From 8d373c9b8c3da6d5d09757d570fdc8f728040548 Mon Sep 17 00:00:00 2001
From: Oliver Davies <oliver@oliverdavies.dev>
Date: Wed, 30 Apr 2025 20:15:57 +0100
Subject: [PATCH] Automated dev commit

---
 hosts/nixedo/homelab.nix              |  6 +++++-
 hosts/nixedo/services/default.nix     |  4 ++++
 hosts/nixedo/services/vaultwarden.nix | 20 ++++++++++++--------
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/hosts/nixedo/homelab.nix b/hosts/nixedo/homelab.nix
index 617aa091..fd95d34e 100644
--- a/hosts/nixedo/homelab.nix
+++ b/hosts/nixedo/homelab.nix
@@ -24,7 +24,11 @@
       paperless.enable = true;
       uptime-kuma.enable = true;
 
-      vaultwarden.enable = true;
+      vaultwarden = {
+        enable = true;
+
+        cloudflared.tunnelId = "41feb37d-a0f5-4c21-80c8-36ab63ec3b17";
+      };
     };
   };
 }
diff --git a/hosts/nixedo/services/default.nix b/hosts/nixedo/services/default.nix
index 5b65a247..40fdd42d 100644
--- a/hosts/nixedo/services/default.nix
+++ b/hosts/nixedo/services/default.nix
@@ -5,4 +5,8 @@
     ./uptime-kuma.nix
     ./vaultwarden.nix
   ];
+
+  services = {
+    tailscale.enable = true;
+  };
 }
diff --git a/hosts/nixedo/services/vaultwarden.nix b/hosts/nixedo/services/vaultwarden.nix
index 0402699f..53cfba66 100644
--- a/hosts/nixedo/services/vaultwarden.nix
+++ b/hosts/nixedo/services/vaultwarden.nix
@@ -21,6 +21,11 @@ in
       type = types.str;
     };
 
+    cloudflared.tunnelId = mkOption {
+      example = "00000000-0000-0000-0000-000000000000";
+      type = types.str;
+    };
+
     homepage.name = mkOption {
       default = "Vaultwarden";
       type = types.str;
@@ -49,19 +54,18 @@ in
 
         config = {
           DOMAIN = "https://${cfg.url}";
+          ROCKET_ADDRESS = "127.0.0.1";
           ROCKET_PORT = 8222;
           SIGNUPS_ALLOWED = false;
         };
       };
 
-      nginx.virtualHosts.${cfg.url} = {
-        forceSSL = true;
-        useACMEHost = homelab.baseDomain;
-
-        locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.${service}.config.ROCKET_PORT}";
-          recommendedProxySettings = true;
-        };
+      cloudflared.tunnels.${cfg.cloudflared.tunnelId} = {
+        credentialsFile = config.age.secrets.cloudflared.path;
+        default = "http_status:404";
+        ingress."${cfg.url}".service = "http://${config.services.${service}.config.ROCKET_ADDRESS}:${
+          toString config.services.${service}.config.ROCKET_PORT
+        }";
       };
     };
   };