bitwarden: brought in line with the nixpkgs again.

applications/bitwarden/_bitwarden_sync_module.nix

@@ -46,12 +46,6 @@ in {
       description = lib.mdDoc "Folder to store the config file.";
       default = "/etc/bitwarden/bwdc";
     };
-
-    pw_env = mkOption {
-      type = types.str;
-      description = lib.mdDoc "The ENV var that the ldap password is stored.";
-      default = "LDAP_PW";
-    };
     interval = mkOption {
       type = types.str;
       default = "*:0,15,30,45";
@@ -229,14 +223,20 @@ in {
       };
     };
 
-    env = {
+    secrets = {
       ldap = mkOption rec {
         type = types.str;
         description = "Auth for the LDAP, has value defined in {option}`pw_env";
       };
-      bitwarden = mkOption rec {
+      bitwarden = {
-        type = types.str;
+        client_path_id = mkOption rec {
-        description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET";
+          type = types.str;
+          description = "Path to file that contains Client ID.";
+        };
+        client_path_secret = mkOption rec {
+          type = types.str;
+          description = "Path to file that contains Client Secret.";
+        };
       };
     };
   };
@@ -290,6 +290,8 @@ in {
             ${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain}
 
             # now login to set credentials
+            export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
+            export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
             ${cfg.package}/bin/${cfg.binary_name} login
 
             jq '.authenticatedAccounts[0] as $account
@@ -306,7 +308,7 @@ in {
 
             # final config
             ${cfg.package}/bin/${cfg.binary_name} config directory 0
-            ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env}
+            ${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretfile ${cfg.secrets.ldap}
           '';
 
           ExecStart = "${cfg.package}/bin/${cfg.binary_name} sync";
@@ -314,11 +316,6 @@ in {
           ExecStartPost = pkgs.writeShellScript "bitwarden_directory_connector-cleanup" ''
             rm -f -- ${escapeShellArg cfg.directory}/data.json
           '';
-
-          EnvironmentFile = [
-            "${cfg.env.ldap}"
-            "${cfg.env.bitwarden}"
-          ];
         };
       };
     };

applications/bitwarden/bitwarden_sync.nix

@@ -4,6 +4,7 @@
   lib,
   ...
 }: let
+  user = "bwdc";
 in {
   imports = [
     ./_bitwarden_sync_module.nix
@@ -12,18 +13,31 @@ in {
   options = {};
 
   config = {
-    age.secrets.bitwarden_sync_api.file = ../../secrets/bitwarden/api.age;
+    age.secrets.bitwarden_sync_id = {
-    age.secrets.bitwarden_sync_ldap.file = ../../secrets/ldap/details.age;
+      file = ../../secrets/bitwarden/id.age;
+      owner = user;
+      group = user;
+    };
+    age.secrets.bitwarden_sync_secret = {
+      file = ../../secrets/bitwarden/secret.age;
+      owner = user;
+      group = user;
+    };
+    age.secrets.bitwarden_sync_ldap = {
+      file = ../../secrets/ldap/pw.age;
+      owner = user;
+      group = user;
+    };
 
     services.bitwarden_directory_connector = {
       enable = true;
 
+      user = user;
+
       domain = "https://pw.skynet.ie";
 
       package = pkgs.callPackage ./_bitwarden-directory-connector.nix {};
 
-      pw_env = "LDAP_ADMIN_PW";
-
       ldap = {
         ssl = false;
         startTls = false;
@@ -54,9 +68,12 @@ in {
         groupNameAttribute = "cn";
       };
 
