2023-11-07 04:47:31 +01:00
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
|
|
|
|
let
|
|
|
|
cfg = config.shb.vaultwarden;
|
|
|
|
|
2024-01-12 08:22:46 +01:00
|
|
|
contracts = pkgs.callPackage ../contracts {};
|
2024-02-10 05:56:26 +01:00
|
|
|
shblib = pkgs.callPackage ../../lib {};
|
2024-01-12 08:22:46 +01:00
|
|
|
|
2023-11-07 04:47:31 +01:00
|
|
|
fqdn = "${cfg.subdomain}.${cfg.domain}";
|
2024-08-12 03:04:20 +02:00
|
|
|
|
2024-08-31 11:22:30 +02:00
|
|
|
dataFolder = if lib.versionOlder (config.system.stateVersion or "24.11") "24.11" then "/var/lib/bitwarden_rs" else "/var/lib/vaultwarden";
|
2023-11-07 04:47:31 +01:00
|
|
|
in
|
|
|
|
{
|
|
|
|
options.shb.vaultwarden = {
|
|
|
|
enable = lib.mkEnableOption "selfhostblocks.vaultwarden";
|
|
|
|
|
|
|
|
subdomain = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "Subdomain under which Authelia will be served.";
|
|
|
|
example = "ha";
|
|
|
|
};
|
|
|
|
|
|
|
|
domain = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "domain under which Authelia will be served.";
|
|
|
|
example = "mydomain.com";
|
|
|
|
};
|
|
|
|
|
2024-01-12 08:22:46 +01:00
|
|
|
ssl = lib.mkOption {
|
|
|
|
description = "Path to SSL files";
|
|
|
|
type = lib.types.nullOr contracts.ssl.certs;
|
|
|
|
default = null;
|
|
|
|
};
|
|
|
|
|
2023-11-07 04:47:31 +01:00
|
|
|
port = lib.mkOption {
|
|
|
|
type = lib.types.port;
|
|
|
|
description = "Port on which vaultwarden service listens.";
|
|
|
|
default = 8222;
|
|
|
|
};
|
|
|
|
|
2023-11-30 21:48:57 +01:00
|
|
|
authEndpoint = lib.mkOption {
|
2024-05-25 00:02:38 +02:00
|
|
|
type = lib.types.nullOr lib.types.str;
|
2023-11-07 04:47:31 +01:00
|
|
|
description = "OIDC endpoint for SSO";
|
2024-05-25 00:02:38 +02:00
|
|
|
default = null;
|
2023-11-07 04:47:31 +01:00
|
|
|
example = "https://authelia.example.com";
|
|
|
|
};
|
|
|
|
|
|
|
|
databasePasswordFile = lib.mkOption {
|
2024-05-25 00:02:38 +02:00
|
|
|
type = lib.types.path;
|
2023-11-07 04:47:31 +01:00
|
|
|
description = "File containing the password to connect to the postgresql database.";
|
|
|
|
};
|
|
|
|
|
|
|
|
smtp = lib.mkOption {
|
2023-12-04 09:33:16 +01:00
|
|
|
description = "SMTP options.";
|
2024-05-25 00:02:38 +02:00
|
|
|
default = null;
|
|
|
|
type = lib.types.nullOr (lib.types.submodule {
|
2023-11-07 04:47:31 +01:00
|
|
|
options = {
|
|
|
|
from_address = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "SMTP address from which the emails originate.";
|
|
|
|
example = "vaultwarden@mydomain.com";
|
|
|
|
};
|
|
|
|
from_name = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "SMTP name from which the emails originate.";
|
|
|
|
default = "Vaultwarden";
|
|
|
|
};
|
|
|
|
host = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "SMTP host to send the emails to.";
|
|
|
|
};
|
|
|
|
security = lib.mkOption {
|
|
|
|
type = lib.types.enum [ "starttls" "force_tls" "off" ];
|
|
|
|
description = "Security expected by SMTP host.";
|
|
|
|
default = "starttls";
|
|
|
|
};
|
|
|
|
port = lib.mkOption {
|
|
|
|
type = lib.types.port;
|
|
|
|
description = "SMTP port to send the emails to.";
|
|
|
|
default = 25;
|
|
|
|
};
|
|
|
|
username = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "Username to connect to the SMTP host.";
|
|
|
|
};
|
|
|
|
auth_mechanism = lib.mkOption {
|
|
|
|
type = lib.types.enum [ "Login" ];
|
|
|
|
description = "Auth mechanism.";
|
|
|
|
default = "Login";
|
|
|
|
};
|
|
|
|
passwordFile = lib.mkOption {
|
|
|
|
type = lib.types.str;
|
|
|
|
description = "File containing the password to connect to the SMTP host.";
|
|
|
|
};
|
|
|
|
};
|
2024-05-25 00:02:38 +02:00
|
|
|
});
|
2023-11-07 04:47:31 +01:00
|
|
|
};
|
|
|
|
|
2024-08-12 03:04:20 +02:00
|
|
|
mount = lib.mkOption {
|
|
|
|
type = contracts.mount;
|
|
|
|
description = ''
|
|
|
|
Mount configuration. This is an output option.
