1
0
Fork 0

move all vaultwarden config to default.nix

This commit is contained in:
ibizaman 2022-12-30 02:00:32 -08:00
parent a89b6b5afc
commit cdc41a04e9
3 changed files with 153 additions and 144 deletions

View file

@ -6,9 +6,9 @@
}:
let
callPackage = pkgs.lib.callPackageWith (pkgs // self);
callPackage = pkgs.lib.callPackageWith (pkgs // customPkgs);
self = rec {
customPkgs = rec {
PostgresDB = callPackage ./postgresdb {};
mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;};
@ -59,9 +59,7 @@ let
TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;};
mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;};
mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;};
vaultwarden = callPackage ./vaultwarden {inherit utils;};
vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;};
};
in
self
customPkgs

View file

@ -1,9 +1,25 @@
{ pkgs
{ customPkgs
, pkgs
, utils
}:
{ ingress ? 18005
{ serviceName ? "Vaultwarden"
, subdomain ? "vaultwarden"
, domain ? ""
, ingress ? 18005
, signupsAllowed ? false
, signupsVerify ? true
, user ? "vaultwarden"
, group ? "vaultwarden"
, dataFolder ? "/var/lib/vaultwarden"
, postgresDatabase ? "vaultwarden"
, postgresUser ? "vaultwarden"
, postgresPasswordLocation ? "vaultwarden"
, webvaultEnabled ? true
, webvaultPath ? "/usr/share/webapps/vaultwarden"
, smtp ? {}
, sso ? {}
, distribution ? {}
}:
@ -13,10 +29,131 @@ let
"127.0.0.1"
else
service.target.properties.hostname;
mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
in
{
rec {
inherit user group;
dnsmasqSubdomains = [subdomain];
db = customPkgs.mkPostgresDB {
name = "${serviceName}PostgresDB";
database = postgresDatabase;
username = postgresUser;
# TODO: use passwordFile
password = postgresPasswordLocation;
};
web = mkVaultwardenWeb {
name = "${serviceName}Web";
path = webvaultPath;
};
service = let
name = "${serviceName}Service";
domain = utils.getDomain distribution name;
in {
inherit name;
pkg = {
db
, web
}: let
postgresHost = db.target.properties.hostname;
in utils.systemd.mkService {
name = "vaultwarden";
content = ''
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
After=${utils.keyServiceDependencies smtp.keys}
Wants=${utils.keyServiceDependencies smtp.keys}
[Service]
Environment=DATA_FOLDER=${dataFolder}
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPasswordLocation}@${postgresHost}/${postgresDatabase}
Environment=IP_HEADER=X-Real-IP
Environment=WEB_VAULT_FOLDER=${web.path}
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
# Disabled because the /admin path is protected by SSO
Environment=DISABLE_ADMIN_TOKEN=true
Environment=INVITATIONS_ALLOWED=true
Environment=DOMAIN=https://${subdomain}.${domain}
# Assumes we're behind a reverse proxy
Environment=ROCKET_ADDRESS=127.0.0.1
Environment=ROCKET_PORT=${builtins.toString ingress}
Environment=USE_SYSLOG=true
Environment=EXTENDED_LOGGING=true
Environment=LOG_FILE=
Environment=LOG_LEVEL=trace
${utils.keyEnvironmentFiles smtp.keys}
Environment=SMTP_FROM=${smtp.from}
Environment=SMTP_FROM_NAME=${smtp.fromName}
Environment=SMTP_PORT=${builtins.toString smtp.port}
Environment=SMTP_AUTH_MECHANISM=${smtp.authMechanism}
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
WorkingDirectory=${dataFolder}
StateDirectory=${dataFolder}
User=${user}
Group=${group}
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
# that capability
CapabilityBoundingSet=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
AmbientCapabilities=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
PrivateUsers=yes
NoNewPrivileges=yes
LimitNOFILE=1048576
UMask=0077
ProtectSystem=strict
ProtectHome=yes
# ReadWritePaths=${dataFolder}
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
'';
};
dependsOn = {
inherit db;
inherit web;
};
type = "systemd-unit";
};
haproxy = service: {
frontend = {
acl = {
@ -33,4 +170,12 @@ in
];
};
};
}
keycloakCliConfig = {
clients = {
vaultwarden = {
roles = ["uma_protection"];
};
};
};
}

View file

@ -1,134 +0,0 @@
{ stdenv
, pkgs
, utils
}:
{ name ? "vaultwarden"
, user ? "vaultwarden"
, group ? "vaultwarden"
, port ? 18005
, dataFolder ? "/var/lib/vaultwarden"
, hostname
, postgresDatabase ? "vaultwarden"
, postgresUser ? "vaultwarden"
, postgresPassword
, postgresHost ? x: "127.0.0.1"
, smtpFrom
, smtpFromName ? "vaultwarden"
, smtpPort ? 587
, smtpAuthMechanism ? "Login"
, webvaultEnabled ? false
, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
, signupsAllowed ? false
, signupsVerify ? true
, keys
, VaultwardenWeb
, VaultwardenPostgresDB
}:
{
inherit name;
inherit port;
pkg =
{ VaultwardenPostgresDB
, VaultwardenWeb
}: utils.systemd.mkService rec {
name = "vaultwarden";
content = ''
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
After=${utils.keyServiceDependencies keys}
Wants=${utils.keyServiceDependencies keys}
[Service]
Environment=DATA_FOLDER=${dataFolder}
Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
Environment=IP_HEADER=X-Real-IP
Environment=WEB_VAULT_FOLDER=${webvaultFolder}
Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
# Implies the /admin path is protected
Environment=DISABLE_ADMIN_TOKEN=true
Environment=INVITATIONS_ALLOWED=true
Environment=DOMAIN=https://${hostname}
# Assumes we're behind a reverse proxy
Environment=ROCKET_ADDRESS=127.0.0.1
Environment=ROCKET_PORT=${builtins.toString port}
Environment=USE_SYSLOG=true
Environment=EXTENDED_LOGGING=true
Environment=LOG_FILE=
Environment=LOG_LEVEL=trace
${utils.keyEnvironmentFile keys.smtpSetup}
Environment=SMTP_FROM=${smtpFrom}
Environment=SMTP_FROM_NAME=${smtpFromName}
Environment=SMTP_PORT=${builtins.toString smtpPort}
Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
WorkingDirectory=${dataFolder}
User=${user}
Group=${group}
# Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
# that capability
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
# If vaultwarden is run at ports >1024, you should apply these options via a
# drop-in file
CapabilityBoundingSet=
AmbientCapabilities=
PrivateUsers=yes
NoNewPrivileges=yes
LimitNOFILE=1048576
UMask=0077
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=${dataFolder}
PrivateTmp=yes
PrivateDevices=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
'';
};
dependsOn = {
inherit VaultwardenWeb;
inherit VaultwardenPostgresDB;
};
type = "systemd-unit";
}