clanModules: Init vaultwarden, the bitwarden server

2024-08-19 11:40:46 +02:00
parent 234ac6965a
commit 586c5adf71
5 changed files with 174 additions and 7 deletions
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -22,7 +22,10 @@
              enableACME = lib.mkForce false;
              forceSSL = lib.mkForce false;
            };
-            clan.matrix-synapse.domain = "clan.test";
+            clan.matrix-synapse.domain = {
+              server = "clan.test";
+              client = "element.clan.test";
+            };
            clan.matrix-synapse.users.admin.admin = true;
            clan.matrix-synapse.users.someuser = { };

--- a/clanModules/dyndns/default.nix
+++ b/clanModules/dyndns/default.nix
@@ -143,6 +143,7 @@ in
      "dyndns"
      "enable"
    ] "Just define clan.dyndns.settings to enable it")
+    ../nginx
  ];

  config = lib.mkMerge [
@@ -158,11 +159,6 @@ in
        createHome = true;
      };

-      networking.firewall.allowedTCPPorts = lib.mkIf cfg.server.enable [
-        80
-        443
-      ];
-
      services.nginx = lib.mkIf cfg.server.enable {
        enable = true;
        virtualHosts = {
@@ -249,7 +245,6 @@ in
            PrivateDevices = "yes";
            ProtectKernelModules = "yes";
            ProtectKernelTunables = "yes";
-
            WorkingDirectory = "/var/lib/${name}";
            ReadWritePaths = [
              "/proc/self"
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -15,6 +15,7 @@
    moonlight = ./moonlight;
    mumble = ./mumble;
    packages = ./packages;
+    nginx = ./nginx;
    postgresql = ./postgresql;
    root-password = ./root-password;
    single-disk = ./single-disk;
@@ -26,6 +27,7 @@
    thelounge = ./thelounge;
    trusted-nix-caches = ./trusted-nix-caches;
    user-password = ./user-password;
+    vaultwarden = ./vaultwarden;
    xfce = ./xfce;
    zerotier-static-peers = ./zerotier-static-peers;
    zt-tcp-relay = ./zt-tcp-relay;
--- a/clanModules/vaultwarden/README.md
+++ b/clanModules/vaultwarden/README.md
@@ -0,0 +1,3 @@
+---
+description = "The server for the password manager bitwarden"
+---
--- a/clanModules/vaultwarden/default.nix
+++ b/clanModules/vaultwarden/default.nix
@@ -0,0 +1,164 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.clan.vaultwarden;
+  module_name = "vaultwarden";
+
+  admin_pwd_secret = "${module_name}-admin";
+  admin_pwd_hash_secret = "${admin_pwd_secret}-hash";
+  smtp_pwd_secret = "${module_name}-smtp";
+  smtp_pwd_secret_path =
+    config.clan.core.facts.services."${smtp_pwd_secret}".secret."${smtp_pwd_secret}".path;
+  admin_secret_cfg_path =
+    config.clan.core.facts.services."${admin_pwd_secret}".secret."${admin_pwd_hash_secret}".path;
+in
+
+{
+  imports = [
+    ../postgresql
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "vaultwarden"
+      "enable"
+    ] "Importing the module will already enable the service.")
+    ../nginx
+  ];
+
+  options.clan."${module_name}" = {
+    domain = lib.mkOption {
+      type = lib.types.str;
+      example = "bitwarden.example.com";
+      description = "The domain to use for Vaultwarden";
+    };
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 3011;
+      description = "The port to use for Vaultwarden";
+    };
+    allow_signups = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Allow signups for new users";
+    };
+
+    smtp = {
+      host = lib.mkOption {
+        type = lib.types.str;
+        example = "smtp.example.com";
+        description = "The email server domain address";
+      };
+      from = lib.mkOption {
+        type = lib.types.str;
+        example = "foobar@example.com";
+        description = "From whom the email is coming from";
+      };
+      username = lib.mkOption {
+        type = lib.types.str;
+        example = "foobar@example.com";
+        description = "The email server username";
+      };
+    };
+  };
+
+  config = {
+
+    clan.postgresql.users.vaultwarden = { };
+    clan.postgresql.databases.vaultwarden.create.options = {
+      TEMPLATE = "template0";
+      LC_COLLATE = "C";
+      LC_CTYPE = "C";
+      ENCODING = "UTF8";
+      OWNER = "vaultwarden";
+    };
+    clan.postgresql.databases.vaultwarden.restore.stopOnRestore = [ "vaultwarden" ];
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "${cfg.domain}" = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = ''
+            client_max_body_size 128M;
+          '';
+          locations."/" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub/negotiate" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    clan.core.facts.services = {
+      "${admin_pwd_secret}" = {
+        secret."${admin_pwd_secret}" = { };
+        secret."${admin_pwd_hash_secret}" = { };
+        generator.path = with pkgs; [
+          coreutils
+          pwgen
+          libargon2
+          openssl
+        ];
+        generator.script = ''
+          ADMIN_PWD=$(pwgen 16 -n1 | tr -d "\n")
+          ADMIN_HASH=$(echo -n "$ADMIN_PWD" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
+
+          config="
+          ADMIN_TOKEN=\"$ADMIN_HASH\"
+          "
+          echo -n "$ADMIN_PWD" > $secrets/${admin_pwd_secret}
+          echo -n "$config" > $secrets/${admin_pwd_hash_secret}
+        '';
+      };
+      "${smtp_pwd_secret}" = {
+        secret."${smtp_pwd_secret}" = { };
+        generator.prompt = "${cfg.smtp.from} SMTP password";
+        generator.path = with pkgs; [ coreutils ];
+        generator.script = ''
+          config="
+            SMTP_PASSWORD="$prompt_value"
+          "
+          echo -n "$config" > $secrets/${smtp_pwd_secret}
+        '';
+      };
+    };
+
+    systemd.services."${module_name}" = {
+      serviceConfig = {
+        EnvironmentFile = [ smtp_pwd_secret_path ];
+      };
+    };
+
+    services."${module_name}" = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = admin_secret_cfg_path; # TODO: Make this upstream an array
+      config = {
+        SMTP_SECURITY = "force_tls";
+        SMTP_HOST = cfg.smtp.host;
+        SMTP_FROM = cfg.smtp.from;
+        SMTP_USERNAME = cfg.smtp.username;
+        DOMAIN = "https://${cfg.domain}";
+        SIGNUPS_ALLOWED = cfg.allow_signups;
+        ROCKET_PORT = builtins.toString cfg.port;
+        DATABASE_URL = "postgresql://"; # TODO: This should be set upstream if dbBackend is set to postgresql
+        ENABLE_WEBSOCKET = true;
+        ROCKET_ADDRESS = "127.0.0.1";
+      };
+    };
+
+  };
+
+}