fix(bw): nginx access

nixos/vaultwarden.nix

@@ -15,6 +15,7 @@ in {
     databaseUrlPath = mkIf (!postgresql.enable) (mkDefault config.sops.secrets.vaultwarden-database-url.path);
     adminTokenPath = mkIf enableAdmin (mkDefault config.sops.secrets.vaultwarden-admin-token.path);
     config = {
+      DOMAIN = mkDefault "https://bw.${config.networking.domain}";
       SIGNUPS_ALLOWED = mkDefault false;
       ROCKET_ADDRESS = mkDefault "::";
       WEBSOCKET_ADDRESS = mkDefault "::";

systems/keycloak/default.nix

@@ -12,6 +12,10 @@ _: {
       keycloak.enable = true;
       vouch-proxy.enable = true;
       vaultwarden.enable = true;
+      nginx = {
+        enable = true;
+        ports.proxied.enable = true;
+      };
     };
   };
 }

systems/keycloak/nixos.nix

@@ -2,8 +2,11 @@
   meta,
   config,
   access,
+  lib,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkMerge;
+in {
   imports = let
     inherit (meta) nixos;
   in [
@@ -15,6 +18,8 @@
     nixos.vaultwarden
     nixos.cloudflared
     nixos.vouch
+    nixos.nginx
+    nixos.access.vaultwarden
   ];
 
   services.cloudflared = let
@@ -24,14 +29,14 @@
       default = "http_status:404";
       credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
       ingress = let
+        inherit (config.services) nginx;
+        inherit (config.networking) domain;
         keycloak'system = access.systemForService "keycloak";
         inherit (keycloak'system.exports.services) keycloak;
         vouch'system = access.systemForServiceId "login";
         inherit (vouch'system.exports.services) vouch-proxy;
-        vaultwarden'system = access.systemForServiceId "bw";
-        inherit (vaultwarden'system.exports.services) vaultwarden;
-      in {
-        "${keycloak.id}.${config.networking.domain}" = let
+        ingress = {
+          "${keycloak.id}.${domain}" = let
             portName =
               if keycloak.ports.https.enable
               then "https"
@@ -49,19 +54,24 @@
             } =
               true;
           };
-        "${vouch-proxy.id}.${config.networking.domain}" = {
+          "${vouch-proxy.id}.${domain}" = {
             service = access.proxyUrlFor {
               system = vouch'system;
               service = vouch-proxy;
             };
           };
-        "${vaultwarden.id}.${config.networking.domain}" = {
-          service = access.proxyUrlFor {
-            system = vaultwarden'system;
-            service = vaultwarden;
-          };
+        };
+      in mkMerge [
+        ingress
+        (nginx.virtualHosts.vaultwarden.proxied.cloudflared.getIngress {})
+      ];
     };
   };
+
+  services.nginx = {
+    proxied.enable = true;
+    virtualHosts = {
+      vaultwarden.proxied.enable = "cloudflared";
     };
   };