343 lines
11 KiB
Nix
343 lines
11 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
with lib; let
|
|
cfg = config.services.bitwarden_directory_connector;
|
|
|
|
ldap_data = builtins.toJSON cfg.ldap;
|
|
sync_data = builtins.toJSON cfg.sync;
|
|
|
|
# coping directly from nix https://github.com/NixOS/nixpkgs/blob/da4024d0ead5d7820f6bd15147d3fe2a0c0cec73/nixos/modules/config/nix.nix#L62C1-L76C49
|
|
semanticConfType = with types; let
|
|
confAtom =
|
|
nullOr
|
|
(oneOf [
|
|
bool
|
|
int
|
|
float
|
|
str
|
|
path
|
|
package
|
|
])
|
|
// {
|
|
description = "Nix config atom (null, bool, int, float, str, path or package)";
|
|
};
|
|
in
|
|
attrsOf (either confAtom (listOf confAtom));
|
|
|
|
json_string = string: builtins.replaceStrings ["\""] ["\\\""] string;
|
|
in {
|
|
imports = [];
|
|
|
|
options.services.bitwarden_directory_connector = {
|
|
enable = mkEnableOption "Bitwarden Directory Connector";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.bitwarden-directory-connector;
|
|
defaultText = literalExpression "pkgs.bitwarden-directory-connector";
|
|
description = lib.mdDoc "Reference to the Bitwarden Directory Connector package";
|
|
example = literalExpression "pkgs.bitwarden-directory-connector-example";
|
|
};
|
|
|
|
binary_name = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "The main binary for the connector.";
|
|
default = "bitwarden-directory-connector";
|
|
};
|
|
|
|
domain = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessable on.";
|
|
example = "https://vaultwarden.example.com";
|
|
};
|
|
|
|
user = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "User to run the program.";
|
|
default = "bwdc";
|
|
};
|
|
|
|
directory = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Folder to store the config file.";
|
|
default = "/etc/bitwarden/bwdc";
|
|
};
|
|
|
|
pw_env = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "The ENV var that the ldap password is stored.";
|
|
default = "LDAP_PW";
|
|
};
|
|
interval = mkOption {
|
|
type = types.str;
|
|
default = "*:0,15,30,45";
|
|
description = lib.mdDoc "When to run the connector, OnCalendar syntax.";
|
|
};
|
|
|
|
ldap = mkOption {
|
|
description = lib.mdDoc "Options to configurate LDAP.";
|
|
type = types.submodule {
|
|
freeformType = semanticConfType;
|
|
|
|
options = {
|
|
ssl = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Use SSL.";
|
|
};
|
|
startTls = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Use STARTTLS.";
|
|
};
|
|
sslAllowUnauthorized = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "";
|
|
};
|
|
port = mkOption {
|
|
type = types.int;
|
|
default = 389;
|
|
description = lib.mdDoc "Port LDAP is accessable on";
|
|
};
|
|
currentUser = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Unknown what this does.";
|
|
};
|
|
ad = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Is Active Directory.";
|
|
};
|
|
pagedSearch = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "The LDAP server paginates search results.";
|
|
};
|
|
|
|
hostname = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "The host the LDAP is accessable on.";
|
|
example = "ldap.example.com";
|
|
};
|
|
|
|
rootPath = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Root path for LDAP";
|
|
example = "dc=example,dc=com";
|
|
};
|
|
|
|
username = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "The user to authenticate as.";
|
|
example = "cn=admin,dc=example,dc=com";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
sync = mkOption {
|
|
description = lib.mdDoc "Options to configurate what gets synced.";
|
|
type = types.submodule {
|
|
freeformType = semanticConfType;
|
|
|
|
options = {
|
|
removeDisabled = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
|
|
};
|
|
overwriteExisting = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description =
|
|
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
|
|
};
|
|
largeImport = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
|
|
};
|
|
|
|
memberAttribute = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
|
|
example = "uniqueMember";
|
|
};
|
|
|
|
creationDateAttribute = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Attribute that lists a users creation date.";
|
|
example = "whenCreated";
|
|
};
|
|
|
|
useEmailPrefixSuffix = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
