From 4b0274153c929f8196fef1bb6d54019a804e172b Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 17 Dec 2022 16:45:00 -0800 Subject: [PATCH] add vaultwarden service without protected /admin --- all-packages.nix | 3 + haproxy/config.nix | 5 +- haproxy/mkconfig.nix | 6 +- postgresdb/default.nix | 1 + vaultwarden/unit.nix | 134 +++++++++++++++++++++++++++++++++++++++++ vaultwarden/web.nix | 35 +++++++++++ 6 files changed, 182 insertions(+), 2 deletions(-) create mode 100644 vaultwarden/unit.nix create mode 100644 vaultwarden/web.nix diff --git a/all-packages.nix b/all-packages.nix index fcf5442..66c15f4 100644 --- a/all-packages.nix +++ b/all-packages.nix @@ -56,6 +56,9 @@ let mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;}; TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;}; mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;}; + + mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;}; + mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;}; }; in self diff --git a/haproxy/config.nix b/haproxy/config.nix index 88bc688..209a91f 100644 --- a/haproxy/config.nix +++ b/haproxy/config.nix @@ -5,8 +5,11 @@ }: { configDir ? "/etc/haproxy" , configFile ? "haproxy.cfg" +, user +, group , config }: +dependsOn: with builtins; with lib.attrsets; @@ -21,5 +24,5 @@ in utils.mkConfigFile { name = configFile; dir = configDir; - content = configcreator.render (configcreator.default config); + content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;})); } diff --git a/haproxy/mkconfig.nix b/haproxy/mkconfig.nix index 11cfaf5..88689dd 100644 --- a/haproxy/mkconfig.nix +++ b/haproxy/mkconfig.nix 
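Review bot: The second haproxy/config.nix hunk changes the file's contract without documenting it: with the new curried `dependsOn:` argument the file now evaluates to a function instead of the config-file derivation, and `config` is now expected to be a function of `dependsOn` whose result is merged with the `user`/`group` attributes. Nothing in either hunk records this, so a caller that still passes a plain attribute set for `config` will only learn about it from an evaluation error. A short header comment above the argument, along the lines of "Takes dependsOn and returns the rendered config file; config must be a function of dependsOn", would make the shape explicit. The same expectation is what makes `pkg` in the haproxy/mkconfig.nix hunk a function of dependsOn as well, which is worth stating there too.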
@@ -3,15 +3,19 @@ { name , configDir , configFile +, user +, group , config , dependsOn ? {} }: { inherit name configDir configFile; - inherit (config) user group; + inherit user group; + pkg = HaproxyConfig { inherit configDir configFile; inherit config; + inherit user group; }; inherit dependsOn; diff --git a/postgresdb/default.nix b/postgresdb/default.nix index 0e3e0db..2f1f9d3 100644 --- a/postgresdb/default.nix +++ b/postgresdb/default.nix @@ -20,6 +20,7 @@ assert lib.assertMsg ( # contains a sub folder named postgresql-databases/, then the dump files stored # inside get imported. +# TODO: https://stackoverflow.com/a/69480184/1013628 stdenv.mkDerivation { name = postgresDatabase; diff --git a/vaultwarden/unit.nix b/vaultwarden/unit.nix new file mode 100644 index 0000000..07b2394 --- /dev/null +++ b/vaultwarden/unit.nix 
@@ -0,0 +1,134 @@ +{ stdenv +, pkgs +, utils +}: +{ name ? "vaultwarden" +, user ? "vaultwarden" +, group ? "vaultwarden" +, port ? 18005 +, dataFolder ? "/var/lib/vaultwarden" +, hostname +, postgresDatabase ? "vaultwarden" +, postgresUser ? "vaultwarden" +, postgresPassword +, postgresHost ? x: "127.0.0.1" + +, smtpFrom +, smtpFromName ? "vaultwarden" +, smtpPort ? 587 +, smtpAuthMechanism ? "Login" + +, webvaultEnabled ? false +, webvaultFolder ? "/usr/share/webapps/vaultwarden-web" +, signupsAllowed ? false +, signupsVerify ? true + +, keys + +, VaultwardenWeb +, VaultwardenPostgresDB +}: + +{ + inherit name; + + inherit port; + + pkg = + { VaultwardenPostgresDB + , VaultwardenWeb + }: utils.systemd.mkService rec { + name = "vaultwarden"; + + content = '' + [Unit] + Description=Vaultwarden Server + Documentation=https://github.com/dani-garcia/vaultwarden + After=network.target + After=${utils.keyServiceDependencies keys} + Wants=${utils.keyServiceDependencies keys} + + [Service] + Environment=DATA_FOLDER=${dataFolder} + Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase} + Environment=IP_HEADER=X-Real-IP + + Environment=WEB_VAULT_FOLDER=${webvaultFolder} + Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"} + + Environment=SIGNUPS_ALLOWED=${signupsAllowed} + Environment=SIGNUPS_VERIFY=${signupsVerify} + # Implies the /admin path is protected + Environment=DISABLE_ADMIN_TOKEN=true + Environment=INVITATIONS_ALLOWED=true + Environment=DOMAIN=https://${hostname} + + # Assumes we're behind a reverse proxy + Environment=ROCKET_ADDRESS=127.0.0.1 + Environment=ROCKET_PORT=${builtins.toString port} + Environment=USE_SYSLOG=true + Environment=EXTENDED_LOGGING=true + Environment=LOG_FILE= + Environment=LOG_LEVEL=trace + + ${utils.keyEnvironmentFile keys.smtpSetup} + Environment=SMTP_FROM=${smtpFrom} + Environment=SMTP_FROM_NAME=${smtpFromName} + 
Environment=SMTP_PORT=${builtins.toString smtpPort} + Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism} + + ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden + WorkingDirectory=${dataFolder} + User=${user} + Group=${group} + + # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to + # that capability + #CapabilityBoundingSet=CAP_NET_BIND_SERVICE + #AmbientCapabilities=CAP_NET_BIND_SERVICE + + # If vaultwarden is run at ports >1024, you should apply these options via a + # drop-in file + CapabilityBoundingSet= + AmbientCapabilities= + PrivateUsers=yes + + NoNewPrivileges=yes + + LimitNOFILE=1048576 + UMask=0077 + + ProtectSystem=strict + ProtectHome=yes + ReadWritePaths=${dataFolder} + PrivateTmp=yes + PrivateDevices=yes + ProtectHostname=yes + ProtectClock=yes + ProtectKernelTunables=yes + ProtectKernelModules=yes + ProtectKernelLogs=yes + ProtectControlGroups=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + RestrictNamespaces=yes + LockPersonality=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes + RestrictSUIDSGID=yes + RemoveIPC=yes + + SystemCallFilter=@system-service + SystemCallFilter=~@privileged @resources + SystemCallArchitectures=native + + [Install] + WantedBy=multi-user.target + ''; + }; + + dependsOn = { + inherit VaultwardenWeb; + inherit VaultwardenPostgresDB; + }; + type = "systemd-unit"; +} diff --git a/vaultwarden/web.nix b/vaultwarden/web.nix new file mode 100644 index 0000000..d0b0e42 --- /dev/null +++ b/vaultwarden/web.nix @@ -0,0 +1,35 @@ +{ stdenv +, pkgs +, utils +}: +{ name +, path +}: + +{ + inherit name; + + inherit path; + + pkg = stdenv.mkDerivation rec { + inherit name; + + buildCommand = + let + dir = dirOf path; + base = baseNameOf path; + in '' + mkdir -p $out + ln -s ${pkgs.vaultwarden-vault}/share/vaultwarden/vault $out/${base} + + echo "${dir}" > $out/.dysnomia-targetdir + + cat > $out/.dysnomia-fileset <
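Review bot: `Environment=SIGNUPS_ALLOWED=${signupsAllowed}` and `Environment=SIGNUPS_VERIFY=${signupsVerify}` interpolate the Nix booleans the parameters default to (`false` and `true`), which as far as I can tell Nix refuses to coerce into a string, so evaluation fails unless every caller passes strings; render them the way WEB_VAULT_ENABLED already is, e.g. `Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}`. The DATABASE_URL line embeds `postgresPassword` in the unit text, so the password presumably ends up in the world-readable Nix store and in `systemctl show` output, whereas the SMTP credentials already go through `utils.keyEnvironmentFile keys.smtpSetup`; routing DATABASE_URL through the same kind of environment file would keep it out of the store. The comment `# Implies the /admin path is protected` reads backwards: DISABLE_ADMIN_TOKEN=true removes vaultwarden's own admin authentication, and the subject line says the proxy does not yet protect /admin, so `# DISABLE_ADMIN_TOKEN=true drops the admin token: /admin must be protected by the reverse proxy (not yet done)` states the real precondition. `LOG_LEVEL=trace` together with EXTENDED_LOGGING is also unusually verbose for a production default and deserves a comment saying why it is set that way.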