Format with nixfmt
Change-Id: If9839d2c3308538ac8f3e166b69675d3b40bd7d9
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index 0a3764e..a46987e 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -1,146 +1,159 @@
{ base, pkgs, drive_paths, lib, config, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
environment.systemPackages = with pkgs; [ vaultwarden ];
services.vaultwarden.enable = true;
services.vaultwarden.dbBackend = "postgresql";
- sops.secrets = lib.pipe [ "ADMIN_TOKEN" "SMTP_PASSWORD" "YUBICO_SECRET_KEY" "HIBP_API_KEY" ] [
+ sops.secrets = lib.pipe [
+ "ADMIN_TOKEN"
+ "SMTP_PASSWORD"
+ "YUBICO_SECRET_KEY"
+ "HIBP_API_KEY"
+ ] [
(map (name: {
- inherit name; value = {
- mode = "0400";
- owner = config.users.users.root.name;
- group = config.users.users.nobody.group;
- sopsFile = ../secrets/vaultwarden.json;
- format = "json";
- };
+ inherit name;
+ value = {
+ mode = "0400";
+ owner = config.users.users.root.name;
+ group = config.users.users.nobody.group;
+ sopsFile = ../secrets/vaultwarden.json;
+ format = "json";
+ };
}))
builtins.listToAttrs
];
-}
- (
- let
- isDerived = base != null;
- in
- if isDerived
- # We cannot use mkIf as both sides are evaluated no matter the condition value
- # Given we use base as an attrset, mkIf will error if base is null in here
- then
- with lib;
+} (let isDerived = base != null;
+in if isDerived
+# We cannot use mkIf as both sides are evaluated no matter the condition value
+# Given we use base as an attrset, mkIf will error if base is null in here
+then
+ with lib;
+ let
+ cfg = config.services.vaultwarden;
+
+ vaultwarden_config = {
+ # Server Settings
+ DOMAIN = "https://passwords.clicks.codes";
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8452;
+
+ # General Settings
+ SIGNUPS_ALLOWED = false;
+ INVITATIONS_ALLOWED = true;
+ SIGNUPS_DOMAINS_WHITELIST =
+ "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
+ SIGNUPS_VERIFY = true;
+
+ RSA_KEY_FILENAME =
+ "${drive_paths.External1000SSD.path}/bitwarden/rsa_key";
+ ICON_CACHE_FOLDER =
+ "${drive_paths.External1000SSD.path}/bitwarden/icon_cache";
+ ATTACHMENTS_FOLDER =
+ "${drive_paths.External4000HDD.path}/bitwarden/attachments";
+ SENDS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/sends";
+ TMP_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/tmp";
+
+ DISABLE_2FA_REMEMBER = true;
+
+ # Admin Account
+ ADMIN_TOKEN = "!!ADMIN_TOKEN!!";
+
+ # Database Settings
+ DATABASE_URL =
+ "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${
+ toString config.services.postgresql.port
+ }/vaultwarden";
+
+ # Mail Settings
+ SMTP_HOST = "mail.clicks.codes";
+ SMTP_FROM = "bitwarden@clicks.codes";
+ SMTP_FROM_NAME = "Clicks Bitwarden";
+ SMTP_SECURITY = "starttls";
+ SMTP_PORT = 587;
+
+ SMTP_USERNAME = "bitwarden@clicks.codes";
+ SMTP_PASSWORD = "!!SMTP_PASSWORD!!";
+
+ REQUIRE_DEVICE_EMAIL = true;
+
+ IP_HEADER = "X-Forwarded-For";
+
+ # YubiKey Settings
+ YUBICO_CLIENT_ID = "89788";
+ YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";
+
+ # TODO: Buy a license
+ # HIBP Settings
+ # HIBP_API_KEY="!!HIBP_API_KEY!!";
+
+ ORG_ENABLE_GROUPS = true;
+ # I have looked at the risks. They seem relatively small in comparison to the utility
+ # (stuff like sync issues if you don't refresh your page)
+ # Also a general lack of real-world testing. Which, honestly, doesn't
+ # seem too bad. Please contact me *immediately* upon noticing issues
+ # as I want to make sure that as little as possible is lost if we need
+ # to restore from backups (although I doubt it'll come to that)
+ };
+
+ nameToEnvVar = name:
let
- cfg = config.services.vaultwarden;
+ parts = builtins.split "([A-Z0-9]+)" name;
+ partsToEnvVar = parts:
+ foldl' (key: x:
+ let last = stringLength key - 1;
+ in if isList x then
+ key
+ + optionalString (key != "" && substring last 1 key != "_") "_"
+ + head x
+ else if key != "" && elem (substring 0 1 x)
+ lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
+ substring 0 last key
+ + optionalString (substring (last - 1) 1 key != "_") "_"
+ + substring last 1 key + toUpper x
+ else
+ key + toUpper x) "" parts;
+ in if builtins.match "[A-Z0-9_]+" name != null then
+ name
+ else
+ partsToEnvVar parts;
- vaultwarden_config = {
- # Server Settings
- DOMAIN = "https://passwords.clicks.codes";
- ROCKET_ADDRESS = "127.0.0.1";
- ROCKET_PORT = 8452;
+ # Due to the different naming schemes allowed for config keys,
+ # we can only check for values consistently after converting them to their corresponding environment variable name.
