diff --git a/applications/bitwarden/_bitwarden-directory-connector.nix b/applications/bitwarden/_bitwarden-directory-connector.nix new file mode 100644 index 0000000..ec754dc --- /dev/null +++ b/applications/bitwarden/_bitwarden-directory-connector.nix @@ -0,0 +1,55 @@ +{ + lib, + buildNpmPackage, + fetchFromGitHub, + pkgs, + git, + python3, + pkg-config, + libsecret, + nodejs_18, +}: let + buildNpmPackage' = buildNpmPackage.override {nodejs = nodejs_18;}; +in + buildNpmPackage' rec { + pname = "bitwarden-directory-connector"; + version = "2023.10.0"; + + src = fetchFromGitHub { + owner = "bitwarden"; + repo = "directory-connector"; + rev = "b2bc45137013b258bffda2c2703715cb9f6e687f"; + hash = "sha256-CgaCnMWNVWCJBypNcdoseVCwD8Mlq4YaWpK+VZT/7Qk="; + leaveDotGit = true; + }; + + npmDepsHash = "sha256-jBAWWY12qeX2EDhUvT3TQpnQvYXRsIilRrXGpVzxYvw="; + + env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1"; + + makeCacheWritable = true; + npmBuildScript = "build:cli:prod"; + + installPhase = '' + mkdir -p $out + cp -R {build-cli,node_modules} $out + ''; + + buildInputs = [ + libsecret + ]; + + nativeBuildInputs = [ + git + python3 + pkg-config + ]; + + meta = with lib; { + description = "A LDAP connector for Bitwarden"; + homepage = "https://github.com/bitwarden/directory-connector"; + license = licenses.gpl3Only; + maintainers = with maintainers; [Silver-Golden]; + platforms = platforms.linux; + }; + } diff --git a/applications/bitwarden/_bitwarden_sync_module.nix b/applications/bitwarden/_bitwarden_sync_module.nix new file mode 100644 index 0000000..3ca5157 --- /dev/null +++ b/applications/bitwarden/_bitwarden_sync_module.nix @@ -0,0 +1,334 @@ +{ + pkgs, + config, + lib, + ... +}: +with lib; let + # to be changed once the package is accepted + connector = pkgs.callPackage ./_bitwarden-directory-connector.nix {}; + + cfg = config.services.bitwarden_connector; + + nodejs = pkgs.nodejs-18_x; + + ldap_data = '' + { + "ssl": ${boolToString cfg.ldap.ssl}, + "startTls": ${boolToString cfg.ldap.startTls}, + "sslAllowUnauthorized": ${boolToString cfg.ldap.startTls}, + "port": ${toString cfg.ldap.port}, + "currentUser": false, + "ad": ${boolToString cfg.ldap.ad}, + "pagedSearch": true, + "password": "to_be_replaced", + "hostname": "${cfg.ldap.hostname}", + "rootPath": "${cfg.ldap.root}", + "username": "${cfg.ldap.username}" + } + ''; + + sync_data = '' + { + "removeDisabled": ${boolToString cfg.sync.removeDisabled}, + "overwriteExisting": ${boolToString cfg.sync.overwriteExisting}, + "largeImport": ${boolToString cfg.sync.largeImport}, + "creationDateAttribute": "${cfg.sync.creationDateAttribute}", + "memberAttribute": "${cfg.sync.memberAttribute}", + + "useEmailPrefixSuffix": ${boolToString cfg.sync.emailPrefixSuffix.enable}, + ${optionalString cfg.sync.emailPrefixSuffix.enable '' + "emailPrefixAttribute": "${cfg.sync.emailPrefixSuffix.prefixAttribute}", + "emailSuffix": "${cfg.sync.emailPrefixSuffix.suffix}", + ''} + + "users": ${boolToString cfg.sync.users.enable}, + ${optionalString cfg.sync.users.enable '' + "userPath": "${cfg.sync.users.path}", + "userObjectClass": "${cfg.sync.users.objectClass}", + "userEmailAttribute": "${cfg.sync.users.emailAttribute}", + "userFilter": "${cfg.sync.users.filter}", + ''} + + "groups": ${boolToString cfg.sync.groups.enable}, + ${optionalString cfg.sync.groups.enable '' + "groupPath": "${cfg.sync.groups.path}", + "groupObjectClass": "${cfg.sync.groups.objectClass}", + "groupNameAttribute": "${cfg.sync.groups.nameAttribute}", + "groupFilter": "${cfg.sync.groups.filter}", + ''} + + "interval": 5 + } + ''; + + sed_string = string: builtins.replaceStrings ["." "/" "\n"] ["\\." "\\/" "\\n"] string; +in { + imports = []; + + options.services.bitwarden_connector = { + enable = mkEnableOption "Bitwarden Directory Connector"; + + domain = mkOption { + type = types.str; + description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessable on."; + example = "https://vaultwarden.example.com"; + }; + + user = mkOption { + type = types.str; + description = lib.mdDoc "User to run the program."; + default = "bwdc"; + }; + + directory = mkOption { + type = types.str; + description = lib.mdDoc "Folder to store the config file."; + default = "/etc/bitwarden/${cfg.user}"; + }; + + ldap = { + ssl = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Use SSL."; + }; + startTls = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Use startTls."; + }; + sslAllowUnauthorized = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc ""; + }; + ad = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Is Active Directory."; + }; + port = mkOption { + type = types.int; + default = 389; + description = lib.mdDoc "Port LDAP is accessable on"; + }; + hostname = mkOption { + type = types.str; + description = lib.mdDoc "The host the LDAP is accessable on."; + example = "ldap.example.com"; + }; + + root = mkOption { + type = types.str; + description = lib.mdDoc "Root path for LDAP"; + example = "dc=example,dc=com"; + }; + + username = mkOption { + type = types.str; + description = lib.mdDoc "The user to authenticate as."; + example = "cn=admin,dc=example,dc=com"; + }; + pw_env = mkOption { + type = types.str; + description = lib.mdDoc "The ENV var that the ldap password is stored."; + default = "LDAP_PW"; + }; + }; + + sync = { + interval = mkOption { + type = types.str; + default = "*:0,15,30,45"; + description = lib.mdDoc "When to run the connector, cron syntax."; + }; + removeDisabled = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group."; + }; + overwriteExisting = mkOption { + type = types.bool; + default = false; + description = + lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details."; + }; + largeImport = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Enable if you ar syncing more than 2000 users/groups."; + }; + + memberAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute that lists members in a LDAP group."; + example = "uniqueMember"; + }; + + creationDateAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute that lists a users creation date."; + example = "whenCreated"; + }; + + emailPrefixSuffix = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email."; + }; + prefixAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute that has a users