From e4821a33cb5f0e939c495133ca7b9980f168da5a Mon Sep 17 00:00:00 2001
From: Qubasa <consulting@qube.email>
Date: Mon, 19 Aug 2024 11:40:46 +0200
Subject: [PATCH] clanModules: Init vaultwarden, the bitwarden server

---
 checks/matrix-synapse/default.nix   |   5 +-
 clanModules/dyndns/default.nix      |   7 +-
 clanModules/flake-module.nix        |   2 +
 clanModules/vaultwarden/README.md   |   3 +
 clanModules/vaultwarden/default.nix | 164 ++++++++++++++++++++++++++++
 5 files changed, 174 insertions(+), 7 deletions(-)
 create mode 100644 clanModules/vaultwarden/README.md
 create mode 100644 clanModules/vaultwarden/default.nix

diff --git a/checks/matrix-synapse/default.nix b/checks/matrix-synapse/default.nix
index 5205abbf5..9bd39e84d 100644
--- a/checks/matrix-synapse/default.nix
+++ b/checks/matrix-synapse/default.nix
@@ -22,7 +22,10 @@
               enableACME = lib.mkForce false;
               forceSSL = lib.mkForce false;
             };
-            clan.matrix-synapse.domain = "clan.test";
+            clan.matrix-synapse.domain = {
+              server = "clan.test";
+              client = "element.clan.test";
+            };
             clan.matrix-synapse.users.admin.admin = true;
             clan.matrix-synapse.users.someuser = { };
 
diff --git a/clanModules/dyndns/default.nix b/clanModules/dyndns/default.nix
index 3363b251c..7722005c6 100644
--- a/clanModules/dyndns/default.nix
+++ b/clanModules/dyndns/default.nix
@@ -143,6 +143,7 @@ in
       "dyndns"
       "enable"
     ] "Just define clan.dyndns.settings to enable it")
+    ../nginx
   ];
 
   config = lib.mkMerge [
@@ -158,11 +159,6 @@ in
         createHome = true;
       };
 
