Bitwarden WIP

2021-10-31 21:41:29 -04:00 · 2021-10-31 21:41:29 -04:00 · 2899de625f
parent 181f6bc408
commit 2899de625f
4 changed files with 68 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -64,6 +64,7 @@
          ./modules/my-tinc
          sops-nix.nixosModules.sops
          ./nki-personal-do/configuration.nix
+          (overlayForSystem "x86_64-linux")
        ];
      };
      deploy.nodes."nki-personal-do" = {
--- a/modules/cloud/bitwarden/default.nix
+++ b/modules/cloud/bitwarden/default.nix
@ -0,0 +1,65 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.cloud.bitwarden;
+
+  databaseUser = "bitwarden";
+  databaseUrl = "postgres:///${user}?user=${user}";
+
+  user = "bitwarden";
+
+  port = 8001;
+in
+{
+  options.cloud.bitwarden = { };
+
+  config = {
+    # users
+    users.users."${user}" = {
+      group = "${user}";
+      isSystemUser = true;
+    };
+    users.groups."${user}" = { };
+    # database
+    cloud.postgresql.databases = [ databaseUser ];
+    # traefik
+    cloud.traefik.config.http.routers.bitwarden = {
+      rule = "Host(`bw.nkagami.me`)";
+      entrypoints = "https";
+      tls.certResolver = "le";
+      service = "bitwarden";
+    };
+    cloud.traefik.config.http.services.bitwarden.loadBalancer.servers = [
+      { url = "http://localhost:${toString port}"; }
+    ];
+    # systemd unit
+    systemd.services.bitwarden-server = {
+      after = [ "network.target" ];
+      path = with pkgs; [ openssl ];
+      environment = {
+        DISABLE_ADMIN_TOKEN = "true";
+        SIGNUPS_ALLOWED = "false";
+        DATABASE_URL = databaseUrl;
+
+        DATA_FOLDER = "/var/lib/bitwarden-server";
+        WEB_VAULT_FOLDER = "${pkgs.unstable.vaultwarden-vault}/share/vaultwarden/vault";
+
+        ROCKET_PORT = toString port;
+      };
+      serviceConfig = {
+        User = user;
+        Group = user;
+        ExecStart = "${pkgs.unstable.vaultwarden-postgresql}/bin/vaultwarden";
+        LimitNOFILE = "1048576";
+        PrivateTmp = "true";
+        PrivateDevices = "true";
+        ProtectHome = "true";
+        ProtectSystem = "strict";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        StateDirectory = "bitwarden-server";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}
--- a/modules/cloud/traefik/default.nix
+++ b/modules/cloud/traefik/default.nix
@ -71,7 +71,7 @@ in
      };
    };

-    dynamicConfigOptions = {};
+    dynamicConfigOptions = cfg.config;
  };
  # Set up cloudflare key
  config.systemd.services.traefik.environment.CF_DNS_API_TOKEN_FILE = cfg.cloudflareKeyFile;
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@ -6,6 +6,7 @@
    # Set up cloud
    ../modules/cloud/postgresql
    ../modules/cloud/traefik
+    ../modules/cloud/bitwarden
  ];

  boot.cleanTmpDir = true;