nixos-vps/docs/superpowers/specs/2026-03-18-vaultwarden-design.md
ashisgreat22 5b584cdb11 Update Vaultwarden spec with review feedback
- Add module header comment pattern
- Clarify Nginx WebSocket integration with concrete example
- Add SOPS secrets and templates declarations
- Update Files to Modify table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 03:06:55 +01:00

3.2 KiB

Vaultwarden Module Design

Overview

Add Vaultwarden (a lightweight Bitwarden-compatible password manager) as a NixOS module following the existing Podman container pattern.

Requirements

  • Domain: vault.ashisgreat.xyz
  • WebSocket support for real-time sync
  • Admin panel enabled
  • No email functionality needed

Module Header Comment

# Vaultwarden Module (Podman)
# Provides: Bitwarden-compatible password manager
#
# Usage:
#   myModules.vaultwarden = {
#     enable = true;
#     port = 8222;
#     websocketPort = 3012;
#     domain = "vault.example.com";
#   };

Module Options

options.myModules.vaultwarden = {
  enable = lib.mkEnableOption "Vaultwarden password manager";

  domain = lib.mkOption {
    type = lib.types.str;
    example = "vault.example.com";
    description = "Public domain for Vaultwarden";
  };

  port = lib.mkOption {
    type = lib.types.port;
    default = 8222;
    description = "HTTP port for Vaultwarden web interface";
  };

  websocketPort = lib.mkOption {
    type = lib.types.port;
    default = 3012;
    description = "WebSocket port for real-time sync";
  };
};

Architecture

Container Configuration

  • Image: vaultwarden/server:latest
  • Ports:
    • HTTP: 127.0.0.1:8222 → 80
    • WebSocket: 127.0.0.1:3012 → 3012
  • Volumes:
    • vaultwarden-data:/data - Persistent storage for SQLite database
  • Environment:
    • ADMIN_TOKEN - From SOPS secret
    • SHOW_PASSWORD_HINT=false - Disabled since there is no email: with this on, hints would be shown in-page to anyone who enters the account's address
    • SIGNUPS_ALLOWED=true - Open registration so the first account can be created; it can be switched off from the admin panel once the intended accounts exist

Nginx Integration

The module adds the domain to myModules.nginx.domains with WebSocket support via extraConfig:

myModules.nginx.domains = {
  "${cfg.domain}" = {
    port = cfg.port;
    # extraConfig is raw nginx configuration text, so the directives use
    # nginx's own snake_case names and each one ends with a semicolon
    extraConfig = ''
      location /notifications/hub {
        proxy_pass http://127.0.0.1:${toString cfg.websocketPort};
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
      }
    '';
  };
};

This configures:

  • Main location / → proxy to HTTP port (handled by nginx module)
  • WebSocket location /notifications/hub → proxy to WebSocket port with upgrade headers

Secrets

SOPS secret declaration (in configuration.nix):

sops.secrets.vaultwarden_admin_token = { };

SOPS template (in configuration.nix):

sops.templates."vaultwarden.env" = {
  content = ''
    ADMIN_TOKEN=${config.sops.placeholder.vaultwarden_admin_token}
  '';
};

Secret required in secrets/secrets.yaml:

  • vaultwarden_admin_token - Token for accessing the admin panel at /admin
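The options, container, Nginx domain and SOPS template described above, assembled into a single module. This is an added example, not the repository's actual modules/vaultwarden.nix. It assumes that the repository's myModules.podman module sets Podman as the oci-containers backend, that myModules.nginx.domains.<name>.port and .extraConfig behave as the Nginx Integration section describes, that the container picks up ADMIN_TOKEN from the sops-nix rendered template through environmentFiles, and it adds the DOMAIN variable (not mentioned on the page) because Vaultwarden needs its public URL for features such as WebAuthn; the assertion is likewise an addition so a missing template fails at evaluation rather than at runtime.

```nix
# modules/vaultwarden.nix -- added example, not the repository's own file.
# Assumptions (not from the spec): myModules.podman sets
# virtualisation.oci-containers.backend = "podman"; myModules.nginx.domains
# has the port/extraConfig semantics the spec describes; sops-nix is imported.
{ config, lib, ... }:

let
  cfg = config.myModules.vaultwarden;
in
{
  options.myModules.vaultwarden = {
    enable = lib.mkEnableOption "Vaultwarden password manager";

    domain = lib.mkOption {
      type = lib.types.str;
      example = "vault.example.com";
      description = "Public domain for Vaultwarden";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8222;
      description = "HTTP port for Vaultwarden web interface";
    };

    websocketPort = lib.mkOption {
      type = lib.types.port;
      default = 3012;
      description = "WebSocket port for real-time sync";
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail at evaluation time if configuration.nix did not declare the
    # template that carries ADMIN_TOKEN (added check, not in the spec).
    assertions = [{
      assertion = config.sops.templates ? "vaultwarden.env";
      message = "myModules.vaultwarden requires sops.templates.\"vaultwarden.env\" providing ADMIN_TOKEN";
    }];

    virtualisation.oci-containers.containers.vaultwarden = {
      image = "vaultwarden/server:latest";
      autoStart = true;

      # Bind to loopback only: the container is reachable solely through nginx.
      ports = [
        "127.0.0.1:${toString cfg.port}:80"
        "127.0.0.1:${toString cfg.websocketPort}:3012"
      ];

      # Named volume holding the SQLite database and attachments.
      volumes = [ "vaultwarden-data:/data" ];

      environment = {
        # DOMAIN is an addition: Vaultwarden needs its public URL.
        DOMAIN = "https://${cfg.domain}";
        SHOW_PASSWORD_HINT = "false";
        SIGNUPS_ALLOWED = "true";
        # Older images serve /notifications/hub on a separate port only with this set.
        WEBSOCKET_ENABLED = "true";
      };

      # ADMIN_TOKEN comes from the sops-nix rendered file at activation time,
      # so the secret never lands in the world-readable Nix store.
      environmentFiles = [ config.sops.templates."vaultwarden.env".path ];
    };

    # Register the domain with the repo's nginx module; extraConfig is raw
    # nginx text, so it uses nginx directive names and trailing semicolons.
    myModules.nginx.domains."${cfg.domain}" = {
      port = cfg.port;
      extraConfig = ''
        location /notifications/hub {
          proxy_pass http://127.0.0.1:${toString cfg.websocketPort};
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
        }
      '';
    };
  };
}
```

Imported from modules/default.nix and enabled from configuration.nix alongside the sops.secrets and sops.templates declarations above, this evaluates with `nixos-rebuild dry-build` before anything is deployed; the loopback-only port bindings mean the only externally reachable surface is what nginx exposes for the domain.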

Files to Create/Modify

File                      Action
modules/vaultwarden.nix   Create - new module
modules/default.nix       Modify - add import
configuration.nix         Modify - enable module, add sops.secrets, add sops.templates
secrets/secrets.yaml      Modify - add admin token (manual)

Usage

After deployment:

  1. Navigate to https://vault.ashisgreat.xyz
  2. Create an account
  3. Access admin panel at https://vault.ashisgreat.xyz/admin with the admin token

Dependencies

  • myModules.podman - Container runtime
  • myModules.nginx - Reverse proxy (for domain registration)
  • SOPS-nix - Secrets management