selfprivacy-nixos-config/sp-modules/bitwarden/module.nix

74 lines
2.1 KiB
Nix
Raw Normal View History

2023-12-03 08:29:01 +00:00
{ config, lib, pkgs, ... }:
let
secrets-filepath = "/etc/selfprivacy/secrets.json";
backup-dir = "/var/lib/bitwarden/backup";
2023-12-03 08:29:01 +00:00
inherit (import ./common.nix config) bitwarden-env sp;
in
{
options.selfprivacy.modules.bitwarden = {
enable = lib.mkOption {
default = false;
type = with lib.types; nullOr bool;
};
location = lib.mkOption {
default = "sda1";
type = with lib.types; nullOr str;
};
};
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
fileSystems = lib.mkIf sp.useBinds {
"/var/lib/bitwarden" = {
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
options = [
"bind"
"x-systemd.required-by=bitwarden-secrets.service"
"x-systemd.required-by=vaultwarden.service"
];
2023-12-03 08:29:01 +00:00
};
"/var/lib/bitwarden_rs" = {
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
options = [
"bind"
"x-systemd.required-by=bitwarden-secrets.service"
"x-systemd.required-by=vaultwarden.service"
];
2023-12-03 08:29:01 +00:00
};
};
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
backupDir = backup-dir;
2023-12-03 08:29:01 +00:00
environmentFile = "${bitwarden-env}";
config = {
domain = "https://password.${sp.domain}/";
signupsAllowed = true;
rocketPort = 8222;
};
};
systemd.services.bitwarden-secrets = {
before = [ "vaultwarden.service" ];
requiredBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils jq ];
script = ''
set -o nounset
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
if [ "$token" == "null" ]; then
# If it's null, empty the contents of the file
bitwarden_env=""
else
bitwarden_env="ADMIN_TOKEN=$token"
fi
install -C -m 0700 -o vaultwarden -g vaultwarden \
-d /var/lib/bitwarden
install -C -m 0600 -o vaultwarden -g vaultwarden -DT \
2023-12-03 08:29:01 +00:00
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
'';
};
};
}