2022-12-30 11:00:32 +01:00
|
|
|
{ customPkgs
|
|
|
|
, pkgs
|
2022-12-30 10:44:55 +01:00
|
|
|
, utils
|
|
|
|
}:
|
2022-12-30 11:00:32 +01:00
|
|
|
{ serviceName ? "Vaultwarden"
|
|
|
|
, subdomain ? "vaultwarden"
|
|
|
|
, domain ? ""
|
|
|
|
, ingress ? 18005
|
|
|
|
, signupsAllowed ? false
|
|
|
|
, signupsVerify ? true
|
|
|
|
|
2022-12-30 10:49:41 +01:00
|
|
|
, user ? "vaultwarden"
|
2022-12-30 10:44:55 +01:00
|
|
|
, group ? "vaultwarden"
|
2022-12-30 11:00:32 +01:00
|
|
|
, dataFolder ? "/var/lib/vaultwarden"
|
|
|
|
, postgresDatabase ? "vaultwarden"
|
|
|
|
, postgresUser ? "vaultwarden"
|
|
|
|
, postgresPasswordLocation ? "vaultwarden"
|
|
|
|
, webvaultEnabled ? true
|
|
|
|
, webvaultPath ? "/usr/share/webapps/vaultwarden"
|
|
|
|
|
2023-01-30 05:22:57 +01:00
|
|
|
, cookieSecretName ? "cookiesecret"
|
|
|
|
, clientSecretName ? "clientsecret"
|
|
|
|
|
2022-12-30 11:00:32 +01:00
|
|
|
, smtp ? {}
|
|
|
|
, sso ? {}
|
2022-12-30 10:49:41 +01:00
|
|
|
|
|
|
|
, distribution ? {}
|
2022-12-30 10:44:55 +01:00
|
|
|
}:
|
2022-12-30 10:49:41 +01:00
|
|
|
let
|
2022-12-30 11:00:32 +01:00
|
|
|
mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
|
2023-01-30 05:22:57 +01:00
|
|
|
|
|
|
|
ssoIngress = if sso != {} then ingress else null;
|
|
|
|
serviceIngress = if sso != {} then ingress+1 else ingress;
|
|
|
|
|
|
|
|
smtpConfig = smtp;
|
2022-12-30 10:49:41 +01:00
|
|
|
in
|
2022-12-30 11:00:32 +01:00
|
|
|
rec {
|
2022-12-30 10:44:55 +01:00
|
|
|
inherit user group;
|
2022-12-30 10:49:41 +01:00
|
|
|
|
2022-12-30 11:00:32 +01:00
|
|
|
dnsmasqSubdomains = [subdomain];
|
|
|
|
|
|
|
|
db = customPkgs.mkPostgresDB {
|
|
|
|
name = "${serviceName}PostgresDB";
|
|
|
|
|
|
|
|
database = postgresDatabase;
|
|
|
|
username = postgresUser;
|
|
|
|
# TODO: use passwordFile
|
|
|
|
password = postgresPasswordLocation;
|
|
|
|
};
|
|
|
|
|
|
|
|
web = mkVaultwardenWeb {
|
|
|
|
name = "${serviceName}Web";
|
|
|
|
|
|
|
|
path = webvaultPath;
|
|
|
|
};
|
|
|
|
|
|
|
|
service = let
|
|
|
|
name = "${serviceName}Service";
|
|
|
|
domain = utils.getDomain distribution name;
|
|
|
|
in {
|
|
|
|
inherit name;
|
|
|
|
|
2023-01-22 18:02:46 +01:00
|
|
|
pkg =
|
|
|
|
{ db
|
2022-12-30 11:00:32 +01:00
|
|
|
, web
|
2023-01-22 18:02:46 +01:00
|
|
|
}: let
|
|
|
|
postgresHost = db.target.properties.hostname;
|
|
|
|
in utils.systemd.mkService rec {
|
|
|
|
name = "vaultwarden";
|
|
|
|
|
|
|
|
content = ''
|
|
|
|
[Unit]
|
|
|
|
Description=Vaultwarden Server
|
|
|
|
Documentation=https://github.com/dani-garcia/vaultwarden
|
|
|
|
After=network.target
|
2023-01-30 05:22:57 +01:00
|
|
|
After=${utils.keyServiceDependencies smtpConfig.keys}
|
|
|
|
Wants=${utils.keyServiceDependencies smtpConfig.keys}
|
2023-01-22 18:02:46 +01:00
