Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2111.section.xml | 110 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2111.section.md | 26 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/coturn.nix | 99 | ||||
-rw-r--r-- | nixos/modules/services/security/vaultwarden/backup.sh (renamed from nixos/modules/services/security/bitwarden_rs/backup.sh) | 2 | ||||
-rw-r--r-- | nixos/modules/services/security/vaultwarden/default.nix (renamed from nixos/modules/services/security/bitwarden_rs/default.nix) | 57 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 3 | ||||
-rw-r--r-- | nixos/tests/coturn.nix | 29 | ||||
-rw-r--r-- | nixos/tests/vaultwarden.nix (renamed from nixos/tests/bitwarden.nix) | 20 |
9 files changed, 275 insertions, 73 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index abd10a6f9a7..6f4079ea9bb 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -339,6 +339,116 @@ release instead of the old 2.31.0 version. </para> </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> packages and modules were + renamed to <literal>vaultwarden</literal> + <link xlink:href="https://github.com/dani-garcia/vaultwarden/discussions/1642">following + upstream</link>. More specifically, + </para> + <itemizedlist> + <listitem> + <para> + <literal>pkgs.bitwarden_rs</literal>, + <literal>pkgs.bitwarden_rs-sqlite</literal>, + <literal>pkgs.bitwarden_rs-mysql</literal> and + <literal>pkgs.bitwarden_rs-postgresql</literal> were + renamed to <literal>pkgs.vaultwarden</literal>, + <literal>pkgs.vaultwarden-sqlite</literal>, + <literal>pkgs.vaultwarden-mysql</literal> and + <literal>pkgs.vaultwarden-postgresql</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The <literal>bitwarden_rs</literal> executable was + also renamed to <literal>vaultwarden</literal> in all + packages. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> was renamed to + <literal>pkgs.vaultwarden-vault</literal>. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>pkgs.bitwarden_rs-vault</literal> is + preserved as an alias for backwards compatibility, but + may be removed in the future. + </para> + </listitem> + <listitem> + <para> + The static files were moved from + <literal>/usr/share/bitwarden_rs</literal> to + <literal>/usr/share/vaultwarden</literal>. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + The <literal>services.bitwarden_rs</literal> config module + was renamed to <literal>services.vaultwarden</literal>. 
+ </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + <literal>services.bitwarden_rs</literal> is preserved + as an alias for backwards compatibility, but may be + removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>systemd.services.bitwarden_rs</literal>, + <literal>systemd.services.backup-bitwarden_rs</literal> + and <literal>systemd.timers.backup-bitwarden_rs</literal> + were renamed to + <literal>systemd.services.vaultwarden</literal>, + <literal>systemd.services.backup-vaultwarden</literal> and + <literal>systemd.timers.backup-vaultwarden</literal>, + respectively. + </para> + <itemizedlist spacing="compact"> + <listitem> + <para> + Old names are preserved as aliases for backwards + compatibility, but may be removed in the future. + </para> + </listitem> + </itemizedlist> + </listitem> + <listitem> + <para> + <literal>users.users.bitwarden_rs</literal> and + <literal>users.groups.bitwarden_rs</literal> were renamed + to <literal>users.users.vaultwarden</literal> and + <literal>users.groups.vaultwarden</literal>, respectively. + </para> + </listitem> + <listitem> + <para> + The data directory remains located at + <literal>/var/lib/bitwarden_rs</literal>, for backwards + compatibility. + </para> + </listitem> + </itemizedlist> + </listitem> </itemizedlist> </section> <section xml:id="sec-release-21.11-notable-changes"> diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md index 1b7250a1815..1f532a296ea 100644 --- a/nixos/doc/manual/release-notes/rl-2111.section.md +++ b/nixos/doc/manual/release-notes/rl-2111.section.md 
@@ -85,6 +85,32 @@ In addition to numerous new and upgraded packages, this release has the followin * The `libwnck` package now defaults to the 3.x release instead of the old 2.31.0 version. +* The `bitwarden_rs` packages and modules were renamed to `vaultwarden` + [following upstream](https://github.com/dani-garcia/vaultwarden/discussions/1642). More specifically, + + * `pkgs.bitwarden_rs`, `pkgs.bitwarden_rs-sqlite`, `pkgs.bitwarden_rs-mysql` and + `pkgs.bitwarden_rs-postgresql` were renamed to `pkgs.vaultwarden`, `pkgs.vaultwarden-sqlite`, + `pkgs.vaultwarden-mysql` and `pkgs.vaultwarden-postgresql`, respectively. + * Old names are preserved as aliases for backwards compatibility, but may be removed in the future. + * The `bitwarden_rs` executable was also renamed to `vaultwarden` in all packages. + + * `pkgs.bitwarden_rs-vault` was renamed to `pkgs.vaultwarden-vault`. + * `pkgs.bitwarden_rs-vault` is preserved as an alias for backwards compatibility, but may be removed in the future. + * The static files were moved from `/usr/share/bitwarden_rs` to `/usr/share/vaultwarden`. + + * The `services.bitwarden_rs` config module was renamed to `services.vaultwarden`. + * `services.bitwarden_rs` is preserved as an alias for backwards compatibility, but may be removed in the future. + + * `systemd.services.bitwarden_rs`, `systemd.services.backup-bitwarden_rs` and `systemd.timers.backup-bitwarden_rs` + were renamed to `systemd.services.vaultwarden`, `systemd.services.backup-vaultwarden` and + `systemd.timers.backup-vaultwarden`, respectively. + * Old names are preserved as aliases for backwards compatibility, but may be removed in the future. + + * `users.users.bitwarden_rs` and `users.groups.bitwarden_rs` were renamed to `users.users.vaultwarden` and + `users.groups.vaultwarden`, respectively. + + * The data directory remains located at `/var/lib/bitwarden_rs`, for backwards compatibility. 
+ ## Other Notable Changes {#sec-release-21.11-notable-changes} - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 2d0f5d37f9e..7eb4c7e922e 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -874,7 +874,6 @@ ./services/search/hound.nix
 ./services/search/kibana.nix
 ./services/search/solr.nix
- ./services/security/bitwarden_rs/default.nix
 ./services/security/certmgr.nix
 ./services/security/cfssl.nix
 ./services/security/clamav.nix
@@ -900,6 +899,7 @@ ./services/security/torsocks.nix
 ./services/security/usbguard.nix
 ./services/security/vault.nix
+ ./services/security/vaultwarden/default.nix
 ./services/security/yubikey-agent.nix
 ./services/system/cloud-init.nix
 ./services/system/dbus.nix
diff --git a/nixos/modules/services/networking/coturn.nix b/nixos/modules/services/networking/coturn.nix
index 1bfbc307c59..5f7d2893ae2 100644
--- a/nixos/modules/services/networking/coturn.nix
+++ b/nixos/modules/services/networking/coturn.nix
@@ -16,6 +16,7 @@ ${lib.optionalString cfg.lt-cred-mech "lt-cred-mech"}
 ${lib.optionalString cfg.no-auth "no-auth"}
 ${lib.optionalString cfg.use-auth-secret "use-auth-secret"}
 ${lib.optionalString (cfg.static-auth-secret != null) ("static-auth-secret=${cfg.static-auth-secret}")}
+${lib.optionalString (cfg.static-auth-secret-file != null) ("static-auth-secret=#static-auth-secret#")}
 realm=${cfg.realm}
 ${lib.optionalString cfg.no-udp "no-udp"}
 ${lib.optionalString cfg.no-tcp "no-tcp"}
@@ -182,6 +183,13 @@ in {
 by a separate program, so this is why that other mode is 'dynamic'.
 '';
 };
+ static-auth-secret-file = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Path to the file containing the static authentication secret.
+ '';
+ };
 realm = mkOption {
 type = types.str;
 default = config.networking.hostName;
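Review bot: The description of the new `static-auth-secret-file` option does not say why its type is `types.str` rather than `types.path`, nor who has to be able to read the file, and both matter for a secret. A `path` value (or an unquoted `./secret` literal) would be copied into the world-readable Nix store, which is exactly what this option exists to avoid, so the `str` type is correct but should be explained. The file is consumed by the unit's `preStart` in the following hunk, which appears to run as the service user rather than root and reads only the first line, so the secret file must be readable by `turnserver`. Suggested description: `Path to a file containing the static authentication secret. Only the first line is used. The file must be readable by the turnserver user and must be given as a string (e.g. "/run/keys/coturn-secret"), not a path literal, so the secret is not copied into the world-readable Nix store.`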
@@ -293,42 +301,63 @@ in {
 };
 };
- config = mkIf cfg.enable {
- users.users.turnserver =
- { uid = config.ids.uids.turnserver;
- description = "coturn TURN server user";
- };
- users.groups.turnserver =
- { gid = config.ids.gids.turnserver;
- members = [ "turnserver" ];
- };
+ config = mkIf cfg.enable (mkMerge ([
+ { assertions = [
+ { assertion = cfg.static-auth-secret != null -> cfg.static-auth-secret-file == null ;
+ message = "static-auth-secret and static-auth-secret-file cannot be set at the same time";
+ }
+ ];}
- systemd.services.coturn = {
- description = "coturn TURN server";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
+ {
+ users.users.turnserver =
+ { uid = config.ids.uids.turnserver;
+ description = "coturn TURN server user";
+ };
+ users.groups.turnserver =
+ { gid = config.ids.gids.turnserver;
+ members = [ "turnserver" ];
+ };
- unitConfig = {
- Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
- };
+ systemd.services.coturn = let
+ runConfig = "/run/coturn/turnserver.cfg";
+ in {
+ description = "coturn TURN server";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "simple";
- ExecStart = "${pkgs.coturn}/bin/turnserver -c ${configFile}";
- RuntimeDirectory = "turnserver";
- User = "turnserver";
- Group = "turnserver";
- AmbientCapabilities =
- mkIf (
- cfg.listening-port < 1024 ||
- cfg.alt-listening-port < 1024 ||
- cfg.tls-listening-port < 1024 ||
- cfg.alt-tls-listening-port < 1024 ||
- cfg.min-port < 1024
- ) "cap_net_bind_service";
- Restart = "on-abort";
- };
- };
- };
+ unitConfig = {
+ Documentation = "man:coturn(1) man:turnadmin(1) man:turnserver(1)";
+ };
+
+ preStart = ''
+ cat ${configFile} > ${runConfig}
+ ${optionalString (cfg.static-auth-secret-file != null) ''
+ STATIC_AUTH_SECRET="$(head -n1 ${cfg.static-auth-secret-file} || :)"
+ sed -e 
"s,#static-auth-secret#,$STATIC_AUTH_SECRET,g" \ + -i ${runConfig} + '' } + chmod 640 ${runConfig} + ''; + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.coturn}/bin/turnserver -c ${runConfig}"; + RuntimeDirectory = "turnserver"; + User = "turnserver"; + Group = "turnserver"; + AmbientCapabilities = + mkIf ( + cfg.listening-port < 1024 || + cfg.alt-listening-port < 1024 || + cfg.tls-listening-port < 1024 || + cfg.alt-tls-listening-port < 1024 || + cfg.min-port < 1024 + ) "cap_net_bind_service"; + Restart = "on-abort"; + }; + }; + systemd.tmpfiles.rules = [ + "d /run/coturn 0700 turnserver turnserver - -" + ]; + }])); } diff --git a/nixos/modules/services/security/bitwarden_rs/backup.sh b/nixos/modules/services/security/vaultwarden/backup.sh index 264a7da9cbb..2a3de0ab1de 100644 --- a/nixos/modules/services/security/bitwarden_rs/backup.sh +++ b/nixos/modules/services/security/vaultwarden/backup.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Based on: https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault +# Based on: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault if ! mkdir -p "$BACKUP_FOLDER"; then echo "Could not create backup folder '$BACKUP_FOLDER'" >&2 exit 1 diff --git a/nixos/modules/services/security/bitwarden_rs/default.nix b/nixos/modules/services/security/vaultwarden/default.nix index bed59dbf821..940ac7832da 100644 --- a/nixos/modules/services/security/bitwarden_rs/default.nix +++ b/nixos/modules/services/security/vaultwarden/default.nix @@ -3,9 +3,9 @@ with lib; let - cfg = config.services.bitwarden_rs; - user = config.users.users.bitwarden_rs.name; - group = config.users.groups.bitwarden_rs.name; + cfg = config.services.vaultwarden; + user = config.users.users.vaultwarden.name; + group = config.users.groups.vaultwarden.name; # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). nameToEnvVar = name: 
@@ -26,22 +26,26 @@ let if value != null then [ (nameValuePair (nameToEnvVar name) (if isBool value then boolToString value else toString value)) ] else [] ) cfg.config)); in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") { - WEB_VAULT_FOLDER = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault"; + WEB_VAULT_FOLDER = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault"; } // configEnv; - configFile = pkgs.writeText "bitwarden_rs.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); + configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv)); - bitwarden_rs = pkgs.bitwarden_rs.override { inherit (cfg) dbBackend; }; + vaultwarden = pkgs.vaultwarden.override { inherit (cfg) dbBackend; }; in { - options.services.bitwarden_rs = with types; { - enable = mkEnableOption "bitwarden_rs"; + imports = [ + (mkRenamedOptionModule [ "services" "bitwarden_rs" ] [ "services" "vaultwarden" ]) + ]; + + options.services.vaultwarden = with types; { + enable = mkEnableOption "vaultwarden"; dbBackend = mkOption { type = enum [ "sqlite" "mysql" "postgresql" ]; default = "sqlite"; description = '' - Which database backend bitwarden_rs will be using. + Which database backend vaultwarden will be using. ''; }; @@ -49,7 +53,7 @@ in { type = nullOr str; default = null; description = '' - The directory under which bitwarden_rs will backup its persistent data. + The directory under which vaultwarden will backup its persistent data. ''; }; 
@@ -65,7 +69,7 @@ in { } ''; description = '' - The configuration of bitwarden_rs is done through environment variables, + The configuration of vaultwarden is done through environment variables, therefore the names are converted from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER). In this conversion digits (0-9) are handled just like upper case characters, @@ -75,17 +79,17 @@ in { This allows working around any potential future conflicting naming conventions. Based on the attributes passed to this config option an environment file will be generated - that is passed to bitwarden_rs's systemd service. + that is passed to vaultwarden's systemd service. The available configuration options can be found in - <link xlink:href="https://github.com/dani-garcia/bitwarden_rs/blob/${bitwarden_rs.version}/.env.template">the environment template file</link>. + <link xlink:href="https://github.com/dani-garcia/vaultwarden/blob/${vaultwarden.version}/.env.template">the environment template file</link>. ''; }; environmentFile = mkOption { type = with types; nullOr path; default = null; - example = "/root/bitwarden_rs.env"; + example = "/root/vaultwarden.env"; description = '' Additional environment file as defined in <citerefentry> <refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum> @@ -95,7 +99,7 @@ in { may be passed to the service without adding them to the world-readable Nix store. Note that this file needs to be available on the host on which - <literal>bitwarden_rs</literal> is running. + <literal>vaultwarden</literal> is running. ''; }; }; 
@@ -106,20 +110,21 @@ in { message = "Backups for database backends other than sqlite will need customization"; } ]; - users.users.bitwarden_rs = { + users.users.vaultwarden = { inherit group; isSystemUser = true; }; - users.groups.bitwarden_rs = { }; + users.groups.vaultwarden = { }; - systemd.services.bitwarden_rs = { + systemd.services.vaultwarden = { + aliases = [ "bitwarden_rs" ]; after = [ "network.target" ]; path = with pkgs; [ openssl ]; serviceConfig = { User = user; Group = group; EnvironmentFile = [ configFile ] ++ optional (cfg.environmentFile != null) cfg.environmentFile; - ExecStart = "${bitwarden_rs}/bin/bitwarden_rs"; + ExecStart = "${vaultwarden}/bin/vaultwarden"; LimitNOFILE = "1048576"; PrivateTmp = "true"; PrivateDevices = "true"; @@ -131,15 +136,16 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.services.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { - description = "Backup bitwarden_rs"; + systemd.services.backup-vaultwarden = mkIf (cfg.backupDir != null) { + aliases = [ "backup-bitwarden_rs" ]; + description = "Backup vaultwarden"; environment = { DATA_FOLDER = "/var/lib/bitwarden_rs"; BACKUP_FOLDER = cfg.backupDir; }; path = with pkgs; [ sqlite ]; serviceConfig = { - SyslogIdentifier = "backup-bitwarden_rs"; + SyslogIdentifier = "backup-vaultwarden"; Type = "oneshot"; User = mkDefault user; Group = mkDefault group; @@ -148,12 +154,13 @@ in { wantedBy = [ "multi-user.target" ]; }; - systemd.timers.backup-bitwarden_rs = mkIf (cfg.backupDir != null) { - description = "Backup bitwarden_rs on time"; + systemd.timers.backup-vaultwarden = mkIf (cfg.backupDir != null) { + aliases = [ "backup-bitwarden_rs" ]; + description = "Backup vaultwarden on time"; timerConfig = { OnCalendar = mkDefault "23:00"; Persistent = "true"; - Unit = "backup-bitwarden_rs.service"; + Unit = "backup-vaultwarden.service"; }; wantedBy = [ "multi-user.target" ]; }; 
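Review bot: Renaming the system user and group to `vaultwarden` while keeping `DATA_FOLDER = "/var/lib/bitwarden_rs"` is a migration hazard that this hunk does not address: `users.users.vaultwarden` is declared with `isSystemUser = true` and no fixed `uid`, and NixOS allocates dynamic system uids per user name, so on an existing install the new user will most likely receive a different uid from the old `bitwarden_rs` one while the vault database stays owned by the old uid. If the unit's `serviceConfig` (the rest of which lies outside this hunk) declares `StateDirectory = "bitwarden_rs"`, systemd should re-own the tree on the first start and the release note ought to say so; otherwise `vaultwarden` and the `backup-vaultwarden` job, which runs as the same user, would fail to read the data after the upgrade. Either pin ownership explicitly, e.g. a `systemd.tmpfiles.rules` entry `"Z /var/lib/bitwarden_rs 0700 ${user} ${group} - -"`, or document the one-time `chown -R vaultwarden:vaultwarden /var/lib/bitwarden_rs` next to the "data directory remains" bullet in the release notes. A `# kept for backwards compatibility with existing installs; see release notes` comment on the `DATA_FOLDER` line would also stop a future cleanup from renaming it without a migration.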
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b5126be8af7..c77e72a7f49 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -42,7 +42,6 @@ in
 bind = handleTest ./bind.nix {};
 bitcoind = handleTest ./bitcoind.nix {};
 bittorrent = handleTest ./bittorrent.nix {};
- bitwarden = handleTest ./bitwarden.nix {};
 blockbook-frontend = handleTest ./blockbook-frontend.nix {};
 boot = handleTestOn ["x86_64-linux"] ./boot.nix {}; # syslinux is unsupported on aarch64
 boot-stage1 = handleTest ./boot-stage1.nix {};
@@ -88,6 +87,7 @@ in
 containers-tmpfs = handleTest ./containers-tmpfs.nix {};
 convos = handleTest ./convos.nix {};
 corerad = handleTest ./corerad.nix {};
+ coturn = handleTest ./coturn.nix {};
 couchdb = handleTest ./couchdb.nix {};
 cri-o = handleTestOn ["x86_64-linux"] ./cri-o.nix {};
 custom-ca = handleTest ./custom-ca.nix {};
@@ -446,6 +446,7 @@ in
 v2ray = handleTest ./v2ray.nix {};
 vault = handleTest ./vault.nix {};
 vault-postgresql = handleTest ./vault-postgresql.nix {};
+ vaultwarden = handleTest ./vaultwarden.nix {};
 vector = handleTest ./vector.nix {};
 victoriametrics = handleTest ./victoriametrics.nix {};
 virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
diff --git a/nixos/tests/coturn.nix b/nixos/tests/coturn.nix
new file mode 100644
index 00000000000..dff832281c7
--- /dev/null
+++ b/nixos/tests/coturn.nix
@@ -0,0 +1,29 @@
+import ./make-test-python.nix ({ ... }: {
+ name = "coturn";
+ nodes = {
+ default = {
+ services.coturn.enable = true;
+ };
+ secretsfile = {
+ boot.postBootCommands = ''
+ echo "some-very-secret-string" > /run/coturn-secret
+ '';
+ services.coturn = {
+ enable = true;
+ static-auth-secret-file = "/run/coturn-secret";
+ };
+ };
+ };
+
+ testScript =
+ ''
+ start_all()
+
+ with subtest("by default works without configuration"):
+ default.wait_for_unit("coturn.service")
+
+ with subtest("works with static-auth-secret-file"):
+ secretsfile.wait_for_unit("coturn.service")
+ secretsfile.succeed("grep 'some-very-secret-string' /run/coturn/turnserver.cfg")
+ '';
+})
diff --git a/nixos/tests/bitwarden.nix b/nixos/tests/vaultwarden.nix
index f64cf171f01..b5343f5cad2 100644
--- a/nixos/tests/bitwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@@ -4,7 +4,7 @@
 }:
 # These tests will:
-# * Set up a bitwarden-rs server
+# * Set up a vaultwarden server
 # * Have Firefox use the web vault to create an account, log in, and save a password to the valut
 # * Have the bw cli log in and read that password from the vault
 #
@@ -24,8 +24,8 @@ let
 storedPassword = "seeeecret";
- makeBitwardenTest = backend: makeTest {
- name = "bitwarden_rs-${backend}";
+ makeVaultwardenTest = backend: makeTest {
+ name = "vaultwarden-${backend}";
 meta = {
 maintainers = with pkgs.lib.maintainers; [ jjjollyjim ];
 };
@@ -45,9 +45,9 @@ let
 package = pkgs.mariadb;
 };
- services.bitwarden_rs.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden";
+ services.vaultwarden.config.databaseUrl = "mysql://bitwardenuser:${dbPassword}@localhost/bitwarden";
- systemd.services.bitwarden_rs.after = [ "mysql.service" ];
+ systemd.services.vaultwarden.after = [ "mysql.service" ];
 };
 postgresql = {
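Review bot: The new coturn test only asserts that the secret text shows up in `/run/coturn/turnserver.cfg`; it never checks that the rendered config is kept private, which is the property the `0700` tmpfiles rule and the `chmod 640` in the module exist to provide, so a regression that made the file world-readable would pass this test. Add assertions on owner and mode, e.g. `secretsfile.succeed("stat -c '%a %U' /run/coturn/turnserver.cfg | grep -qx '640 turnserver'")` and `secretsfile.succeed("stat -c '%a' /run/coturn | grep -qx 700")`, and one that the placeholder is gone, `secretsfile.fail("grep -F '#static-auth-secret#' /run/coturn/turnserver.cfg")`. The fixture value `some-very-secret-string` contains none of the characters that are special in a `sed` replacement (`,`, `&`, `\`), so it cannot reveal whether such a secret survives the substitution; a second fixture with one of them would. The mutual-exclusion assertion between `static-auth-secret` and `static-auth-secret-file` fails at evaluation time and so cannot be exercised in a VM test, which is worth a one-line comment here so nobody assumes it is covered.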
@@ -60,9 +60,9 @@ let ''; }; - services.bitwarden_rs.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; + services.vaultwarden.config.databaseUrl = "postgresql://bitwardenuser:${dbPassword}@localhost/bitwarden"; - systemd.services.bitwarden_rs.after = [ "postgresql.service" ]; + systemd.services.vaultwarden.after = [ "postgresql.service" ]; }; sqlite = { }; @@ -71,7 +71,7 @@ let mkMerge [ backendConfig.${backend} { - services.bitwarden_rs = { + services.vaultwarden = { enable = true; dbBackend = backend; config.rocketPort = 80; @@ -152,7 +152,7 @@ let testScript = '' start_all() - server.wait_for_unit("bitwarden_rs.service") + server.wait_for_unit("vaultwarden.service") server.wait_for_open_port(80) with subtest("configure the cli"): @@ -184,6 +184,6 @@ let in builtins.listToAttrs ( map - (backend: { name = backend; value = makeBitwardenTest backend; }) + (backend: { name = backend; value = makeVaultwardenTest backend; }) backends ) |