move bitwarden to SP module

2023-12-03 12:29:01 +04:00
parent ade4dc08b1
commit c0aa73ca1b
10 changed files with 103 additions and 60 deletions
--- a/sp-modules/bitwarden/cleanup-module.nix
+++ b/sp-modules/bitwarden/cleanup-module.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+  inherit (import ./common.nix config) bitwarden-env sp;
+in
+# FIXME do we really want to delete passwords on module deactivation!?
+{
+  config = lib.mkIf (!sp.modules.bitwarden.enable) {
+    system.activationScripts.bitwarden =
+      lib.trivial.warn
+        (
+          "bitwarden service is disabled, ${bitwarden-env} will be removed!"
+        )
+        ''
+          rm -f -v ${bitwarden-env}
+        '';
+  };
+}
--- a/sp-modules/bitwarden/common.nix
+++ b/sp-modules/bitwarden/common.nix
@@ -0,0 +1,5 @@
+config:
+{
+  sp = config.selfprivacy;
+  bitwarden-env = "/var/lib/bitwarden/.env";
+}
--- a/sp-modules/bitwarden/config-paths-needed.json
+++ b/sp-modules/bitwarden/config-paths-needed.json
@@ -0,0 +1,5 @@
+[
+  [ "selfprivacy", "domain" ],
+  [ "selfprivacy", "useBinds" ],
+  [ "selfprivacy", "modules", "bitwarden" ]
+]
--- a/sp-modules/bitwarden/flake.nix
+++ b/sp-modules/bitwarden/flake.nix
@@ -0,0 +1,10 @@
+{
+  description = "PoC SP module for Bitwarden password management solution";
+
+  outputs = { self }: {
+    nixosModules.default = _:
+      { imports = [ ./module.nix ./cleanup-module.nix ]; };
+    configPathsNeeded =
+      builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+  };
+}
--- a/sp-modules/bitwarden/module.nix
+++ b/sp-modules/bitwarden/module.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+  secrets-filepath = "/etc/selfprivacy/secrets.json";
+  inherit (import ./common.nix config) bitwarden-env sp;
+in
+{
+  options.selfprivacy.modules.bitwarden = {
+    enable = lib.mkOption {
+      default = false;
+      type = with lib.types; nullOr bool;
+    };
+    location = lib.mkOption {
+      default = "sda1";
+      type = with lib.types; nullOr str;
+    };
+  };
+
+  config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
+    fileSystems = lib.mkIf sp.useBinds {
+      "/var/lib/bitwarden" = {
+        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
+        options = [ "bind" ];
+      };
+      "/var/lib/bitwarden_rs" = {
+        device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
+        options = [ "bind" ];
+      };
+    };
+    services.vaultwarden = {
+      enable = true;
+      dbBackend = "sqlite";
+      backupDir = "/var/lib/bitwarden/backup";
+      environmentFile = "${bitwarden-env}";
+      config = {
+        domain = "https://password.${sp.domain}/";
+        signupsAllowed = true;
+        rocketPort = 8222;
+      };
+    };
+    systemd.services.bitwarden-secrets = {
+      before = [ "vaultwarden.service" ];
+      requiredBy = [ "vaultwarden.service" ];
+      serviceConfig.Type = "oneshot";
+      path = with pkgs; [ coreutils jq ];
+      script = ''
+        set -o nounset
+
+        token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
+        if [ "$token" == "null" ]; then
+            # If it's null, empty the contents of the file
+            bitwarden_env=""
+        else
+            bitwarden_env="ADMIN_TOKEN=$token"
+        fi
+        # TODO revise this permissions mode
+        install -m 0640 -o vaultwarden -g vaultwarden -DT \
+        <(printf "%s" "$bitwarden_env") ${bitwarden-env}
+      '';
+    };
+    systemd.tmpfiles.rules = [
+      "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -"
+      "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -"
+      "f ${bitwarden-env} 0640 vaultwarden vaultwarden - -"
+    ];
+  };
+}