username."; + example = "accountName"; + }; + suffix = mkOption { + type = types.str; + description = lib.mdDoc "Suffix for the email, normally @example.com."; + example = "@example.com"; + }; + }; + + users = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Sync users."; + }; + path = mkOption { + type = types.str; + description = lib.mdDoc "User directory, relative to root."; + example = "ou=users"; + }; + objectClass = mkOption { + type = types.str; + description = lib.mdDoc "A class that users will have."; + example = "inetOrgPerson"; + }; + emailAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute for a users email."; + example = "mail"; + }; + filter = mkOption { + type = types.str; + description = lib.mdDoc "Filter for users."; + example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)"; + }; + }; + groups = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc "Sync groups."; + }; + path = mkOption { + type = types.str; + description = lib.mdDoc "Group directory, relative to root."; + example = "ou=groups"; + }; + objectClass = mkOption { + type = types.str; + description = lib.mdDoc "A class that groups will have."; + example = "groupOfNames"; + }; + nameAttribute = mkOption { + type = types.str; + description = lib.mdDoc "Attribute for a name of group."; + example = "cn"; + }; + filter = mkOption { + type = types.str; + description = lib.mdDoc "Filter for groups."; + example = "(cn=sales)"; + }; + }; + }; + + env = { + description = "Env files to be passed in."; + ldap = mkOption rec { + type = types.str; + description = "Auth for the LDAP, has ${cfg.ldap.pw_env}"; + }; + bitwarden = mkOption rec { + type = types.str; + description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET"; + }; + }; + }; + + config = mkIf cfg.enable { + users.groups."${cfg.user}" = {}; + + users.users."${cfg.user}" = { + createHome = true; + isSystemUser = true; + home = "${cfg.directory}"; + group = "${cfg.user}"; + homeMode = "711"; + }; + + systemd = { + timers."${cfg.user}" = { + description = "Timer for ${cfg.user}"; + wantedBy = ["timers.target"]; + partOf = ["${cfg.user}.service"]; + timerConfig = { + OnCalendar = cfg.sync.interval; + Unit = "${cfg.user}.service"; + Persistent = true; + }; + }; + + services."${cfg.user}" = { + description = "Main process for Bitwarden Directory Connector"; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = []; + + environment = { + BITWARDENCLI_CONNECTOR_APPDATA_DIR = cfg.directory; + BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true"; + }; + + serviceConfig = { + Type = "oneshot"; + User = "${cfg.user}"; + Group = "${cfg.user}"; + ExecStartPre = pkgs.writeShellScript "${cfg.user}-config" '' + # create the config file + ${nodejs}/bin/node ${connector}/build-cli/bwdc.js data-file + + ${nodejs}/bin/node ${connector}/build-cli/bwdc.js config server ${cfg.domain} + + # now login to set credentials + ${nodejs}/bin/node ${connector}/build-cli/bwdc.js login + + # set the ldap details + sed -i 's/"ldap": null/"ldap": ${sed_string ldap_data}/' ${cfg.directory}/data.json + + # set the client id + orgID=$(echo $BW_CLIENTID | sed 's/organization\.