| Skyler Grey | 87a1155 | 2023-06-14 23:02:25 +0200 | [diff] [blame^] | 1 | { base, pkgs, drive_paths, lib, config, ... }: { |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 2 | environment.systemPackages = with pkgs; [ vaultwarden ]; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 3 | |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 4 | services.vaultwarden.enable = true; |
| 5 | services.vaultwarden.dbBackend = "postgresql"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 6 | |
| Skyler Grey | 87a1155 | 2023-06-14 23:02:25 +0200 | [diff] [blame^] | 7 | sops.secrets = lib.pipe [ "ADMIN_TOKEN" "SMTP_PASSWORD" "YUBICO_SECRET_KEY" "HIBP_API_KEY" ] [ |
| 8 | (map (name: { |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 9 | inherit name; value = { |
| 10 | mode = "0400"; |
| 11 | owner = config.users.users.root.name; |
| 12 | group = config.users.users.nobody.group; |
| 13 | sopsFile = ../secrets/vaultwarden.json; |
| 14 | format = "json"; |
| 15 | }; |
| Skyler Grey | 87a1155 | 2023-06-14 23:02:25 +0200 | [diff] [blame^] | 16 | })) |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 17 | builtins.listToAttrs |
| 18 | ]; |
| 19 | } // ( |
| 20 | let |
| 21 | isDerived = base != null; |
| 22 | in |
| 23 | if isDerived |
| 24 | # We cannot use mkIf as both sides are evaluated no matter the condition value |
| 25 | # Given we use base as an attrset, mkIf will error if base is null in here |
| 26 | then |
| 27 | with lib; |
| 28 | let |
| 29 | cfg = services.vaultwarden; |
| 30 | |
| 31 | vaultwarden_config = { |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 32 | # Server Settings |
| 33 | DOMAIN = "https://passwords.clicks.codes"; |
| 34 | ROCKET_ADDRESS = "127.0.0.1"; |
| 35 | ROCKET_PORT = 8452; |
| 36 | |
| 37 | |
| 38 | # General Settings |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 39 | SIGNUPS_ALLOWED = false; |
| 40 | INVITATIONS_ALLOWED = true; |
| 41 | SIGNUPS_DOMAINS_WHITELIST = "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 42 | |
| Skyler Grey | 87a1155 | 2023-06-14 23:02:25 +0200 | [diff] [blame^] | 43 | RSA_KEY_FILENAME = "${drive_paths.External1000SSD}/bitwarden/rsa_key"; |
| 44 | ICON_CACHE_FOLDER = "${drive_paths.External1000SSD}/bitwarden/icon_cache"; |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 45 | ATTACHMENTS_FOLDER = "${drive_paths.External4000HDD}/bitwarden/attachments"; |
| 46 | SENDS_FOLDER = "${drive_paths.External4000HDD}/bitwarden/sends"; |
| 47 | TMP_FOLDER = "${drive_paths.External4000HDD}/bitwarden/tmp"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 48 | |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 49 | DISABLE_2FA_REMEMBER = true; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 50 | |
| 51 | # Admin Account |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 52 | ADMIN_TOKEN = "!!ADMIN_TOKEN!!"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 53 | |
| 54 | |
| 55 | # Database Settings |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 56 | DATABASE_URL = "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${config.services.postgresql.port}/vaultwarden"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 57 | |
| 58 | |
| 59 | # Mail Settings |
| 60 | SMTP_HOST = "127.0.0.1"; |
| 61 | SMTP_FROM = "bitwarden@clicks.codes"; |
| 62 | SMTP_FROM_NAME = "Clicks Bitwarden"; |
| 63 | SMTP_SECURITY = "starttls"; |
| 64 | SMTP_PORT = 587; |
| 65 | |
| TheCodedProf | bdc2345 | 2023-06-14 13:39:10 -0400 | [diff] [blame] | 66 | SMTP_USERNAME = "FILL_ME_IN"; |
| 67 | SMTP_PASSWORD = "!!SMTP_PASSWORD!!"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 68 | |
| TheCodedProf | bdc2345 | 2023-06-14 13:39:10 -0400 | [diff] [blame] | 69 | REQUIRE_DEVICE_EMAIL = true; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 70 | |
| 71 | |
| 72 | # YubiKey Settings |
| TheCodedProf | bdc2345 | 2023-06-14 13:39:10 -0400 | [diff] [blame] | 73 | YUBICO_CLIENT_ID = "89788"; |
| 74 | YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!"; |
| TheCodedProf | aec8c45 | 2023-06-12 18:26:46 -0400 | [diff] [blame] | 75 | |
| 76 | |
| 77 | # TODO: Buy a license |
| 78 | # HIBP Settings |
| TheCodedProf | d23784c | 2023-06-13 14:28:23 -0400 | [diff] [blame] | 79 | # HIBP_API_KEY="!!HIBP_API_KEY!!"; |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 80 | }; |
| 81 | |
| 82 | nameToEnvVar = name: |
| 83 | let |
| 84 | parts = builtins.split "([A-Z0-9]+)" name; |
| 85 | partsToEnvVar = parts: foldl' |
| 86 | (key: x: |
| 87 | let last = stringLength key - 1; in |
| 88 | if isList x then key + optionalString (key != "" && substring last 1 key != "_") "_" + head x |
| 89 | else if key != "" && elem (substring 0 1 x) lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ] |
| 90 | substring 0 last key + optionalString (substring (last - 1) 1 key != "_") "_" + substring last 1 key + toUpper x |
| 91 | else key + toUpper x) "" |
| 92 | parts; |
| 93 | in |
| 94 | if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts; |
| 95 | |
| 96 | # Due to the different naming schemes allowed for config keys, |
| 97 | # we can only check for values consistently after converting them to their corresponding environment variable name. |
| 98 | configEnv = |
| 99 | let |
| 100 | configEnv = concatMapAttrs |
| 101 | (name: value: optionalAttrs (value != null) { |
| 102 | ${nameToEnvVar name} = if isBool value then boolToString value else toString value; |
| 103 | }) |
| 104 | vaultwarden_config; |
| 105 | in |
| 106 | { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { |
| 107 | WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault"; |
| TheCodedProf | bdc2345 | 2023-06-14 13:39:10 -0400 | [diff] [blame] | 108 | } // configEnv; |
| TheCodedProf | b618460 | 2023-06-13 17:04:59 -0400 | [diff] [blame] | 109 | |
| 110 | configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); |
| 111 | in |
| 112 | { |
| 113 | scalpel.trafos."vaultwarden.env" = { |
| 114 | source = toString configFile; |
| 115 | matchers."ADMIN_TOKEN".secret = |
| 116 | config.sops.secrets.ADMIN_TOKEN.path; |
| 117 | matchers."SMTP_PASSWORD".secret = |
| 118 | config.sops.secrets.SMTP_PASSWORD.path; |
| 119 | matchers."YUBICO_SECRET_KEY".secret = |
| 120 | config.sops.secrets.YUBICO_SECRET_KEY.path; |
| 121 | matchers."HIBP_API_KEY".secret = |
| 122 | config.sops.secrets.HIBP_API_KEY.path; |
| 123 | matchers."clicks_bitwarden_db_secret".secret = |
| 124 | config.sops.secrets.clicks_bitwarden_db_password.path; |
| 125 | owner = config.users.users.vaultwarden.name; |
| 126 | group = config.users.groups.vaultwarden.name; |
| 127 | mode = "0400"; |
| 128 | }; |
| 129 | |
| 130 | services.vaultwarden.environmentFile = config.scalpel.trafos."vaultwarden.env".destination; |
| 131 | } else { } |
| 132 | ) |