@ -3,9 +3,9 @@
with lib ;
let
cfg = config . services . bitwarden_rs ;
user = config . users . users . bitwarden_rs . name ;
group = config . users . groups . bitwarden_rs . name ;
cfg = config . services . vaultwarden ;
user = config . users . users . vaultwarden . name ;
group = config . users . groups . vaultwarden . name ;
# Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
nameToEnvVar = name :
@ -26,22 +26,26 @@ let
if value != null then [ ( nameValuePair ( nameToEnvVar name ) ( if isBool value then boolToString value else toString value ) ) ] else [ ]
) cfg . config ) ) ;
in { DATA_FOLDER = " / v a r / l i b / b i t w a r d e n _ r s " ; } // optionalAttrs ( ! ( configEnv ? WEB_VAULT_ENABLED ) || configEnv . WEB_VAULT_ENABLED == " t r u e " ) {
WEB_VAULT_FOLDER = " ${ pkgs . bitwarden_rs -vault} / s h a r e / b i t w a r d e n _ r s / v a u l t " ;
WEB_VAULT_FOLDER = " ${ pkgs . vaultwarden -vault} / s h a r e / v a u l t w a r d e n / v a u l t " ;
} // configEnv ;
configFile = pkgs . writeText " b i t w a r d e n _ r s . e n v " ( concatStrings ( mapAttrsToList ( name : value : " ${ name } = ${ value } \n " ) configEnv ) ) ;
configFile = pkgs . writeText " v a u l t w a r d e n . e n v " ( concatStrings ( mapAttrsToList ( name : value : " ${ name } = ${ value } \n " ) configEnv ) ) ;
bitwarden_rs = pkgs . bitwarden_rs . override { inherit ( cfg ) dbBackend ; } ;
vaultwarden = pkgs . vaultwarden . override { inherit ( cfg ) dbBackend ; } ;
in {
options . services . bitwarden_rs = with types ; {
enable = mkEnableOption " b i t w a r d e n _ r s " ;
imports = [
( mkRenamedOptionModule [ " s e r v i c e s " " b i t w a r d e n _ r s " ] [ " s e r v i c e s " " v a u l t w a r d e n " ] )
] ;
options . services . vaultwarden = with types ; {
enable = mkEnableOption " v a u l t w a r d e n " ;
dbBackend = mkOption {
type = enum [ " s q l i t e " " m y s q l " " p o s t g r e s q l " ] ;
default = " s q l i t e " ;
description = ''
Which database backend bitwarden_rs will be using .
Which database backend vaultwarden will be using .
'' ;
} ;
@ -49,7 +53,7 @@ in {
type = nullOr str ;
default = null ;
description = ''
The directory under which bitwarden_rs will backup its persistent data .
The directory under which vaultwarden will backup its persistent data .
'' ;
} ;
@ -65,7 +69,7 @@ in {
}
'' ;
description = ''
The configuration of bitwarden_rs is done through environment variables ,
The configuration of vaultwarden is done through environment variables ,
therefore the names are converted from camel case ( e . g . disable2FARemember )
to upper case snake case ( e . g . DISABLE_2FA_REMEMBER ) .
In this conversion digits ( 0 -9 ) are handled just like upper case characters ,
@ -75,17 +79,17 @@ in {
This allows working around any potential future conflicting naming conventions .
Based on the attributes passed to this config option an environment file will be generated
that is passed to bitwarden_rs 's systemd service .
that is passed to vaultwarden 's systemd service .
The available configuration options can be found in
< link xlink:href= " h t t p s : / / g i t h u b . c o m / d a n i - g a r c i a / b i t w a r d e n _ r s / b l o b / ${ bitwarden_rs . version } / . e n v . t e m p l a t e " > the environment template file < /link > .
< link xlink:href= " h t t p s : / / g i t h u b . c o m / d a n i - g a r c i a / v a u l t w a r d e n / b l o b / ${ vaultwarden . version } / . e n v . t e m p l a t e " > the environment template file < /link > .
'' ;
} ;
environmentFile = mkOption {
type = with types ; nullOr path ;
default = null ;
example = " / r o o t / b i t w a r d e n _ r s . e n v " ;
example = " / r o o t / v a u l t w a r d e n . e n v " ;
description = ''
Additional environment file as defined in <citerefentry>
<refentrytitle> systemd . exec < /refentrytitle > <manvolnum> 5 < /manvolnum >
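Review bot: The `config` option's description, in the sentence ending "passed to vaultwarden's systemd service", never says where that generated file lives; `configFile` is produced with `pkgs.writeText`, so every value set through `config` is copied into the world-readable Nix store. I would add one sentence after it: `Note that this generated file is placed in the world-readable Nix store, so do not set secrets (such as the admin token, SMTP credentials or a database URL containing a password) here; pass them through environmentFile instead.` The `environmentFile` description a few lines further down already relies on this property, so the two descriptions would then agree rather than leaving the warning in only one place.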
@ -95,7 +99,7 @@ in {
may be passed to the service without adding them to the world-readable Nix store .
Note that this file needs to be available on the host on which
<literal> bitwarden_rs < /literal > is running .
<literal> vaultwarden < /literal > is running .
'' ;
} ;
} ;
@ -106,20 +110,21 @@ in {
message = " B a c k u p s f o r d a t a b a s e b a c k e n d s o t h e r t h a n s q l i t e w i l l n e e d c u s t o m i z a t i o n " ;
} ] ;
users . users . bitwarden_rs = {
users . users . vaultwarden = {
inherit group ;
isSystemUser = true ;
} ;
users . groups . bitwarden_rs = { } ;
users . groups . vaultwarden = { } ;
systemd . services . bitwarden_rs = {
systemd . services . vaultwarden = {
aliases = [ " b i t w a r d e n _ r s " ] ;
after = [ " n e t w o r k . t a r g e t " ] ;
path = with pkgs ; [ openssl ] ;
serviceConfig = {
User = user ;
Group = group ;
EnvironmentFile = [ configFile ] ++ optional ( cfg . environmentFile != null ) cfg . environmentFile ;
ExecStart = " ${ bitwarden_rs } / b i n / b i t w a r d e n _ r s " ;
ExecStart = " ${ vaultwarden } / b i n / v a u l t w a r d e n " ;
LimitNOFILE = " 1 0 4 8 5 7 6 " ;
PrivateTmp = " t r u e " ;
PrivateDevices = " t r u e " ;
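Review bot: The `aliases = [ "bitwarden_rs" ];` line gives the alias without a unit-type suffix; NixOS materialises each alias as a symlink of exactly that name in the systemd unit directory, and a file named `bitwarden_rs` is not a `.service` unit systemd will resolve, so `systemctl status bitwarden_rs` will still not find the renamed service. It should read `aliases = [ "bitwarden_rs.service" ];`. Separately, the service now runs as the new `vaultwarden` system user while `DATA_FOLDER` stays at `/var/lib/bitwarden_rs`; with `isSystemUser = true` the uid is allocated dynamically, so on a host migrating from the old module the existing data is owned by the previous `bitwarden_rs` uid. Whether systemd repairs that ownership depends on a StateDirectory declaration that, if present, sits in the part of `serviceConfig` below this hunk, so this deserves a check on an upgraded host or a short migration note in the option documentation.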
@ -131,15 +136,16 @@ in {
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
} ;
systemd . services . backup-bitwarden_rs = mkIf ( cfg . backupDir != null ) {
description = " B a c k u p b i t w a r d e n _ r s " ;
systemd . services . backup-vaultwarden = mkIf ( cfg . backupDir != null ) {
aliases = [ " b a c k u p - b i t w a r d e n _ r s " ] ;
description = " B a c k u p v a u l t w a r d e n " ;
environment = {
DATA_FOLDER = " / v a r / l i b / b i t w a r d e n _ r s " ;
BACKUP_FOLDER = cfg . backupDir ;
} ;
path = with pkgs ; [ sqlite ] ;
serviceConfig = {
SyslogIdentifier = " b a c k u p - b i t w a r d e n _ r s " ;
SyslogIdentifier = " b a c k u p - v a u l t w a r d e n " ;
Type = " o n e s h o t " ;
User = mkDefault user ;
Group = mkDefault group ;
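Review bot: The backup service's `aliases = [ "backup-bitwarden_rs" ];` has the same suffix problem as the main unit: without `.service` the symlink NixOS creates is not a unit name systemd resolves, so the compatibility alias does nothing. It should be `aliases = [ "backup-bitwarden_rs.service" ];`, which also keeps it distinct from the alias the timer unit declares in the next hunk. The `serviceConfig` attribute set continues past this hunk.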
@ -148,12 +154,13 @@ in {
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
} ;
systemd . timers . backup-bitwarden_rs = mkIf ( cfg . backupDir != null ) {
description = " B a c k u p b i t w a r d e n _ r s o n t i m e " ;
systemd . timers . backup-vaultwarden = mkIf ( cfg . backupDir != null ) {
aliases = [ " b a c k u p - b i t w a r d e n _ r s " ] ;
description = " B a c k u p v a u l t w a r d e n o n t i m e " ;
timerConfig = {
OnCalendar = mkDefault " 2 3 : 0 0 " ;
Persistent = " t r u e " ;
Unit = " b a c k u p - b i t w a r d e n _ r s . s e r v i c e " ;
Unit = " b a c k u p - v a u l t w a r d e n . s e r v i c e " ;
} ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
} ;
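Review bot: The timer's `aliases = [ "backup-bitwarden_rs" ];` is byte-identical to the alias given to the backup service two hunks above, so both units would be symlinked under the same file name in the unit directory and one alias overwrites the other; neither carries a unit-type suffix either, so systemd would not resolve it as a timer in any case. It should read `aliases = [ "backup-bitwarden_rs.timer" ];`, matching the `Unit = "backup-vaultwarden.service"` reference on the new side of this hunk. With distinct `.service` and `.timer` aliases, `systemctl` invocations written for the old unit names keep working after the rename.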