1
0
Fork 0

add vaultwarden service without protected /admin

This commit is contained in:
ibizaman 2022-12-17 16:45:00 -08:00
parent e9ef7f3a1a
commit 4b0274153c
6 changed files with 182 additions and 2 deletions

View file

@ -56,6 +56,9 @@ let
mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;};
TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;};
mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;};
mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;};
};
in
self

View file

@ -5,8 +5,11 @@
}:
{ configDir ? "/etc/haproxy"
, configFile ? "haproxy.cfg"
, user
, group
, config
}:
dependsOn:
with builtins;
with lib.attrsets;
@ -21,5 +24,5 @@ in
utils.mkConfigFile {
name = configFile;
dir = configDir;
content = configcreator.render (configcreator.default config);
content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
}

View file

@ -3,15 +3,19 @@
{ name
, configDir
, configFile
, user
, group
, config
, dependsOn ? {}
}:
{
inherit name configDir configFile;
inherit (config) user group;
inherit user group;
pkg = HaproxyConfig {
inherit configDir configFile;
inherit config;
inherit user group;
};
inherit dependsOn;

View file

@ -20,6 +20,7 @@ assert lib.assertMsg (
# contains a sub folder named postgresql-databases/, then the dump files stored
# inside get imported.
# TODO: https://stackoverflow.com/a/69480184/1013628
stdenv.mkDerivation {
name = postgresDatabase;

134
vaultwarden/unit.nix Normal file
View file

@ -0,0 +1,134 @@
{ stdenv
, pkgs
, utils
}:
{ name ? "vaultwarden"
, user ? "vaultwarden"
, group ? "vaultwarden"
, port ? 18005
, dataFolder ? "/var/lib/vaultwarden"
, hostname
, postgresDatabase ? "vaultwarden"
, postgresUser ? "vaultwarden"
, postgresPassword
, postgresHost ? x: "127.0.0.1"
, smtpFrom
, smtpFromName ? "vaultwarden"
, smtpPort ? 587
, smtpAuthMechanism ? "Login"
, webvaultEnabled ? false
, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
, signupsAllowed ? false
, signupsVerify ? true
, keys
, VaultwardenWeb
, VaultwardenPostgresDB
}:
{
inherit name;
inherit port;
pkg =
{ VaultwardenPostgresDB
, VaultwardenWeb
}: utils.systemd.mkService rec {
name = "vaultwarden";
content = ''
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
After=${utils.keyServiceDependencies keys}
Wants=${utils.keyServiceDependencies keys}
[Service]
Environment=DATA_FOLDER=${dataFolder}
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
Environment=IP_HEADER=X-Real-IP
Environment=WEB_VAULT_FOLDER=${webvaultFolder}
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
Environment=SIGNUPS_ALLOWED=${signupsAllowed}
Environment=SIGNUPS_VERIFY=${signupsVerify}
# Implies the /admin path is protected
Environment=DISABLE_ADMIN_TOKEN=true
Environment=INVITATIONS_ALLOWED=true
Environment=DOMAIN=https://${hostname}
# Assumes we're behind a reverse proxy
Environment=ROCKET_ADDRESS=127.0.0.1
Environment=ROCKET_PORT=${builtins.toString port}
Environment=USE_SYSLOG=true
Environment=EXTENDED_LOGGING=true
Environment=LOG_FILE=
Environment=LOG_LEVEL=trace
${utils.keyEnvironmentFile keys.smtpSetup}
Environment=SMTP_FROM=${smtpFrom}
Environment=SMTP_FROM_NAME=${smtpFromName}
Environment=SMTP_PORT=${builtins.toString smtpPort}
Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
WorkingDirectory=${dataFolder}
User=${user}
Group=${group}
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
# that capability
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
# If vaultwarden is run at ports >1024, you should apply these options via a
# drop-in file
CapabilityBoundingSet=
AmbientCapabilities=
PrivateUsers=yes
NoNewPrivileges=yes
LimitNOFILE=1048576
UMask=0077
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${dataFolder}
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
'';
};
dependsOn = {
inherit VaultwardenWeb;
inherit VaultwardenPostgresDB;
};
type = "systemd-unit";
}

35
vaultwarden/web.nix Normal file
View file

@ -0,0 +1,35 @@
{ stdenv
, pkgs
, utils
}:
{ name
, path
}:
{
inherit name;
inherit path;
pkg = stdenv.mkDerivation rec {
inherit name;
buildCommand =
let
dir = dirOf path;
base = baseNameOf path;
in ''
mkdir -p $out
ln -s ${pkgs.vaultwarden-vault}/share/vaultwarden/vault $out/${base}
echo "${dir}" > $out/.dysnomia-targetdir
cat > $out/.dysnomia-fileset <<FILESET
symlink $out/${base}
target .
FILESET
'';
};
type = "fileset";
}