feat (mcentire): add Vaultwarden service

flake.lock

@@ -55,11 +55,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770260404,
-        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
+        "lastModified": 1772985280,
+        "narHash": "sha256-FdrNykOoY9VStevU4zjSUdvsL9SzJTcXt4omdEDZDLk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
+        "rev": "8f736f007139d7f70752657dff6a401a585d6cbc",
         "type": "github"
       },
       "original": {
@@ -76,11 +76,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767634391,
-        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
+        "lastModified": 1772129556,
+        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
+        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
         "type": "github"
       },
       "original": {
@@ -112,11 +112,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771208521,
-        "narHash": "sha256-X01Q3DgSpjeBpapoGA4rzKOn25qdKxbPnxHeMLNoHTU=",
+        "lastModified": 1772822230,
+        "narHash": "sha256-yf3iYLGbGVlIthlQIk5/4/EQDZNNEmuqKZkQssMljuw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fa56d7d6de78f5a7f997b0ea2bc6efd5868ad9e8",
+        "rev": "71caefce12ba78d84fe618cf61644dce01cf3a96",
         "type": "github"
       },
       "original": {
@@ -128,27 +128,27 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1771352457,
-        "narHash": "sha256-CCItBNMyLmtWqxTVaDAeeaIigbuaiZuN3WO8PZNkGBc=",
+        "lastModified": 1766129819,
+        "narHash": "sha256-crNRwvsbH2XSV8IwBjX6Tm+uWmYwhYyRuNVJ9/ZwlmA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f8a68d8ce473ec59300d9fb510a1b545c1290939",
+        "rev": "eedcb27bf99430e51f83d896cd1149b828290d20",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixpkgs-25.11-darwin",
         "repo": "nixpkgs",
+        "rev": "eedcb27bf99430e51f83d896cd1149b828290d20",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1771177547,
-        "narHash": "sha256-trTtk3WTOHz7hSw89xIIvahkgoFJYQ0G43IlqprFoMA=",
+        "lastModified": 1772771118,
+        "narHash": "sha256-xWzaTvmmACR/SRWtABgI/Z97lcqwJAeoSd5QW1KdK1s=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ac055f38c798b0d87695240c7b761b82fc7e5bc2",
+        "rev": "e38213b91d3786389a446dfce4ff5a8aaf6012f2",
         "type": "github"
       },
       "original": {
@@ -166,11 +166,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1771425294,
-        "narHash": "sha256-owiQE9oINf1cgaulbrr2sMjelk2cmR8rkxLRPYYL6Kg=",
+        "lastModified": 1773029295,
+        "narHash": "sha256-xmHhVHbaA5hR3dCEoGwqAgL6HTTJ0KEMRUTLdJuVtGM=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "242d44cd6af365da2dfa77422263b29d0ac9f39f",
+        "rev": "bf45b24de2134f1488f7a6c135f4b0420ccec6fe",
         "type": "github"
       },
       "original": {
@@ -189,11 +189,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770766818,
-        "narHash": "sha256-12RCFLyAedyMOdenUi7cN3ioJPEGjA/ZG1BLjugfUVs=",
+        "lastModified": 1772361940,
+        "narHash": "sha256-B1Cz+ydL1iaOnGlwOFld/C8lBECPtzhiy/pP93/CuyY=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "44b928068359b7d2310a34de39555c63c93a2c90",
+        "rev": "a4b33606111c9c5dcd10009042bb710307174f51",
         "type": "github"
       },
       "original": {
@@ -240,11 +240,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1771301023,
-        "narHash": "sha256-0XauSmXBLOqn8SYHRWOL7Z9O7m5qtF0Yw6rqXVHkEnw=",
+        "lastModified": 1773028978,
+        "narHash": "sha256-4BjOTYhHP8ljHShQyZ1gUIdwgSLjvaGN2ueKfqp6CQk=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "1cf8b4f42720573ef35dcd7d2ba0fd80e40954e9",
+        "rev": "a6ed037ffc0b50a9bd0c92e20e31f270a03ca1e3",
         "type": "gitlab"
       },
       "original": {

flake.nix

@@ -4,7 +4,9 @@
   inputs = {
     # Specify the source of Home Manager and Nixpkgs.
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
-    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin";
+    # Revert to a cached version of Julia for aarch64-darwin
+    nixpkgs-darwin.url =
+      "github:nixos/nixpkgs/eedcb27bf99430e51f83d896cd1149b828290d20";
     nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 
     # Inputs for both darwin and linux systems

programs/zed.nix

@@ -59,6 +59,10 @@
       };
       lsp = {
         nil = { settings.nix.flake.autoArchive = true; };
+        nixd = {
+          settings.options.home-manager.expr =
+            "(builtins.getFlake (builtins.toString ./.)).homeConfigurations.<name>.options";
+        };
         texlab = {
           settings = {
             build = {

secrets.nix

@@ -48,4 +48,6 @@ in {
     ++ [ bosephus-host ];
   "secrets/redis-password.age".publicKeys = system-administrators
     ++ [ mcentire-host ];
+  "secrets/vaultwarden.toml.age".publicKeys = system-administrators
+    ++ [ mcentire-host ];
 }

services/fireflyiii.nix

@@ -80,7 +80,7 @@ in {
     virtualisation.quadlet = let
       inherit (config.virtualisation.quadlet) containers;
       inherit (config.virtualisation.quadlet) networks;
-      secrets = osConfig.millironx.podman-secrets.freshrss;
+      secrets = osConfig.millironx.podman-secrets.fireflyiii;
     in {
       autoUpdate.enable = true;
       autoEscape = true;

