selfprivacy-nixos-config/sp-modules/bitwarden/module.nix

{ config, lib, pkgs, ... }:
let
  secrets-filepath = "/etc/selfprivacy/secrets.json";
  backup-dir = "/var/lib/bitwarden/backup";
  inherit (import ./common.nix config) bitwarden-env sp;
in
{
  options.selfprivacy.modules.bitwarden = {
    enable = lib.mkOption {
      default = false;
      type = with lib.types; nullOr bool;
    };
    location = lib.mkOption {
      default = "sda1";
      type = with lib.types; nullOr str;
    };
  };

  config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
    fileSystems = lib.mkIf sp.useBinds {
      "/var/lib/bitwarden" = {
        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
        options = [
          "bind"
          "x-systemd.required-by=bitwarden-secrets.service"
          "x-systemd.required-by=backup-vaultwarden.service"
          "x-systemd.required-by=vaultwarden.service"
        ];
      };
      "/var/lib/bitwarden_rs" = {
        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
        options = [
          "bind"
          "x-systemd.required-by=bitwarden-secrets.service"
          "x-systemd.required-by=backup-vaultwarden.service"
          "x-systemd.required-by=vaultwarden.service"
        ];
      };
    };
    services.vaultwarden = {
      enable = true;
      dbBackend = "sqlite";
      backupDir = backup-dir;
      environmentFile = "${bitwarden-env}";
      config = {
        domain = "https://password.${sp.domain}/";
        signupsAllowed = true;
        rocketPort = 8222;
      };
    };
    systemd.services.bitwarden-secrets = {
      before = [ "vaultwarden.service" ];
      requiredBy = [ "vaultwarden.service" ];
      serviceConfig.Type = "oneshot";
      path = with pkgs; [ coreutils jq ];
      script = ''
        set -o nounset

        token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
        if [ "$token" == "null" ]; then
            # If it's null, empty the contents of the file
            bitwarden_env=""
        else
            bitwarden_env="ADMIN_TOKEN=$token"
        fi

        install -C -m 0700 -o vaultwarden -g vaultwarden \
        -d /var/lib/bitwarden

        install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
        <(printf "%s" "$bitwarden_env") ${bitwarden-env}
      '';
    };
    services.nginx.virtualHosts."password.${sp.domain}" = {
      sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";
      forceSSL = true;
      extraConfig = ''
        add_header Strict-Transport-Security $hsts_header;
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
        expires 10m;
      '';
      locations = {
        "/" = {
          proxyPass = "http://127.0.0.1:8222";
        };
      };
    };
    # NixOS upstream bug? Otherwise, backup-vaultwarden cannot find sqlite DB.
    systemd.services.backup-vaultwarden.after = [ "vaultwarden.service" ];
    systemd.services.backup-vaultwarden.before = lib.mkForce [ ];
  };
}
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`{ config, lib, pkgs, ... }:`
			`let`
			`secrets-filepath = "/etc/selfprivacy/secrets.json";`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`backup-dir = "/var/lib/bitwarden/backup";`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`inherit (import ./common.nix config) bitwarden-env sp;`
			`in`
			`{`
			`options.selfprivacy.modules.bitwarden = {`
			`enable = lib.mkOption {`
			`default = false;`
			`type = with lib.types; nullOr bool;`
			`};`
			`location = lib.mkOption {`
			`default = "sda1";`
			`type = with lib.types; nullOr str;`
			`};`
			`};`

			`config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {`
			`fileSystems = lib.mkIf sp.useBinds {`
			`"/var/lib/bitwarden" = {`
			`device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`options = [`
			`"bind"`
			`"x-systemd.required-by=bitwarden-secrets.service"`
sp-modules: some startup fixes 2023-12-18 18:16:40 +00:00			`"x-systemd.required-by=backup-vaultwarden.service"`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`"x-systemd.required-by=vaultwarden.service"`
			`];`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`};`
			`"/var/lib/bitwarden_rs" = {`
			`device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`options = [`
			`"bind"`
			`"x-systemd.required-by=bitwarden-secrets.service"`
sp-modules: some startup fixes 2023-12-18 18:16:40 +00:00			`"x-systemd.required-by=backup-vaultwarden.service"`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`"x-systemd.required-by=vaultwarden.service"`
			`];`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`};`
			`};`
			`services.vaultwarden = {`
			`enable = true;`
			`dbBackend = "sqlite";`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00			`backupDir = backup-dir;`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`environmentFile = "${bitwarden-env}";`
			`config = {`
			`domain = "https://password.${sp.domain}/";`
			`signupsAllowed = true;`
			`rocketPort = 8222;`
			`};`
			`};`
			`systemd.services.bitwarden-secrets = {`
explicit dependency between backup-vaultwarden and vaultwarden 2023-12-18 19:40:15 +00:00			`before = [ "vaultwarden.service" ];`
			`requiredBy = [ "vaultwarden.service" ];`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`serviceConfig.Type = "oneshot";`
			`path = with pkgs; [ coreutils jq ];`
			`script = ''`
			`set -o nounset`

			`token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"`
			`if [ "$token" == "null" ]; then`
			`# If it's null, empty the contents of the file`
			`bitwarden_env=""`
			`else`
			`bitwarden_env="ADMIN_TOKEN=$token"`
			`fi`
sp-modules: get rid of systemd.tmpfiles Because it causes troubles when using bind-mounts for /var/lib/*. 2023-12-18 11:33:09 +00:00
			`install -C -m 0700 -o vaultwarden -g vaultwarden \`
			`-d /var/lib/bitwarden`

			`install -C -m 0600 -o vaultwarden -g vaultwarden -DT \`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`<(printf "%s" "$bitwarden_env") ${bitwarden-env}`
			`'';`
			`};`
move nginx exclusive virtualHosts to SP modules 2023-12-18 15:02:54 +00:00			`services.nginx.virtualHosts."password.${sp.domain}" = {`
			`sslCertificate = "/var/lib/acme/${sp.domain}/fullchain.pem";`
			`sslCertificateKey = "/var/lib/acme/${sp.domain}/key.pem";`
			`forceSSL = true;`
			`extraConfig = ''`
			`add_header Strict-Transport-Security $hsts_header;`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`
			`add_header X-Frame-Options DENY;`
			`add_header X-Content-Type-Options nosniff;`
			`add_header X-XSS-Protection "1; mode=block";`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`expires 10m;`
			`'';`
			`locations = {`
			`"/" = {`
			`proxyPass = "http://127.0.0.1:8222";`
			`};`
			`};`
			`};`
explicit dependency between backup-vaultwarden and vaultwarden 2023-12-18 19:40:15 +00:00			`# NixOS upstream bug? Otherwise, backup-vaultwarden cannot find sqlite DB.`
			`systemd.services.backup-vaultwarden.after = [ "vaultwarden.service" ];`
api module: avoid simultaneous runs 2023-12-18 19:40:56 +00:00			`systemd.services.backup-vaultwarden.before = lib.mkForce [ ];`
move bitwarden to SP module 2023-12-03 08:29:01 +00:00			`};`
			`}`