From f85133ced9acd3e236bb0aa5591298d8d7e3ce70 Mon Sep 17 00:00:00 2001
From: samuel
Date: Fri, 24 Apr 2026 00:47:26 +0200
Subject: [PATCH] feat: add config files
---
 Makefile | 9 ++--
 files/nginx/vault.netoik.io.conf | 8 ++++
 files/systemd/vaultwarden.conf | 3 ++
 files/vaultwarden/netoik_vaultwarden.cfg | 52 ++++++++++++++++++++++++
 netoik-vault.spec | 37 ++++++++++++++++-
 5 files changed, 103 insertions(+), 6 deletions(-)
 create mode 100644 files/nginx/vault.netoik.io.conf
 create mode 100644 files/systemd/vaultwarden.conf
 create mode 100644 files/vaultwarden/netoik_vaultwarden.cfg
diff --git a/Makefile b/Makefile
index 274515b..e447287 100644
--- a/Makefile
+++ b/Makefile
@@ -73,11 +73,10 @@ install: ## Install files into rpm dest (requires env var DESTDIR)
 printf "[CRITICAL] Missing env var DESTDIR\n[CRITICAL] This command is designed to be called by rpmbuild only!\n" 1>&2; \
 exit 1; \
 fi
- install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
- install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/z_default.conf
- install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
- install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
- install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+ install --mode=755 --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/vaultwarden $(DESTDIR)$(RPM_UNITDIR)/vaultwarden.service.d
+ install --mode=644 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/vault.netoik.io.conf
+ install --mode=640 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/vaultwarden files/vaultwarden/netoik_vaultwarden.cfg
+ install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR)/vaultwarden.service.d files/systemd/vaultwarden.conf
 
 .PHONY: upload
 upload: ## Upload rpm package to Gitea repository (requires env var PKG_TOKEN)
diff --git a/files/nginx/vault.netoik.io.conf b/files/nginx/vault.netoik.io.conf
new file mode 100644
index 0000000..7ad1b70
--- /dev/null
+++ b/files/nginx/vault.netoik.io.conf
@@ -0,0 +1,8 @@
+server {
+ listen 443 ssl;
+ server_name vault.netoik.io;
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+}
diff --git a/files/systemd/vaultwarden.conf b/files/systemd/vaultwarden.conf
new file mode 100644
index 0000000..198efd2
--- /dev/null
+++ b/files/systemd/vaultwarden.conf
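Review bot: The new `location /` block in vault.netoik.io.conf proxies to 127.0.0.1:8000 without forwarding any client headers, so Vaultwarden sees every request as coming from 127.0.0.1 with Host `127.0.0.1:8000`; its login rate limiting and admin-session checks key on the `X-Real-IP` header (the default `IP_HEADER`) and so treat all clients as one address. The block also says `listen 443 ssl` but carries no `ssl_certificate`/`ssl_certificate_key`, and this commit stops shipping `0_security.conf` from the same package, so nginx will refuse to start unless those directives now come from another file in conf.d — worth confirming. The upstream proxy examples additionally set the WebSocket upgrade headers that the notifications endpoint needs. I would extend the location as follows.
```nginx
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
```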
@@ -0,0 +1,3 @@
+[Service]
+Environment=
+Environment="ENV_FILE=/etc/vaultwarden/netoik_vaultwarden.cfg"
diff --git a/files/vaultwarden/netoik_vaultwarden.cfg b/files/vaultwarden/netoik_vaultwarden.cfg
new file mode 100644
index 0000000..b547897
--- /dev/null
+++ b/files/vaultwarden/netoik_vaultwarden.cfg
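Review bot: The bare `Environment=` on the second line of the drop-in is doing real work — it discards every `Environment=` entry the base vaultwarden.service defines so that only `ENV_FILE` remains — but nothing says so, and a future maintainer may remove it as a stray line. I would add `# Clear the base unit's Environment= entries so /etc/vaultwarden/netoik_vaultwarden.cfg is the only source of settings` above it. Note that this does not reset any `EnvironmentFile=` the distro unit may ship; if it has one, its values still apply alongside ENV_FILE, which is worth checking against the installed unit.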
@@ -0,0 +1,52 @@
+####################
+### Data folders ###
+####################
+
+## Main data folder
+DATA_FOLDER=/var/lib/vaultwarden
+
+## Web vault settings
+WEB_VAULT_FOLDER=/usr/share/vaultwarden-web
+WEB_VAULT_ENABLED=true
+
+
+#########################
+### Database settings ###
+#########################
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+# DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+DATABASE_URL=postgresql:///
+
+
+########################
+### General settings ###
+########################
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
+## Details:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
+## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+## For development
+# DOMAIN=http://localhost
+## For public server
+# DOMAIN=https://vw.domain.tld
+## For public server (URL with port number)
+# DOMAIN=https://vw.domain.tld:8443
+## For public server (URL with path)
+# DOMAIN=https://domain.tld/vw
+DOMAIN=https://vault.netoik.io
diff --git a/netoik-vault.spec b/netoik-vault.spec
index 16d48b0..d74da13 100644
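Review bot: The new config sets DOMAIN to a public hostname but leaves Vaultwarden's defaults for registration and bind address, so unless the distro unit overrides them (not visible here) the instance accepts self-service sign-ups (`SIGNUPS_ALLOWED` defaults to true) and the backend binds `0.0.0.0:8000` rather than the loopback address nginx proxies to. Under "General settings" I would add `SIGNUPS_ALLOWED=false` (or a `SIGNUPS_DOMAINS_WHITELIST`) and `ROCKET_ADDRESS=127.0.0.1`. If the admin panel is wanted later, `ADMIN_TOKEN` should go in a separate mode-600 file rather than this group-readable 640 one. `DATABASE_URL=postgresql:///` relies on peer authentication over the local socket, which deserves a one-line comment (`## Empty URI: local socket with peer auth as the vaultwarden OS user; no password needed`) so nobody "fixes" it by adding credentials.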
--- a/netoik-vault.spec
+++ b/netoik-vault.spec
@@ -22,14 +22,49 @@ Install the secrets vault called vaultwarden with a predefined configuration.
 %make_install
 
 %post
+# Display commands and exit on error
+set -xe
+
+# Change rights of config file
+chgrp vaultwarden %{_sysconfdir}/vaultwarden/netoik_vaultwarden.cfg
+
+# Add vaultwarden user to postgres group
+usermod --groups postgres --append vaultwarden
+
+# Create postgres user and db
+if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet vaultwarden; then
+ runuser --user=postgres -- createuser vaultwarden
+fi
+if ! runuser --user=postgres -- psql --quiet --tuples-only --command='\l' | grep --quiet vaultwarden; then
+ runuser --user=postgres -- createdb --owner=vaultwarden vaultwarden
+fi
+
 # Restart services
 systemctl daemon-reload
-systemctl reenable nginx.service vaultwarden.service
+systemctl reenable nginx.service vaultwarden.service
 systemctl restart nginx.service vaultwarden.service
 
 %postun
+# Display commands and exit on error
+set -xe
+
+# If uninstalling, then delete users and db
+if [ $1 == 0 ]; then
+ # Remove gitea database if existing
+ if runuser --user=postgres -- psql --quiet --tuples-only --command='\l' | grep --quiet vaultwarden; then
+ runuser --user=postgres -- dropdb vaultwarden
+ fi
+ if runuser --user=postgres -- psql --quiet --tuples-only --command='\du' | grep --quiet vaultwarden; then
+ runuser --user=postgres -- dropuser vaultwarden
+ fi
+fi
 
 %files
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/vault.netoik.io.conf
+%attr(640, root, -) %{_sysconfdir}/vaultwarden/netoik_vaultwarden.cfg
+
+%dir %attr(755, root, root) %{_unitdir}/vaultwarden.service.d
+%attr(644, root, root) %{_unitdir}/vaultwarden.service.d/vaultwarden.conf
 
 %changelog
 %autochangelog
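Review bot: The new `%postun` drops the `vaultwarden` database and role whenever `$1` is 0, so a plain uninstall (or a failed upgrade that ends in removal) destroys every stored secret with no backup; a config package should leave the data in place and at most print how to purge it, so I would delete the `dropdb`/`dropuser` branch or gate it behind an explicit opt-in such as `[ "${NETOIK_VAULT_PURGE:-0}" = 1 ]`. The existence checks in both scriptlets grep the full `\du`/`\l` listings for the substring `vaultwarden`, and `\l` prints the owner column, so any database owned by that role — or any role or database whose name merely contains it — makes `createdb` skip in `%post` and `dropdb` fire in `%postun`; query the catalogs by exact name instead, as below. The comment `# Remove gitea database if existing` is a copy-paste leftover. Adding the service account to the `postgres` group is presumably for socket access; on stock packages `/run/postgresql` is world-traversable, so that `usermod` may be granting a group it does not need — worth confirming before keeping it. `%attr(640, root, -)` followed by `chgrp` in `%post` could simply be `%attr(640, root, vaultwarden)` if the package already requires vaultwarden, which also keeps `rpm -V` quiet.
```rpmspec
# Create postgres user and db (exact-name catalog lookups, not substring grep)
if [ "$(runuser --user=postgres -- psql --quiet --tuples-only --no-align --command="SELECT 1 FROM pg_roles WHERE rolname = 'vaultwarden'")" != 1 ]; then
  runuser --user=postgres -- createuser vaultwarden
fi
if [ "$(runuser --user=postgres -- psql --quiet --tuples-only --no-align --command="SELECT 1 FROM pg_database WHERE datname = 'vaultwarden'")" != 1 ]; then
  runuser --user=postgres -- createdb --owner=vaultwarden vaultwarden
fi
# … unchanged: service restart …
```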