|
|
|
|
|
|
|
|
Use it to initialize a block implementing the "mount" contract.
|
|
|
|
For example, with a zfs dataset:
|
|
|
|
|
|
|
|
```
|
|
|
|
shb.zfs.datasets."vaultwarden" = {
|
|
|
|
poolName = "root";
|
|
|
|
} // config.shb.vaultwarden.mount;
|
|
|
|
```
|
|
|
|
'';
|
|
|
|
readOnly = true;
|
|
|
|
default = { path = dataFolder; };
|
|
|
|
};
|
|
|
|
|
2024-08-20 07:09:10 +02:00
|
|
|
backup = lib.mkOption {
|
|
|
|
type = contracts.backup;
|
|
|
|
description = ''
|
|
|
|
Backup configuration. This is an output option.
|
|
|
|
|
|
|
|
Use it to initialize a block implementing the "backup" contract.
|
|
|
|
For example, with the restic block:
|
|
|
|
|
|
|
|
```
|
|
|
|
shb.restic.instances."vaultwarden" = {
|
2024-08-20 16:33:13 +02:00
|
|
|
enable = true;
|
|
|
|
|
|
|
|
# Options specific to Restic.
|
2024-08-20 07:09:10 +02:00
|
|
|
} // config.shb.vaultwarden.backup;
|
|
|
|
```
|
|
|
|
'';
|
|
|
|
readOnly = true;
|
|
|
|
default = {
|
2024-08-24 07:37:18 +02:00
|
|
|
user = "vaultwarden";
|
2024-08-20 07:09:10 +02:00
|
|
|
sourceDirectories = [
|
|
|
|
dataFolder
|
|
|
|
];
|
|
|
|
};
|
2023-11-07 04:47:31 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
debug = lib.mkOption {
|
|
|
|
type = lib.types.bool;
|
|
|
|
description = "Set to true to enable debug logging.";
|
|
|
|
default = false;
|
|
|
|
example = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
services.vaultwarden = {
|
|
|
|
enable = true;
|
|
|
|
dbBackend = "postgresql";
|
|
|
|
config = {
|
|
|
|
IP_HEADER = "X-Real-IP";
|
|
|
|
SIGNUPS_ALLOWED = false;
|
|
|
|
# Disabled because the /admin path is protected by SSO
|
|
|
|
DISABLE_ADMIN_TOKEN = true;
|
|
|
|
INVITATIONS_ALLOWED = true;
|
|
|
|
DOMAIN = "https://${fqdn}";
|
|
|
|
USE_SYSLOG = true;
|
|
|
|
EXTENDED_LOGGING = cfg.debug;
|
|
|
|
LOG_LEVEL = if cfg.debug then "trace" else "info";
|
|
|
|
ROCKET_LOG = if cfg.debug then "trace" else "info";
|
|
|
|
ROCKET_ADDRESS = "127.0.0.1";
|
|
|
|
ROCKET_PORT = cfg.port;
|
2024-05-25 00:02:38 +02:00
|
|
|
} // lib.optionalAttrs (cfg.smtp != null) {
|
2023-11-07 04:47:31 +01:00
|
|
|
SMTP_FROM = cfg.smtp.from_address;
|
|
|
|
SMTP_FROM_NAME = cfg.smtp.from_name;
|
|
|
|
SMTP_HOST = cfg.smtp.host;
|
|
|
|
SMTP_SECURITY = cfg.smtp.security;
|
|
|
|
SMTP_USERNAME = cfg.smtp.username;
|
|
|
|
SMTP_PORT = cfg.smtp.port;
|
|
|
|
SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism;
|
|
|
|
};
|
2024-08-12 03:04:20 +02:00
|
|
|
environmentFile = "${dataFolder}/vaultwarden.env";
|
2023-11-07 04:47:31 +01:00
|
|
|
};