|
|
|
|
|
|
|
[Service]
|
|
|
|
Environment=DATA_FOLDER=${dataFolder}
|
|
|
|
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPasswordLocation}@${postgresHost}/${postgresDatabase}
|
|
|
|
Environment=IP_HEADER=X-Real-IP
|
|
|
|
|
|
|
|
Environment=WEB_VAULT_FOLDER=${web.path}
|
|
|
|
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
|
|
|
|
|
|
|
|
Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
|
|
|
|
Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
|
|
|
|
# Disabled because the /admin path is protected by SSO
|
|
|
|
Environment=DISABLE_ADMIN_TOKEN=true
|
|
|
|
Environment=INVITATIONS_ALLOWED=true
|
|
|
|
Environment=DOMAIN=https://${subdomain}.${domain}
|
|
|
|
|
|
|
|
# Assumes we're behind a reverse proxy
|
|
|
|
Environment=ROCKET_ADDRESS=127.0.0.1
|
2023-01-30 05:22:57 +01:00
|
|
|
Environment=ROCKET_PORT=${builtins.toString serviceIngress}
|
2023-01-22 18:02:46 +01:00
|
|
|
Environment=USE_SYSLOG=true
|
|
|
|
Environment=EXTENDED_LOGGING=true
|
|
|
|
Environment=LOG_FILE=
|
|
|
|
Environment=LOG_LEVEL=trace
|
|
|
|
|
2023-01-30 05:22:57 +01:00
|
|
|
${utils.keyEnvironmentFiles smtpConfig.keys}
|
|
|
|
Environment=SMTP_FROM=${smtpConfig.from}
|
|
|
|
Environment=SMTP_FROM_NAME=${smtpConfig.fromName}
|
|
|
|
Environment=SMTP_PORT=${builtins.toString smtpConfig.port}
|
|
|
|
Environment=SMTP_AUTH_MECHANISM=${smtpConfig.authMechanism}
|
2023-01-22 18:02:46 +01:00
|
|
|
|
|
|
|
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
|
|
|
|
WorkingDirectory=${dataFolder}
|
|
|
|
StateDirectory=${name}
|
|
|
|
User=${user}
|
|
|
|
Group=${group}
|
|
|
|
|
|
|
|
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
|
|
|
|
# that capability
|
2023-01-30 05:22:57 +01:00
|
|
|
CapabilityBoundingSet=${if serviceIngress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
|
|
|
|
AmbientCapabilities=${if serviceIngress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
|
2023-01-22 18:02:46 +01:00
|
|
|
|
|
|
|
PrivateUsers=yes
|
|
|
|
NoNewPrivileges=yes
|
|
|
|
LimitNOFILE=1048576
|
|
|
|
UMask=0077
|
|
|
|
ProtectSystem=strict
|
|
|
|
ProtectHome=yes
|
|
|
|
# ReadWritePaths=${dataFolder}
|
|
|
|
PrivateTmp=yes
|
|
|
|
PrivateDevices=yes
|
|
|
|
ProtectHostname=yes
|
|
|
|
ProtectClock=yes
|
|
|
|
ProtectKernelTunables=yes
|
|
|
|
ProtectKernelModules=yes
|
|
|
|
ProtectKernelLogs=yes
|
|
|
|
ProtectControlGroups=yes
|
|
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
|
|
RestrictNamespaces=yes
|
|
|
|
LockPersonality=yes
|
|
|
|
MemoryDenyWriteExecute=yes
|
|
|
|
RestrictRealtime=yes
|
|
|
|
RestrictSUIDSGID=yes
|
|
|
|
RemoveIPC=yes
|
|
|
|
|
|
|
|
SystemCallFilter=@system-service
|
|
|
|
SystemCallFilter=~@privileged @resources
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|
|
|
