mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-05 16:33:12 +00:00
move bitwarden to SP module
This commit is contained in:
parent
ade4dc08b1
commit
c0aa73ca1b
|
@ -7,7 +7,6 @@
|
|||
./users.nix
|
||||
./letsencrypt/acme.nix
|
||||
./letsencrypt/resolve.nix
|
||||
./passmgr/bitwarden.nix
|
||||
./webserver/nginx.nix
|
||||
./webserver/memcached.nix
|
||||
# ./resources/limits.nix
|
||||
|
|
18
files.nix
18
files.nix
|
@ -18,10 +18,7 @@ in
|
|||
domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
|
||||
in
|
||||
[
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
|
||||
];
|
||||
system.activationScripts =
|
||||
let
|
||||
|
@ -41,20 +38,5 @@ in
|
|||
chmod 0440 /var/lib/cloudflare/Credentials.ini
|
||||
chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
|
||||
'';
|
||||
bitwardenCredentials =
|
||||
if cfg.bitwarden.enable then ''
|
||||
mkdir -p /var/lib/bitwarden
|
||||
token=$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.bitwarden.adminToken')
|
||||
if [ "$token" == "null" ]; then
|
||||
# If it's null, delete the contents of the file
|
||||
> /var/lib/bitwarden/.env
|
||||
else
|
||||
echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
|
||||
fi
|
||||
chmod 0640 /var/lib/bitwarden/.env
|
||||
chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
|
||||
'' else ''
|
||||
rm -f /var/lib/bitwarden/.env
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
{ pkgs, lib, config, ... }:
|
||||
let
|
||||
cfg = config.selfprivacy;
|
||||
in
|
||||
{
|
||||
fileSystems = lib.mkIf cfg.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${cfg.bitwarden.location}/bitwarden";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${cfg.bitwarden.location}/bitwarden_rs";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services.vaultwarden = {
|
||||
enable = cfg.bitwarden.enable;
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/var/lib/bitwarden/backup";
|
||||
environmentFile = "/var/lib/bitwarden/.env";
|
||||
config = {
|
||||
domain = "https://password.${cfg.domain}/";
|
||||
signupsAllowed = true;
|
||||
rocketPort = 8222;
|
||||
};
|
||||
};
|
||||
}
|
17
sp-modules/bitwarden/cleanup-module.nix
Normal file
17
sp-modules/bitwarden/cleanup-module.nix
Normal file
|
@ -0,0 +1,17 @@
|
|||
{ config, lib, ... }:
|
||||
let
|
||||
inherit (import ./common.nix config) bitwarden-env sp;
|
||||
in
|
||||
# FIXME do we really want to delete passwords on module deactivation!?
|
||||
{
|
||||
config = lib.mkIf (!sp.modules.bitwarden.enable) {
|
||||
system.activationScripts.bitwarden =
|
||||
lib.trivial.warn
|
||||
(
|
||||
"bitwarden service is disabled, ${bitwarden-env} will be removed!"
|
||||
)
|
||||
''
|
||||
rm -f -v ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
}
|
5
sp-modules/bitwarden/common.nix
Normal file
5
sp-modules/bitwarden/common.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
config:
|
||||
{
|
||||
sp = config.selfprivacy;
|
||||
bitwarden-env = "/var/lib/bitwarden/.env";
|
||||
}
|
5
sp-modules/bitwarden/config-paths-needed.json
Normal file
5
sp-modules/bitwarden/config-paths-needed.json
Normal file
|
@ -0,0 +1,5 @@
|
|||
[
|
||||
[ "selfprivacy", "domain" ],
|
||||
[ "selfprivacy", "useBinds" ],
|
||||
[ "selfprivacy", "modules", "bitwarden" ]
|
||||
]
|
10
sp-modules/bitwarden/flake.nix
Normal file
10
sp-modules/bitwarden/flake.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
description = "PoC SP module for Bitwarden password management solution";
|
||||
|
||||
outputs = { self }: {
|
||||
nixosModules.default = _:
|
||||
{ imports = [ ./module.nix ./cleanup-module.nix ]; };
|
||||
configPathsNeeded =
|
||||
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
|
||||
};
|
||||
}
|
66
sp-modules/bitwarden/module.nix
Normal file
66
sp-modules/bitwarden/module.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
secrets-filepath = "/etc/selfprivacy/secrets.json";
|
||||
inherit (import ./common.nix config) bitwarden-env sp;
|
||||
in
|
||||
{
|
||||
options.selfprivacy.modules.bitwarden = {
|
||||
enable = lib.mkOption {
|
||||
default = false;
|
||||
type = with lib.types; nullOr bool;
|
||||
};
|
||||
location = lib.mkOption {
|
||||
default = "sda1";
|
||||
type = with lib.types; nullOr str;
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
|
||||
fileSystems = lib.mkIf sp.useBinds {
|
||||
"/var/lib/bitwarden" = {
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
"/var/lib/bitwarden_rs" = {
|
||||
device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
|
||||
options = [ "bind" ];
|
||||
};
|
||||
};
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/var/lib/bitwarden/backup";
|
||||
environmentFile = "${bitwarden-env}";
|
||||
config = {
|
||||
domain = "https://password.${sp.domain}/";
|
||||
signupsAllowed = true;
|
||||
rocketPort = 8222;
|
||||
};
|
||||
};
|
||||
systemd.services.bitwarden-secrets = {
|
||||
before = [ "vaultwarden.service" ];
|
||||
requiredBy = [ "vaultwarden.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
path = with pkgs; [ coreutils jq ];
|
||||
script = ''
|
||||
set -o nounset
|
||||
|
||||
token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
|
||||
if [ "$token" == "null" ]; then
|
||||
# If it's null, empty the contents of the file
|
||||
bitwarden_env=""
|
||||
else
|
||||
bitwarden_env="ADMIN_TOKEN=$token"
|
||||
fi
|
||||
# TODO revise this permissions mode
|
||||
install -m 0640 -o vaultwarden -g vaultwarden -DT \
|
||||
<(printf "%s" "$bitwarden_env") ${bitwarden-env}
|
||||
'';
|
||||
};
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/bitwarden 0777 vaultwarden vaultwarden -"
|
||||
"d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -"
|
||||
"f ${bitwarden-env} 0640 vaultwarden vaultwarden - -"
|
||||
];
|
||||
};
|
||||
}
|
|
@ -18,10 +18,6 @@ jsonData: { lib, ... }:
|
|||
server = {
|
||||
provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
|
||||
};
|
||||
bitwarden = {
|
||||
enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "bitwarden" "location" ] "sda1" jsonData;
|
||||
};
|
||||
gitea = {
|
||||
enable = lib.attrsets.attrByPath [ "gitea" "enable" ] false jsonData;
|
||||
location = lib.attrsets.attrByPath [ "gitea" "location" ] "sda1" jsonData;
|
||||
|
|
|
@ -109,16 +109,6 @@ with lib;
|
|||
##############
|
||||
# Services #
|
||||
##############
|
||||
bitwarden = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.nullOr types.bool;
|
||||
};
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
type = types.nullOr types.str;
|
||||
};
|
||||
};
|
||||
email = {
|
||||
location = mkOption {
|
||||
default = "sda1";
|
||||
|
|
Loading…
Reference in a new issue