-      env = {
+      secrets = {
-        bitwarden = config.age.secrets.bitwarden_sync_api.path;
         ldap = config.age.secrets.bitwarden_sync_ldap.path;
+        bitwarden = {
+          client_path_id = config.age.secrets.bitwarden_sync_id.path;
+          client_path_secret = config.age.secrets.bitwarden_sync_secret.path;
+        };
       };
     };
   };

secrets/bitwarden/secret.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA BxPb6d6nlJHiTkbcwOoPrvAPBuR1iJSFAXIp9n23Ix0
+hl0X3RjOEYp2G1QU4SC6CBF5YVlCWiakMsRbGTBYkzs
+-> ssh-ed25519 4PzZog Nf/tUysmhTfzaoHhubwdQ5NKZw5SBd3CEs129FGkuio
+750oaBtfeBEpDuasZFr7RY5uBzFZZNMNGQkRyFfEGCo
+-> ssh-ed25519 5Nd93w fI9TNLWkDkvLCDA8eTMfVw7fRPylWHPGzPupya737xY
+wQcz+yf+EqDNmRWqldNuQjjy9tKc1zN//yumtGpGbaM
+-> ssh-ed25519 q8eJgg T9Iv+fRwmOLYMXe3ur6dqudA1z2wQsKQX6ogkyQT3Fw
+LBYKL2OtLiwq25FkvZjT4H3tu8fOA+KFmFp5vjbncLI
+-> ssh-ed25519 IzAMqA O9JfKAlOUao2S14iczlnTzT2sTSAM1vOR5KjO8eJMG0
+ioTSe6X4E6jE4c9Utl2d6EUHZYilnbtRnB5QJg3S3Q4
+-> 6&-grease
+BkWorA2LiphyWLmdV3AeKsI
+--- +MO1wX7pJf7eq4MkiWSP+xyxThI5jnfseS8jd7LbFoY
+¿ÕWV¥—>ådD­"ð`ûi+€Ç¸ÃæÕ¬ã<C2AC>ÂSмk°H¨Ojt<6A>±Ç*âòkßäŒØ<C592>ŒÔ¢9Ë×P