|
|
|
|
# We create a blank environment file for the service to start. Then, ExecPreStart kicks in and
|
|
|
|
# fills out the environment file for ExecStart to pick it up.
|
|
|
|
systemd.tmpfiles.rules = [
|
2024-08-12 03:04:20 +02:00
|
|
|
"d ${dataFolder} 0750 vaultwarden vaultwarden"
|
|
|
|
"f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
|
2023-11-07 04:47:31 +01:00
|
|
|
];
|
2024-08-31 09:57:21 +02:00
|
|
|
# Needed to be able to write template config.
|
|
|
|
systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;
|
2023-11-07 04:47:31 +01:00
|
|
|
systemd.services.vaultwarden.preStart =
|
2024-03-01 00:34:53 +01:00
|
|
|
shblib.replaceSecrets {
|
|
|
|
userConfig = {
|
|
|
|
DATABASE_URL.source = cfg.databasePasswordFile;
|
|
|
|
DATABASE_URL.transform = v: "postgresql://vaultwarden:${v}@127.0.0.1:5432/vaultwarden";
|
2024-05-25 00:02:38 +02:00
|
|
|
} // lib.optionalAttrs (cfg.smtp != null) {
|
2024-03-01 00:34:53 +01:00
|
|
|
SMTP_PASSWORD.source = cfg.smtp.passwordFile;
|
2023-11-07 04:47:31 +01:00
|
|
|
};
|
2024-08-12 03:04:20 +02:00
|
|
|
resultPath = "${dataFolder}/vaultwarden.env";
|
2024-05-25 00:02:38 +02:00
|
|
|
generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
|
2024-03-01 00:34:53 +01:00
|
|
|
};
|
2023-11-07 04:47:31 +01:00
|
|
|
|
2024-05-25 00:01:45 +02:00
|
|
|
shb.nginx.vhosts = [
|
2023-11-07 04:47:31 +01:00
|
|
|
{
|
2024-01-12 08:22:46 +01:00
|
|
|
inherit (cfg) subdomain domain authEndpoint ssl;
|
2023-11-07 04:47:31 +01:00
|
|
|
upstream = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
|
2024-05-25 00:01:45 +02:00
|
|
|
autheliaRules = lib.mkIf (cfg.authEndpoint != null) [
|
2023-11-07 04:47:31 +01:00
|
|
|
{
|
2023-11-08 22:53:32 +01:00
|
|
|
domain = "${fqdn}";
|
2023-11-07 04:47:31 +01:00
|
|
|
policy = "two_factor";
|
|
|
|
subject = ["group:vaultwarden_admin"];
|
2023-11-08 22:53:32 +01:00
|
|
|
resources = [
|
|
|
|
"^/admin"
|
|
|
|
];
|
|
|
|
}
|
|
|
|
# There's no way to protect the webapp using Authelia this way, see
|
|
|
|
# https://github.com/dani-garcia/vaultwarden/discussions/3188
|
|
|
|
{
|
|
|
|
domain = fqdn;
|
|
|
|
policy = "bypass";
|
2023-11-07 04:47:31 +01:00
|
|
|
}
|
|
|
|
];
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
2023-11-23 10:03:33 +01:00
|
|
|
shb.postgresql.enableTCPIP = true;
|
|
|
|
shb.postgresql.ensures = [
|
2023-11-07 04:47:31 +01:00
|
|
|
{
|
|
|
|
username = "vaultwarden";
|
|
|
|
database = "vaultwarden";
|
2024-05-25 00:02:38 +02:00
|
|
|
passwordFile = builtins.toString cfg.databasePasswordFile;
|
2023-11-07 04:47:31 +01:00
|
|
|
}
|
|
|
|
];
|
2024-08-12 03:04:20 +02:00
|
|
|
# TODO: make this work.
|
|
|
|
# It does not work because it leads to infinite recursion.
|
|
|
|
# ${cfg.mount}.path = dataFolder;
|
2023-11-07 04:47:31 +01:00
|
|
|
};
|
|
|
|
}
|