|
'';
|
|
|
|
};
|
2022-12-30 11:00:32 +01:00
|
|
|
|
|
|
|
dependsOn = {
|
|
|
|
inherit db;
|
|
|
|
inherit web;
|
|
|
|
};
|
|
|
|
type = "systemd-unit";
|
|
|
|
};
|
|
|
|
|
2022-12-30 10:49:41 +01:00
|
|
|
haproxy = service: {
|
|
|
|
frontend = {
|
|
|
|
acl = {
|
|
|
|
acl_vaultwarden = "hdr_beg(host) vaultwarden.";
|
|
|
|
};
|
|
|
|
use_backend = "if acl_vaultwarden";
|
|
|
|
};
|
|
|
|
backend = {
|
2023-01-01 00:18:51 +01:00
|
|
|
# TODO: instead, we should generate target specific service https://hydra.nixos.org/build/203347995/download/2/manual/#idm140737322273072
|
|
|
|
servers = map (dist: {
|
2023-01-22 18:02:46 +01:00
|
|
|
name = "vaultwarden_${dist.properties.hostname}_1";
|
|
|
|
# TODO: should use the hostname
|
|
|
|
# address = "${dist.properties.hostname}:${builtins.toString ingress}";
|
|
|
|
address = "127.0.0.1:${builtins.toString ingress}";
|
|
|
|
resolvers = "default";
|
2023-01-01 00:18:51 +01:00
|
|
|
}) service;
|
2022-12-30 10:49:41 +01:00
|
|
|
};
|
|
|
|
};
|
2022-12-30 11:00:32 +01:00
|
|
|
|
2023-01-30 05:22:57 +01:00
|
|
|
oauth2Proxy = {
|
|
|
|
name = "${serviceName}Oauth2Proxy";
|
|
|
|
serviceName = subdomain;
|
|
|
|
inherit domain;
|
|
|
|
cookieSecret = "${serviceName}_oauth2proxy_cookiesecret";
|
|
|
|
clientSecret = "${serviceName}_oauth2proxy_clientsecret";
|
|
|
|
};
|
|
|
|
|
2022-12-30 11:00:32 +01:00
|
|
|
keycloakCliConfig = {
|
|
|
|
clients = {
|
|
|
|
vaultwarden = {
|
|
|
|
roles = ["uma_protection"];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
2023-01-29 01:01:04 +01:00
|
|
|
|
2023-02-05 09:27:09 +01:00
|
|
|
deployKeys = domain: {
|
2023-01-30 05:22:57 +01:00
|
|
|
"${serviceName}_oauth2proxy_cookiesecret".text = ''
|
|
|
|
OAUTH2_PROXY_COOKIE_SECRET="${builtins.extraBuiltins.pass "${domain}/${subdomain}/${cookieSecretName}"}"
|
|
|
|
'';
|
|
|
|
"${serviceName}_oauth2proxy_clientsecret".text = ''
|
|
|
|
OAUTH2_PROXY_CLIENT_SECRET="${builtins.extraBuiltins.pass "${domain}/${subdomain}/${clientSecretName}"}"
|
|
|
|
'';
|
|
|
|
"${serviceName}_smtp_all".text = ''
|
|
|
|
SMTP_HOST="${builtins.extraBuiltins.pass "mailgun.com/mg.tiserbox.com/smtp_hostname"}"
|
|
|
|
SMTP_USERNAME="${builtins.extraBuiltins.pass "mailgun.com/mg.tiserbox.com/smtp_login"}"
|
|
|
|
SMTP_PASSWORD="${builtins.extraBuiltins.pass "mailgun.com/mg.tiserbox.com/password"}"
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
smtp.keys.setup = "${serviceName}_smtp_all";
|
|
|
|
|
2023-01-29 01:01:04 +01:00
|
|
|
services = {
|
|
|
|
${db.name} = db;
|
|
|
|
${web.name} = web;
|
|
|
|
${service.name} = service;
|
|
|
|
};
|
|
|
|
|
|
|
|
distribute = on: {
|
|
|
|
${db.name} = on;
|
|
|
|
${web.name} = on;
|
|
|
|
${service.name} = on;
|
|
|
|
};
|
2022-12-30 11:00:32 +01:00
|
|
|
}
|