|
|
};
|
|
emailPrefixAttribute = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Attribute that has a users username.";
|
|
default = "accountName";
|
|
};
|
|
emailSuffix = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Suffix for the email, normally @example.com.";
|
|
default = "@example.com";
|
|
};
|
|
|
|
users = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Sync users.";
|
|
};
|
|
userPath = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "User directory, relative to root.";
|
|
default = "ou=users";
|
|
};
|
|
userObjectClass = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "A class that users will have.";
|
|
default = "inetOrgPerson";
|
|
};
|
|
userEmailAttribute = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Attribute for a users email.";
|
|
default = "mail";
|
|
};
|
|
userFilter = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Filter for users.";
|
|
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
|
|
default = "";
|
|
};
|
|
|
|
groups = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc "Sync groups.";
|
|
};
|
|
groupPath = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Group directory, relative to root.";
|
|
default = "ou=groups";
|
|
};
|
|
groupObjectClass = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "A class that groups will have.";
|
|
default = "groupOfNames";
|
|
};
|
|
groupNameAttribute = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Attribute for a name of group.";
|
|
default = "cn";
|
|
};
|
|
groupFilter = mkOption {
|
|
type = types.str;
|
|
description = lib.mdDoc "Filter for groups.";
|
|
example = "(cn=sales)";
|
|
default = "";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
env = {
|
|
ldap = mkOption rec {
|
|
type = types.str;
|
|
description = "Auth for the LDAP, has value defined in {option}`pw_env";
|
|
};
|
|
bitwarden = mkOption rec {
|
|
type = types.str;
|
|
description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
users.groups."${cfg.user}" = {};
|
|
|
|
users.users."${cfg.user}" = {
|
|
createHome = true;
|
|
isSystemUser = true;
|
|
home = "${cfg.directory}";
|
|
group = "${cfg.user}";
|
|
homeMode = "711";
|
|
};
|
|
|
|
systemd = {
|
|
timers.bitwarden_directory_connector = {
|
|
description = "Sync timer for Bitwarden Directory Connector";
|
|
wantedBy = ["timers.target"];
|
|
partOf = ["bitwarden_directory_connector.service"];
|
|
timerConfig = {
|
|
OnCalendar = cfg.interval;
|
|
Unit = "bitwarden_directory_connector.service";
|
|
Persistent = true;
|
|
};
|
|
};
|
|
|
|
services.bitwarden_directory_connector = {
|
|
description = "Main process for Bitwarden Directory Connector";
|
|
wantedBy = ["multi-user.target"];
|
|
after = ["network-online.target"];
|
|
wants = [];
|
|
path = [pkgs.jq];
|
|
|
|
environment = {
|
|
BITWARDENCLI_CONNECTOR_APPDATA_DIR = cfg.directory;
|
|
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
User = "${cfg.user}";
|
|
Group = "${cfg.user}";
|
|
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
|
|
# create the config file
|
|
${cfg.package}/bin/${cfg.binary_name} data-file
|
|
|
|
${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain}
|
|
|
|
# now login to set credentials
|
|
${cfg.package}/bin/${cfg.binary_name} login
|
|
|
|
jq '.authenticatedAccounts[0] as $account
|
|
| .[$account].directoryConfigurations.ldap |= $ldap_data
|
|
| .[$account].directorySettings.organizationId |= $orgID
|
|
| .[$account].directorySettings.sync |= $sync_data' \
|
|
--argjson ldap_data ${escapeShellArg ldap_data} \
|
|
--arg orgID "''${BW_CLIENTID//organization.}" \
|
|
--argjson sync_data ${escapeShellArg sync_data} \
|
|
${escapeShellArg cfg.directory}/data.json \
|
|
> ${escapeShellArg cfg.directory}/data.json.tmp
|
|
|
|
mv -f -- ${escapeShellArg cfg.directory}/data.json.tmp ${escapeShellArg cfg.directory}/data.json
|
|
|
|
# final config
|
|
${cfg.package}/bin/${cfg.binary_name} config directory 0
|
|
${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env}
|
|
'';
|
|
|
|
ExecStart = ''${cfg.package}/bin/${cfg.binary_name} sync'';
|
|
|
|
EnvironmentFile = [
|
|
"${cfg.env.ldap}"
|
|
"${cfg.env.bitwarden}"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
meta = with lib; {
|
|
maintainers = with maintainers; [Silver-Golden];
|
|
};
|
|
}
|