From f4155bc8a8da3a1dbc25027c5055a4291238a18b Mon Sep 17 00:00:00 2001
From: Lzebulon
Date: Mon, 5 Jan 2026 19:40:23 +0100
Subject: [PATCH 1/3] add zamok safe ip

---
 hosts/physique/hyponix/services/fail2ban.nix | 4 +++
 modules/available/vaultwarden.nix | 34 ++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 modules/available/vaultwarden.nix

diff --git a/hosts/physique/hyponix/services/fail2ban.nix b/hosts/physique/hyponix/services/fail2ban.nix
index edc9a34..a997185 100644
--- a/hosts/physique/hyponix/services/fail2ban.nix
+++ b/hosts/physique/hyponix/services/fail2ban.nix
@@ -2,6 +2,10 @@
 {
   services.fail2ban = {
     enable = true;
+
+    ignoreIP = [
+      "zamok.crans.org"
+    ];
   };
 
   services.openssh.settings.LogLevel = "VERBOSE";
diff --git a/modules/available/vaultwarden.nix b/modules/available/vaultwarden.nix
new file mode 100644
index 0000000..bdd8533
--- /dev/null
+++ b/modules/available/vaultwarden.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+let
+  domain = "pass.${config.networking.domain}";
+in
+{
+
+  age.secrets = {
+    vaultwarden_secret = {
+      file = ../../secrets/services/vaultwarden.age;
+      owner = "vaultwarden";
+    };
+  };
+
+
+  services.vaultwarden = {
+    enable = false; # TODO: enable
+    # TODO: move to pgsql
+    #dbBackend = "postgresql";
+    environmentFile = config.age.secrets.vaultwarden_secret.path;
+    config = {
+      DOMAIN = "https://${domain}";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "::1";
+      ROCKET_PORT = 8222;
+    };
+  };
+
+  services.caddy.virtualHosts."${domain}" = {
+    extraConfig = ''
+      reverse_proxy localhost:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}
+    '';
+  };
+}

From c36ea77671e5f8f66be8a9da2e8583fef6e0c344 Mon Sep 17 00:00:00 2001
From: Lzebulon
Date: Mon, 5 Jan 2026 19:41:31 +0100
Subject: [PATCH 2/3] open firewall for monitoring

---
 modules/common/monitoring.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
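Review bot: `ignoreIP = [ "zamok.crans.org" ]` allow-lists whatever that hostname resolves to when each jail starts: fail2ban resolves names in `ignoreip` through DNS, so the exemption is only as trustworthy as the resolver and is silently dropped if the name cannot be resolved at jail load (for instance early at boot before the network is up). For a bastion that must never be banned, prefer the literal address or CIDR and keep the hostname as a comment, e.g. `"<zamok address>" # zamok.crans.org, crans bastion` — the address itself is not in the patch and has to come from the operator. If a DNS name is kept deliberately, state the trade-off next to it so the next reader does not assume a static allow-list, and say why this host is exempt, since an unexplained fail2ban bypass tends to outlive the bastion it was written for.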
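Review bot: The Caddy virtual host for `pass.<domain>` and the age secret are declared unconditionally while `services.vaultwarden.enable = false`, so the public hostname gets a certificate and proxies to a closed port, and the secret is decrypted with `owner = "vaultwarden"` for a user that, with the service off, presumably does not exist yet and may make activation fail; guard the vhost with `services.caddy.virtualHosts."${domain}" = lib.mkIf config.services.vaultwarden.enable { … };` (adding `lib` to the module arguments). The upstream should match `ROCKET_ADDRESS = "::1"` rather than rely on `localhost` resolving to IPv6, i.e. `reverse_proxy [::1]:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}`. Vaultwarden takes the client address from the `X-Real-IP` header by default, which Caddy's `reverse_proxy` does not set on its own, so failed-login logs and rate limiting would all be attributed to the proxy; add `header_up X-Real-IP {remote_host}` inside the `reverse_proxy` block, especially if a fail2ban jail for Vaultwarden is intended to complement the fail2ban change in this series. A short header comment stating that signups are closed and that the admin token (if any) lives in the environment file would document the module's security posture at a glance.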
diff --git a/modules/common/monitoring.nix b/modules/common/monitoring.nix
index 90ea232..117328d 100644
--- a/modules/common/monitoring.nix
+++ b/modules/common/monitoring.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
   services.prometheus.exporters = {
     node = {
@@ -9,6 +9,19 @@
         "--collector.softirqs"
         "--collector.tcpstat"
       ];
+
+      openFirewall = true;
+    };
+
+    postgres = {
+      enable = config.services.postgresql.enable;
     };
   };
+
+
+  services.caddy.globalConfig = "
+    metrics {
+      per_host
+    }
+  ";
 }

From 02eb3b5599da1fea4c2ef59b535c28b417cb0a0e Mon Sep 17 00:00:00 2001
From: Lzebulon
Date: Mon, 5 Jan 2026 19:41:57 +0100
Subject: [PATCH 3/3] fix: rename system -> stdenv.hostPlatform.system

nixos a supprime l'alias system
---
 tools/devshell.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/devshell.nix b/tools/devshell.nix
index 724c18e..3dd58fb 100644
--- a/tools/devshell.nix
+++ b/tools/devshell.nix
@@ -8,7 +8,7 @@ pkgs.mkShell {
   packages = with pkgs; [
     nil
     nixpkgs-fmt
-    agenix.packages.${system}.default
+    agenix.packages.${stdenv.hostPlatform.system}.default
   ];
 
   shellHook = ''
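Review bot: `openFirewall = true` on the node exporter opens its port on every interface to every source, and node_exporter has no authentication, so host-level metrics (including the TCP connection-state counts from the `tcpstat` collector enabled just above) become readable by anyone who can reach the machine; since this module lives under `modules/common`, that applies to every host that imports it. Unless all hosts sit on a trusted network, keep the port closed and allow it only on the scraping interface, e.g. `networking.firewall.interfaces."<scrape-iface>".allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];`, or bind it with `listenAddress` to the scrape network's address. The `postgres` exporter is enabled whenever PostgreSQL is, but nothing here grants it database access; with the default data source it will presumably need `runAsLocalSuperUser = true` or a matching `pg_hba`/role entry, which should be confirmed before the target goes red. Style: `services.caddy.globalConfig` is a double-quoted string spanning several lines, whereas the Nix idiom for multi-line text is the indented-string form (`''` … `''`), which also strips the common leading whitespace that the current string passes through to the Caddyfile. The `node` exporter block and its `extraFlags` list start before this hunk.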