secrets/ldap/pw.age

@@ -1,20 +1,21 @@
 age-encryption.org/v1
--> ssh-ed25519 V1pwNA y4Jn8Hbj1tfjCM5x0uNHYMgFUNDr6KHCcuXoPxlT9RY
+-> ssh-ed25519 V1pwNA 7xMn5rTcihSdgzDvXVBCbcGX8d428ytwBK0G1TOAMBQ
-tbBvpE6eGiBTpUdIq4qgZ9JRC9RptiqV+b0xghMITgA
+AYXY36I3DdQc8TJeWknIW8HFRZKXalkwBnJp5J4HjKM
--> ssh-ed25519 4PzZog e+daH2rT2eant/6TKRpcWs6upAMZ3Xw9SnRWtXo/s0Y
+-> ssh-ed25519 4PzZog +V5lAWzv8+NbK3jZZeCc491F2dLcCMqaVbzX14nPcS8
-mDvQxqaj2XYnZ0SPMW1CeaWiWBalHt3LsEgHeEwCbQ0
+c6DqiOextznWRSOtsR8KJmyGSJL+Ubx9jHVSeH0w+zs
--> ssh-ed25519 5Nd93w AXtyVYaQ2LEIM2rqrh8blQHt51qDfwQ3aiI5RRvgtHo
+-> ssh-ed25519 5Nd93w 7JnyPksmvytXPorlyoNPrh8BSsZNCAXXILKlS8F+ogk
-sSfCow1fkwpYuT2WQhFzuuDqKIrR0wxBrWxOcrPRC3A
+iStkE+rT43h0zkgcRehbVTX1wGYZkJj0/zIQilm78Ak
--> ssh-ed25519 q8eJgg LS2iaiXUINhcAv131p1TftyQOBz/efp1+IV2tUkHwDw
+-> ssh-ed25519 q8eJgg 6EGWaxyf1vDSzdvRU4+XEsVEfaj3K6dE/3tt8MA5YAE
-ZW3ktiCi8vTspB6Sc7tq9tSAaDMtyHL5FADXLi9nlxc
+CrIad5K2lTWlDh7jLZr+nIWtdWpRYg6HVt0HbhmMaMk
--> ssh-ed25519 IzAMqA SH4eaJm8kdw6Pf4eIQGsMx3Wg9dRkEjCkjbpSWPxSGE
+-> ssh-ed25519 IzAMqA eh7mAmV0l35n55rnmMPV6N/MUxrCKT+v7OFKNZlakgU
-YKTUSXXyswYkfFUdYB963isQXAEaMefQsNIDwCmwt8o
+6cBUHDuHX6/5x84WFIbxlVVtIyx4eiJaGB9TP718u2A
--> ssh-ed25519 uZzB3g W1aPkpNkRJufFmDy+GoWJmwi3a5jp3RWyTiKSPP+2HM
+-> ssh-ed25519 uZzB3g RbnBlsD9bSqG2W6RC8eWFhV3hVSx6ItFbH+irxa+uFk
-N+njssQYN1tMmfcvYcFHmPR1gYSom3aJkVsTIHUpslg
+mNGkTJODGb+anzqrWIX53AfUfMBjhZMdRF4ZGmT+bBM
--> ssh-ed25519 Hb0ipQ hvEFVHPzRtX2T8AbEk/rWIf5QGDE2kmQFylFVWzHmG0
+-> ssh-ed25519 Hb0ipQ 9dQNJXGE3uIVPGLi2J/TCVW2xPem/qwKAEq/GPzEl0E
-NWwpgmqnIMUDFeHynofn+1GTe2nNWI+YOelmuLC7hhI
+VTQYcZjCUTkom7bloTaIvR+/fA4rNwBUU2YzCUX1sss
--> WEEa'-grease \ NIu4o?\m S;\E"U.
+-> ssh-ed25519 IzAMqA Q/SCKGBzFVtk2fkXYF4cyWWSdGG8BiSztPLHyr3UnCQ
-SZy71FpmUaUVoMICsdVcYZ1i4zbDmq4+w/fKB/Dkepm5dX3u3kRimmYdOp7S/s8H
+l75JzJC9hRp34yA3cBUkDOupA4UTifxSwVNqb+aWXZk
-3GaZ5oFXeBt3Alj6Vw3UizOZjPwWbyyA/Q
+-> T4-grease & M~o 5A#" =^Z3b:
---- ARW6OvhJD/OEtsgEnb3x0bf5xBUYaZ0eZzXfvc5K9rw
+oI4xOpmGL8b+HPrdKyMomAuW2AfCqCvXxbIv7NSA+nd1dYH/QFuw
-H?æô É––EµÏàUPë]·×.Øþ„)S—(‘Í•ì¯XN¢ }4Àþo{Ƹw	ÌÄe1¼!Qý3¶ž
¡…¤ÌÒtlÃ;dw½À_‘¦ñ_¹Ý(ùK6F#ñ¥ê_nŽL®(
%4%eõB}¡KÏã	‡ii,æú˜I<CB9C>GQ:£Ë\ðéŽUâ<>§d¦>A<4¿Ÿ]#`Ñ
+--- vSy8f0+j42gCL0K7N8yZlWajUMwKKtGptqKP6ajbW1U
+wÏ‘µm*¶¡tX§t.JúhA»Þž*
Á²ÓŠå<C5A0>‰æQŽh™ÏwÿËÍaZŒÅ
œ!Ï6`ÔéËSXÀéÙ×<C399>pu<70>ãïl¨¼²9n<39>ÒË‹lÁÎÄi&áC÷áæf <66>Ö¥:v^Ÿ=
Ò$1=‚
¡ãg¢¹ycK…µ‘kÚ@ê@Z¹cŠ­#Ì™ëÅd#e”›_.þ(6´8Þ

secrets/secrets.nix

@@ -117,7 +117,7 @@ in {
   "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
   # for ldap
-  "ldap/pw.age".publicKeys = users ++ ldap;
+  "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
   # for use connectring to teh ldap
   "ldap/details.age".publicKeys = users ++ ldap ++ discord ++ bitwarden;
 
@@ -139,6 +139,7 @@ in {
   "wolves/details.age".publicKeys = users ++ ldap ++ discord;
 
   # for bitwarden connector
-  "bitwarden/api.age".publicKeys = users ++ bitwarden;
+  "bitwarden/id.age".publicKeys = users ++ bitwarden;
+  "bitwarden/secret.age".publicKeys = users ++ bitwarden;
   "bitwarden/details.age".publicKeys = users ++ bitwarden;
 }