move all vaultwarden config to default.nix

all-packages.nix

@@ -6,9 +6,9 @@
 }:
 
 let
-  callPackage = pkgs.lib.callPackageWith (pkgs // self);
+  callPackage = pkgs.lib.callPackageWith (pkgs // customPkgs);
 
-  self = rec {
+  customPkgs = rec {
     PostgresDB = callPackage ./postgresdb {};
     mkPostgresDB = callPackage ./postgresdb/mkdefault.nix {inherit PostgresDB;};
 
@@ -59,9 +59,7 @@ let
     TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
     mkTtrssPHPNormalizeHeaders = callPackage ./ttrss/mk-normalize-headers.nix {inherit TtrssPHPNormalizeHeaders;};
 
-    mkVaultwardenWeb = callPackage ./vaultwarden/web.nix {inherit utils;};
+    vaultwarden = callPackage ./vaultwarden {inherit utils customPkgs;};
-    mkVaultwardenService = callPackage ./vaultwarden/unit.nix {inherit utils;};
-    vaultwarden = callPackage ./vaultwarden {inherit utils;};
   };
 in
-self
+customPkgs

vaultwarden/default.nix

@@ -1,9 +1,25 @@
-{ pkgs
+{ customPkgs
+, pkgs
 , utils
 }:
-{ ingress ? 18005
+{ serviceName ? "Vaultwarden"
+, subdomain ? "vaultwarden"
+, domain ? ""
+, ingress ? 18005
+, signupsAllowed ? false
+, signupsVerify ? true
+
 , user ? "vaultwarden"
 , group ? "vaultwarden"
+, dataFolder ? "/var/lib/vaultwarden"
+, postgresDatabase ? "vaultwarden"
+, postgresUser ? "vaultwarden"
+, postgresPasswordLocation ? "vaultwarden"
+, webvaultEnabled ? true
+, webvaultPath ? "/usr/share/webapps/vaultwarden"
+
+, smtp ? {}
+, sso ? {}
 
 , distribution ? {}
 }:
@@ -13,10 +29,131 @@ let
       "127.0.0.1"
     else
       service.target.properties.hostname;
+
+
+  mkVaultwardenWeb = pkgs.callPackage ./web.nix {inherit utils;};
 in
-{
+rec {
   inherit user group;
 
+  dnsmasqSubdomains = [subdomain];
+
+  db = customPkgs.mkPostgresDB {
+    name = "${serviceName}PostgresDB";
+
+    database = postgresDatabase;
+    username = postgresUser;
+    # TODO: use passwordFile
+    password = postgresPasswordLocation;
+  };
+
+  web = mkVaultwardenWeb {
+    name = "${serviceName}Web";
+
+    path = webvaultPath;
+  };
+
+  service = let
+    name = "${serviceName}Service";
+    domain = utils.getDomain distribution name;
+  in {
+    inherit name;
+
+    pkg = {
+      db
+      , web
+    }: let
+      postgresHost = db.target.properties.hostname;
+    in utils.systemd.mkService {
+      name = "vaultwarden";
+
+      content = ''
+        [Unit]
+        Description=Vaultwarden Server
+        Documentation=https://github.com/dani-garcia/vaultwarden
+        After=network.target
+        After=${utils.keyServiceDependencies smtp.keys}
+        Wants=${utils.keyServiceDependencies smtp.keys}
+
+        [Service]
+        Environment=DATA_FOLDER=${dataFolder}
+        Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPasswordLocation}@${postgresHost}/${postgresDatabase}
+        Environment=IP_HEADER=X-Real-IP
+
+        Environment=WEB_VAULT_FOLDER=${web.path}
+        Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
+
+        Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
+        Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
+        # Disabled because the /admin path is protected by SSO
+        Environment=DISABLE_ADMIN_TOKEN=true
+        Environment=INVITATIONS_ALLOWED=true
+        Environment=DOMAIN=https://${subdomain}.${domain}
+
+        # Assumes we're behind a reverse proxy
+        Environment=ROCKET_ADDRESS=127.0.0.1
+        Environment=ROCKET_PORT=${builtins.toString ingress}
+        Environment=USE_SYSLOG=true
+        Environment=EXTENDED_LOGGING=true
+        Environment=LOG_FILE=
+        Environment=LOG_LEVEL=trace
+
+        ${utils.keyEnvironmentFiles smtp.keys}
+        Environment=SMTP_FROM=${smtp.from}
+        Environment=SMTP_FROM_NAME=${smtp.fromName}
+        Environment=SMTP_PORT=${builtins.toString smtp.port}
+        Environment=SMTP_AUTH_MECHANISM=${smtp.authMechanism}
+
+        ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
+        WorkingDirectory=${dataFolder}
+        StateDirectory=${dataFolder}
+        User=${user}
+        Group=${group}
+
+        # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
+        # that capability
+        CapabilityBoundingSet=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
+        AmbientCapabilities=${if ingress <= 1024 then "CAP_NET_BIND_SERVICE" else ""}
+
+        PrivateUsers=yes
+        NoNewPrivileges=yes
+        LimitNOFILE=1048576
+        UMask=0077
+        ProtectSystem=strict
+        ProtectHome=yes
+        # ReadWritePaths=${dataFolder}
+        PrivateTmp=yes
+        PrivateDevices=yes
+        ProtectHostname=yes
+        ProtectClock=yes
+        ProtectKernelTunables=yes
+        ProtectKernelModules=yes
+        ProtectKernelLogs=yes
+        ProtectControlGroups=yes
+        RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+        RestrictNamespaces=yes
+        LockPersonality=yes
+        MemoryDenyWriteExecute=yes
+        RestrictRealtime=yes
+        RestrictSUIDSGID=yes
+        RemoveIPC=yes
+
+        SystemCallFilter=@system-service
+        SystemCallFilter=~@privileged @resources
+        SystemCallArchitectures=native
+
+        [Install]
+        WantedBy=multi-user.target
+        '';
+    };
+
+    dependsOn = {
+      inherit db;
+      inherit web;
+    };
+    type = "systemd-unit";
+  };
+
   haproxy = service: {
     frontend = {
       acl = {
@@ -33,4 +170,12 @@ in
       ];
     };
   };
+
+  keycloakCliConfig = {
+    clients = {
+      vaultwarden = {
+        roles = ["uma_protection"];
+      };
+    };
+  };
 }

