Move all flakes into modules/ and sep't, create deploy script for a1d2
Change-Id: Ie4d50fb8f16da193195beb139922a366b72b0b0a
diff --git a/modules/common/vaultwarden.nix b/modules/common/vaultwarden.nix
new file mode 100644
index 0000000..40047dd
--- /dev/null
+++ b/modules/common/vaultwarden.nix
@@ -0,0 +1,161 @@
+{ base, pkgs, drive_paths, lib, config, ... }:
+if drive_paths == null
+then {}
+else lib.recursiveUpdate {
+ environment.systemPackages = with pkgs; [ vaultwarden ];
+
+ services.vaultwarden.enable = true;
+ services.vaultwarden.dbBackend = "postgresql";
+
+ sops.secrets = lib.pipe [
+ "ADMIN_TOKEN"
+ "SMTP_PASSWORD"
+ "YUBICO_SECRET_KEY"
+ "HIBP_API_KEY"
+ ] [
+ (map (name: {
+ inherit name;
+ value = {
+ mode = "0400";
+ owner = config.users.users.root.name;
+ group = config.users.users.root.group;
+ sopsFile = ../../secrets/vaultwarden.json;
+ format = "json";
+ };
+ }))
+ builtins.listToAttrs
+ ];
+} (let isDerived = base != null;
+in if isDerived
+# We cannot use mkIf as both sides are evaluated no matter the condition value
+# Given we use base as an attrset, mkIf will error if base is null in here
+then
+ with lib;
+ let
+ cfg = config.services.vaultwarden;
+
+ vaultwarden_config = {
+ # Server Settings
+ DOMAIN = "https://passwords.clicks.codes";
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8452;
+
+ # General Settings
+ SIGNUPS_ALLOWED = false;
+ INVITATIONS_ALLOWED = true;
+ SIGNUPS_DOMAINS_WHITELIST =
+ "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
+ SIGNUPS_VERIFY = true;
+
+ RSA_KEY_FILENAME =
+ "${drive_paths.External1000SSD.path}/bitwarden/rsa_key";
+ ICON_CACHE_FOLDER =
+ "${drive_paths.External1000SSD.path}/bitwarden/icon_cache";
+ ATTACHMENTS_FOLDER =
+ "${drive_paths.External4000HDD.path}/bitwarden/attachments";
+ SENDS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/sends";
+ TMP_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/tmp";
+
+ DISABLE_2FA_REMEMBER = true;
+
+ # Admin Account
+ ADMIN_TOKEN = "!!ADMIN_TOKEN!!";
+
+ # Database Settings
+ DATABASE_URL =
+ "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${
+ toString config.services.postgresql.port
+ }/vaultwarden";
+
+ # Mail Settings
+ SMTP_HOST = "mail.clicks.codes";
+ SMTP_FROM = "bitwarden@clicks.codes";
+ SMTP_FROM_NAME = "Clicks Bitwarden";
+ SMTP_SECURITY = "starttls";
+ SMTP_PORT = 587;
+
+ SMTP_USERNAME = "bitwarden@clicks.codes";
+ SMTP_PASSWORD = "!!SMTP_PASSWORD!!";
+
+ REQUIRE_DEVICE_EMAIL = true;
+
+ IP_HEADER = "X-Forwarded-For";
+
+ # YubiKey Settings
+ YUBICO_CLIENT_ID = "89788";
+ YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";
+
+ # TODO: Buy a license
+ # HIBP Settings
+ # HIBP_API_KEY="!!HIBP_API_KEY!!";
+
+ ORG_ENABLE_GROUPS = true;
+ # I have looked at the risks. They seem relatively small in comparison to the utility
+ # (stuff like sync issues if you don't refresh your page)
+ # Also a general lack of real-world testing. Which, honestly, doesn't
+ # seem too bad. Please contact me *immediately* upon noticing issues
+ # as I want to make sure that as little as possible is lost if we need
+ # to restore from backups (although I doubt it'll come to that)
+ };
+
+ nameToEnvVar = name:
+ let
+ parts = builtins.split "([A-Z0-9]+)" name;
+ partsToEnvVar = parts:
+ foldl' (key: x:
+ let last = stringLength key - 1;
+ in if isList x then
+ key
+ + optionalString (key != "" && substring last 1 key != "_") "_"
+ + head x
+ else if key != "" && elem (substring 0 1 x)
+ lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
+ substring 0 last key
+ + optionalString (substring (last - 1) 1 key != "_") "_"
+ + substring last 1 key + toUpper x
+ else
+ key + toUpper x) "" parts;
+ in if builtins.match "[A-Z0-9_]+" name != null then
+ name
+ else
+ partsToEnvVar parts;
+
+ # Due to the different naming schemes allowed for config keys,
+ # we can only check for values consistently after converting them to their corresponding environment variable name.
+ configEnv = let
+ configEnv = concatMapAttrs (name: value:
+ optionalAttrs (value != null) {
+ ${nameToEnvVar name} =
+ if isBool value then boolToString value else toString value;
+ }) vaultwarden_config;
+ in {
+ DATA_FOLDER = "/var/lib/bitwarden_rs";
+ } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
+ || configEnv.WEB_VAULT_ENABLED == "true") {
+ WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
+ } // configEnv;
+
+ configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
+ (name: value: ''
+ ${name}=${value}
+ '') configEnv));
+ in {
+ scalpel.trafos."vaultwarden.env" = {
+ source = toString configFile;
+ matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
+ matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
+ matchers."YUBICO_SECRET_KEY".secret =
+ config.sops.secrets.YUBICO_SECRET_KEY.path;
+ matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
+ matchers."clicks_bitwarden_db_secret".secret =
+ config.sops.secrets.clicks_bitwarden_db_password.path;
+ owner = config.users.users.vaultwarden.name;
+ group = config.users.groups.vaultwarden.name;
+ mode = "0400";
+ };
+
+ services.vaultwarden.environmentFile =
+ config.scalpel.trafos."vaultwarden.env".destination;
+ }
+else
+ { })