diff --git a/all-packages.nix b/all-packages.nix index 5d49c6f..d0a27f0 100644 --- a/all-packages.nix +++ b/all-packages.nix @@ -6,9 +6,9 @@ }: let - callPackage = pkgs.lib.callPackageWith (pkgs // self); + callPackage = pkgs.lib.callPackageWith (pkgs // customPkgs); - self = rec { + customPkgs = rec { PostgresDB = callPackage ./postgresdb {}; mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;}; @@ -59,9 +59,7 @@ let TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;}; mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;}; - mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;}; - mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;}; - vaultwarden = callPackage ./vaultwarden {inherit utils;}; + vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;}; }; in -self +customPkgs diff --git a/vaultwarden/default.nix b/vaultwarden/default.nix index 25a9856..86454f8 100644 --- a/vaultwarden/default.nix +++ b/vaultwarden/default.nix @@ -1,9 +1,25 @@ -{ pkgs +{ customPkgs +, pkgs , utils }: -{ ingress ? 18005 +{ serviceName ? "Vaultwarden" +, subdomain ? "vaultwarden" +, domain ? "" +, ingress ? 18005 +, signupsAllowed ? false +, signupsVerify ? true + , user ? "vaultwarden" , group ? "vaultwarden" +, dataFolder ? "/var/lib/vaultwarden" +, postgresDatabase ? "vaultwarden" +, postgresUser ? "vaultwarden" +, postgresPasswordLocation ? "vaultwarden" +, webvaultEnabled ? true +, webvaultPath ? "/usr/share/webapps/vaultwarden" + +, smtp ? {} +, sso ? {} , distribution ? {} }: 
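Review bot: The new `domain ? ""` parameter is never read: the only use of that name, `${subdomain}.${domain}` in the unit content, sits inside the `service` let-block that rebinds `domain = utils.getDomain distribution name;` (next hunk), so a caller-supplied domain is silently ignored and the default should either be dropped or the inner binding renamed. `sso ? {}` is likewise accepted but not referenced in any hunk shown here. The `smtp ? {}` default is also unusable as written, because the unit content dereferences `smtp.keys`, `smtp.from`, `smtp.fromName`, `smtp.port` and `smtp.authMechanism` unconditionally, so evaluating with the default fails on a missing attribute; either make `smtp` required or document the attribute set it must carry, e.g. `, smtp # { keys, from, fromName, port, authMechanism }`.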
@@ -13,10 +29,131 @@ let "127.0.0.1" else service.target.properties.hostname; + + + mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;}; in -{ +rec { inherit user group; + dnsmasqSubdomains = [subdomain]; + + db = customPkgs.mkPostgresDB { + name = "${serviceName}PostgresDB"; + + database = postgresDatabase; + username = postgresUser; + # TODO: use passwordFile + password = postgresPasswordLocation; + }; + + web = mkVaultwardenWeb { + name = "${serviceName}Web"; + + path = webvaultPath; + }; + + service = let + name = "${serviceName}Service"; + domain = utils.getDomain distribution name; + in { + inherit name; + + pkg = { + db + , web + }: let + postgresHost = db.target.properties.hostname; + in utils.systemd.mkService { + name = "vaultwarden"; + + content = '' + [Unit] + Description=Vaultwarden Server + Documentation=https://github.com/dani-garcia/vaultwarden + After=network.target + After=${utils.keyServiceDependencies smtp.keys} + Wants=${utils.keyServiceDependencies smtp.keys} + + [Service] + Environment=DATA_FOLDER=${dataFolder} + Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPasswordLocation}@${postgresHost}/${postgresDatabase} + Environment=IP_HEADER=X-Real-IP + + Environment=WEB_VAULT_FOLDER=${web.path} + Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"} + + Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"} + Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"} + # Disabled because the /admin path is protected by SSO + Environment=DISABLE_ADMIN_TOKEN=true + Environment=INVITATIONS_ALLOWED=true + Environment=DOMAIN=https://${subdomain}.${domain} + + # Assumes we're behind a reverse proxy + Environment=ROCKET_ADDRESS=127.0.0.1 + Environment=ROCKET_PORT=${builtins.toString ingress} + Environment=USE_SYSLOG=true + Environment=EXTENDED_LOGGING=true + Environment=LOG_FILE= + Environment=LOG_LEVEL=trace + + ${utils.keyEnvironmentFiles smtp.keys} + 
Environment=SMTP_FROM=${smtp.from} + Environment=SMTP_FROM_NAME=${smtp.fromName} + Environment=SMTP_PORT=${builtins.toString smtp.port} + Environment=SMTP_AUTH_MECHANISM=${smtp.authMechanism} + + ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden + WorkingDirectory=${dataFolder} + StateDirectory=${dataFolder} + User=${user} + Group=${group} + + # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to + # that capability + CapabilityBoundingSet=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""} + AmbientCapabilities=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""} + + PrivateUsers=yes + NoNewPrivileges=yes + LimitNOFILE=1048576 + UMask=0077 + ProtectSystem=strict + ProtectHome=yes + # ReadWritePaths=${dataFolder} + PrivateTmp=yes + PrivateDevices=yes + ProtectHostname=yes + ProtectClock=yes + ProtectKernelTunables=yes + ProtectKernelModules=yes + ProtectKernelLogs=yes + ProtectControlGroups=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + RestrictNamespaces=yes + LockPersonality=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes + RestrictSUIDSGID=yes + RemoveIPC=yes + + SystemCallFilter=@system-service + SystemCallFilter=~@privileged @resources + SystemCallArchitectures=native + + [Install] + WantedBy=multi-user.target + ''; + }; + + dependsOn = { + inherit db; + inherit web; + }; + type = "systemd-unit"; + }; + haproxy = service: { frontend = { acl = { @@ -33,4 +170,12 @@ in ]; }; }; -} \ No newline at end of file + + keycloakCliConfig = { + clients = { + vaultwarden = { + roles = ["uma_protection"]; + }; + }; + }; +} diff --git a/vaultwarden/unit.nix b/vaultwarden/unit.nix deleted file mode 100644 index 8efc46b..0000000 --- a/vaultwarden/unit.nix +++ /dev/null 
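Review bot: The PostgreSQL password is embedded verbatim in the unit text (`Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPasswordLocation}@…`) and handed to `mkPostgresDB` as `password = postgresPasswordLocation`, so whatever the caller supplies — or the default `"vaultwarden"` — ends up in the world-readable Nix store and in `systemctl show` output, despite the parameter name suggesting a file location. Since this hunk already injects the SMTP secrets via `${utils.keyEnvironmentFiles smtp.keys}`, the database URL (or at least its password) should be delivered through the same mechanism and the `# TODO: use passwordFile` resolved rather than shipped. Separately, `StateDirectory=${dataFolder}` passes an absolute path, but `StateDirectory=` takes names relative to `/var/lib` and rejects absolute ones; together with `ProtectSystem=strict` and the commented-out `# ReadWritePaths=${dataFolder}` the data folder is likely read-only at runtime, so use `StateDirectory=vaultwarden` or restore `ReadWritePaths=${dataFolder}`. The enclosing `let … in rec { … }` starts before this hunk.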
@@ -1,134 +0,0 @@ -{ stdenv -, pkgs -, utils -}: -{ name ? "vaultwarden" -, user ? "vaultwarden" -, group ? "vaultwarden" -, port ? 18005 -, dataFolder ? "/var/lib/vaultwarden" -, hostname -, postgresDatabase ? "vaultwarden" -, postgresUser ? "vaultwarden" -, postgresPassword -, postgresHost ? x: "127.0.0.1" - -, smtpFrom -, smtpFromName ? "vaultwarden" -, smtpPort ? 587 -, smtpAuthMechanism ? "Login" - -, webvaultEnabled ? false -, webvaultFolder ? "/usr/share/webapps/vaultwarden-web" -, signupsAllowed ? false -, signupsVerify ? true - -, keys - -, VaultwardenWeb -, VaultwardenPostgresDB -}: - -{ - inherit name; - - inherit port; - - pkg = - { VaultwardenPostgresDB - , VaultwardenWeb - }: utils.systemd.mkService rec { - name = "vaultwarden"; - - content = '' - [Unit] - Description=Vaultwarden Server - Documentation=https://github.com/dani-garcia/vaultwarden - After=network.target - After=${utils.keyServiceDependencies keys} - Wants=${utils.keyServiceDependencies keys} - - [Service] - Environment=DATA_FOLDER=${dataFolder} - Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase} - Environment=IP_HEADER=X-Real-IP - - Environment=WEB_VAULT_FOLDER=${webvaultFolder} - Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"} - - Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"} - Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"} - # Implies the /admin path is protected - Environment=DISABLE_ADMIN_TOKEN=true - Environment=INVITATIONS_ALLOWED=true - Environment=DOMAIN=https://${hostname} - - # Assumes we're behind a reverse proxy - Environment=ROCKET_ADDRESS=127.0.0.1 - Environment=ROCKET_PORT=${builtins.toString port} - Environment=USE_SYSLOG=true - Environment=EXTENDED_LOGGING=true - Environment=LOG_FILE= - Environment=LOG_LEVEL=trace - - ${utils.keyEnvironmentFile keys.smtpSetup} - Environment=SMTP_FROM=${smtpFrom} - 
Environment=SMTP_FROM_NAME=${smtpFromName} - Environment=SMTP_PORT=${builtins.toString smtpPort} - Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism} - - ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden - WorkingDirectory=${dataFolder} - User=${user} - Group=${group} - - # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to - # that capability - #CapabilityBoundingSet=CAP_NET_BIND_SERVICE - #AmbientCapabilities=CAP_NET_BIND_SERVICE - - # If vaultwarden is run at ports >1024, you should apply these options via a - # drop-in file - CapabilityBoundingSet= - AmbientCapabilities= - PrivateUsers=yes - - NoNewPrivileges=yes - - LimitNOFILE=1048576 - UMask=0077 - - ProtectSystem=strict - ProtectHome=yes - ReadWritePaths=${dataFolder} - PrivateTmp=yes - PrivateDevices=yes - ProtectHostname=yes - ProtectClock=yes - ProtectKernelTunables=yes - ProtectKernelModules=yes - ProtectKernelLogs=yes - ProtectControlGroups=yes - RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 - RestrictNamespaces=yes - LockPersonality=yes - MemoryDenyWriteExecute=yes - RestrictRealtime=yes - RestrictSUIDSGID=yes - RemoveIPC=yes - - SystemCallFilter=@system-service - SystemCallFilter=~@privileged @resources - SystemCallArchitectures=native - - [Install] - WantedBy=multi-user.target - ''; - }; - - dependsOn = { - inherit VaultwardenWeb; - inherit VaultwardenPostgresDB; - }; - type = "systemd-unit"; -}