modules/common/vaultwarden.nix - Infra/NixFiles - Gitiles

 { base, pkgs, lib, config, ... }:
 lib.recursiveUpdate {
   environment.systemPackages = with pkgs; [ vaultwarden ];

   services.vaultwarden.enable = true;
   services.vaultwarden.dbBackend = "postgresql";
   systemd.services.vaultwarden.requires = [ "postgresql.service" ];

   sops.secrets = lib.pipe [
     "ADMIN_TOKEN"
     "SMTP_PASSWORD"
     "YUBICO_SECRET_KEY"
     "HIBP_API_KEY"
   ] [
     (map (name: {
       inherit name;
       value = {
         mode = "0400";
         owner = config.users.users.root.name;
         group = config.users.users.root.group;
         sopsFile = ../../secrets/vaultwarden.json;
         format = "json";
       };
     }))
     builtins.listToAttrs
   ];
 } (let isDerived = base != null;
 in if isDerived
 # We cannot use mkIf as both sides are evaluated no matter the condition value
 # Given we use base as an attrset, mkIf will error if base is null in here
 then
   with lib;
   let
     cfg = config.services.vaultwarden;

     vaultwarden_config = {
       # Server Settings
       DOMAIN = "https://vaultwarden.clicks.codes";
       ROCKET_ADDRESS = "127.0.0.255";
       ROCKET_PORT = 1028;

       # General Settings
       SIGNUPS_ALLOWED = false;
       INVITATIONS_ALLOWED = true;
       SIGNUPS_DOMAINS_WHITELIST =
         "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
       SIGNUPS_VERIFY = true;

       DISABLE_2FA_REMEMBER = true;

       # Admin Account
       ADMIN_TOKEN = "!!ADMIN_TOKEN!!";

       # Database Settings
       DATABASE_URL =
         "postgresql://vaultwarden:!!clicks_vaultwarden_db_secret!!@127.0.0.1:${
           toString config.services.postgresql.port
         }/vaultwarden";

       # Mail Settings
       SMTP_HOST = "mail.clicks.codes";
       SMTP_FROM = "vaultwarden@clicks.codes";
       SMTP_FROM_NAME = "Clicks vaultwarden";
       SMTP_SECURITY = "starttls";
       SMTP_PORT = 587;

       SMTP_USERNAME = "vaultwarden@clicks.codes";
       SMTP_PASSWORD = "!!SMTP_PASSWORD!!";

       REQUIRE_DEVICE_EMAIL = true;

       IP_HEADER = "X-Forwarded-For";

       # YubiKey Settings
       YUBICO_CLIENT_ID = "89788";
       YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";

       # HIBP Settings
       HIBP_API_KEY="!!HIBP_API_KEY!!";

       ORG_ENABLE_GROUPS = true;
       # I have looked at the risks. They seem relatively small in comparison to the utility
       # (stuff like sync issues if you don't refresh your page)
       # Also a general lack of real-world testing. Which, honestly, doesn't
       # seem too bad. Please contact me *immediately* upon noticing issues
       # as I want to make sure that as little as possible is lost if we need
       # to restore from backups (although I doubt it'll come to that)
     };

     nameToEnvVar = name:
       let
         parts = builtins.split "([A-Z0-9]+)" name;
         partsToEnvVar = parts:
           foldl' (key: x:
             let last = stringLength key - 1;
             in if isList x then
               key
               + optionalString (key != "" && substring last 1 key != "_") "_"
               + head x
             else if key != "" && elem (substring 0 1 x)
             lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
               substring 0 last key
               + optionalString (substring (last - 1) 1 key != "_") "_"
               + substring last 1 key + toUpper x
             else
               key + toUpper x) "" parts;
       in if builtins.match "[A-Z0-9_]+" name != null then
         name
       else
         partsToEnvVar parts;

     # Due to the different naming schemes allowed for config keys,
     # we can only check for values consistently after converting them to their corresponding environment variable name.
     configEnv = let
       configEnv = concatMapAttrs (name: value:
         optionalAttrs (value != null) {
           ${nameToEnvVar name} =
             if isBool value then boolToString value else toString value;
         }) vaultwarden_config;
     in {
       DATA_FOLDER = "/var/lib/bitwarden_rs";
     } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
       || configEnv.WEB_VAULT_ENABLED == "true") {
         WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
       } // configEnv;

     configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
       (name: value: ''
         ${name}=${value}
       '') configEnv));
   in {
     scalpel.trafos."vaultwarden.env" = {
       source = toString configFile;
       matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
       matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
       matchers."YUBICO_SECRET_KEY".secret =
         config.sops.secrets.YUBICO_SECRET_KEY.path;
       matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
       matchers."clicks_vaultwarden_db_secret".secret =
         config.sops.secrets.clicks_vaultwarden_db_password.path;
       owner = config.users.users.vaultwarden.name;
       group = config.users.groups.vaultwarden.name;
       mode = "0400";
     };

