From 1f28e2853dc08a561513c5eacc3db329f5bbfee0 Mon Sep 17 00:00:00 2001
From: lightly-toasted <tooast@duck.com>
Date: Thu, 2 Oct 2025 21:41:42 +0900
Subject: [PATCH] feat(vps): add caddy reverse proxy for vaultwarden at
 /vaultwarden/

---
 hosts/vps/modules/services/caddy.nix       | 7 +++++++
 hosts/vps/modules/services/tailscale.nix   | 1 +
 hosts/vps/modules/services/vaultwarden.nix | 1 +
 3 files changed, 9 insertions(+)

diff --git a/hosts/vps/modules/services/caddy.nix b/hosts/vps/modules/services/caddy.nix
index daf295f..016a4f6 100644
--- a/hosts/vps/modules/services/caddy.nix
+++ b/hosts/vps/modules/services/caddy.nix
@@ -1,3 +1,5 @@
+{ pkgs, ... }:
+
 {
   services.caddy = {
     enable = true;
@@ -6,5 +8,10 @@
     virtualHosts."i.toast.name".extraConfig = ''
       reverse_proxy http://127.0.0.1:3000
     '';
+
+    # vaultwarden
+    virtualHosts."vps.curl-pence.ts.net".extraConfig = ''
+      reverse_proxy /vaultwarden/* http://127.0.0.1:8222
+    '';
   };
 }
diff --git a/hosts/vps/modules/services/tailscale.nix b/hosts/vps/modules/services/tailscale.nix
index de75634..85f7a0d 100644
--- a/hosts/vps/modules/services/tailscale.nix
+++ b/hosts/vps/modules/services/tailscale.nix
@@ -7,5 +7,6 @@
     enable = true;
     authKeyFile = config.sops.secrets."tailscale/authkey".path;
     useRoutingFeatures = "both";
+    permitCertUid = "caddy";
   };
 }
diff --git a/hosts/vps/modules/services/vaultwarden.nix b/hosts/vps/modules/services/vaultwarden.nix
index 04de1e1..a826c97 100644
--- a/hosts/vps/modules/services/vaultwarden.nix
+++ b/hosts/vps/modules/services/vaultwarden.nix
@@ -4,6 +4,7 @@
     config = {
       ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_PORT = 8222;
+      DOMAIN = "https://vps.curl-pence.ts.net/vaultwarden";
     };
   };
 }