add vaultwarden service without protected /admin

all-packages.nix

@@ -56,6 +56,9 @@ let
     mkTtrssUpgradeDBService = callPackage ./ttrss/mkdbupgrade.nix {inherit TtrssUpgradeDBService;};
     TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
     mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;};
+
+    mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;};
+    mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;};
   };
 in
 self

haproxy/config.nix

@@ -5,8 +5,11 @@
 }:
 { configDir ? "/etc/haproxy"
 , configFile ? "haproxy.cfg"
+, user
+, group
 , config
 }:
+dependsOn:
 
 with builtins;
 with lib.attrsets;
@@ -21,5 +24,5 @@ in
 utils.mkConfigFile {
   name = configFile;
   dir = configDir;
-  content = configcreator.render (configcreator.default config);
+  content = configcreator.render (configcreator.default (config dependsOn // {inherit user group;}));
 }

haproxy/mkconfig.nix

@@ -3,15 +3,19 @@
 { name
 , configDir
 , configFile
+, user
+, group
 , config
 , dependsOn ? {}
 }:
 {
   inherit name configDir configFile;
-  inherit (config) user group;
+  inherit user group;
+
   pkg = HaproxyConfig {
     inherit configDir configFile;
     inherit config;
+    inherit user group;
   };
 
   inherit dependsOn;

postgresdb/default.nix

@@ -20,6 +20,7 @@ assert lib.assertMsg (
 # contains a sub folder named postgresql-databases/, then the dump files stored
 # inside get imported.
 
+# TODO: https://stackoverflow.com/a/69480184/1013628
 stdenv.mkDerivation {
   name = postgresDatabase;
 

vaultwarden/unit.nix

@@ -0,0 +1,134 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ name ? "vaultwarden"
+, user ? "vaultwarden"
+, group ? "vaultwarden"
+, port ? 18005
+, dataFolder ? "/var/lib/vaultwarden"
+, hostname
+, postgresDatabase ? "vaultwarden"
+, postgresUser ? "vaultwarden"
+, postgresPassword
+, postgresHost ? x: "127.0.0.1"
+
+, smtpFrom
+, smtpFromName ? "vaultwarden"
+, smtpPort ? 587
+, smtpAuthMechanism ? "Login"
+
+, webvaultEnabled ? false
+, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
+, signupsAllowed ? false
+, signupsVerify ? true
+
+, keys
+
+, VaultwardenWeb
+, VaultwardenPostgresDB
+}:
+
+{
+  inherit name;
+
+  inherit port;
+  
+  pkg =
+    { VaultwardenPostgresDB
+    , VaultwardenWeb
+    }: utils.systemd.mkService rec {
+    name = "vaultwarden";
+
+    content = ''
+    [Unit]
+    Description=Vaultwarden Server
+    Documentation=https://github.com/dani-garcia/vaultwarden
+    After=network.target
+    After=${utils.keyServiceDependencies keys}
+    Wants=${utils.keyServiceDependencies keys}
+  
+    [Service]
+    Environment=DATA_FOLDER=${dataFolder}
+    Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
+    Environment=IP_HEADER=X-Real-IP
+  
+    Environment=WEB_VAULT_FOLDER=${webvaultFolder}
+    Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
+  
+    Environment=SIGNUPS_ALLOWED=${signupsAllowed}
+    Environment=SIGNUPS_VERIFY=${signupsVerify}
+    # Implies the /admin path is protected
+    Environment=DISABLE_ADMIN_TOKEN=true
+    Environment=INVITATIONS_ALLOWED=true
+    Environment=DOMAIN=https://${hostname}
+  
+    # Assumes we're behind a reverse proxy
+    Environment=ROCKET_ADDRESS=127.0.0.1
+    Environment=ROCKET_PORT=${builtins.toString port}
+    Environment=USE_SYSLOG=true
+    Environment=EXTENDED_LOGGING=true
+    Environment=LOG_FILE=
+    Environment=LOG_LEVEL=trace
+  
+    ${utils.keyEnvironmentFile keys.smtpSetup}
+    Environment=SMTP_FROM=${smtpFrom}
+    Environment=SMTP_FROM_NAME=${smtpFromName}
+    Environment=SMTP_PORT=${builtins.toString smtpPort}
+    Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
+  
+    ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
+    WorkingDirectory=${dataFolder}
+    User=${user}
+    Group=${group}
+    
+    # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
+    # that capability
+    #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+    #AmbientCapabilities=CAP_NET_BIND_SERVICE
+    
+    # If vaultwarden is run at ports >1024, you should apply these options via a
+    # drop-in file
+    CapabilityBoundingSet=
+    AmbientCapabilities=
+    PrivateUsers=yes
+    
+    NoNewPrivileges=yes
+    
+    LimitNOFILE=1048576
+    UMask=0077
+    
+    ProtectSystem=strict
+    ProtectHome=yes
+    ReadWritePaths=${dataFolder}
+    PrivateTmp=yes
+    PrivateDevices=yes
+    ProtectHostname=yes
+    ProtectClock=yes
+    ProtectKernelTunables=yes
+    ProtectKernelModules=yes
+    ProtectKernelLogs=yes
+    ProtectControlGroups=yes
+    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+    RestrictNamespaces=yes
+    LockPersonality=yes
+    MemoryDenyWriteExecute=yes
+    RestrictRealtime=yes
+    RestrictSUIDSGID=yes
+    RemoveIPC=yes
+    
+    SystemCallFilter=@system-service
+    SystemCallFilter=~@privileged @resources
+    SystemCallArchitectures=native
+    
+    [Install]
+    WantedBy=multi-user.target
+    '';
+  };
+
+  dependsOn = {
+    inherit VaultwardenWeb;
+    inherit VaultwardenPostgresDB;
+  };
+  type = "systemd-unit";
+}

vaultwarden/web.nix

@@ -0,0 +1,35 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ name
+, path
+}:
+
+{
+  inherit name;
+
+  inherit path;
+
+  pkg = stdenv.mkDerivation rec {
+    inherit name;
+
+    buildCommand =
+      let
+        dir = dirOf path;
+        base = baseNameOf path;
+      in ''
+        mkdir -p $out
+        ln -s ${pkgs.vaultwarden-vault}/share/vaultwarden/vault $out/${base}
+
+        echo "${dir}" > $out/.dysnomia-targetdir
+
+        cat > $out/.dysnomia-fileset <<FILESET
+          symlink $out/${base}
+          target .
+        FILESET
+      '';
+  };
+
+  type = "fileset";
+}