bitwarden: brought in line with the nixpkgs again. (again)

This commit is contained in:
silver 2023-11-25 22:41:48 +00:00
parent 600d1f755f
commit de69ca69c9
3 changed files with 116 additions and 121 deletions


@ -3,12 +3,11 @@
buildNpmPackage, buildNpmPackage,
fetchFromGitHub, fetchFromGitHub,
pkgs, pkgs,
git, jq,
python3, python3,
pkg-config, pkg-config,
libsecret, libsecret,
nodejs_18, nodejs_18,
makeWrapper,
}: let }: let
buildNpmPackage' = buildNpmPackage.override {nodejs = nodejs_18;}; buildNpmPackage' = buildNpmPackage.override {nodejs = nodejs_18;};
in in
@ -20,10 +19,14 @@ in
owner = "bitwarden"; owner = "bitwarden";
repo = "directory-connector"; repo = "directory-connector";
rev = "v${version}"; rev = "v${version}";
hash = "sha256-CgaCnMWNVWCJBypNcdoseVCwD8Mlq4YaWpK+VZT/7Qk="; hash = "sha256-PlOtTh+rpTxAv8ajHBDHZuL7yeeLVpbAfKEDPQlejIg=";
leaveDotGit = true;
}; };
postPatch = ''
jq 'del(.scripts.preinstall)' package.json > package.json.tmp
mv -f package.json{.tmp,}
'';
npmDepsHash = "sha256-jBAWWY12qeX2EDhUvT3TQpnQvYXRsIilRrXGpVzxYvw="; npmDepsHash = "sha256-jBAWWY12qeX2EDhUvT3TQpnQvYXRsIilRrXGpVzxYvw=";
env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1"; env.ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
@ -33,15 +36,16 @@ in
installPhase = '' installPhase = ''
runHook preInstall runHook preInstall
mkdir -p $out/bin mkdir -p $out/libexec/bitwarden-directory-connector
cp -R {build-cli,node_modules} $out cp -R {build-cli,node_modules} $out/libexec/bitwarden-directory-connector
runHook postInstall runHook postInstall
''; '';
# needs to be wrapped with nodejs so that it can be executed # needs to be wrapped with nodejs so that it can be executed
postInstall = '' postInstall = ''
chmod +x $out/build-cli/bwdc.js chmod +x $out/libexec/bitwarden-directory-connector/build-cli/bwdc.js
makeWrapper $out/build-cli/bwdc.js $out/bin/${pname} --prefix PATH:"${lib.makeBinPath [nodejs_18]}" mkdir -p $out/bin
ln -s $out/libexec/bitwarden-directory-connector/build-cli/bwdc.js $out/bin/bitwarden-directory-connector
''; '';
buildInputs = [ buildInputs = [
@ -49,18 +53,17 @@ in
]; ];
nativeBuildInputs = [ nativeBuildInputs = [
git jq
python3 python3
pkg-config pkg-config
makeWrapper
]; ];
meta = with lib; { meta = with lib; {
description = "A LDAP connector for Bitwarden"; description = "LDAP connector for Bitwarden";
homepage = "https://github.com/bitwarden/directory-connector"; homepage = "https://github.com/bitwarden/directory-connector";
license = licenses.gpl3Only; license = licenses.gpl3Only;
maintainers = with maintainers; [Silver-Golden]; maintainers = with maintainers; [Silver-Golden];
platforms = platforms.linux; platforms = platforms.linux;
mainProgram = "${pname}"; mainProgram = "bitwarden-directory-connector";
}; };
} }
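Review bot: The comment `# needs to be wrapped with nodejs so that it can be executed` above postInstall is now stale: the makeWrapper call it described was replaced by a plain symlink to bwdc.js, so nothing wraps the script anymore. Running it through the symlink presumably relies on bwdc.js's shebang being rewritten to the store nodejs by patchShebangs during fixupPhase — worth confirming the rewritten shebang resolves to nodejs_18 specifically, since buildNpmPackage' is overridden to pin that version and a different nodejs on the build PATH would silently win. I'd replace the comment with `# bwdc.js runs via its own shebang (patched in fixupPhase); a symlink is enough, no wrapper needed`. Dropping `leaveDotGit = true` together with the new source hash is the right call, since .git contents are not stable across fetches and broke reproducibility.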


@ -1,37 +1,20 @@
{ {
pkgs,
config, config,
lib, lib,
pkgs,
... ...
}: }:
with lib; let with lib; let
cfg = config.services.bitwarden_directory_connector; cfg = config.services.bitwarden-directory-connector;
ldap_data = builtins.toJSON cfg.ldap;
sync_data = builtins.toJSON cfg.sync;
in { in {
imports = []; options.services.bitwarden-directory-connector = {
options.services.bitwarden_directory_connector = {
enable = mkEnableOption "Bitwarden Directory Connector"; enable = mkEnableOption "Bitwarden Directory Connector";
package = mkOption { package = mkPackageOption pkgs "bitwarden-directory-connector" {};
type = types.package;
default = pkgs.bitwarden-directory-connector;
defaultText = literalExpression "pkgs.bitwarden-directory-connector";
description = lib.mdDoc "Reference to the Bitwarden Directory Connector package";
example = literalExpression "pkgs.bitwarden-directory-connector-example";
};
binary_name = mkOption {
type = types.str;
description = lib.mdDoc "The main binary for the connector.";
default = "bitwarden-directory-connector";
};
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessable on."; description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
example = "https://vaultwarden.example.com"; example = "https://vaultwarden.example.com";
}; };
@ -41,68 +24,71 @@ in {
default = "bwdc"; default = "bwdc";
}; };
directory = mkOption {
type = types.str;
description = lib.mdDoc "Folder to store the config file.";
default = "/etc/bitwarden/bwdc";
};
interval = mkOption { interval = mkOption {
type = types.str; type = types.str;
default = "*:0,15,30,45"; default = "*:0,15,30,45";
description = lib.mdDoc "When to run the connector, OnCalendar syntax."; description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
}; };
ldap = mkOption { ldap = mkOption {
description = lib.mdDoc "Options to configurate LDAP."; description = lib.mdDoc "Options to configure the LDAP connection.";
type = types.submodule { default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type; freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = { options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
ssl = mkOption { ssl = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = lib.mdDoc "Use SSL."; description = lib.mdDoc "Whether to use TLS.";
}; };
startTls = mkOption { startTls = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = lib.mdDoc "Use STARTTLS."; description = lib.mdDoc "Whether to use STARTTLS.";
};
sslAllowUnauthorized = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "";
};
port = mkOption {
type = types.int;
default = 389;
description = lib.mdDoc "Port LDAP is accessable on";
};
currentUser = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Unknown what this does.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Is Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "The LDAP server paginates search results.";
}; };
hostname = mkOption { hostname = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "The host the LDAP is accessable on."; description = lib.mdDoc "The host the LDAP is accessible on.";
example = "ldap.example.com"; example = "ldap.example.com";
}; };
port = mkOption {
type = types.port;
default = 389;
description = lib.mdDoc "Port LDAP is accessible on.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP server paginates search results.";
};
rootPath = mkOption { rootPath = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Root path for LDAP"; description = lib.mdDoc "Root path for LDAP.";
example = "dc=example,dc=com"; example = "dc=example,dc=com";
}; };
@ -112,26 +98,43 @@ in {
example = "cn=admin,dc=example,dc=com"; example = "cn=admin,dc=example,dc=com";
}; };
}; };
}; });
}; };
sync = mkOption { sync = mkOption {
description = lib.mdDoc "Options to configurate what gets synced."; description = lib.mdDoc "Options to configure what gets synced.";
type = types.submodule { default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type; freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = { options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
removeDisabled = mkOption { removeDisabled = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group."; description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
}; };
overwriteExisting = mkOption { overwriteExisting = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details."; lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
}; };
largeImport = mkOption { largeImport = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@ -146,7 +149,7 @@ in {
creationDateAttribute = mkOption { creationDateAttribute = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Attribute that lists a users creation date."; description = lib.mdDoc "Attribute that lists a user's creation date.";
example = "whenCreated"; example = "whenCreated";
}; };
@ -157,13 +160,13 @@ in {
}; };
emailPrefixAttribute = mkOption { emailPrefixAttribute = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Attribute that has a users username."; description = lib.mdDoc "The attribute that contains the users username.";
default = "accountName"; example = "accountName";
}; };
emailSuffix = mkOption { emailSuffix = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com."; description = lib.mdDoc "Suffix for the email, normally @example.com.";
default = "@example.com"; example = "@example.com";
}; };
users = mkOption { users = mkOption {
@ -178,7 +181,7 @@ in {
}; };
userObjectClass = mkOption { userObjectClass = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "A class that users will have."; description = lib.mdDoc "Class that users must have.";
default = "inetOrgPerson"; default = "inetOrgPerson";
}; };
userEmailAttribute = mkOption { userEmailAttribute = mkOption {
@ -188,7 +191,7 @@ in {
}; };
userFilter = mkOption { userFilter = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Filter for users."; description = lib.mdDoc "LDAP filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)"; example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
default = ""; default = "";
}; };
@ -196,7 +199,7 @@ in {
groups = mkOption { groups = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = lib.mdDoc "Sync groups."; description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
}; };
groupPath = mkOption { groupPath = mkOption {
type = types.str; type = types.str;
@ -215,25 +218,26 @@ in {
}; };
groupFilter = mkOption { groupFilter = mkOption {
type = types.str; type = types.str;
description = lib.mdDoc "Filter for groups."; description = lib.mdDoc "LDAP filter for groups.";
example = "(cn=sales)"; example = "(cn=sales)";
default = ""; default = "";
}; };
}; };
}; });
}; };
secrets = { secrets = {
ldap = mkOption rec { ldap = mkOption {
type = types.str; type = types.str;
description = "Auth for the LDAP, has value defined in {option}`pw_env"; description = "Path to file that contains LDAP password for user in {option}`ldap.username";
}; };
bitwarden = { bitwarden = {
client_path_id = mkOption rec { client_path_id = mkOption {
type = types.str; type = types.str;
description = "Path to file that contains Client ID."; description = "Path to file that contains Client ID.";
}; };
client_path_secret = mkOption rec { client_path_secret = mkOption {
type = types.str; type = types.str;
description = "Path to file that contains Client Secret."; description = "Path to file that contains Client Secret.";
}; };
@ -243,20 +247,16 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
users.groups."${cfg.user}" = {}; users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = { users.users."${cfg.user}" = {
createHome = true;
isSystemUser = true; isSystemUser = true;
home = "${cfg.directory}"; group = cfg.user;
group = "${cfg.user}";
homeMode = "711";
}; };
systemd = { systemd = {
timers.bitwarden_directory_connector = { timers.bitwarden_directory_connector = {
description = "Sync timer for Bitwarden Directory Connector"; description = "Sync timer for Bitwarden Directory Connector";
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
partOf = ["bitwarden_directory_connector.service"]; after = ["network-online.target"];
timerConfig = { timerConfig = {
OnCalendar = cfg.interval; OnCalendar = cfg.interval;
Unit = "bitwarden_directory_connector.service"; Unit = "bitwarden_directory_connector.service";
@ -266,62 +266,54 @@ in {
services.bitwarden_directory_connector = { services.bitwarden_directory_connector = {
description = "Main process for Bitwarden Directory Connector"; description = "Main process for Bitwarden Directory Connector";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = [];
path = [pkgs.jq]; path = [pkgs.jq];
environment = { environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = cfg.directory; BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true"; BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
}; };
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.user}"; PrivateTmp = true;
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" '' ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
# create the config file set -eo pipefail
${cfg.package}/bin/${cfg.binary_name} data-file
touch -- ${escapeShellArg cfg.directory}/data.json.tmp
chmod 600 ${escapeShellArg cfg.directory}/data.json
chmod 600 -- ${escapeShellArg cfg.directory}/data.json.tmp
${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain} # create the config file
${lib.getExe cfg.package} data-file
touch /tmp/data.json.tmp
chmod 600 /tmp/data.json{,.tmp}
${lib.getExe cfg.package} config server ${cfg.domain}
# now login to set credentials # now login to set credentials
export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})" export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})" export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
${cfg.package}/bin/${cfg.binary_name} login ${lib.getExe cfg.package} login
jq '.authenticatedAccounts[0] as $account jq '.authenticatedAccounts[0] as $account
| .[$account].directoryConfigurations.ldap |= $ldap_data | .[$account].directoryConfigurations.ldap |= $ldap_data
| .[$account].directorySettings.organizationId |= $orgID | .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \ | .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg ldap_data} \ --argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
--arg orgID "''${BW_CLIENTID//organization.}" \ --arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg sync_data} \ --argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
${escapeShellArg cfg.directory}/data.json \ /tmp/data.json \
> ${escapeShellArg cfg.directory}/data.json.tmp > /tmp/data.json.tmp
mv -f -- ${escapeShellArg cfg.directory}/data.json.tmp ${escapeShellArg cfg.directory}/data.json mv -f /tmp/data.json.tmp /tmp/data.json
# final config # final config
${cfg.package}/bin/${cfg.binary_name} config directory 0 ${lib.getExe cfg.package} config directory 0
${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretfile ${cfg.secrets.ldap} ${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
''; '';
ExecStart = "${cfg.package}/bin/${cfg.binary_name} sync"; ExecStart = "${lib.getExe cfg.package} sync";
ExecStartPost = pkgs.writeShellScript "bitwarden_directory_connector-cleanup" ''
rm -f -- ${escapeShellArg cfg.directory}/data.json
'';
}; };
}; };
}; };
}; };
meta = with lib; { meta.maintainers = with maintainers; [Silver-Golden];
maintainers = with maintainers; [Silver-Golden];
};
} }
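Review bot: In the ExecStartPre script, `cfg.domain` and `cfg.secrets.ldap` are interpolated into the shell unquoted (`config server ${cfg.domain}` and `--secretfile ${cfg.secrets.ldap}`) while the neighbouring client_path_id/client_path_secret values go through escapeShellArg; with `set -eo pipefail` now in place, a secret path containing a space or shell metacharacter aborts the login/config sequence in a confusing way instead of being passed through. Use `${escapeShellArg cfg.domain}` and `--secretfile ${escapeShellArg cfg.secrets.ldap}` for consistency with the rest of the script. Separately, `finalJSON` keeps only attributes whose `options.<name>.isDefined` is true, which in the module system presumably excludes options that are merely defaulted, so documented defaults such as `removeDisabled = true` or `port = 389` would never reach data.json and bwdc's own built-in defaults would apply instead — either document that or drop the defaults if that is intended. Writing data.json (plaintext LDAP password and client secret, given `BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true"`) to `/tmp` is only acceptable because of `PrivateTmp = true`, and since the explicit ExecStartPost cleanup was removed I'd make that dependency visible with `# data.json holds plaintext secrets; PrivateTmp keeps it unit-private and systemd discards it when the oneshot exits` next to the environment block.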


@ -29,7 +29,7 @@ in {
group = user; group = user;
}; };
services.bitwarden_directory_connector = { services.bitwarden-directory-connector = {
enable = true; enable = true;
user = user; user = user;