | `modules/default.nix` | Modify - add import |
-| `configuration.nix` | Modify - enable module and add secrets |
+| `configuration.nix` | Modify - enable module, add sops.secrets, add sops.templates |
 | `secrets/secrets.yaml` | Modify - add admin token (manual) |

 ## Usage