diff --git a/applications/bitwarden/_bitwarden_sync_module.nix b/applications/bitwarden/_bitwarden_sync_module.nix index 6a45fb8..7582397 100644 --- a/applications/bitwarden/_bitwarden_sync_module.nix +++ b/applications/bitwarden/_bitwarden_sync_module.nix @@ -46,12 +46,6 @@ in { description = lib.mdDoc "Folder to store the config file."; default = "/etc/bitwarden/bwdc"; }; - - pw_env = mkOption { - type = types.str; - description = lib.mdDoc "The ENV var that the ldap password is stored."; - default = "LDAP_PW"; - }; interval = mkOption { type = types.str; default = "*:0,15,30,45"; @@ -229,14 +223,20 @@ in { }; }; - env = { + secrets = { ldap = mkOption rec { type = types.str; description = "Auth for the LDAP, has value defined in {option}`pw_env"; }; - bitwarden = mkOption rec { - type = types.str; - description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET"; + bitwarden = { + client_path_id = mkOption rec { + type = types.str; + description = "Path to file that contains Client ID."; + }; + client_path_secret = mkOption rec { + type = types.str; + description = "Path to file that contains Client Secret."; + }; }; }; }; @@ -290,6 +290,8 @@ in { ${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain} # now login to set credentials + export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})" + export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})" ${cfg.package}/bin/${cfg.binary_name} login jq '.authenticatedAccounts[0] as $account @@ -306,7 +308,7 @@ in { # final config ${cfg.package}/bin/${cfg.binary_name} config directory 0 - ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env} + ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretfile ${cfg.secrets.ldap} ''; ExecStart = "${cfg.package}/bin/${cfg.binary_name} sync"; 
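Review bot: The description of the new `secrets.ldap` option still reads 'has value defined in {option}`pw_env', but the hunk above removes `pw_env` in this same commit and the value is now a file path handed to `--secretfile` further down. Suggest `description = "Path to a file containing the LDAP bind password; read by the connector via --secretfile.";`, stating the contract the same way the sibling `client_path_id`/`client_path_secret` options do. The `rec` on these `mkOption` calls is unused and can be dropped. Earlier options in this file wrap their descriptions in `lib.mdDoc` while the three new ones do not, which is a small inconsistency worth aligning one way or the other.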
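Review bot: The two `export` lines read the client id and secret with `$(< path)` but nothing checks that the files exist and are non-empty, so a missing or unreadable secret (for example a wrong `owner` on the agenix entry) silently produces an empty `BW_CLIENTSECRET` and the subsequent `login` fails with an unhelpful error. A guard ahead of the exports such as `[ -s ${escapeShellArg cfg.secrets.bitwarden.client_path_secret} ] || { echo "bitwarden client secret missing" >&2; exit 1; }` (and the same for the id file) makes the failure explicit. Because the values are `export`ed they remain in the environment of every later command in this pre-start script (`jq`, the `config` calls), whereas only `login` needs them; passing them inline, `BW_CLIENTID="$(< …)" BW_CLIENTSECRET="$(< …)" ${cfg.package}/bin/${cfg.binary_name} login`, limits their exposure to that one process. The ExecStartPre script this belongs to begins and ends outside the hunk.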
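Review bot: `${cfg.secrets.ldap}` is interpolated into the `--secretfile` argument unquoted, while the new exports in the hunk above wrap the sibling paths in `escapeShellArg`; a path containing whitespace or shell metacharacters would be split or misparsed here. Suggest `${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretfile ${escapeShellArg cfg.secrets.ldap}` for consistency. Since `ldap.password` is now sourced from a file rather than from the `LDAP_ADMIN_PW` environment variable, it is worth confirming that the file holds only the bare password; a KEY=value line in the EnvironmentFile style would presumably be stored verbatim as the password. The enclosing script continues outside the hunk.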
@@ -314,11 +316,6 @@ in { ExecStartPost = pkgs.writeShellScript "bitwarden_directory_connector-cleanup" '' rm -f -- ${escapeShellArg cfg.directory}/data.json ''; - - EnvironmentFile = [ - "${cfg.env.ldap}" - "${cfg.env.bitwarden}" - ]; }; }; }; diff --git a/applications/bitwarden/bitwarden_sync.nix b/applications/bitwarden/bitwarden_sync.nix index 983904c..4136b97 100644 --- a/applications/bitwarden/bitwarden_sync.nix +++ b/applications/bitwarden/bitwarden_sync.nix @@ -4,6 +4,7 @@ lib, ... }: let + user = "bwdc"; in { imports = [ ./_bitwarden_sync_module.nix @@ -12,18 +13,31 @@ in { options = {}; config = { - age.secrets.bitwarden_sync_api.file = ../../secrets/bitwarden/api.age; - age.secrets.bitwarden_sync_ldap.file = ../../secrets/ldap/details.age; + age.secrets.bitwarden_sync_id = { + file = ../../secrets/bitwarden/id.age; + owner = user; + group = user; + }; + age.secrets.bitwarden_sync_secret = { + file = ../../secrets/bitwarden/secret.age; + owner = user; + group = user; + }; + age.secrets.bitwarden_sync_ldap = { + file = ../../secrets/ldap/pw.age; + owner = user; + group = user; + }; services.bitwarden_directory_connector = { enable = true; + user = user; + domain = "https://pw.skynet.ie"; package = pkgs.callPackage ./_bitwarden-directory-connector.nix {}; - pw_env = "LDAP_ADMIN_PW"; - ldap = { ssl = false; startTls = false; @@ -54,9 +68,12 @@ in { groupNameAttribute = "cn"; }; - env = { - bitwarden = config.age.secrets.bitwarden_sync_api.path; + secrets = { ldap = config.age.secrets.bitwarden_sync_ldap.path; + bitwarden = { + client_path_id = config.age.secrets.bitwarden_sync_id.path; + client_path_secret = config.age.secrets.bitwarden_sync_secret.path; + }; }; }; }; diff --git a/secrets/bitwarden/api.age b/secrets/bitwarden/api.age deleted file mode 100644 index 44e2959..0000000 Binary files a/secrets/bitwarden/api.age and /dev/null differ 
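Review bot: `user = user;` in the `services.bitwarden_directory_connector` block can be written `inherit user;`, which is the idiomatic form and avoids the self-referential look. The three `age.secrets.*` entries repeat `owner = user; group = user;`; a small local set such as `secretOwner = { owner = user; group = user; };` merged into each entry with `//` keeps the ownership in one place. The module hunks on the line above do not show a `user` option being added, so it presumably already exists in `_bitwarden_sync_module.nix`; worth confirming the service really runs as `bwdc`, because the secrets are now readable only by that owner and the pre-start script reads them directly instead of via systemd's `EnvironmentFile`.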
diff --git a/secrets/bitwarden/details.age b/secrets/bitwarden/details.age index 4d10a48..5e36846 100644 Binary files a/secrets/bitwarden/details.age and b/secrets/bitwarden/details.age differ diff --git a/secrets/bitwarden/id.age b/secrets/bitwarden/id.age new file mode 100644 index 0000000..f9d1e61 Binary files /dev/null and b/secrets/bitwarden/id.age differ diff --git a/secrets/bitwarden/secret.age b/secrets/bitwarden/secret.age new file mode 100644 index 0000000..bb4a338 --- /dev/null +++ b/secrets/bitwarden/secret.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 V1pwNA BxPb6d6nlJHiTkbcwOoPrvAPBuR1iJSFAXIp9n23Ix0 +hl0X3RjOEYp2G1QU4SC6CBF5YVlCWiakMsRbGTBYkzs +-> ssh-ed25519 4PzZog Nf/tUysmhTfzaoHhubwdQ5NKZw5SBd3CEs129FGkuio +750oaBtfeBEpDuasZFr7RY5uBzFZZNMNGQkRyFfEGCo +-> ssh-ed25519 5Nd93w fI9TNLWkDkvLCDA8eTMfVw7fRPylWHPGzPupya737xY +wQcz+yf+EqDNmRWqldNuQjjy9tKc1zN//yumtGpGbaM +-> ssh-ed25519 q8eJgg T9Iv+fRwmOLYMXe3ur6dqudA1z2wQsKQX6ogkyQT3Fw +LBYKL2OtLiwq25FkvZjT4H3tu8fOA+KFmFp5vjbncLI +-> ssh-ed25519 IzAMqA O9JfKAlOUao2S14iczlnTzT2sTSAM1vOR5KjO8eJMG0 +ioTSe6X4E6jE4c9Utl2d6EUHZYilnbtRnB5QJg3S3Q4 +-> 6&-grease +BkWorA2LiphyWLmdV3AeKsI +--- +MO1wX7pJf7eq4MkiWSP+xyxThI5jnfseS8jd7LbFoY +WV>dD"`i+ ǸլSмkHOjt*k؏Ԣ9P \ No newline at end of file diff --git a/secrets/ldap/pw.age b/secrets/ldap/pw.age index 7bcc8ba..84ca23d 100644 --- a/secrets/ldap/pw.age +++ b/secrets/ldap/pw.age 
@@ -1,20 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA y4Jn8Hbj1tfjCM5x0uNHYMgFUNDr6KHCcuXoPxlT9RY -tbBvpE6eGiBTpUdIq4qgZ9JRC9RptiqV+b0xghMITgA --> ssh-ed25519 4PzZog e+daH2rT2eant/6TKRpcWs6upAMZ3Xw9SnRWtXo/s0Y -mDvQxqaj2XYnZ0SPMW1CeaWiWBalHt3LsEgHeEwCbQ0 --> ssh-ed25519 5Nd93w AXtyVYaQ2LEIM2rqrh8blQHt51qDfwQ3aiI5RRvgtHo -sSfCow1fkwpYuT2WQhFzuuDqKIrR0wxBrWxOcrPRC3A --> ssh-ed25519 q8eJgg LS2iaiXUINhcAv131p1TftyQOBz/efp1+IV2tUkHwDw -ZW3ktiCi8vTspB6Sc7tq9tSAaDMtyHL5FADXLi9nlxc --> ssh-ed25519 IzAMqA SH4eaJm8kdw6Pf4eIQGsMx3Wg9dRkEjCkjbpSWPxSGE -YKTUSXXyswYkfFUdYB963isQXAEaMefQsNIDwCmwt8o --> ssh-ed25519 uZzB3g W1aPkpNkRJufFmDy+GoWJmwi3a5jp3RWyTiKSPP+2HM -N+njssQYN1tMmfcvYcFHmPR1gYSom3aJkVsTIHUpslg --> ssh-ed25519 Hb0ipQ hvEFVHPzRtX2T8AbEk/rWIf5QGDE2kmQFylFVWzHmG0 -NWwpgmqnIMUDFeHynofn+1GTe2nNWI+YOelmuLC7hhI --> WEEa'-grease \ NIu4o?\m S;\E"U. -SZy71FpmUaUVoMICsdVcYZ1i4zbDmq4+w/fKB/Dkepm5dX3u3kRimmYdOp7S/s8H -3GaZ5oFXeBt3Alj6Vw3UizOZjPwWbyyA/Q ---- ARW6OvhJD/OEtsgEnb3x0bf5xBUYaZ0eZzXfvc5K9rw -H?ɖEUP].)S(͕XN}4o{Ƹw e1!Q3¤tl;dw__(K6F#_nL(%4%eB}K i i,IGQ:\ŽU⍧d>A<4]#` \ No newline at end of file +-> ssh-ed25519 V1pwNA 7xMn5rTcihSdgzDvXVBCbcGX8d428ytwBK0G1TOAMBQ +AYXY36I3DdQc8TJeWknIW8HFRZKXalkwBnJp5J4HjKM +-> ssh-ed25519 4PzZog +V5lAWzv8+NbK3jZZeCc491F2dLcCMqaVbzX14nPcS8 +c6DqiOextznWRSOtsR8KJmyGSJL+Ubx9jHVSeH0w+zs +-> ssh-ed25519 5Nd93w 7JnyPksmvytXPorlyoNPrh8BSsZNCAXXILKlS8F+ogk +iStkE+rT43h0zkgcRehbVTX1wGYZkJj0/zIQilm78Ak +-> ssh-ed25519 q8eJgg 6EGWaxyf1vDSzdvRU4+XEsVEfaj3K6dE/3tt8MA5YAE +CrIad5K2lTWlDh7jLZr+nIWtdWpRYg6HVt0HbhmMaMk +-> ssh-ed25519 IzAMqA eh7mAmV0l35n55rnmMPV6N/MUxrCKT+v7OFKNZlakgU +6cBUHDuHX6/5x84WFIbxlVVtIyx4eiJaGB9TP718u2A +-> ssh-ed25519 uZzB3g RbnBlsD9bSqG2W6RC8eWFhV3hVSx6ItFbH+irxa+uFk +mNGkTJODGb+anzqrWIX53AfUfMBjhZMdRF4ZGmT+bBM +-> ssh-ed25519 Hb0ipQ 9dQNJXGE3uIVPGLi2J/TCVW2xPem/qwKAEq/GPzEl0E +VTQYcZjCUTkom7bloTaIvR+/fA4rNwBUU2YzCUX1sss +-> ssh-ed25519 IzAMqA Q/SCKGBzFVtk2fkXYF4cyWWSdGG8BiSztPLHyr3UnCQ 
+l75JzJC9hRp34yA3cBUkDOupA4UTifxSwVNqb+aWXZk +-> T4-grease & M~o 5A#" =^Z3b: +oI4xOpmGL8b+HPrdKyMomAuW2AfCqCvXxbIv7NSA+nd1dYH/QFuw +--- vSy8f0+j42gCL0K7N8yZlWajUMwKKtGptqKP6ajbW1U +wϑm*tXt.JhAޞ*ӊ叉QhwaZ!6`SXׁpu l9nˋli&Cf֥:v^=$1= gycKk@@Zc#̙d#e_.(68 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 33ecbb3..3cdbeec 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -117,7 +117,7 @@ in { "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; # for ldap - "ldap/pw.age".publicKeys = users ++ ldap; + "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden; # for use connectring to teh ldap "ldap/details.age".publicKeys = users ++ ldap ++ discord ++ bitwarden; @@ -139,6 +139,7 @@ in { "wolves/details.age".publicKeys = users ++ ldap ++ discord; # for bitwarden connector - "bitwarden/api.age".publicKeys = users ++ bitwarden; + "bitwarden/id.age".publicKeys = users ++ bitwarden; + "bitwarden/secret.age".publicKeys = users ++ bitwarden; "bitwarden/details.age".publicKeys = users ++ bitwarden; }
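Review bot: Adding `bitwarden` to the recipients of `ldap/pw.age` lets the connector host decrypt the directory's main LDAP credential; the option value `LDAP_ADMIN_PW` removed from bitwarden_sync.nix suggests this is the admin bind password, whereas a directory sync only needs read access. A dedicated read-only bind account with its own `.age` file (recipients `users ++ bitwarden` only) would limit what a compromise of the connector host exposes and would let `ldap/pw.age` keep its previous recipient list. If that is not practical, at least extend the `# for ldap` comment to record that the bitwarden host is a deliberate extra recipient. The second hunk on this line (`bitwarden/id.age`, `bitwarden/secret.age`) follows the existing pattern and needs no change.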