From 8ed0f14f744134878fd483903070a01290cebe80 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Sun, 31 Jan 2021 00:31:43 +0100
Subject: [PATCH] bitwarden: setup service
---
README.org | 7 ---
configuration.nix | 8 ++++
overlays/bitwarden_rs.nix | 22 +++++++++
services/bitwarden_rs.nix | 97 +++++++++++++++++++++++++++++++++++++++
services/default.nix | 1 +
5 files changed, 128 insertions(+), 7 deletions(-)
create mode 100644 overlays/bitwarden_rs.nix
create mode 100644 services/bitwarden_rs.nix
diff --git a/README.org b/README.org
index dc1289d..a14a157 100644
--- a/README.org
+++ b/README.org
@@ -9,10 +9,3 @@ My Matrix homeserver =alarsyo.net= is deployed using [[file:services/matrix.nix] ** Monitoring Grafana and Prometheus are currently used as a glorified =htop=.
-
-* Tasks
-
-** TODO Setup BitWarden
-** TODO Setup backups BitWarden
-** TODO Setup declarative config postgresql
-** TODO Setup backup postgresql
diff --git a/configuration.nix b/configuration.nix
index 170d7d9..aefc2c0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,12 @@
 # List services that you want to enable:
 my.services = {
+ bitwarden_rs = {
+ enable = true;
+ privatePort = 8081;
+ websocketPort = 3012;
+ };
+
 borg-backup = {
 enable = true;
 repo = (lib.removeSuffix "\n" (builtins.readFile ./borg-backup-repo));
@@ -119,5 +125,7 @@
 system.stateVersion = "20.09"; # Did you read the comment?
 boot.supportedFilesystems = [ "btrfs" ];
+
+ nixpkgs.overlays = [ (import ./overlays/bitwarden_rs.nix) ];
 }
diff --git a/overlays/bitwarden_rs.nix b/overlays/bitwarden_rs.nix
new file mode 100644
index 0000000..c207995
--- /dev/null
+++ b/overlays/bitwarden_rs.nix
@@ -0,0 +1,22 @@
+final: prev:
+{
+ bitwarden_rs = prev.bitwarden_rs.overrideAttrs (drv: rec {
+ version = "1.18.0";
+ pname = "bitwarden_rs";
+ name = "bitwarden_rs-${version}";
+
+ src = prev.fetchFromGitHub {
+ owner = "dani-garcia";
+ repo = pname;
+ rev = "1.18.0";
+ sha256 = "sha256-iK0Yf5Hu76b4FXPTQsKIsyH69CQuLA9E/SoTaxC1U90=";
+ };
+
+ cargoDeps = drv.cargoDeps.overrideAttrs (prev.lib.const {
+ inherit src;
+ name = "${name}-vendor.tar.gz";
+
+ outputHash = "sha256-LKLjZ4tti/MtloVQJ1C593FAcp0DDskIl5famT8wGuI=";
+ });
+ });
+}
diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
new file mode 100644
index 0000000..0ecc9a4
--- /dev/null
+++ b/services/bitwarden_rs.nix
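Review bot: `rev = "1.18.0"` on the fetchFromGitHub call repeats the value already bound to `version` a few attributes above, so a future bump has to be made in two places and the drift is only caught by a hash mismatch at build time; `rev = version;` keeps the two in lockstep. The pinning itself looks sound as far as the hunk shows: both the source checkout and the vendored cargo dependencies are fixed by content hash (`sha256` and `outputHash`), so a moved tag upstream cannot silently change what gets built.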
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.my.services.bitwarden_rs;
+ my = config.my;
+
+ domain = config.networking.domain;
+in {
+ options.my.services.bitwarden_rs = {
+ enable = mkEnableOption "Bitwarden";
+
+ privatePort = mkOption {
+ type = types.int;
+ default = 8081;
+ example = 8081;
+ description = "Port used internally for rocket server";
+ };
+
+ websocketPort = mkOption {
+ type = types.int;
+ default = 3012;
+ example = 3012;
+ description = "Port used for websocket connections";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.postgresql = {
+ enable = true;
+
+ initialScript = pkgs.writeText "bitwarden_rs-init.sql" ''
+ CREATE ROLE "bitwarden_rs" WITH LOGIN;
+ CREATE DATABASE "bitwarden_rs" WITH OWNER "bitwarden_rs";
+ '';
+ };
+
+ services.postgresqlBackup = mkIf my.services.postgresql-backup.enable {
+ databases = [ "bitwarden_rs" ];
+ };
+
+ services.bitwarden_rs = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ TZ = "Europe/Paris";
+ WEB_VAULT_ENABLED = true;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_PORT = cfg.websocketPort;
+ ROCKET_PORT = cfg.privatePort;
+ SIGNUPS_ALLOWED = false;
+ INVITATIONS_ALLOWED = false;
+ DOMAIN = "https://pass.${domain}";
+ DATABASE_URL = "postgresql://bitwarden_rs@/bitwarden_rs";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "pass.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.websocketPort}";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+ systemd.services.matrix-synapse = {
+ after = [ "postgresql.service" ];
+ };
+
+ # needed for bitwarden to find files to serve for the vault
+ environment.systemPackages = with pkgs; [
+ bitwarden_rs-vault
+ ];
+ };
+}
diff --git a/services/default.nix b/services/default.nix
index c66c1e5..67af050 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
+ ./bitwarden_rs.nix
 ./borg-backup.nix
 ./matrix.nix
 ./miniflux.nix
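Review bot: The startup ordering near the end of the hunk is attached to the wrong unit: `systemd.services.matrix-synapse = { after = [ "postgresql.service" ]; };` constrains Synapse, while nothing here orders the bitwarden_rs unit after PostgreSQL, so with `dbBackend = "postgresql"` it can start before the database accepts connections and fail on boot; this should read `systemd.services.bitwarden_rs = { after = [ "postgresql.service" ]; requires = [ "postgresql.service" ]; };` (unit name as provided by the NixOS module, worth confirming). Separately, the `config` block sets `ROCKET_PORT` and `WEBSOCKET_PORT` but no bind address, and upstream bitwarden_rs defaults both `ROCKET_ADDRESS` and `WEBSOCKET_ADDRESS` to `0.0.0.0`, so the plaintext backend ports 8081 and 3012 would listen on every interface with only the host firewall in front of them, even though nginx only ever proxies to 127.0.0.1. Adding `ROCKET_ADDRESS = "127.0.0.1"; WEBSOCKET_ADDRESS = "127.0.0.1";` next to the port settings keeps the TLS-terminating proxy as the only way in. Also note that `services.postgresql.initialScript` only runs when the cluster's data directory is first created, so on a host whose PostgreSQL was already initialised (plausible here, since matrix.nix is already imported) the role and database will silently not be created; `ensureDatabases`/`ensureUsers` apply on every activation and are the declarative fit.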