//g') + sed -i "s/\"organizationId\": null/\"organizationId\": \"$orgID\"/" ${cfg.directory}/data.json + + # and sync data + sed -i 's/"sync": null/"sync": ${sed_string sync_data}/' ${cfg.directory}/data.json + + # final config + ${nodejs}/bin/node ${connector}/build-cli/bwdc.js config directory 0 + ${nodejs}/bin/node ${connector}/build-cli/bwdc.js config ldap.password --secretenv ${cfg.ldap.pw_env} + ''; + + ExecStart = ''${nodejs}/bin/node ${connector}/build-cli/bwdc.js sync''; + + EnvironmentFile = [ + "${cfg.env.ldap}" + "${cfg.env.bitwarden}" + ]; + }; + }; + }; + }; +} diff --git a/applications/bitwarden/bitwarden_sync.nix b/applications/bitwarden/bitwarden_sync.nix new file mode 100644 index 0000000..a993846 --- /dev/null +++ b/applications/bitwarden/bitwarden_sync.nix @@ -0,0 +1,64 @@ +{ + pkgs, + config, + lib, + ... +}: let +in { + imports = [ + ./_bitwarden_sync_module.nix + ]; + + options = {}; + + config = { + age.secrets.bitwarden_sync_api.file = ../../secrets/bitwarden/api.age; + age.secrets.bitwarden_sync_ldap.file = ../../secrets/ldap/details.age; + + services.bitwarden_connector = { + enable = true; + + domain = "https://pw.skynet.ie"; + + ldap = { + ssl = false; + startTls = false; + sslAllowUnauthorized = false; + ad = false; + port = 389; + hostname = "account.skynet.ie"; + root = "dc=skynet,dc=ie"; + username = "cn=admin,dc=skynet,dc=ie"; + pw_env = "LDAP_ADMIN_PW"; + }; + + sync = { + removeDisabled = true; + overwriteExisting = false; + largeImport = false; + memberAttribute = "member"; + creationDateAttribute = "skCreated"; + emailPrefixSuffix.enable = false; + users = { + enable = true; + path = "ou=users"; + objectClass = "inetOrgPerson"; + emailAttribute = "skMail"; + filter = "(|(memberOf=cn=skynet-committee,ou=groups,dc=skynet,dc=ie)(memberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))"; + }; + groups = { + enable = true; + path = "ou=groups"; + objectClass = "groupOfNames"; + nameAttribute = "cn"; + filter = ""; + }; + }; + + env = { + bitwarden = config.age.secrets.bitwarden_sync_api.path; + ldap = config.age.secrets.bitwarden_sync_ldap.path; + }; + }; + }; +} diff --git a/applications/bitwarden/vaultwarden.nix b/applications/bitwarden/vaultwarden.nix new file mode 100644 index 0000000..22808e9 --- /dev/null +++ b/applications/bitwarden/vaultwarden.nix @@ -0,0 +1,93 @@ +{ + config, + pkgs, + lib, + inputs, + ... +}: +with lib; let + cfg = config.services.skynet_vaultwarden; + + domain_sub = "pw"; + domain = "${domain_sub}.skynet.ie"; +in { + imports = [ + ../acme.nix + ../dns.nix + ../nginx.nix + ]; + + options.services.skynet_vaultwarden = { + enable = mkEnableOption "Skynet vaultwarden server"; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + }; + + config = mkIf cfg.enable { + #backups = [ "/etc/silver_ul_ical/database.db" ]; + + # Website config + skynet_acme.domains = [ + domain + ]; + + skynet_dns.records = [ + { + record = domain_sub; + r_type = "CNAME"; + value = cfg.host.name; + } + ]; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + useACMEHost = "skynet"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + }; + }; + + # has ADMIN_TOKEN and SMTP_PASSWORD + age.secrets.bitwarden_details.file = ../../secrets/bitwarden/details.age; + + services.vaultwarden = { + enable = true; + + environmentFile = config.age.secrets.bitwarden_details.path; + config = { + DOMAIN = "https://${domain}"; + SENDS_ALLOWED = true; + SIGNUPS_ALLOWED = false; + + INVITATION_ORG_NAME = "Skyhold"; + + ORG_GROUPS_ENABLED = true; + + USE_SENDMAIL = false; + + SMTP_HOST = "mail.skynet.ie"; + SMTP_FROM = "vaultwarden@skynet.ie"; + SMTP_FROM_NAME = "Skynet Bitwarden server"; + SMTP_SECURITY = "starttls"; + SMTP_PORT = 587; + + SMTP_USERNAME = "vaultwarden@skynet.ie"; + SMTP_AUTH_MECHANISM = "Login"; + SMTP_EMBED_IMAGES = true; + + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + + ROCKET_LOG = "critical"; + }; + }; + }; +} diff --git a/machines/kitt.nix b/machines/kitt.nix index da699d3..5891571 100644 --- a/machines/kitt.nix +++ b/machines/kitt.nix @@ -23,6 +23,8 @@ in { imports = [ ../applications/ldap/server.nix ../applications/discord.nix + ../applications/bitwarden/vaultwarden.nix + ../applications/bitwarden/bitwarden_sync.nix ]; deployment = { @@ -66,4 +68,13 @@ in { services.discord_bot = { enable = true; }; + + services.skynet_vaultwarden = { + enable = true; + + host = { + ip = ip_pub; + name = name; + }; + }; } diff --git a/secrets/bitwarden/api.age b/secrets/bitwarden/api.age new file mode 100644 index 0000000..e92f6e7 --- /dev/null +++ b/secrets/bitwarden/api.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 V1pwNA 9sIoEpzKd/eI94AuhnxT1jyTIpLiqvNLvZ2oDqEzXUY +YstVwGRjZUXguF+MVJrzi4pj4h3YJI222mw0yzZf6NQ +-> ssh-ed25519 4PzZog 7kF/5y4OqdF88N4Dhx7G93fUCO2RwR+6QxWn5tH6RVQ +cV2hwmEhwGWIjpktlUnXDvBU8Zlc0nHNfDgrhNnH9+g +-> ssh-ed25519 5Nd93w Wjt9rcp1YEgkt9/P8vYUeVbNA420drbz/mZZERZFUGU +VE5a0Wx5WTy12cCm2Vg3J8GYQ1B+WnEca/FTFPhZ3nE +-> ssh-ed25519 q8eJgg EmdkKgMt9LkZSVm0pN0vf35p8UwpBWzF/cC32VviyQM +Ii+g+vgMoCj9XYpCoOyTD4sahYNUhbQRoDwgDnZCUEU +-> ssh-ed25519 IzAMqA pNlr1079F7f8zqfb4bujzQPNahoKUBH4GShDu9g2r30 +FUa1QqHBLy2qb4eHYeZgQetyjX44LnckPlv46694Sds +-> 1-grease Jr S68AA 6z@gP Y) + +--- mEkHKhEzkas0RT9tzEVFeEenFW6Av4E0uXzCeYgCdRA +,BU@!*y +C1!t{b*leHOh#/V,5J:)4f ssh-ed25519 V1pwNA d3Xy8iQxiSb8gV8NRqBAxBm0g5V1INUAeHJDFdAqe3o +Uaw/Q/BjZabCWBoKJmSICiUn8/OWXjj+/sx0BZKxWj8 +-> ssh-ed25519 4PzZog qxpYb+zz05nntFRA8k0ZwWSmpvOA8gnf8AaBuy5xyhQ +ssOtug0RBDkPbSEC4Acs/UNelfLmkLLH2pEm0geAuVE +-> ssh-ed25519 5Nd93w iXfwzbDeUuFqwXPztMdaBXnfXY7W8sQXmcxEtMqkPzM +t88pMxJ09RtrNEd1tn8N5iUh2mnaHwzb3dD6xlt8jRw +-> ssh-ed25519 q8eJgg 4NAejBkAf4tZEsq6YsWJiOTq3wBBkDHB3Z1CFG8LeSk +yIicVNLUkaHs9RzaEFFn0SVqR5QiKNJZShehiEfvTh4 +-> ssh-ed25519 IzAMqA orpGqetn3ND76DC2QejaGnAlPDlV43l7/GdJB47SFQA +U0Bm9/VgoY6/dwIdqZpOY5rQc5j/TBlKzRS8rndyxu4 +-> _-grease yOwV[T R\ b>SI aVM^#_X +VfqPBdd5CK3GXPcBxXzbq9ak7qYJrnrxU7O7pKmfavJJ55dsmXKvEI7NE2tgASsr +Gxc1ttbQ4310R2CN0IM7xvMRLQsg/MnA2WGiwO52OYkHJXZ/i9F8ro4sq8q5cJE +--- T8NUXH3YnnAIycabcEi8uFUfnDuvdgy3COrUoPPA+lQ +QýPE*NcY޳ Y튰nKBaz^fJyhW!u|dDq'}6^5wSk1%Nsmwi+|Dpϔqr!1ə ?H$(f͐gKn{a93tl܂GbrでbMY(`y&,'{= \ No newline at end of file diff --git a/secrets/email/details.age b/secrets/email/details.age index 677a153..3c73aa0 100644 --- a/secrets/email/details.age +++ b/secrets/email/details.age @@ -1,23 +1,23 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA P02Xzq2IYlbZMvvBUjy6eM0FN1CfSyCinTJnQrZUUlg -QU9CrDYFL0KwDiH9T0zOzydeJBm4eS+Rp4m2ozA3FA0 --> ssh-ed25519 4PzZog 0dqzbH7AY96+GFtwrkrcxYKuO/c9eBPgdxMKa1qliw0 -y0Kx5IG3CCzFcXM5MuS3eLij/l7QFKaHlr3VQty+gsA --> ssh-ed25519 5Nd93w i9j9spcBf2ww6koxQu+802p8ua70VmQTtuLNC/v8MzY -wgYQc+JdSPd2cen/mQyL4NVn9fHtRsHX0E5lDW06yMs --> ssh-ed25519 q8eJgg L55YurMQv+czgj6uwgHS3L2vX2A5VYRcUEXsGcj0r38 -vLRAuYLEljcVqVXs6k0hrVQNkRIpvvpCUeMP4jWVItQ --> ssh-ed25519 IzAMqA Q1wP64lIZtvFPa0wAD+jQZtS7NwDr4rkthZEoVtuJjo -EnLKgtFFpzEKpLZMatZFNTt0rINciFUryYd0GMIUSp0 --> ssh-ed25519 uZzB3g EwOnsGci+aqHj7XR+sVCi2pNowFbTLtQimzFNHy7LTo -jtl2RhtNayPr44rrZ1ESgR6p1hDJg1h70flu/0rDCjg --> ssh-ed25519 Hb0ipQ Jmcvd8zOLb7qf2ZIY1HsBrMA3wETGJFUTicBb/Gf2n4 -RTiE+f1N+npbnh1M20x76MJ/uj/5SDTdWKj1uMWPThM --> ssh-ed25519 IzAMqA cSzsukksm2E0coLmIXmd6DsEs/gHmIeGfcH/unNd1B4 -6ThlGLwm5iFG/UXoNMtAup909MVxz5JTpK45HJDeYFk --> d7'/PSOq-grease BF, -ka0OOXHqf7TrhcdP9NFMQVGlF2x+fnC5PRZba5o ---- s5GXDMgktkfdge6Ndk1J8ooCdXVsryH9XzD2+TF6wC8 -`2S -%͋cA2 w L(q\0})D#k)Y\&X"į506|4)._vD6Nҽ*+R)59 -E} ~gC1 ea \ No newline at end of file +-> ssh-ed25519 V1pwNA jq+XbDiOKLZYMvnmsSod+uedgov0IG0owyKLnh8UWSE +Qvoh1P8BCj677JtljcNsz+wlimAsOc6VhUMJhV1GqiU +-> ssh-ed25519 4PzZog QW53/Ugxrrxc409WcGAIvM1/Y4Vmx3ApggipX/eIEjw +IAYk1jPQmim0+TItOXAskS3PVgCnZDtYdIBKlvcLxwA +-> ssh-ed25519 5Nd93w sCuEYWuaUPIMRjZXmggeeWCgkIaJT7D5bAXb2ixWq2Q +1o9D3Uz/mNnh4ys0I78j25MiKlHqhGdaP+D8HvtpOWY +-> ssh-ed25519 q8eJgg 6WC13FFyND94sHo7cbG+3uZUNsmy42DmpUOVkCmVbHw +RJJ+3aUtwP1M4bDkiHKr0uz+HwRwH0bAn+GPEs4utGQ +-> ssh-ed25519 IzAMqA 87Jsefduk7iRFF84+ZvPGdTpz/FzRYuzg9UkbPQxPW8 +xBUyjiOg9/zq28fXFo2/kHitPuz3HaZ+ckEwgWqYXH4 +-> ssh-ed25519 uZzB3g 2/G93JVSGG8Bq3TzXiC7VxGvLgt8VpfBDxNLnsQJnzQ +eqvUUuCxDnj1YJt31bOXEZtCk6W8Fb073LUp6JoCLSs +-> ssh-ed25519 Hb0ipQ VrLe6mWpNh3VasQNuZoYVSG+UoExVvp9plKEuRi6+DQ +xem0syYeUihXShPuhN4Y0caleqYD3Guw89phtQ+IzHw +-> ssh-ed25519 IzAMqA Ki9fF+v0YtXbnZFOX9Qyp2RF8NkvtgVM2vWxvc7TiDI +parIXPuSLa9NKLw3tUJFWK3FsGfD85h+DL28y5sNgrk +-> c{-grease -ufY Ew| +tdST+ze++xYVJLumh6+FoeoLRYS2WKdR/HSY8UphDPJx1OW+2ZSJNyG5XjTX582r +zSM85sEgYsJe0arZqPDHwnjssUCkAuiLMZM8atLM +--- PICAIqdJW/DCPw9lvrRLsdMJLUFsE48EQxd03DboxqI +Hr !{'!yo$0:d6ituRf; ʹ݈?Ma6l; +P@pXkir& |2S#څ6A@~T*R/ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 385da2c..cc13d63 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -93,6 +93,10 @@ let nextcloud = [ cadie ]; + + bitwarden = [ + kitt + ]; in { # nix run github:ryantm/agenix -- -e secret1.age @@ -115,7 +119,7 @@ in { # for ldap "ldap/pw.age".publicKeys = users ++ ldap; # for use connectring to teh ldap - "ldap/details.age".publicKeys = users ++ ldap ++ discord; + "ldap/details.age".publicKeys = users ++ ldap ++ discord ++ bitwarden; # everyone has access to this "backup/restic.age".publicKeys = users ++ systems; @@ -133,4 +137,8 @@ in { # handles pulling in data from teh wolves api "wolves/details.age".publicKeys = users ++ ldap ++ discord; + + # for bitwarden connector + "bitwarden/api.age".publicKeys = users ++ bitwarden; + "bitwarden/details.age".publicKeys = users ++ bitwarden; }