feat(bw): vaultwarden
This commit is contained in:
parent
0b0a91d506
commit
0947ca0532
15 changed files with 437 additions and 7 deletions
@ -92,7 +92,10 @@ in {
|
|||
prepKeyEnvironment = pkgs.writeShellScript "barcodebuddy-scanner-apikey.sh" ''
|
||||
set -eu
|
||||
|
||||
printf "API_KEY=$(cat $API_KEY_PATH)\\n" > $RUNTIME_DIRECTORY/${apiKeyFile}
|
||||
printf "" > $RUNTIME_DIRECTORY/${apiKeyFile}
|
||||
chmod 0640 $RUNTIME_DIRECTORY/${apiKeyFile}
|
||||
|
||||
printf "API_KEY=$(cat $API_KEY_PATH)\\n" >> $RUNTIME_DIRECTORY/${apiKeyFile}
|
||||
'';
|
||||
in {
|
||||
wantedBy = [
|
||||
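--- /dev/null
+++ b/modules/nixos/vaultwarden.nix
@@ -0,0 +1,86 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkOptionDefault;
+  inherit (lib.attrsets) attrNames filterAttrs mapAttrs' nameValuePair;
+  inherit (lib.strings) concatMapStringsSep;
+  cfg = config.services.vaultwarden;
+  RuntimeDirectory = "bitwarden_rs";
+  secretsFile = "secrets.env";
+in {
+  options.services.vaultwarden = with lib.types; {
+    port = mkOption {
+      type = port;
+      default = 8222;
+    };
+    websocketPort = mkOption {
+      type = nullOr port;
+      default = null;
+    };
+    databaseUrlPath = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+    adminTokenPath = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+    smtpPasswordPath = mkOption {
+      type = nullOr str;
+      default = null;
+    };
+  };
+  config.services.vaultwarden = {
+    config = {
+      DATA_FOLDER = mkOptionDefault "/var/lib/bitwarden_rs";
+      WEB_VAULT_ENABLED = mkOptionDefault true;
+      ROCKET_ENV = mkOptionDefault "production";
+      ROCKET_ADDRESS = mkOptionDefault "::1";
+      ROCKET_PORT = mkOptionDefault cfg.port;
+      WEBSOCKET_ENABLED = mkOptionDefault (cfg.websocketPort != null);
+      WEBSOCKET_ADDRESS = mkOptionDefault "::1";
+      WEBSOCKET_PORT = mkIf (cfg.websocketPort != null) cfg.websocketPort;
+    };
+  };
+  config.systemd.services.vaultwarden = let
+    filterNullAttrs = filterAttrs (_: v: v != null);
+    secretPaths' = {
+      DATABASE_URL = cfg.databaseUrlPath;
+      ADMIN_TOKEN = cfg.adminTokenPath;
+      SMTP_PASSWORD = cfg.smtpPasswordPath;
+    };
+    secretPaths = filterNullAttrs secretPaths';
+    hasSecrets = secretPaths != {};
+    mkPrintSecret = key: let
+      path = "${key}_PATH";
+    in ''
+      if [[ -n ''${${path}-} ]]; then
+        printf "${key}=$(cat ''${${path}})\\n" >> $RUNTIME_DIRECTORY/${secretsFile}
+      fi
+    '';
+    prepSecrets = pkgs.writeShellScript "vaultwarden-secrets.sh" ''
+      set -eu
+
+      printf "" > $RUNTIME_DIRECTORY/${secretsFile}
+      chmod 0640 $RUNTIME_DIRECTORY/${secretsFile}
+
+      ${concatMapStringsSep "\n" mkPrintSecret (attrNames secretPaths')}
+    '';
+  in
+    mkIf cfg.enable {
+      environment = mkIf hasSecrets (mapAttrs' (key: nameValuePair "${key}_PATH") secretPaths);
+      serviceConfig = {
+        inherit RuntimeDirectory;
+        EnvironmentFile = mkIf hasSecrets [
+          "-/run/${RuntimeDirectory}/${secretsFile}"
+        ];
+        ExecStartPre = mkIf hasSecrets [
+          "${prepSecrets}"
+        ];
+      };
+    };
+}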
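Review bot: In `mkPrintSecret` the secret's contents become part of printf's format string (`printf "${key}=$(cat ''${${path}})\\n"`), so a value containing `%` — a DATABASE_URL with a percent-encoded password, for instance — is reinterpreted as a conversion directive and is written corrupted or aborts the `set -eu` script. Pass the value as an argument and quote the expansions instead: `printf '%s=%s\n' "${key}" "$(cat "''${${path}}")" >> "$RUNTIME_DIRECTORY/${secretsFile}"`. Since systemd parses the result as an EnvironmentFile, a short comment noting that values containing backslashes or quote characters go through systemd's quoting rules rather than being taken verbatim would save the next person a surprise. The create → `chmod 0640` → append order in `prepSecrets` is sound in that no secret is written before the mode is tightened; a `umask 077` as the first line of the script would stop that from depending on the inherited umask at all.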
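--- /dev/null
+++ b/modules/system/exports/vaultwarden.nix
@@ -0,0 +1,41 @@
+{
+  lib,
+  gensokyo-zone,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+  inherit (lib.attrsets) mapAttrs;
+in {
+  config.exports.services.vaultwarden = {config, ...}: {
+    id = mkAlmostOptionDefault "bw";
+    defaults.port.listen = mkAlmostOptionDefault "lan";
+    nixos = {
+      serviceAttr = "vaultwarden";
+      assertions = mkIf config.enable [
+        (nixosConfig: {
+          assertion = config.ports.default.port == nixosConfig.services.vaultwarden.port;
+          message = "port mismatch";
+        })
+        (nixosConfig: {
+          assertion = nixosConfig.services.vaultwarden.websocketPort == null || config.ports.websocket.port == nixosConfig.services.vaultwarden.websocketPort;
+          message = "websocketPort mismatch";
+        })
+        (nixosConfig: {
+          assertion = config.ports.websocket.enable == (nixosConfig.services.vaultwarden.websocketPort != null);
+          message = "websocketPort enable mismatch";
+        })
+      ];
+    };
+    ports = mapAttrs (_: mapAlmostOptionDefaults) {
+      default = {
+        port = 8222;
+        protocol = "http";
+      };
+      websocket = {
+        port = 8223;
+        protocol = "http";
+      };
+    };
+  };
+}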
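Review bot: Both exported ports are declared `protocol = "http"` with `defaults.port.listen = "lan"`, while the NixOS module in the same commit binds ROCKET_ADDRESS and WEBSOCKET_ADDRESS to `::1`; the apparent intent — a TLS-terminating reverse proxy in front, which the Bitwarden web vault needs because its crypto APIs require a secure context — is not stated in this file. A comment above `ports` such as `# plain http, bound to loopback by the nixos module; expected behind a TLS-terminating proxy (the web vault needs a secure context)` would make that assumption explicit, and is worth confirming against how `listen = "lan"` is consumed. The assertion messages `"port mismatch"` and `"websocketPort mismatch"` would be far more useful on an eval failure if they carried the two values, e.g. `message = "vaultwarden port mismatch: exports ${toString config.ports.default.port} vs nixos ${toString nixosConfig.services.vaultwarden.port}";`.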