+ configEnv = let
+ configEnv = concatMapAttrs (name: value:
+ optionalAttrs (value != null) {
+ ${nameToEnvVar name} =
+ if isBool value then boolToString value else toString value;
+ }) vaultwarden_config;
+ in {
+ DATA_FOLDER = "/var/lib/bitwarden_rs";
+ } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
+ || configEnv.WEB_VAULT_ENABLED == "true") {
+ WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
+ } // configEnv;
+ configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
+ (name: value: ''
+ ${name}=${value}
+ '') configEnv));
+ in {
+ scalpel.trafos."vaultwarden.env" = {
+ source = toString configFile;
+ matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
+ matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
+ matchers."YUBICO_SECRET_KEY".secret =
+ config.sops.secrets.YUBICO_SECRET_KEY.path;
+ matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
+ matchers."clicks_bitwarden_db_secret".secret =
+ config.sops.secrets.clicks_bitwarden_db_password.path;
+ owner = config.users.users.vaultwarden.name;
+ group = config.users.groups.vaultwarden.name;
+ mode = "0400";
+ };
- # General Settings
- SIGNUPS_ALLOWED = false;
- INVITATIONS_ALLOWED = true;
- SIGNUPS_DOMAINS_WHITELIST = "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
- SIGNUPS_VERIFY = true;
-
- RSA_KEY_FILENAME = "${drive_paths.External1000SSD.path}/bitwarden/rsa_key";
- ICON_CACHE_FOLDER = "${drive_paths.External1000SSD.path}/bitwarden/icon_cache";
- ATTACHMENTS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/attachments";
- SENDS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/sends";
- TMP_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/tmp";
-
- DISABLE_2FA_REMEMBER = true;
-
- # Admin Account
- ADMIN_TOKEN = "!!ADMIN_TOKEN!!";
-
-
- # Database Settings
- DATABASE_URL =
- "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${toString config.services.postgresql.port}/vaultwarden";
-
-
- # Mail Settings
- SMTP_HOST = "mail.clicks.codes";
- SMTP_FROM = "bitwarden@clicks.codes";
- SMTP_FROM_NAME = "Clicks Bitwarden";
- SMTP_SECURITY = "starttls";
- SMTP_PORT = 587;
-
- SMTP_USERNAME = "bitwarden@clicks.codes";
- SMTP_PASSWORD = "!!SMTP_PASSWORD!!";
-
- REQUIRE_DEVICE_EMAIL = true;
-
- IP_HEADER = "X-Forwarded-For";
-
- # YubiKey Settings
- YUBICO_CLIENT_ID = "89788";
- YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";
-
-
- # TODO: Buy a license
- # HIBP Settings
- # HIBP_API_KEY="!!HIBP_API_KEY!!";
-
- ORG_ENABLE_GROUPS = true;
- # I have looked at the risks. They seem relatively small in comparison to the utility
- # (stuff like sync issues if you don't refresh your page)
- # Also a general lack of real-world testing. Which, honestly, doesn't
- # seem too bad. Please contact me *immediately* upon noticing issues
- # as I want to make sure that as little as possible is lost if we need
- # to restore from backups (although I doubt it'll come to that)
- };
-
- nameToEnvVar = name:
- let
- parts = builtins.split "([A-Z0-9]+)" name;
- partsToEnvVar = parts: foldl'
- (key: x:
- let last = stringLength key - 1; in
- if isList x then key + optionalString (key != "" && substring last 1 key != "_") "_" + head x
- else if key != "" && elem (substring 0 1 x) lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
- substring 0 last key + optionalString (substring (last - 1) 1 key != "_") "_" + substring last 1 key + toUpper x
- else key + toUpper x) ""
- parts;
- in
- if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts;
-
- # Due to the different naming schemes allowed for config keys,
- # we can only check for values consistently after converting them to their corresponding environment variable name.
- configEnv =
- let
- configEnv = concatMapAttrs
- (name: value: optionalAttrs (value != null) {
- ${nameToEnvVar name} = if isBool value then boolToString value else toString value;
- })
- vaultwarden_config;
- in
- { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
- WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
- } // configEnv;
-
- configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv));
- in
- {
- scalpel.trafos."vaultwarden.env" = {
- source = toString configFile;
- matchers."ADMIN_TOKEN".secret =
- config.sops.secrets.ADMIN_TOKEN.path;
- matchers."SMTP_PASSWORD".secret =
- config.sops.secrets.SMTP_PASSWORD.path;
- matchers."YUBICO_SECRET_KEY".secret =
- config.sops.secrets.YUBICO_SECRET_KEY.path;
- matchers."HIBP_API_KEY".secret =
- config.sops.secrets.HIBP_API_KEY.path;
- matchers."clicks_bitwarden_db_secret".secret =
- config.sops.secrets.clicks_bitwarden_db_password.path;
- owner = config.users.users.vaultwarden.name;
- group = config.users.groups.vaultwarden.name;
- mode = "0400";
- };
-
- services.vaultwarden.environmentFile = config.scalpel.trafos."vaultwarden.env".destination;
- } else { }
- )
+ services.vaultwarden.environmentFile =
+ config.scalpel.trafos."vaultwarden.env".destination;
+ }
+else
+ { })