# An alternative implementation of Bitwarden written in Rust. The project # being written in Rust is a insta-self-hosting material right there. { config, lib, pkgs, foodogsquaredLib, ... }: let hostCfg = config.hosts.plover; cfg = hostCfg.services.vaultwarden; passwordManagerDomain = "pass.${config.networking.domain}"; # This should be set from service module from nixpkgs. vaultwardenUser = config.users.users.vaultwarden.name; # However, this is set on our own. vaultwardenDbName = "vaultwarden"; in { options.hosts.plover.services.vaultwarden.enable = lib.mkEnableOption "Vaultwarden instance"; config = lib.mkIf cfg.enable (lib.mkMerge [ { sops.secrets = foodogsquaredLib.sops-nix.getSecrets ../../secrets/secrets.yaml { "vaultwarden/env".owner = vaultwardenUser; }; services.vaultwarden = { enable = true; environmentFile = config.sops.secrets."vaultwarden/env".path; config = { DOMAIN = "https://${passwordManagerDomain}"; # Configuring the server. ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = 8222; # Ehh... It's only a few (or even one) users anyways so nah. Since this # instance will not configure SMTP server, this pretty much means # invitation is only via email at this point. SHOW_PASSWORD_HINT = false; # Configuring some parts of account management which is almost # nonexistent because this is just intended for me (at least right now). SIGNUPS_ALLOWED = false; SIGNUPS_VERIFY = true; # Invitations... INVITATIONS_ALLOWED = true; INVITATION_ORG_NAME = "foodogsquared's Vaultwarden"; # Notifications... WEBSOCKET_ENABLED = true; WEBSOCKET_PORT = 3012; WEBSOCKET_ADDRESS = "0.0.0.0"; # Enabling web vault with whatever nixpkgs comes in. WEB_VAULT_ENABLED = true; # Mailer service configuration (except the user and password). SMTP_HOST = "smtp.sendgrid.net"; SMTP_PORT = 587; SMTP_FROM_NAME = "Vaultwarden"; SMTP_FROM = "bot+vaultwarden@foodogsquared.one"; }; }; # We do a little service hardening. Even though the Vaultwarden NixOS # module is already doing some of those things, we'll just add some of # them. systemd.services.vaultwarden = { serviceConfig = lib.mkAfter { LockPersonality = true; NoNewPrivileges = true; RestrictSUIDSGID = true; RestrictRealtime = true; ProtectClock = true; ProtectKernelLogs = true; ProtectKernelTunables = true; ProtectKernelModules = true; ProtectHostname = true; ProtectControlGroups = true; ProtectProc = "invisible"; # Filtering system calls. SystemCallFilter = [ "@system-service" "~@privileged" ]; SystemCallErrorNumber = "EPERM"; SystemCallArchitectures = "native"; # Restricting what capabilities it has access to which it # has none. CapabilityBoundingSet = [ "" ]; AmbientCapabilities = lib.mkForce [ "" ]; # Restrict what address families this service can interact # with. Since it is a web service, we expect it will only # interact with web service stuff like IPs. RestrictAddressFamilies = [ # It's required especially it can communicate with the local system. "AF_LOCAL" # The IPs. "AF_INET" "AF_INET6" ]; # Restrict what namespaces it can create which is none. RestrictNamespaces = true; }; }; } (lib.mkIf hostCfg.services.database.enable { services.vaultwarden = { dbBackend = "postgresql"; config.DATABASE_URL = "postgresql://${vaultwardenUser}@/${vaultwardenDbName}"; }; services.postgresql = { ensureDatabases = [ vaultwardenDbName ]; ensureUsers = [{ name = vaultwardenUser; ensurePermissions = { "DATABASE ${vaultwardenDbName}" = "ALL PRIVILEGES"; "SCHEMA ${vaultwardenDbName}" = "ALL PRIVILEGES"; }; }]; }; systemd.services.vaultwarden = { path = [ config.services.postgresql.package ]; # Making it comply with PostgreSQL secure schema usage pattern. preStart = lib.mkAfter '' # Setting up the appropriate schema for PostgreSQL secure schema usage. psql -tAc "SELECT 1 FROM information_schema.schemata WHERE schema_name='${vaultwardenUser}';" \ | grep -q 1 || psql -tAc "CREATE SCHEMA IF NOT EXISTS AUTHORIZATION ${vaultwardenUser};" ''; }; }) (lib.mkIf hostCfg.services.reverse-proxy.enable { services.nginx.virtualHosts."${passwordManagerDomain}" = { forceSSL = true; enableACME = true; acmeRoot = null; kTLS = true; locations = let address = config.services.vaultwarden.config.ROCKET_ADDRESS; websocketPort = config.services.vaultwarden.config.WEBSOCKET_PORT; in { "/" = { proxyPass = "http://vaultwarden"; proxyWebsockets = true; }; "/notifications/hub" = { proxyPass = "http://${address}:${toString websocketPort}"; proxyWebsockets = true; }; "/notifications/hub/negotiate" = { proxyPass = "http://vaultwarden"; proxyWebsockets = true; }; }; extraConfig = '' proxy_cache ${config.services.nginx.proxyCachePath.apps.keysZoneName}; ''; }; services.nginx.upstreams."vaultwarden" = { extraConfig = '' zone services; keepalive 2; ''; servers = let address = config.services.vaultwarden.config.ROCKET_ADDRESS; port = config.services.vaultwarden.config.ROCKET_PORT; in { "${address}:${builtins.toString port}" = { }; }; }; }) (lib.mkIf hostCfg.services.backup.enable { # Add the data directory to be backed up. services.borgbackup.jobs.services-backup.paths = [ "/var/lib/bitwarden_rs" ]; }) (lib.mkIf hostCfg.services.fail2ban.enable { # Configuring fail2ban for this service which thankfully has a dedicated page # at https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup. services.fail2ban.jails = { vaultwarden-user.settings = { enabled = true; backend = "systemd"; filter = "vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']"; maxretry = 5; }; vaultwarden-admin.settings = { enabled = true; backend = "systemd"; filter = "vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']"; maxretry = 3; }; }; environment.etc = { "fail2ban/filter.d/vaultwarden-user.conf".text = '' [Includes] before = common.conf # For more information, Vaultwarden knowledge base has a dedicated page # for configuring fail2ban with the application (i.e., # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup). [Definition] failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ ignoreregex = ''; "fail2ban/filter.d/vaultwarden-admin.conf".text = '' [Includes] before = common.conf # For more information, Vaultwarden knowledge base has a dedicated page # for configuring fail2ban with the application (i.e., # https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup). [Definition] failregex = ^.*Invalid admin token\. IP: .*$ ignoreregex = ''; }; }) ]); }