Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/module-list.nix2
-rw-r--r--nixos/modules/services/networking/tedicross.nix100
-rw-r--r--nixos/modules/services/security/bitwarden_rs/backup.sh17
-rw-r--r--nixos/modules/services/security/bitwarden_rs/default.nix126
4 files changed, 245 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index ba61ac364b1c..9e589258ee0b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -673,6 +673,7 @@
   ./services/networking/syncthing-relay.nix
   ./services/networking/tcpcrypt.nix
   ./services/networking/teamspeak3.nix
+  ./services/networking/tedicross.nix
   ./services/networking/tinc.nix
   ./services/networking/tinydns.nix
   ./services/networking/tftpd.nix
@@ -706,6 +707,7 @@
   ./services/search/hound.nix
   ./services/search/kibana.nix
   ./services/search/solr.nix
+  ./services/security/bitwarden_rs/default.nix
   ./services/security/certmgr.nix
   ./services/security/cfssl.nix
   ./services/security/clamav.nix
diff --git a/nixos/modules/services/networking/tedicross.nix b/nixos/modules/services/networking/tedicross.nix
new file mode 100644
index 000000000000..0716975f594a
--- /dev/null
+++ b/nixos/modules/services/networking/tedicross.nix
@@ -0,0 +1,100 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  dataDir = "/var/lib/tedicross";
+  cfg = config.services.tedicross;
+  configJSON = pkgs.writeText "tedicross-settings.json" (builtins.toJSON cfg.config);
+  configYAML = pkgs.runCommand "tedicross-settings.yaml" { preferLocalBuild = true; } ''
+    ${pkgs.remarshal}/bin/json2yaml -i ${configJSON} -o $out
+  '';
+
+in {
+  options = {
+    services.tedicross = {
+      enable = mkEnableOption "the TediCross Telegram-Discord bridge service";
+
+      config = mkOption {
+        type = types.attrs;
+        # from https://github.com/TediCross/TediCross/blob/master/example.settings.yaml
+        example = literalExample ''
+          {
+            telegram = {
+              useFirstNameInsteadOfUsername = false;
+              colonAfterSenderName = false;
+              skipOldMessages = true;
+              sendEmojiWithStickers = true;
+            };
+            discord = {
+              useNickname = false;
+              skipOldMessages = true;
+              displayTelegramReplies = "embed";
+              replyLength = 100;
+            };
+            bridges = [
+              {
+                name = "Default bridge";
+                direction = "both";
+                telegram = {
+                  chatId = -123456789;
+                  relayJoinMessages = true;
+                  relayLeaveMessages = true;
+                  sendUsernames = true;
+                  ignoreCommands = true;
+                };
+                discord = {
+                  serverId = "DISCORD_SERVER_ID";
+                  channelId = "DISCORD_CHANNEL_ID";
+                  relayJoinMessages = true;
+                  relayLeaveMessages = true;
+                  sendUsernames = true;
+                  crossDeleteOnTelegram = true;
+                };
+              }
+            ];
+
+            debug = false;
+          }
+        '';
+        description = ''
+          <filename>settings.yaml</filename> configuration as a Nix attribute set.
+          Secret tokens should be specified using <option>environmentFile</option>
+          instead of this world-readable file.
+        '';
+      };
+
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = ''
+          File containing environment variables to be passed to the TediCross service,
+          in which secret tokens can be specified securely using the
+          <literal>TELEGRAM_BOT_TOKEN</literal> and <literal>DISCORD_BOT_TOKEN</literal>
+          keys.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # from https://github.com/TediCross/TediCross/blob/master/guides/autostart/Linux.md
+    systemd.services.tedicross = {
+      description = "TediCross Telegram-Discord bridge service";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.nodePackages.tedicross}/bin/tedicross --config='${configYAML}' --data-dir='${dataDir}'";
+        Restart = "always";
+        DynamicUser = true;
+        StateDirectory = baseNameOf dataDir;
+        EnvironmentFile = cfg.environmentFile;
+      };
+    };
+  };
+
+  meta.maintainers = with maintainers; [ pacien ];
+}
+
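Review bot: `environmentFile` is declared as `types.nullOr types.path`, so a user who writes the natural `environmentFile = ./tedicross.env;` gets a Nix path literal that is copied into the world-readable /nix/store, which is exactly what the `config` description (line 100-101) tells them to avoid. Either declare it as `types.nullOr types.str` so only runtime paths are accepted, or keep `types.path` and add to the option description: `The file must be passed as an absolute string path (e.g. "/run/keys/tedicross.env"), not a Nix path literal, otherwise it is copied into the world-readable Nix store.` It is also worth stating in that description that the file must be readable by root only, since the service itself runs under `DynamicUser` and systemd reads `EnvironmentFile` before dropping privileges. Whether TediCross actually reads `TELEGRAM_BOT_TOKEN`/`DISCORD_BOT_TOKEN` from the environment is not visible here, so that claim in the description should be checked against the upstream settings loader.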
diff --git a/nixos/modules/services/security/bitwarden_rs/backup.sh b/nixos/modules/services/security/bitwarden_rs/backup.sh
new file mode 100644
index 000000000000..264a7da9cbb6
--- /dev/null
+++ b/nixos/modules/services/security/bitwarden_rs/backup.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# Based on: https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault
+if ! mkdir -p "$BACKUP_FOLDER"; then
+  echo "Could not create backup folder '$BACKUP_FOLDER'" >&2
+  exit 1
+fi
+
+if [[ ! -f "$DATA_FOLDER"/db.sqlite3 ]]; then
+  echo "Could not find SQLite database file '$DATA_FOLDER/db.sqlite3'" >&2
+  exit 1
+fi
+
+sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
+cp "$DATA_FOLDER"/rsa_key.{der,pem,pub.der} "$BACKUP_FOLDER"
+cp -r "$DATA_FOLDER"/attachments "$BACKUP_FOLDER"
+cp -r "$DATA_FOLDER"/icon_cache "$BACKUP_FOLDER"
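Review bot: The script runs without `set -e`, so a failure of the `sqlite3 ... ".backup ..."` call on line 158 (e.g. a locked or corrupt database) does not stop it; the following `cp` lines still run and the unit's exit status is that of the last `cp`, so a backup with no database copy is reported as a success to systemd and to the timer. The copied data is also sensitive: `rsa_key.pem` is the server's private signing key and `db.sqlite3` is the vault, yet the destination directory and files are created with whatever umask the service inherits. Add `set -euo pipefail` and `umask 077` immediately after the shebang so any failed step aborts the unit with a non-zero status and every file the script creates is owner-only. The `mkdir -p` on line 148 then also produces a `0700` backup folder without needing a separate `chmod`.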
diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/bitwarden_rs/default.nix
new file mode 100644
index 000000000000..bb036ee020f4
--- /dev/null
+++ b/nixos/modules/services/security/bitwarden_rs/default.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.bitwarden_rs;
+  user = config.users.users.bitwarden_rs.name;
+  group = config.users.groups.bitwarden_rs.name;
+
+  # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
+  nameToEnvVar = name:
+    let
+      parts = builtins.split "([A-Z0-9]+)" name;
+      partsToEnvVar = parts: foldl' (key: x: let last = stringLength key - 1; in
+        if isList x then key + optionalString (key != "" && substring last 1 key != "_") "_" + head x
+        else if key != "" && elem (substring 0 1 x) lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
+          substring 0 last key + optionalString (substring (last - 1) 1 key != "_") "_" + substring last 1 key + toUpper x
+        else key + toUpper x) "" parts;
+    in if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts;
+
+  configFile = pkgs.writeText "bitwarden_rs.env" (concatMapStrings (s: s + "\n") (
+    (concatLists (mapAttrsToList (name: value:
+      if value != null then [ "${nameToEnvVar name}=${if isBool value then boolToString value else toString value}" ] else []
+    ) cfg.config))));
+
+in {
+  options.services.bitwarden_rs = with types; {
+    enable = mkEnableOption "bitwarden_rs";
+
+    backupDir = mkOption {
+      type = nullOr str;
+      default = null;
+      description = ''
+        The directory under which bitwarden_rs will backup its persistent data.
+      '';
+    };
+
+    config = mkOption {
+      type = attrsOf (nullOr (either (either bool int) str));
+      default = {};
+      example = literalExample ''
+        {
+          domain = https://bw.domain.tld:8443;
+          signupsAllowed = true;
+          rocketPort = 8222;
+          rocketLog = "critical";
+        }
+      '';
+      description = ''
+        The configuration of bitwarden_rs is done through environment variables,
+        therefore the names are converted from camel case (e.g. disable2FARemember)
+        to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
+        In this conversion digits (0-9) are handled just like upper case characters,
+        so foo2 would be converted to FOO_2.
+        Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such,
+        even though foo2 would have been converted to FOO_2.
+        This allows working around any potential future conflicting naming conventions.
+
+        Based on the attributes passed to this config option a environment file will be generated
+        that is passed to bitwarden_rs's systemd service.
+
+        The available configuration options can be found in
+        <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/1.8.0/.env.template">the environment template file</link>.
+      '';
+      apply = config: optionalAttrs config.webVaultEnabled {
+        webVaultFolder = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault";
+      } // config;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.bitwarden_rs.config = {
+      dataFolder = "/var/lib/bitwarden_rs";
+      webVaultEnabled = mkDefault true;
+    };
+
+    users.users.bitwarden_rs = { inherit group; };
+    users.groups.bitwarden_rs = { };
+
+    systemd.services.bitwarden_rs = {
+      after = [ "network.target" ];
+      path = with pkgs; [ openssl ];
+      serviceConfig = {
+        User = user;
+        Group = group;
+        EnvironmentFile = configFile;
+        ExecStart = "${pkgs.bitwarden_rs}/bin/bitwarden_rs";
+        LimitNOFILE = "1048576";
+        LimitNPROC = "64";
+        PrivateTmp = "true";
+        PrivateDevices = "true";
+        ProtectHome = "true";
+        ProtectSystem = "strict";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+        StateDirectory = "bitwarden_rs";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    systemd.services.backup-bitwarden_rs = mkIf (cfg.backupDir != null) {
+      description = "Backup bitwarden_rs";
+      environment = {
+        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        BACKUP_FOLDER = cfg.backupDir;
+      };
+      path = with pkgs; [ sqlite ];
+      serviceConfig = {
+        SyslogIdentifier = "backup-bitwarden_rs";
+        User = mkDefault user;
+        Group = mkDefault group;
+        ExecStart = "${pkgs.bash}/bin/bash ${./backup.sh}";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+    systemd.timers.backup-bitwarden_rs = mkIf (cfg.backupDir != null) {
+      description = "Backup bitwarden_rs on time";
+      timerConfig = {
+        OnCalendar = mkDefault "23:00";
+        Persistent = "true";
+        Unit = "backup-bitwarden_rs.service";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}
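Review bot: Every entry of `services.bitwarden_rs.config` is rendered into `bitwarden_rs.env` via `pkgs.writeText` (lines 188-191), which places the file in the world-readable /nix/store, and the module offers no other way to pass settings; anything secret the user puts there (an admin token or SMTP credentials, if those are configured) is therefore readable by every local account. The `config` description should say so explicitly, and the module should take an additional out-of-store environment file for secrets, which systemd accepts as a list on `EnvironmentFile`. Separately, the `apply` on lines 232-234 reads `config.webVaultEnabled` unconditionally, so evaluating this option while `enable = false` (where the defaults on lines 239-242 are not set) or with `webVaultEnabled = null` will fail; guarding it with `config.webVaultEnabled or false` avoids that. The backup unit (lines 267-281) runs as the `bitwarden_rs` user but carries none of the `ProtectSystem`/`ProtectHome`/`PrivateTmp` hardening of the main unit, and writes to an arbitrary `backupDir`, so the same sandboxing plus a `ReadWritePaths = [ cfg.backupDir ]` would be a cheap improvement.
```nix
    environmentFile = mkOption {
      type = nullOr str;
      default = null;
      description = ''
        Additional environment file for secret settings such as an admin
        token or SMTP password. Unlike <option>config</option>, its contents
        are not copied into the world-readable Nix store; it must be readable
        by the bitwarden_rs user only.
      '';
    };
    # … unchanged: backupDir and config options …

      serviceConfig = {
        User = user;
        Group = group;
        EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile;
        # … unchanged: ExecStart, limits and sandboxing …
```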