From 8ed0f14f744134878fd483903070a01290cebe80 Mon Sep 17 00:00:00 2001
From: Antoine Martin <antoine97.martin@gmail.com>
Date: Sun, 31 Jan 2021 00:31:43 +0100
Subject: [PATCH] bitwarden: setup service

---
 README.org                |  7 ---
 configuration.nix         |  8 ++++
 overlays/bitwarden_rs.nix | 22 +++++++++
 services/bitwarden_rs.nix | 97 +++++++++++++++++++++++++++++++++++++++
 services/default.nix      |  1 +
 5 files changed, 128 insertions(+), 7 deletions(-)
 create mode 100644 overlays/bitwarden_rs.nix
 create mode 100644 services/bitwarden_rs.nix

diff --git a/README.org b/README.org
index dc1289d..a14a157 100644
--- a/README.org
+++ b/README.org
@@ -9,10 +9,3 @@ My Matrix homeserver =alarsyo.net= is deployed using [[file:services/matrix.nix]
 ** Monitoring
 
 Grafana and Prometheus are currently used as a glorified =htop=.
-
-* Tasks
-
-** TODO Setup BitWarden
-** TODO Setup backups BitWarden
-** TODO Setup declarative config postgresql
-** TODO Setup backup postgresql
diff --git a/configuration.nix b/configuration.nix
index 170d7d9..aefc2c0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,12 @@
 
   # List services that you want to enable:
   my.services = {
+    bitwarden_rs = {
+      enable = true;
+      privatePort = 8081;
+      websocketPort = 3012;
+    };
+
     borg-backup = {
       enable = true;
       repo = (lib.removeSuffix "\n" (builtins.readFile ./borg-backup-repo));
@@ -119,5 +125,7 @@
   system.stateVersion = "20.09"; # Did you read the comment?
 
   boot.supportedFilesystems = [ "btrfs" ];
+
+  nixpkgs.overlays = [ (import ./overlays/bitwarden_rs.nix) ];
 }
 
diff --git a/overlays/bitwarden_rs.nix b/overlays/bitwarden_rs.nix
new file mode 100644
index 0000000..c207995
--- /dev/null
+++ b/overlays/bitwarden_rs.nix
@@ -0,0 +1,22 @@
+final: prev:
+{
+  bitwarden_rs = prev.bitwarden_rs.overrideAttrs (drv: rec {
+    version = "1.18.0";
+    pname = "bitwarden_rs";
+    name = "bitwarden_rs-${version}";
+
+    src = prev.fetchFromGitHub {
+      owner = "dani-garcia";
+      repo = pname;
+      rev = "1.18.0";
+      sha256 = "sha256-iK0Yf5Hu76b4FXPTQsKIsyH69CQuLA9E/SoTaxC1U90=";
+    };
+
+    cargoDeps = drv.cargoDeps.overrideAttrs (prev.lib.const {
+      inherit src;
+      name = "${name}-vendor.tar.gz";
+
+      outputHash = "sha256-LKLjZ4tti/MtloVQJ1C593FAcp0DDskIl5famT8wGuI=";
+    });
+  });
+}
diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
new file mode 100644
index 0000000..0ecc9a4
--- /dev/null
+++ b/services/bitwarden_rs.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.my.services.bitwarden_rs;
+  my = config.my;
+
+  domain = config.networking.domain;
+in {
+  options.my.services.bitwarden_rs = {
+    enable = mkEnableOption "Bitwarden";
+
+    privatePort = mkOption {
+      type = types.int;
+      default = 8081;
+      example = 8081;
+      description = "Port used internally for rocket server";
+    };
+
+    websocketPort = mkOption {
+      type = types.int;
+      default = 3012;
+      example = 3012;
+      description = "Port used for websocket connections";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+
+      initialScript = pkgs.writeText "bitwarden_rs-init.sql" ''
+          CREATE ROLE "bitwarden_rs" WITH LOGIN;
+          CREATE DATABASE "bitwarden_rs" WITH OWNER "bitwarden_rs";
+        '';
+    };
+
+    services.postgresqlBackup = mkIf my.services.postgresql-backup.enable {
+      databases = [ "bitwarden_rs" ];
+    };
+
+    services.bitwarden_rs = {
+      enable = true;
+      dbBackend = "postgresql";
+      config = {
+        TZ = "Europe/Paris";
+        WEB_VAULT_ENABLED = true;
+        WEBSOCKET_ENABLED = true;
+        WEBSOCKET_PORT = cfg.websocketPort;
+        ROCKET_PORT = cfg.privatePort;
+        SIGNUPS_ALLOWED = false;
+        INVITATIONS_ALLOWED = false;
+        DOMAIN = "https://pass.${domain}";
+        DATABASE_URL = "postgresql://bitwarden_rs@/bitwarden_rs";
+      };
+    };
+
+    services.nginx = {
+      enable = true;
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+
+      virtualHosts = {
+        "pass.${domain}" = {
+          forceSSL = true;
+          enableACME = true;
+
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub" = {
+            proxyPass = "http://127.0.0.1:${toString cfg.websocketPort}";
+            proxyWebsockets = true;
+          };
+          locations."/notifications/hub/negotiate" = {
+            proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+
+    systemd.services.matrix-synapse = {
+      after = [ "postgresql.service" ];
+    };
+
+    # needed for bitwarden to find files to serve for the vault
+    environment.systemPackages = with pkgs; [
+      bitwarden_rs-vault
+    ];
+  };
+}
diff --git a/services/default.nix b/services/default.nix
index c66c1e5..67af050 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,6 +2,7 @@
 
 {
   imports = [
+    ./bitwarden_rs.nix
     ./borg-backup.nix
     ./matrix.nix
     ./miniflux.nix