     services.vaultwarden.environmentFile =
       config.scalpel.trafos."vaultwarden.env".destination;
   }
 else
   { })
	{ base, pkgs, lib, config, ... }:
	lib.recursiveUpdate {
	environment.systemPackages = with pkgs; [ vaultwarden ];

	services.vaultwarden.enable = true;
	services.vaultwarden.dbBackend = "postgresql";
	systemd.services.vaultwarden.requires = [ "postgresql.service" ];

	sops.secrets = lib.pipe [
	"ADMIN_TOKEN"
	"SMTP_PASSWORD"
	"YUBICO_SECRET_KEY"
	"HIBP_API_KEY"
	] [
	(map (name: {
	inherit name;
	value = {
	mode = "0400";
	owner = config.users.users.root.name;
	group = config.users.users.root.group;
	sopsFile = ../../secrets/vaultwarden.json;
	format = "json";
	};
	}))
	builtins.listToAttrs
	];
	} (let isDerived = base != null;
	in if isDerived
	# We cannot use mkIf as both sides are evaluated no matter the condition value
	# Given we use base as an attrset, mkIf will error if base is null in here
	then
	with lib;
	let
	cfg = config.services.vaultwarden;

	vaultwarden_config = {
	# Server Settings
	DOMAIN = "https://vaultwarden.clicks.codes";
	ROCKET_ADDRESS = "127.0.0.255";
	ROCKET_PORT = 1028;

	# General Settings
	SIGNUPS_ALLOWED = false;
	INVITATIONS_ALLOWED = true;
	SIGNUPS_DOMAINS_WHITELIST =
	"clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
	SIGNUPS_VERIFY = true;

	DISABLE_2FA_REMEMBER = true;

	# Admin Account
	ADMIN_TOKEN = "!!ADMIN_TOKEN!!";

	# Database Settings
	DATABASE_URL =
	"postgresql://vaultwarden:!!clicks_vaultwarden_db_secret!!@127.0.0.1:${
	toString config.services.postgresql.port
	}/vaultwarden";

	# Mail Settings
	SMTP_HOST = "mail.clicks.codes";
	SMTP_FROM = "vaultwarden@clicks.codes";
	SMTP_FROM_NAME = "Clicks vaultwarden";
	SMTP_SECURITY = "starttls";
	SMTP_PORT = 587;

	SMTP_USERNAME = "vaultwarden@clicks.codes";
	SMTP_PASSWORD = "!!SMTP_PASSWORD!!";

	REQUIRE_DEVICE_EMAIL = true;

	IP_HEADER = "X-Forwarded-For";

	# YubiKey Settings
	YUBICO_CLIENT_ID = "89788";
	YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";

	# HIBP Settings
	HIBP_API_KEY="!!HIBP_API_KEY!!";

	ORG_ENABLE_GROUPS = true;
	# I have looked at the risks. They seem relatively small in comparison to the utility
	# (stuff like sync issues if you don't refresh your page)
	# Also a general lack of real-world testing. Which, honestly, doesn't
	# seem too bad. Please contact me immediately upon noticing issues
	# as I want to make sure that as little as possible is lost if we need
	# to restore from backups (although I doubt it'll come to that)
	};

	nameToEnvVar = name:
	let
	parts = builtins.split "([A-Z0-9]+)" name;
	partsToEnvVar = parts:
	foldl' (key: x:
	let last = stringLength key - 1;
	in if isList x then
	key
	+ optionalString (key != "" && substring last 1 key != "_") "_"
	+ head x
	else if key != "" && elem (substring 0 1 x)
	lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
	substring 0 last key
	+ optionalString (substring (last - 1) 1 key != "_") "_"
	+ substring last 1 key + toUpper x
	else
	key + toUpper x) "" parts;
	in if builtins.match "[A-Z0-9_]+" name != null then
	name
	else
	partsToEnvVar parts;

	# Due to the different naming schemes allowed for config keys,
	# we can only check for values consistently after converting them to their corresponding environment variable name.
	configEnv = let
	configEnv = concatMapAttrs (name: value:
	optionalAttrs (value != null) {
	${nameToEnvVar name} =
	if isBool value then boolToString value else toString value;
	}) vaultwarden_config;
	in {
	DATA_FOLDER = "/var/lib/bitwarden_rs";
	} // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
	\|\| configEnv.WEB_VAULT_ENABLED == "true") {
	WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
	} // configEnv;

	configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
	(name: value: ''
	${name}=${value}
	'') configEnv));
	in {
	scalpel.trafos."vaultwarden.env" = {
	source = toString configFile;
	matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
	matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
	matchers."YUBICO_SECRET_KEY".secret =
	config.sops.secrets.YUBICO_SECRET_KEY.path;
	matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
	matchers."clicks_vaultwarden_db_secret".secret =
	config.sops.secrets.clicks_vaultwarden_db_password.path;
	owner = config.users.users.vaultwarden.name;
	group = config.users.groups.vaultwarden.name;
	mode = "0400";
	};

	services.vaultwarden.environmentFile =
	config.scalpel.trafos."vaultwarden.env".destination;
	}
	else
	{ })