-      networking.firewall.allowedTCPPorts = lib.mkIf cfg.server.enable [
-        80
-        443
-      ];
-
       services.nginx = lib.mkIf cfg.server.enable {
         enable = true;
         virtualHosts = {
@@ -249,7 +245,6 @@ in
             PrivateDevices = "yes";
             ProtectKernelModules = "yes";
             ProtectKernelTunables = "yes";
-
             WorkingDirectory = "/var/lib/${name}";
             ReadWritePaths = [
               "/proc/self"
diff --git a/clanModules/flake-module.nix b/clanModules/flake-module.nix
index 60e1a32fc..d0f950eda 100644
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -15,6 +15,7 @@
     moonlight = ./moonlight;
     mumble = ./mumble;
     packages = ./packages;
+    nginx = ./nginx;
     postgresql = ./postgresql;
     root-password = ./root-password;
     single-disk = ./single-disk;
@@ -26,6 +27,7 @@
     thelounge = ./thelounge;
     trusted-nix-caches = ./trusted-nix-caches;
     user-password = ./user-password;
+    vaultwarden = ./vaultwarden;
     xfce = ./xfce;
     zerotier-static-peers = ./zerotier-static-peers;
     zt-tcp-relay = ./zt-tcp-relay;
diff --git a/clanModules/vaultwarden/README.md b/clanModules/vaultwarden/README.md
new file mode 100644
index 000000000..d2d0b76b8
--- /dev/null
+++ b/clanModules/vaultwarden/README.md
@@ -0,0 +1,3 @@
+---
+description = "The server for the password manager bitwarden"
+---
diff --git a/clanModules/vaultwarden/default.nix b/clanModules/vaultwarden/default.nix
new file mode 100644
index 000000000..7f110c8ec
--- /dev/null
+++ b/clanModules/vaultwarden/default.nix
@@ -0,0 +1,164 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.clan.vaultwarden;
+  module_name = "vaultwarden";
+
+  admin_pwd_secret = "${module_name}-admin";
+  admin_pwd_hash_secret = "${admin_pwd_secret}-hash";
+  smtp_pwd_secret = "${module_name}-smtp";
+  smtp_pwd_secret_path =
+    config.clan.core.facts.services."${smtp_pwd_secret}".secret."${smtp_pwd_secret}".path;
+  admin_secret_cfg_path =
+    config.clan.core.facts.services."${admin_pwd_secret}".secret."${admin_pwd_hash_secret}".path;
+in
+
+{
+  imports = [
+    ../postgresql
+    (lib.mkRemovedOptionModule [
+      "clan"
+      "vaultwarden"
+      "enable"
+    ] "Importing the module will already enable the service.")
+    ../nginx
+  ];
+
+  options.clan."${module_name}" = {
+    domain = lib.mkOption {
+      type = lib.types.str;
+      example = "bitwarden.example.com";
+      description = "The domain to use for Vaultwarden";
+    };
+    port = lib.mkOption {
+      type = lib.types.int;
+      default = 3011;
+      description = "The port to use for Vaultwarden";
+    };
+    allow_signups = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Allow signups for new users";
+    };
+
+    smtp = {
+      host = lib.mkOption {
+        type = lib.types.str;
+        example = "smtp.example.com";
+        description = "The email server domain address";
+      };
+      from = lib.mkOption {
+        type = lib.types.str;
+        example = "foobar@example.com";
+        description = "From whom the email is coming from";
+      };
+      username = lib.mkOption {
+        type = lib.types.str;
+        example = "foobar@example.com";
+        description = "The email server username";
+      };
+    };
+  };
+
+  config = {
+
+    clan.postgresql.users.vaultwarden = { };
+    clan.postgresql.databases.vaultwarden.create.options = {
+      TEMPLATE = "template0";
+      LC_COLLATE = "C";
+      LC_CTYPE = "C";
+      ENCODING = "UTF8";
+      OWNER = "vaultwarden";
+    };
+    clan.postgresql.databases.vaultwarden.restore.stopOnRestore = [ "vaultwarden" ];
+
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "${cfg.domain}" = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = ''
+            client_max_body_size 128M;
+          '';
+          locations."/" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub/negotiate" = {
+            proxyPass = "http://localhost:${builtins.toString cfg.port}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    clan.core.facts.services = {
+      "${admin_pwd_secret}" = {
+        secret."${admin_pwd_secret}" = { };
+        secret."${admin_pwd_hash_secret}" = { };
+        generator.path = with pkgs; [
+          coreutils
+          pwgen
+          libargon2
+          openssl
+        ];
+        generator.script = ''
+          ADMIN_PWD=$(pwgen 16 -n1 | tr -d "\n")
+          ADMIN_HASH=$(echo -n "$ADMIN_PWD" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
+
+          config="
+          ADMIN_TOKEN=\"$ADMIN_HASH\"
+          "
+          echo -n "$ADMIN_PWD" > $secrets/${admin_pwd_secret}
+          echo -n "$config" > $secrets/${admin_pwd_hash_secret}
+        '';
+      };
+      "${smtp_pwd_secret}" = {
+        secret."${smtp_pwd_secret}" = { };
+        generator.prompt = "${cfg.smtp.from} SMTP password";
+        generator.path = with pkgs; [ coreutils ];
+        generator.script = ''
+          config="
+            SMTP_PASSWORD="$prompt_value"
+          "
+          echo -n "$config" > $secrets/${smtp_pwd_secret}
+        '';
+      };
+    };
+
+    systemd.services."${module_name}" = {
+      serviceConfig = {
+        EnvironmentFile = [ smtp_pwd_secret_path ];
+      };
+    };
+
+    services."${module_name}" = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = admin_secret_cfg_path; # TODO: Make this upstream an array
+      config = {
+        SMTP_SECURITY = "force_tls";
+        SMTP_HOST = cfg.smtp.host;
+        SMTP_FROM = cfg.smtp.from;
+        SMTP_USERNAME = cfg.smtp.username;
+        DOMAIN = "https://${cfg.domain}";
+        SIGNUPS_ALLOWED = cfg.allow_signups;
+        ROCKET_PORT = builtins.toString cfg.port;
+        DATABASE_URL = "postgresql://"; # TODO: This should be set upstream if dbBackend is set to postgresql
+        ENABLE_WEBSOCKET = true;
+        ROCKET_ADDRESS = "127.0.0.1";
+      };
+    };
+
+  };
+
+}