add mount contract to vaultwarden service
This commit is contained in:
parent
896c376b6d
commit
6b55db7d9c
1 changed files with 31 additions and 7 deletions
@ -7,6 +7,8 @@ let
shblib = pkgs.callPackage ../../lib {};
shblib = pkgs.callPackage ../../lib {};
fqdn = "${cfg.subdomain}.${cfg.domain}";
fqdn = "${cfg.subdomain}.${cfg.domain}";
dataFolder = "/var/lib/bitwarden_rs";
in
in
{
{
options.shb.vaultwarden = {
options.shb.vaultwarden = {
@ -94,6 +96,24 @@ in
});
});
};
};
mount = lib.mkOption {
type = contracts.mount;
description = ''
Mount configuration. This is an output option.
Use it to initialize a block implementing the "mount" contract.
For example, with a zfs dataset:
```
shb.zfs.datasets."vaultwarden" = {
poolName = "root";
} // config.shb.vaultwarden.mount;
```
'';
readOnly = true;
default = { path = dataFolder; };
};
backupConfig = lib.mkOption {
backupConfig = lib.mkOption {
type = lib.types.nullOr lib.types.anything;
type = lib.types.nullOr lib.types.anything;
description = "Backup configuration of Vaultwarden.";
description = "Backup configuration of Vaultwarden.";
@ -113,7 +133,7 @@ in
enable = true;
enable = true;
dbBackend = "postgresql";
dbBackend = "postgresql";
config = {
config = {
DATA_FOLDER = "/var/lib/bitwarden_rs";
DATA_FOLDER = dataFolder;
IP_HEADER = "X-Real-IP";
IP_HEADER = "X-Real-IP";
SIGNUPS_ALLOWED = false;
SIGNUPS_ALLOWED = false;
# Disabled because the /admin path is protected by SSO
# Disabled because the /admin path is protected by SSO
@ -135,13 +155,13 @@ in
SMTP_PORT = cfg.smtp.port;
SMTP_PORT = cfg.smtp.port;
SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism;
SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism;
};
};
environmentFile = "/var/lib/bitwarden_rs/vaultwarden.env";
environmentFile = "${dataFolder}/vaultwarden.env";
};
};
# We create a blank environment file for the service to start. Then, ExecPreStart kicks in and
# We create a blank environment file for the service to start. Then, ExecPreStart kicks in and
# fills out the environment file for ExecStart to pick it up.
# fills out the environment file for ExecStart to pick it up.
systemd.tmpfiles.rules = [
systemd.tmpfiles.rules = [
"d /var/lib/bitwarden_rs 0750 vaultwarden vaultwarden"
"d ${dataFolder} 0750 vaultwarden vaultwarden"
"f /var/lib/bitwarden_rs/vaultwarden.env 0640 vaultwarden vaultwarden"
"f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
];
];
systemd.services.vaultwarden.preStart =
systemd.services.vaultwarden.preStart =
shblib.replaceSecrets {
shblib.replaceSecrets {
@ -151,7 +171,7 @@ in
} // lib.optionalAttrs (cfg.smtp != null) {
} // lib.optionalAttrs (cfg.smtp != null) {
SMTP_PASSWORD.source = cfg.smtp.passwordFile;
SMTP_PASSWORD.source = cfg.smtp.passwordFile;
};
};
resultPath = "/var/lib/bitwarden_rs/vaultwarden.env";
resultPath = "${dataFolder}/vaultwarden.env";
generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
};
};
@ -197,12 +217,16 @@ in
members = [ "backup" ];
members = [ "backup" ];
};
};
shb.backup.instances.vaultwarden =
shb.backup.instances.vaultwarden = lib.mkIf (cfg.backupConfig != null) (
cfg.backupConfig //
cfg.backupConfig //
{
{
sourceDirectories = [
sourceDirectories = [
config.services.vaultwarden.config.DATA_FOLDER
config.services.vaultwarden.config.DATA_FOLDER
];
];
};
});
# TODO: make this work.
# It does not work because it leads to infinite recursion.
# ${cfg.mount}.path = dataFolder;
};
};
}
}
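Review bot: The new mount contract and the backup instance both cover `dataFolder`, and `${dataFolder}/vaultwarden.env` is the file into which `shblib.replaceSecrets` renders `SMTP_PASSWORD` from `cfg.smtp.passwordFile` (see `resultPath` and the tmpfiles `f` rule in the middle hunks), so a snapshot of the mounted dataset or a backup of `config.services.vaultwarden.config.DATA_FOLDER` captures the rendered secret file along with the application data. This predates the commit, but routing every path through one `dataFolder` now makes the coupling explicit, so it is worth deciding here: render the environment file outside the data folder, for instance under a systemd `RuntimeDirectory` for the service, or exclude it from `sourceDirectories` if the backup contract supports exclusions, which I cannot tell from this hunk. In the last hunk the commented-out `# ${cfg.mount}.path = dataFolder;` appears to use the `cfg.mount` attrset itself as a dynamic attribute name, so even without the recursion it would not evaluate; the TODO would help the next reader more if it recorded what was attempted, e.g. `# TODO: feeding the mount path back through cfg.mount caused infinite recursion; dataFolder stays the single source of truth for now.`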