vaultwarden/unit.nix

@@ -1,134 +0,0 @@
-{ stdenv
-, pkgs
-, utils
-}:
-{ name ? "vaultwarden"
-, user ? "vaultwarden"
-, group ? "vaultwarden"
-, port ? 18005
-, dataFolder ? "/var/lib/vaultwarden"
-, hostname
-, postgresDatabase ? "vaultwarden"
-, postgresUser ? "vaultwarden"
-, postgresPassword
-, postgresHost ? x: "127.0.0.1"
-
-, smtpFrom
-, smtpFromName ? "vaultwarden"
-, smtpPort ? 587
-, smtpAuthMechanism ? "Login"
-
-, webvaultEnabled ? false
-, webvaultFolder ? "/usr/share/webapps/vaultwarden-web"
-, signupsAllowed ? false
-, signupsVerify ? true
-
-, keys
-
-, VaultwardenWeb
-, VaultwardenPostgresDB
-}:
-
-{
-  inherit name;
-
-  inherit port;
-  
-  pkg =
-    { VaultwardenPostgresDB
-    , VaultwardenWeb
-    }: utils.systemd.mkService rec {
-    name = "vaultwarden";
-
-    content = ''
-    [Unit]
-    Description=Vaultwarden Server
-    Documentation=https://github.com/dani-garcia/vaultwarden
-    After=network.target
-    After=${utils.keyServiceDependencies keys}
-    Wants=${utils.keyServiceDependencies keys}
-  
-    [Service]
-    Environment=DATA_FOLDER=${dataFolder}
-    Environment=DATABASE_URL=postgresql://${postgresUser}:${postgresPassword}@${postgresHost {inherit VaultwardenPostgresDB;}}/${postgresDatabase}
-    Environment=IP_HEADER=X-Real-IP
-  
-    Environment=WEB_VAULT_FOLDER=${webvaultFolder}
-    Environment=WEB_VAULT_ENABLED=${if webvaultEnabled then "true" else "false"}
-  
-    Environment=SIGNUPS_ALLOWED=${if signupsAllowed then "true" else "false"}
-    Environment=SIGNUPS_VERIFY=${if signupsVerify then "true" else "false"}
-    # Implies the /admin path is protected
-    Environment=DISABLE_ADMIN_TOKEN=true
-    Environment=INVITATIONS_ALLOWED=true
-    Environment=DOMAIN=https://${hostname}
-  
-    # Assumes we're behind a reverse proxy
-    Environment=ROCKET_ADDRESS=127.0.0.1
-    Environment=ROCKET_PORT=${builtins.toString port}
-    Environment=USE_SYSLOG=true
-    Environment=EXTENDED_LOGGING=true
-    Environment=LOG_FILE=
-    Environment=LOG_LEVEL=trace
-  
-    ${utils.keyEnvironmentFile keys.smtpSetup}
-    Environment=SMTP_FROM=${smtpFrom}
-    Environment=SMTP_FROM_NAME=${smtpFromName}
-    Environment=SMTP_PORT=${builtins.toString smtpPort}
-    Environment=SMTP_AUTH_MECHANISM=${smtpAuthMechanism}
-  
-    ExecStart=${pkgs.vaultwarden-postgresql}/bin/vaultwarden
-    WorkingDirectory=${dataFolder}
-    User=${user}
-    Group=${group}
-    
-    # Allow vaultwarden to bind ports in the range of 0-1024 and restrict it to
-    # that capability
-    #CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-    #AmbientCapabilities=CAP_NET_BIND_SERVICE
-    
-    # If vaultwarden is run at ports >1024, you should apply these options via a
-    # drop-in file
-    CapabilityBoundingSet=
-    AmbientCapabilities=
-    PrivateUsers=yes
-    
-    NoNewPrivileges=yes
-    
-    LimitNOFILE=1048576
-    UMask=0077
-    
-    ProtectSystem=strict
-    ProtectHome=yes
-    ReadWritePaths=${dataFolder}
-    PrivateTmp=yes
-    PrivateDevices=yes
-    ProtectHostname=yes
-    ProtectClock=yes
-    ProtectKernelTunables=yes
-    ProtectKernelModules=yes
-    ProtectKernelLogs=yes
-    ProtectControlGroups=yes
-    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-    RestrictNamespaces=yes
-    LockPersonality=yes
-    MemoryDenyWriteExecute=yes
-    RestrictRealtime=yes
-    RestrictSUIDSGID=yes
-    RemoveIPC=yes
-    
-    SystemCallFilter=@system-service
-    SystemCallFilter=~@privileged @resources
-    SystemCallArchitectures=native
-    
-    [Install]
-    WantedBy=multi-user.target
-    '';
-  };
-
-  dependsOn = {
-    inherit VaultwardenWeb;
-    inherit VaultwardenPostgresDB;
-  };
-  type = "systemd-unit";
-}