
add mount contract to vaultwarden service

This commit is contained in:
ibizaman 2024-08-12 03:04:20 +02:00 committed by Pierre Penninckx
parent 896c376b6d
commit 6b55db7d9c


@ -7,6 +7,8 @@ let
shblib = pkgs.callPackage ../../lib {}; shblib = pkgs.callPackage ../../lib {};
fqdn = "${cfg.subdomain}.${cfg.domain}"; fqdn = "${cfg.subdomain}.${cfg.domain}";
dataFolder = "/var/lib/bitwarden_rs";
in in
{ {
options.shb.vaultwarden = { options.shb.vaultwarden = {
@ -94,6 +96,24 @@ in
}); });
}; };
mount = lib.mkOption {
type = contracts.mount;
description = ''
Mount configuration. This is an output option.
Use it to initialize a block implementing the "mount" contract.
For example, with a zfs dataset:
```
shb.zfs.datasets."vaultwarden" = {
poolName = "root";
} // config.shb.vaultwarden.mount;
```
'';
readOnly = true;
default = { path = dataFolder; };
};
backupConfig = lib.mkOption { backupConfig = lib.mkOption {
type = lib.types.nullOr lib.types.anything; type = lib.types.nullOr lib.types.anything;
description = "Backup configuration of Vaultwarden."; description = "Backup configuration of Vaultwarden.";
@ -113,7 +133,7 @@ in
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
config = { config = {
DATA_FOLDER = "/var/lib/bitwarden_rs"; DATA_FOLDER = dataFolder;
IP_HEADER = "X-Real-IP"; IP_HEADER = "X-Real-IP";
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
# Disabled because the /admin path is protected by SSO # Disabled because the /admin path is protected by SSO
@ -135,13 +155,13 @@ in
SMTP_PORT = cfg.smtp.port; SMTP_PORT = cfg.smtp.port;
SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism; SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism;
}; };
environmentFile = "/var/lib/bitwarden_rs/vaultwarden.env"; environmentFile = "${dataFolder}/vaultwarden.env";
}; };
# We create a blank environment file for the service to start. Then, ExecPreStart kicks in and # We create a blank environment file for the service to start. Then, ExecPreStart kicks in and
# fills out the environment file for ExecStart to pick it up. # fills out the environment file for ExecStart to pick it up.
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/bitwarden_rs 0750 vaultwarden vaultwarden" "d ${dataFolder} 0750 vaultwarden vaultwarden"
"f /var/lib/bitwarden_rs/vaultwarden.env 0640 vaultwarden vaultwarden" "f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
]; ];
systemd.services.vaultwarden.preStart = systemd.services.vaultwarden.preStart =
shblib.replaceSecrets { shblib.replaceSecrets {
@ -151,7 +171,7 @@ in
} // lib.optionalAttrs (cfg.smtp != null) { } // lib.optionalAttrs (cfg.smtp != null) {
SMTP_PASSWORD.source = cfg.smtp.passwordFile; SMTP_PASSWORD.source = cfg.smtp.passwordFile;
}; };
resultPath = "/var/lib/bitwarden_rs/vaultwarden.env"; resultPath = "${dataFolder}/vaultwarden.env";
generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; }); generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
}; };
@ -197,12 +217,16 @@ in
members = [ "backup" ]; members = [ "backup" ];
}; };
shb.backup.instances.vaultwarden = shb.backup.instances.vaultwarden = lib.mkIf (cfg.backupConfig != null) (
cfg.backupConfig // cfg.backupConfig //
{ {
sourceDirectories = [ sourceDirectories = [
config.services.vaultwarden.config.DATA_FOLDER config.services.vaultwarden.config.DATA_FOLDER
]; ];
}; });
# TODO: make this work.
# It does not work because it leads to infinite recursion.
# ${cfg.mount}.path = dataFolder;
}; };
} }
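Review bot: The rendered secrets file `${dataFolder}/vaultwarden.env` (tmpfiles rule and `resultPath` in the -155 and -171 hunks, filled by `replaceSecrets` with at least `SMTP_PASSWORD`) lives inside the same directory that the -217 hunk hands to the backup as `sourceDirectories` and that the new `mount` output now exposes to whatever block implements the contract, so the plaintext secrets end up in every backup and, presumably, in dataset snapshots. This predates the commit, but factoring the path into `dataFolder` and publishing it through the mount contract is the moment to separate the two: either render the env file outside the data folder (e.g. `serviceConfig.RuntimeDirectory = "vaultwarden";` with `environmentFile` and `resultPath` set to `/run/vaultwarden/vaultwarden.env`, keeping the `f` tmpfiles rule at the new path), or exclude `vaultwarden.env` from the backup if the backup contract supports excludes — I cannot see its options here. Until then, a comment on the tmpfiles rule would at least warn maintainers: `# NOTE: this file holds rendered secrets and sits inside the backed-up/mounted data folder.` The enclosing `config = lib.mkIf cfg.enable { … }` block starts outside the visible hunks.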