Commit files for public release

nixos-modules/vault/README.md

@@ -0,0 +1,37 @@
+# Vaultwarden / Bitwarden
+
+To use our Vaultwarden instance, you can use the regular
+[Bitwarden apps](https://bitwarden.com/download/) with our custom server when logging in:
+
+Username: `first.lastname@qo.is`  
+Server Name: `https://vault.qo.is`
+
+## Create Accounts
+
+We currently [allow signups](https://vault.qo.is/#/register) for `@qo.is` email addresses.
+
+Please instruct users to:
+
+- use their full `firstname.lastname@qo.is` email so users may be connected to a LDAP database in the future
+- remember that the login password is used to encrypt the password database and should therefor be good.
+- the password cannot be reset without loosing all the passwords.
+  Use of [Emergency Contacts](https://bitwarden.com/help/emergency-access/) or Organizations may be advisable.
+
+
+## Administration
+
+An admin panel is available under [vault.qo.is/admin](https://vault.qo.is/admin).
+The password is saved in the pass database under `vaultwarden-admin`.
+
+In the administration panel, users and organizations may be managed.
+Instance settings should be changed with the nixos module in the infrastructure repository only.
+
+
+## Backup / Restore
+
+1. `systemctl stop vaultwarden.service`
+2. Import Postgresql Database Backup
+3. Restore `/var/lib/bitwarden_rs`
+4. `systemctl start vaultwarden.service`
+5. Click `Force clients to resync` in the [Administration interface under _Users_](https://vault.qo.is/admin/users/overview)
+

nixos-modules/vault/default.nix

@@ -0,0 +1,90 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cfg = config.qois.vault;
+in
+with lib;
+{
+  options.qois.vault = {
+    enable = mkEnableOption "Enable qois vault service";
+
+    domain = mkOption {
+      type = types.str;
+      default = "vault.qo.is";
+      description = "Domain, under which the service is served.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    services.vaultwarden = {
+      enable = true;
+      dbBackend = "postgresql";
+      environmentFile = config.sops.secrets."vaultwarden/environment-file".path;
+      config = {
+        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        DATABASE_URL = "postgresql:///vaultwarden";
+
+        DOMAIN = "https://${cfg.domain}";
+        ROCKET_PORT = 8222;
+
+        USE_SENDMAIL = true;
+        SMTP_FROM = "vault@qo.is";
+        SMTP_FROM_NAME = cfg.domain;
+
+        SIGNUPS_ALLOWED = false;
+        INVITATIONS_ALLOWED = false;
+        SIGNUPS_DOMAINS_WHITELIST = "qo.is";
+        SIGNUPS_VERIFY = true;
+
+        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials";
+        SHOW_PASSWORD_HINT = false;
+        TRASH_AUTO_DELETE_DAYS = 30;
+      };
+    };
+
+    qois.postgresql.enable = true;
+
+    qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
+
+    services.postgresql =
+      let
+        name = config.users.users.vaultwarden.name;
+      in
+      {
+        ensureUsers = [
+          {
+            inherit name;
+            ensureDBOwnership = true;
+          }
+        ];
+        ensureDatabases = [ name ];
+      };
+
+    # See https://search.nixos.org/options?channel=unstable&show=services.vaultwarden.environmentFile
+    sops.secrets."vaultwarden/environment-file".restartUnits = [ "vaultwarden.service" ];
+
+    systemd.services.vaultwarden.path = [ pkgs.msmtp ];
+    users.users.vaultwarden.extraGroups = [ "postdrop" ];
+
+    networking.hosts."127.0.0.1" = [ cfg.domain ];
+    services.nginx = {
+      enable = true;
+
+      virtualHosts.${cfg.domain} = {
+        kTLS = true;
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+}