feat(bw): vaultwarden

systems/keycloak/default.nix

@@ -12,6 +12,7 @@ _: {
       sshd.enable = true;
       keycloak.enable = true;
       vouch-proxy.enable = true;
+      vaultwarden.enable = true;
     };
   };
 }

systems/keycloak/lxc.json

@@ -1,6 +1,7 @@
 {
 	"lxc": {
 		"lxc.mount.entry": [
+			"/rpool/shared/vaultwarden mnt/shared/vaultwarden none bind,optional,create=dir",
 			"/dev/net/tun dev/net/tun none bind,optional,create=file"
 		],
 		"lxc.idmap": [

systems/keycloak/nixos.nix

@@ -12,6 +12,7 @@
     nixos.reisen-ct
     nixos.ipa
     nixos.keycloak
+    nixos.vaultwarden
     nixos.cloudflared
     nixos.vouch
   ];
@@ -27,6 +28,8 @@
         inherit (keycloak'system.exports.services) keycloak;
         vouch'system = access.systemForServiceId "login";
         inherit (vouch'system.exports.services) vouch-proxy;
+        vaultwarden'system = access.systemForServiceId "bw";
+        inherit (vaultwarden'system.exports.services) vaultwarden;
       in {
         "${keycloak.id}.${config.networking.domain}" = let
           portName =
@@ -52,6 +55,12 @@
             service = vouch-proxy;
           };
         };
+        "${vaultwarden.id}.${config.networking.domain}" = {
+          service = access.proxyUrlFor {
+            system = vaultwarden'system;
+            service = vaultwarden;
+          };
+        };
       };
     };
   };