Update Vaultwarden spec with review feedback

- Add module header comment pattern
- Clarify Nginx WebSocket integration with concrete example
- Add SOPS secrets and templates declarations
- Update Files to Modify table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ashisgreat22 2026-03-18 03:06:55 +01:00
parent 2304648927
commit 5b584cdb11

@ -11,10 +11,25 @@ Add Vaultwarden (a lightweight Bitwarden-compatible password manager) as a NixOS
- Admin panel enabled - Admin panel enabled
- No email functionality needed - No email functionality needed
## Module Header Comment
```nix
# Vaultwarden Module (Podman)
# Provides: Bitwarden-compatible password manager
#
# Usage:
# myModules.vaultwarden = {
# enable = true;
# port = 8222;
# websocketPort = 3012;
# domain = "vault.example.com";
# };
```
## Module Options ## Module Options
```nix ```nix
myModules.vaultwarden = { options.myModules.vaultwarden = {
enable = lib.mkEnableOption "Vaultwarden password manager"; enable = lib.mkEnableOption "Vaultwarden password manager";
domain = lib.mkOption { domain = lib.mkOption {
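Review bot: The Usage block in the new module header comment lists only `enable`, `port`, `websocketPort` and `domain`, and leaves out the SOPS prerequisite that the Secrets section of this same spec makes mandatory. Someone who copies the header example gets a module with the admin panel enabled and no `vaultwarden_admin_token` declared. Suggest adding a "Requires:" line to the header that names `sops.secrets.vaultwarden_admin_token` and `sops.templates."vaultwarden.env"`, and stating whether `8222` and `3012` are the option defaults or just sample values.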
@ -54,16 +69,46 @@ myModules.vaultwarden = {
### Nginx Integration ### Nginx Integration
The module adds the domain to `myModules.nginx.domains` with: The module adds the domain to `myModules.nginx.domains` with WebSocket support via `extraConfig`:
- Main location `/` → proxy to HTTP port
```nix
myModules.nginx.domains = {
"${cfg.domain}" = {
port = cfg.port;
extraConfig = ''
location /notifications/hub {
proxyPass http://127.0.0.1:${toString cfg.websocketPort};
proxyHttpVersion 1.1;
proxySetHeader Upgrade $http_upgrade;
proxySetHeader Connection "upgrade";
}
'';
};
};
```
This configures:
- Main location `/` → proxy to HTTP port (handled by nginx module)
- WebSocket location `/notifications/hub` → proxy to WebSocket port with upgrade headers - WebSocket location `/notifications/hub` → proxy to WebSocket port with upgrade headers
### Secrets ### Secrets
One secret required in `secrets/secrets.yaml`: **SOPS secret declaration** (in configuration.nix):
- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin` ```nix
sops.secrets.vaultwarden_admin_token = { };
```
SOPS template `vaultwarden.env` will inject the admin token. **SOPS template** (in configuration.nix):
```nix
sops.templates."vaultwarden.env" = {
content = ''
ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token}
'';
};
```
**Secret required** in `secrets/secrets.yaml`:
- `vaultwarden_admin_token` - Token for accessing the admin panel at `/admin`
## Files to Create/Modify ## Files to Create/Modify
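Review bot: In the added `extraConfig` string under Nginx Integration, `proxyPass`, `proxyHttpVersion` and `proxySetHeader` are not nginx directives. The string is written in nginx syntax (a `location` block with semicolon-terminated statements), so if `myModules.nginx` passes it through verbatim, nginx will reject the configuration with an unknown-directive error. The camelCase names look like they were carried over from Nix option naming; inside the string they should be `proxy_pass http://127.0.0.1:${toString cfg.websocketPort};`, `proxy_http_version 1.1;` and `proxy_set_header Upgrade $http_upgrade;`, plus the matching `proxy_set_header Connection "upgrade";`. Separately, the Secrets section should say what form the value of `vaultwarden_admin_token` takes: Vaultwarden accepts an Argon2 PHC string for `ADMIN_TOKEN`, and the spec should require that rather than a plaintext token, since the rendered `vaultwarden.env` holds the value on disk.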
@ -71,7 +116,7 @@ SOPS template `vaultwarden.env` will inject the admin token.
|------|--------| |------|--------|
| `modules/vaultwarden.nix` | Create - new module | | `modules/vaultwarden.nix` | Create - new module |
| `modules/default.nix` | Modify - add import | | `modules/default.nix` | Modify - add import |
| `configuration.nix` | Modify - enable module and add secrets | | `configuration.nix` | Modify - enable module, add sops.secrets, add sops.templates |
| `secrets/secrets.yaml` | Modify - add admin token (manual) | | `secrets/secrets.yaml` | Modify - add admin token (manual) |
## Usage ## Usage
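Review bot: The updated `configuration.nix` row ("enable module, add sops.secrets, add sops.templates") puts the secret and template declarations in the host configuration, so setting `enable = true` alone never yields a working deployment and each host has to repeat the same boilerplate. Consider declaring `sops.secrets.vaultwarden_admin_token` and `sops.templates."vaultwarden.env"` inside `modules/vaultwarden.nix`, guarded by the module's enable option, and reducing this row to "enable module". If they stay in `configuration.nix`, the spec should state how the module locates the rendered template, since nothing in the visible sections wires `vaultwarden.env` to the container.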