Merge branch 'feature/vaultwarden' into 'main'

vaultwarden: add nixos unstable module See merge request hacc/infra/haccfiles!80
2021-09-23 18:52:51 +00:00 · 2021-09-23 18:52:51 +00:00 · 438545ea47
parent 2044b77401 a3b59b5ea6
commit 438545ea47
4 changed files with 126 additions and 1 deletions
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@ -21,6 +21,7 @@
    ../../services/gitlab-runner.nix
    ../../services/unifi.nix
    ../../services/lantifa.nix
+    ../../services/vaultwarden.nix

    ./lxc.nix
  ];
--- a/modules/default.nix
+++ b/modules/default.nix
@ -5,5 +5,12 @@ in {
  imports = [
    ./nftnat
    ./decklink.nix
+    "${sources.nixpkgs-unstable}/nixos/modules/services/security/vaultwarden"
+  ];
+
+  # disabled since vaultwarden defines a dummy bitwarden_rs option that
+  # shows a deprication warning, which conflicts with this module
+  disabledModules = [
+    "services/security/bitwarden_rs/default.nix"
  ];
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -60,7 +60,7 @@ let
      '';
    };

-    inherit (unstable) bottom;
+    inherit (unstable) bottom vaultwarden vaultwarden-vault;
  };

 in pkgs.extend(_: _: newpkgs)
--- a/services/vaultwarden.nix
+++ b/services/vaultwarden.nix
@ -0,0 +1,117 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+! Do we want to use PSQL or are we fine with SQLite?
+      ## Database URL
+      ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+      # DATABASE_URL=data/db.sqlite3
+      ## When using MySQL, specify an appropriate connection URI.
+      ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
+      # DATABASE_URL=mysql://user:password@host[:port]/database_name
+      ## When using PostgreSQL, specify an appropriate connection URI (recommended)
+      ## or keyword/value connection string.
+      ## Details:
+      ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
+      ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+      # DATABASE_URL=postgresql://user:password@host[:port]/database_name
+      
+      ## Database max connections
+      ## Define the size of the connection pool used for connecting to the database.
+      # DATABASE_MAX_CONNS=10
+
+      ## Enable WAL for the DB
+      ## Set to false to avoid enabling WAL during startup.
+      ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+      ## this setting only prevents vaultwarden from automatically enabling it on start.
+      ## Please read project wiki page about this setting first before changing the value as it can
+      ## cause performance degradation or might render the service unable to start.
+      # ENABLE_DB_WAL=true
+      
+      ## Database connection retries
+      ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+      # DB_CONNECTION_RETRIES=15
+      
+      ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
+      ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+      # IP_HEADER=X-Real-IP
+      
+      ## Controls whether users are allowed to create Bitwarden Sends.
+      ## This setting applies globally to all users.
+      ## To control this on a per-org basis instead, use the "Disable Send" org policy.
+      # SENDS_ALLOWED=true
+      
+      ## Enable extended logging, which shows timestamps and targets in the logs
+      # EXTENDED_LOGGING=true
+
+      ## Logging to Syslog
+      ## This requires extended logging
+      ## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+      # USE_SYSLOG=false
+      
+      ## Log level
+      ## Change the verbosity of the log output
+      ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+      ## Setting it to "trace" or "debug" would also show logs for mounted
+      ## routes and static file, websocket and alive requests
+      LOG_LEVEL=off
+      SIGNUPS_ALLOWED=false
+      SIGNUPS_VERIFY=true
+      SIGNUPS_DOMAINS_WHITELIST=hacc.space
+      ORG_CREATION_USERS=admin@hacc.space
+      
+
+! TODO: Find out how to set this via file
+      ## Token for the admin interface, preferably use a long random string
+      ## One option is to use 'openssl rand -base64 48'
+      ## If not set, the admin panel is disabled
+      # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+      
+      ## Invitations org admins to invite users, even when signups are disabled
+      INVITATIONS_ALLOWED=true
+      INVITATION_ORG_NAME=haccwarden
+      TRASH_AUTO_DELETE_DAYS=90
+      
+      ## Domain settings
+      ## The domain must match the address from where you access the server
+      ## It's recommended to configure this value, otherwise certain functionality might not work,
+      ## like attachment downloads, email links and U2F.
+      ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+      # DOMAIN=https://pw.hacc.space:8443
+      DOMAIN=https://pw.hacc.space:443
+      
+
+! do we want a nginx proxy additionally?
+      ## Rocket specific settings
+      ## See https://rocket.rs/v0.4/guide/configuration/ for more details.
+      ROCKET_ADDRESS=127.0.0.1
+      ROCKET_PORT=5354  # Defaults to 80 in the Docker images, or 8000 otherwise.
+      ROCKET_WORKERS=10
+      # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+      
+! TODO: set password via file
+      ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+      ## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+      ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+      SMTP_HOST=mail.hacc.space
+      SMTP_FROM=vaultwarden@hacc.space
+      SMTP_FROM_NAME=haccwarden
+      SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+      SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+      SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
+      # SMTP_USERNAME=username
+      # SMTP_PASSWORD=password
+      # SMTP_TIMEOUT=15
+
+! TODO: do we want this? 
+      ## HIBP Api Key
+      ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+      # HIBP_API_KEY=
+    };
+    dbBackend = "sqlite";
+
+    backupDir = "/persist/data/vaultwarden";
+  };
+}