services: adapt bitwarden to vaultwarden rename

This commit is contained in:
Antoine Martin 2021-08-20 00:59:28 +02:00
parent 8f1eb162b9
commit 2c7abf829a
3 changed files with 18 additions and 26 deletions

View file

@ -60,7 +60,7 @@ in
# List services that you want to enable: # List services that you want to enable:
my.services = { my.services = {
bitwarden_rs = { vaultwarden = {
enable = true; enable = true;
privatePort = 8081; privatePort = 8081;
websocketPort = 3012; websocketPort = 3012;

View file

@ -2,7 +2,7 @@
{ {
imports = [ imports = [
./bitwarden_rs.nix ./vaultwarden.nix
./borg-backup.nix ./borg-backup.nix
./fail2ban.nix ./fail2ban.nix
./fava.nix ./fava.nix

View file

@ -3,13 +3,13 @@
with lib; with lib;
let let
cfg = config.my.services.bitwarden_rs; cfg = config.my.services.vaultwarden;
my = config.my; my = config.my;
domain = config.networking.domain; domain = config.networking.domain;
in { in {
options.my.services.bitwarden_rs = { options.my.services.vaultwarden = {
enable = mkEnableOption "Bitwarden"; enable = mkEnableOption "Vaultwarden";
privatePort = mkOption { privatePort = mkOption {
type = types.port; type = types.port;
@ -29,18 +29,13 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
initialScript = pkgs.writeText "bitwarden_rs-init.sql" ''
CREATE ROLE "bitwarden_rs" WITH LOGIN;
CREATE DATABASE "bitwarden_rs" WITH OWNER "bitwarden_rs";
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
databases = [ "bitwarden_rs" ]; databases = [ "vaultwarden" ];
}; };
services.bitwarden_rs = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "postgresql"; dbBackend = "postgresql";
config = { config = {
@ -54,7 +49,8 @@ in {
SIGNUPS_ALLOWED = false; SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = false; INVITATIONS_ALLOWED = false;
DOMAIN = "https://pass.${domain}"; DOMAIN = "https://pass.${domain}";
DATABASE_URL = "postgresql://bitwarden_rs@/bitwarden_rs"; # FIXME: should be renamed to vaultwarden eventually
DATABASE_URL = "postgresql://vaultwarden@/vaultwarden";
}; };
}; };
@ -80,46 +76,42 @@ in {
}; };
}; };
# needed for bitwarden to find files to serve for the vault # FIXME: should be renamed to vaultwarden eventually
environment.systemPackages = with pkgs; [
bitwarden_rs-vault
];
my.services.restic-backup = mkIf cfg.enable { my.services.restic-backup = mkIf cfg.enable {
paths = [ "/var/lib/bitwarden_rs" ]; paths = [ "/var/lib/bitwarden_rs" ];
exclude = [ "/var/lib/bitwarden_rs/icon_cache" ]; exclude = [ "/var/lib/bitwarden_rs/icon_cache" ];
}; };
services.fail2ban.jails = { services.fail2ban.jails = {
bitwarden_rs = '' vaultwarden = ''
enabled = true enabled = true
filter = bitwarden_rs filter = vaultwarden
port = http,https port = http,https
maxretry = 5 maxretry = 5
''; '';
# Admin page isn't enabled by default, but just in case... # Admin page isn't enabled by default, but just in case...
bitwarden_rs-admin = '' vaultwarden-admin = ''
enabled = true enabled = true
filter = bitwarden_rs-admin filter = vaultwarden-admin
port = http,https port = http,https
maxretry = 2 maxretry = 2
''; '';
}; };
environment.etc = { environment.etc = {
"fail2ban/filter.d/bitwarden_rs.conf".text = '' "fail2ban/filter.d/vaultwarden.conf".text = ''
[Definition] [Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$ failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex = ignoreregex =
journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service journalmatch = _SYSTEMD_UNIT=vaultwarden.service
''; '';
"fail2ban/filter.d/bitwarden_rs-admin.conf".text = '' "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
[Definition] [Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$ failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex = ignoreregex =
journalmatch = _SYSTEMD_UNIT=bitwarden_rs.service journalmatch = _SYSTEMD_UNIT=vaultwarden.service
''; '';
}; };
}; };