nixos/applications/bitwarden/_bitwarden_sync_module.nix

343 lines
11 KiB
Nix

{
pkgs,
config,
lib,
...
}:
with lib; let
cfg = config.services.bitwarden_directory_connector;
ldap_data = builtins.toJSON cfg.ldap;
sync_data = builtins.toJSON cfg.sync;
# coping directly from nix https://github.com/NixOS/nixpkgs/blob/da4024d0ead5d7820f6bd15147d3fe2a0c0cec73/nixos/modules/config/nix.nix#L62C1-L76C49
semanticConfType = with types; let
confAtom =
nullOr
(oneOf [
bool
int
float
str
path
package
])
// {
description = "Nix config atom (null, bool, int, float, str, path or package)";
};
in
attrsOf (either confAtom (listOf confAtom));
json_string = string: builtins.replaceStrings ["\""] ["\\\""] string;
in {
imports = [];
options.services.bitwarden_directory_connector = {
enable = mkEnableOption "Bitwarden Directory Connector";
package = mkOption {
type = types.package;
default = pkgs.bitwarden-directory-connector;
defaultText = literalExpression "pkgs.bitwarden-directory-connector";
description = lib.mdDoc "Reference to the Bitwarden Directory Connector package";
example = literalExpression "pkgs.bitwarden-directory-connector-example";
};
binary_name = mkOption {
type = types.str;
description = lib.mdDoc "The main binary for the connector.";
default = "bitwarden-directory-connector";
};
domain = mkOption {
type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessable on.";
example = "https://vaultwarden.example.com";
};
user = mkOption {
type = types.str;
description = lib.mdDoc "User to run the program.";
default = "bwdc";
};
directory = mkOption {
type = types.str;
description = lib.mdDoc "Folder to store the config file.";
default = "/etc/bitwarden/bwdc";
};
pw_env = mkOption {
type = types.str;
description = lib.mdDoc "The ENV var that the ldap password is stored.";
default = "LDAP_PW";
};
interval = mkOption {
type = types.str;
default = "*:0,15,30,45";
description = lib.mdDoc "When to run the connector, OnCalendar syntax.";
};
ldap = mkOption {
description = lib.mdDoc "Options to configurate LDAP.";
type = types.submodule {
freeformType = semanticConfType;
options = {
ssl = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Use SSL.";
};
startTls = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Use STARTTLS.";
};
sslAllowUnauthorized = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "";
};
port = mkOption {
type = types.int;
default = 389;
description = lib.mdDoc "Port LDAP is accessable on";
};
currentUser = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Unknown what this does.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Is Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "The LDAP server paginates search results.";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessable on.";
example = "ldap.example.com";
};
rootPath = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
};
};
};
sync = mkOption {
description = lib.mdDoc "Options to configurate what gets synced.";
type = types.submodule {
freeformType = semanticConfType;
options = {
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
memberAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "uniqueMember";
};
creationDateAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists a users creation date.";
example = "whenCreated";
};
useEmailPrefixSuffix = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
};
emailPrefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that has a users username.";
default = "accountName";
};
emailSuffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
default = "@example.com";
};
users = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync users.";
};
userPath = mkOption {
type = types.str;
description = lib.mdDoc "User directory, relative to root.";
default = "ou=users";
};
userObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that users will have.";
default = "inetOrgPerson";
};
userEmailAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a users email.";
default = "mail";
};
userFilter = mkOption {
type = types.str;
description = lib.mdDoc "Filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
default = "";
};
groups = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync groups.";
};
groupPath = mkOption {
type = types.str;
description = lib.mdDoc "Group directory, relative to root.";
default = "ou=groups";
};
groupObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
default = "groupOfNames";
};
groupNameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
default = "cn";
};
groupFilter = mkOption {
type = types.str;
description = lib.mdDoc "Filter for groups.";
example = "(cn=sales)";
default = "";
};
};
};
};
env = {
ldap = mkOption rec {
type = types.str;
description = "Auth for the LDAP, has value defined in {option}`pw_env";
};
bitwarden = mkOption rec {
type = types.str;
description = "Auth for Bitwarden, has BW_CLIENTID and BW_CLIENTSECRET";
};
};
};
config = mkIf cfg.enable {
users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = {
createHome = true;
isSystemUser = true;
home = "${cfg.directory}";
group = "${cfg.user}";
homeMode = "711";
};
systemd = {
timers.bitwarden_directory_connector = {
description = "Sync timer for Bitwarden Directory Connector";
wantedBy = ["timers.target"];
partOf = ["bitwarden_directory_connector.service"];
timerConfig = {
OnCalendar = cfg.interval;
Unit = "bitwarden_directory_connector.service";
Persistent = true;
};
};
services.bitwarden_directory_connector = {
description = "Main process for Bitwarden Directory Connector";
wantedBy = ["multi-user.target"];
after = ["network-online.target"];
wants = [];
path = [pkgs.jq];
environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = cfg.directory;
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
};
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
Group = "${cfg.user}";
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
# create the config file
${cfg.package}/bin/${cfg.binary_name} data-file
${cfg.package}/bin/${cfg.binary_name} config server ${cfg.domain}
# now login to set credentials
${cfg.package}/bin/${cfg.binary_name} login
jq '.authenticatedAccounts[0] as $account
| .[$account].directoryConfigurations.ldap |= $ldap_data
| .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg ldap_data} \
--arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg sync_data} \
${escapeShellArg cfg.directory}/data.json \
> ${escapeShellArg cfg.directory}/data.json.tmp
mv -f -- ${escapeShellArg cfg.directory}/data.json.tmp ${escapeShellArg cfg.directory}/data.json
# final config
${cfg.package}/bin/${cfg.binary_name} config directory 0
${cfg.package}/bin/${cfg.binary_name} config ldap.password --secretenv ${cfg.pw_env}
'';
ExecStart = ''${cfg.package}/bin/${cfg.binary_name} sync'';
EnvironmentFile = [
"${cfg.env.ldap}"
"${cfg.env.bitwarden}"
];
};
};
};
};
meta = with lib; {
maintainers = with maintainers; [Silver-Golden];
};
}