nixfiles/hosts/hetzner-arm/containers/vault/default.nix

{
  self,
  hostPath,
  tree,
  inputs,
  config,
  pkgs,
  ...
}: let
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.vault;
in {
  containers.vault = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    additionalCapabilities = ["CAP_IPC_LOCK"];

    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };

    config = {...}: {
      nixpkgs.pkgs = pkgs;

      imports = with tree;
        [
          presets.nixos.containerBase
          ./secrets.nix
        ]
        ++ (with hosts.hetzner-arm.containers.vault.profiles; [
          vault
          #internalCA
          restic
        ]);

      networking.firewall.allowedTCPPorts = [8200 8443];

      home-manager.users.root.home.stateVersion = "24.05";
      system.stateVersion = "24.05";
    };
  };

  services.nginx.virtualHosts."vault.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/".proxyPass = "http://${containerIP}:8200";
    };
  };

  # TODO: redo this
  #security.acme.certs."vault.genderfucked.monster" = {
  #  server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";
  #};

  #services.nginx.virtualHosts."vault.genderfucked.monster" = {
  #  forceSSL = true;
  #  enableACME = true;
  #  locations = {
  #    "/".proxyPass = "http://${containerIP}:8200";
  #  };
  #};
}
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00			`{`
			`self,`
			`hostPath,`
			`tree,`
			`inputs,`
			`config,`
			`pkgs,`
			`...`
			`}: let`
			`containerAddresses = import "${hostPath}/data/containerAddresses.nix";`
			`hostIP = containerAddresses.host;`
migrate away from hetzner storagebox and get rid of some gaming and media stuff 2024-07-06 17:20:28 +01:00			`containerIP = containerAddresses.containers.vault;`
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00			`in {`
migrate away from hetzner storagebox and get rid of some gaming and media stuff 2024-07-06 17:20:28 +01:00			`containers.vault = {`
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00			`autoStart = true;`
			`privateNetwork = true;`
			`hostAddress = hostIP;`
			`localAddress = containerIP;`
add vault cli to vault-ca container 2024-05-24 20:26:51 +01:00			`additionalCapabilities = ["CAP_IPC_LOCK"];`
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00
			`specialArgs = {`
			`inherit inputs;`
			`inherit tree;`
			`inherit self;`
			`inherit hostPath;`
			`};`

			`config = {...}: {`
			`nixpkgs.pkgs = pkgs;`

			`imports = with tree;`
			`[`
			`presets.nixos.containerBase`
			`./secrets.nix`
			`]`
migrate away from hetzner storagebox and get rid of some gaming and media stuff 2024-07-06 17:20:28 +01:00			`++ (with hosts.hetzner-arm.containers.vault.profiles; [`
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00			`vault`
			`#internalCA`
			`restic`
			`]);`

			`networking.firewall.allowedTCPPorts = [8200 8443];`

remove quassel, update stateVersion, move to new server, some tidying 2024-05-25 21:10:26 +01:00			`home-manager.users.root.home.stateVersion = "24.05";`
			`system.stateVersion = "24.05";`
attempt moving vault to hetzner-arm 2024-05-24 18:58:21 +01:00			`};`
			`};`

			`services.nginx.virtualHosts."vault.owo.monster" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations = {`
			`"/".proxyPass = "http://${containerIP}:8200";`
			`};`
			`};`

			`# TODO: redo this`
			`#security.acme.certs."vault.genderfucked.monster" = {`
			`# server = "https://internal-ca.genderfucked.monster:8443/acme/acme/directory";`
			`#};`

			`#services.nginx.virtualHosts."vault.genderfucked.monster" = {`
			`# forceSSL = true;`
			`# enableACME = true;`
			`# locations = {`
			`# "/".proxyPass = "http://${containerIP}:8200";`
			`# };`
			`#};`
			`}`