From 2899de625f2c2bd1e1c0a5cb7bb84250bc6fe800 Mon Sep 17 00:00:00 2001
From: Natsu Kagami
Date: Sun, 31 Oct 2021 21:41:29 -0400
Subject: [PATCH] Bitwarden WIP

---
 flake.nix | 1 +
 modules/cloud/bitwarden/default.nix | 65 +++++++++++++++++++++++++++++
 modules/cloud/traefik/default.nix | 2 +-
 nki-personal-do/configuration.nix | 1 +
 4 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 modules/cloud/bitwarden/default.nix

diff --git a/flake.nix b/flake.nix
index 910dde9..77d040c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,6 +64,7 @@
 ./modules/my-tinc
 sops-nix.nixosModules.sops
 ./nki-personal-do/configuration.nix
+ (overlayForSystem "x86_64-linux")
 ];
 };
 deploy.nodes."nki-personal-do" = {
diff --git a/modules/cloud/bitwarden/default.nix b/modules/cloud/bitwarden/default.nix
new file mode 100644
index 0000000..ca48869
--- /dev/null
+++ b/modules/cloud/bitwarden/default.nix
@@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+ cfg = config.cloud.bitwarden;
+
+ databaseUser = "bitwarden";
+ databaseUrl = "postgres:///${user}?user=${user}";
+
+ user = "bitwarden";
+
+ port = 8001;
+in
+{
+ options.cloud.bitwarden = { };
+
+ config = {
+ # users
+ users.users."${user}" = {
+ group = "${user}";
+ isSystemUser = true;
+ };
+ users.groups."${user}" = { };
+ # database
+ cloud.postgresql.databases = [ databaseUser ];
+ # traefik
+ cloud.traefik.config.http.routers.bitwarden = {
+ rule = "Host(`bw.nkagami.me`)";
+ entrypoints = "https";
+ tls.certResolver = "le";
+ service = "bitwarden";
+ };
+ cloud.traefik.config.http.services.bitwarden.loadBalancer.servers = [
+ { url = "http://localhost:${toString port}"; }
+ ];
+ # systemd unit
+ systemd.services.bitwarden-server = {
+ after = [ "network.target" ];
+ path = with pkgs; [ openssl ];
+ environment = {
+ DISABLE_ADMIN_TOKEN = "true";
+ SIGNUPS_ALLOWED = "false";
+ DATABASE_URL = databaseUrl;
+
+ DATA_FOLDER = "/var/lib/bitwarden-server";
+ WEB_VAULT_FOLDER = "${pkgs.unstable.vaultwarden-vault}/share/vaultwarden/vault";
+
+ ROCKET_PORT = toString port;
+ };
+ serviceConfig = {
+ User = user;
+ Group = user;
+ ExecStart = "${pkgs.unstable.vaultwarden-postgresql}/bin/vaultwarden";
+ LimitNOFILE = "1048576";
+ PrivateTmp = "true";
+ PrivateDevices = "true";
+ ProtectHome = "true";
+ ProtectSystem = "strict";
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ StateDirectory = "bitwarden-server";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ };
+}
diff --git a/modules/cloud/traefik/default.nix b/modules/cloud/traefik/default.nix
index 63eef8b..35e2350 100644
--- a/modules/cloud/traefik/default.nix
+++ b/modules/cloud/traefik/default.nix
@@ -71,7 +71,7 @@ in
 };
 };
- dynamicConfigOptions = {};
+ dynamicConfigOptions = cfg.config;
 };
 # Set up cloudflare key
 config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;
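Review bot: `DISABLE_ADMIN_TOKEN = "true"` in the `environment` block switches off authentication for Vaultwarden's `/admin` page, and the Traefik router defined a few lines above it matches the whole `bw.nkagami.me` host with no path restriction, so the unauthenticated admin page is published to the internet along with the vault. Drop that line: Vaultwarden keeps the admin page disabled when no `ADMIN_TOKEN` is configured, and if the page is wanted the token should come from a secret file (the flake already loads sops-nix) via `serviceConfig.EnvironmentFile`, not via `environment`, which is rendered into the world-readable unit file. `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` is not needed either, since the service listens on `ROCKET_PORT = 8001` behind Traefik, and removing it tightens the unit's privileges. Separately, `cfg` is bound but never read and `options.cloud.bitwarden = { };` declares nothing, so either drop the binding or declare the options (host, port) this module is meant to expose instead of hard-coding them in the `let`.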
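Review bot: `dynamicConfigOptions = cfg.config;` now feeds whatever `cloud.traefik.config` collects straight into Traefik, but the declaration of that option lies outside this hunk, so its type and default cannot be checked here. Because the new bitwarden module writes nested keys (`http.routers.bitwarden`, `http.services.bitwarden`) into it and later modules will add siblings, confirm the option is declared with a deeply merging type such as `types.attrsOf types.anything` (or a submodule) and `default = { };` a plain `types.attrs` merges only the top level, so a second module defining `http.routers` would conflict instead of combining. The enclosing attribute set starts before the hunk.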
diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index 0d2486a..69f5941 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -6,6 +6,7 @@
 # Set up cloud
 ../modules/cloud/postgresql
 ../modules/cloud/traefik
+ ../modules/cloud/bitwarden
 ];
 boot.cleanTmpDir = true;