services/vaultwarden.nix

@@ -0,0 +1,125 @@
+{ config, pkgs, home-manager-quadlet-nix, ... }:
+let
+  user = "vaultwarden";
+  port = "92858";
+  containerPort = port;
+  authentikPort = "9000";
+  stateDirectory = "/var/lib/${user}";
+  servicePaths = [ "data" ];
+  databasePaths = [ "database" ];
+in {
+  age.secrets."vaultwarden.toml" = {
+    file = ./../secrets/vaultwarden.toml.age;
+    owner = user;
+  };
+
+  millironx.podman-secrets.vaultwarden = {
+    inherit user;
+    secrets-files = [ config.age.secrets."vaultwarden.toml".path ];
+  };
+
+  systemd.tmpfiles.rules =
+    map (d: "d ${stateDirectory}/${d} 1775 ${user} ${user} -")
+    ([ "" ] ++ servicePaths ++ databasePaths);
+
+  services.borgmatic.configurations."${config.networking.hostName}" = {
+    source_directories = map (d: "${stateDirectory}/${d}") servicePaths;
+    postgresql_databases = [{
+      name = user;
+      psql_command =
+        "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db psql --username=${user}";
+      pg_dump_command =
+        "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db pg_dump --username=${user}";
+      pg_restore_command =
+        "/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${user}-db pg_restore --username=${user}";
+    }];
+  };
+
+  services.caddy.virtualHosts."vault.millironx.com".extraConfig = ''
+    reverse_proxy http://127.0.0.1:${port}
+  '';
+
+  users.users."${user}" = {
+    group = user;
+    isNormalUser = true;
+    home = stateDirectory;
+    createHome = true;
+    linger = true;
+    autoSubUidGidRange = true;
+  };
+  users.groups."${user}" = { };
+
+  home-manager.users."${user}" = { config, osConfig, ... }: {
+    imports = [ home-manager-quadlet-nix ];
+
+    home.stateVersion = "25.05";
+
+    virtualisation.quadlet = let
+      inherit (config.virtualisation.quadlet) containers;
+      inherit (config.virtualisation.quadlet) networks;
+      secrets = osConfig.millironx.podman-secrets.vaultwarden;
+    in {
+      autoUpdate.enable = true;
+      autoEscape = true;
+
+      networks."${user}" = { };
+
+      containers = {
+        "${user}-db" = {
+          autoStart = true;
+          containerConfig = {
+            image = "docker.io/library/postgres:16";
+            environments = {
+              POSTGRES_DB = user;
+              POSTGRES_USER = user;
+            };
+            secrets = [
+              "POSTGRES_PASSWORD,type=env"
+              "POSTGRES_PASSWORD,type=env,target=PGPASSWORD"
+            ];
+            healthCmd = "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}";
+            healthInterval = "30s";
+            healthRetries = 5;
+            healthStartPeriod = "20s";
+            volumes =
+              [ "${stateDirectory}/database:/var/lib/postgresql/data:U" ];
+            networks = [ networks."${user}".ref ];
+          };
+          unitConfig.Requires = [ secrets.ref ];
+          unitConfig.After = [ secrets.ref ];
+        };
+
+        "${user}" = {
+          autoStart = true;
+          containerConfig = {
+            image = "ghcr.io/dani-garcia/vaultwarden:latest";
+            environments = {
+              DOMAIN = "https://vault.millironx.com";
+              ROCKET_PORT = port;
+              SIGNUPS_ALLOWED = "false";
+              SMTP_FROM_NAME = "Milliron X Vault";
+            };
+            secrets = map (s: "${s},type=env") [
+              "ADMIN_TOKEN"
+              "DATABASE_URL"
+              "SMTP_FROM"
+              "SMTP_HOST"
+              "SMTP_PORT"
+              "SMTP_PASSWORD"
+              "SMTP_USERNAME"
+              "YUBICO_CLIENT_ID"
+              "YUBICO_SECRET_KEY"
+            ];
+            volumes = [ "${stateDirectory}/data:/data:U" ];
+            networks = [ networks."${user}".ref ];
+            publishPorts = [ "127.0.0.1:${port}:${containerPort}" ];
+          };
+          unitConfig.Requires = [ secrets.ref containers."${user}".ref ];
+          unitConfig.After = [ secrets.ref containers."${user}".ref ];
+        };
+      };
+    };
+
+  };
+
+}

systems/darwin/corianne.nix

@@ -32,9 +32,17 @@ in {
       automatic = true;
       interval = { Weekday = 1; };
       options = ''
-        --delete-older-than 14d
+        --delete-older-than 90d
       '';
     };
+    settings = {
+      substituters =
+        [ "https://nix-community.cachix.org" "https://cache.nixos.org/" ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      ];
+    };
+
     # Needed for rosetta-builder, see
     # <https://github.com/cpick/nix-rosetta-builder/issues/40#issuecomment-3368602687>
     # <https://github.com/cpick/nix-rosetta-builder/issues/37>
@@ -184,15 +192,7 @@ in {
       no_quarantine = true;
 
     };
-    taps = [
-      "homebrew/services"
-      {
-        name = "millironx/millironx";
-        clone_target =
-          "https://code.millironx.com/millironx/homebrew-millironx.git";
-      }
-      "r-lib/rig"
-    ];
+    taps = [ "r-lib/rig" ];
     brews = [
       "borgbackup/tap/borgbackup-fuse"
       "buildkit"
@@ -207,6 +207,7 @@ in {
     ];
     casks = [
       "alt-tab"
+      "dash"
       "db-browser-for-sqlite"
       "firefox"
       "inkscape"

systems/linux/mcentire.nix

@@ -11,6 +11,7 @@
     ./../../services/fireflyiii.nix
     ./../../services/freshrss.nix
     ./../../services/navidrome.nix
+    ./../../services/vaultwarden.nix
   ];
 
   # Use the GRUB 2 boot loader.