copy nb configuration and modules

2023-07-12 16:13:10 +02:00
parent 1af70a3095
commit 127eab91d5
114 changed files with 9070 additions and 0 deletions
--- a/utils/modules/bitwarden/default.nix
+++ b/utils/modules/bitwarden/default.nix
@@ -0,0 +1,126 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  ldapConfig = {
+    vaultwarden_url = "https://bitwarden.cloonar.com";
+    vaultwarden_admin_token = "@ADMIN_TOKEN@";
+    ldap_host = "ldap.cloonar.com";
+    ldap_ssl = true;
+    ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com";
+    ldap_bind_password = "@LDAP_PASSWORD@";
+    ldap_search_base_dn = "ou=users,dc=cloonar,dc=com";
+    ldap_search_filter = "(&(objectClass=cloonarUser))";
+    ldap_sync_interval_seconds = 3600;
+  };
+
+  ldapConfigFile =
+    pkgs.runCommand "config.toml"
+    {
+      buildInputs = [pkgs.remarshal];
+      preferLocalBuild = true;
+    } ''
+      remarshal -if json -of toml \
+      < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
+      > $out
+    '';
+in {
+  imports = [
+    ../nur.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    nur.repos.mic92.vaultwarden_ldap
+  ];
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "mysql";
+    config = {
+      domain = "https://bitwarden.cloonar.com";
+      signupsAllowed = false;
+      rocketPort = 3011;
+      enableDbWal = "false";
+      websocketEnabled = true;
+      smtpHost = "mail.cloonar.com";
+      smtpFrom = "bitwarden@cloonar.com";
+      smtpUsername = "bitwarden@cloonar.com";
+    };
+  };
+
+  systemd.services.vaultwarden.serviceConfig = {
+    EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path];
+  };
+
+  systemd.services.vaultwarden_ldap = {
+    wantedBy = ["multi-user.target"];
+
+    preStart = ''
+      sed \
+        -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \
+        -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \
+        ${ldapConfigFile} \
+        > /run/vaultwarden_ldap/config.toml
+    '';
+
+    serviceConfig = {
+      Restart = "on-failure";
+      RestartSec = "2s";
+      ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
+      Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml";
+
+      RuntimeDirectory = ["vaultwarden_ldap"];
+      User = "vaultwarden_ldap";
+    };
+  };
+
+  services.nginx.virtualHosts."bitwarden.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+    locations."/" = {
+      proxyPass = "http://localhost:3011";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub" = {
+      proxyPass = "http://localhost:3012";
+      proxyWebsockets = true;
+    };
+    locations."/notifications/hub/negotiate" = {
+      proxyPass = "http://localhost:3011";
+      proxyWebsockets = true;
+    };
+  };
+
+  sops.secrets = {
+    bitwarden-admin-token = {
+      owner = "vaultwarden_ldap";
+      sopsFile = ./secrets.yaml;
+    };
+    bitwarden-ldap-password = {
+      owner = "vaultwarden_ldap";
+      sopsFile = ./secrets.yaml;
+    };
+    bitwarden-db-password = {
+      owner = "vaultwarden";
+      sopsFile = ./secrets.yaml;
+    };
+    bitwarden-smtp-password = {
+      owner = "vaultwarden";
+      sopsFile = ./secrets.yaml;
+    };
+  };
+
+  users.users.vaultwarden_ldap = {
+    isSystemUser = true;
+    group = "vaultwarden_ldap";
+  };
+
+  users.groups.vaultwarden_ldap = {};
+
+  services.mysqlBackup.databases = [ "bitwarden" ];
+}