nixos/vaultwarden: assert valid backupDir path

Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
This commit is contained in:
Sefa Eyeoglu 2024-07-09 16:18:06 +02:00
parent 0af9d835c2
commit 1d5188b3b4
No known key found for this signature in database
GPG Key ID: E13DFD4B47127951
2 changed files with 20 additions and 12 deletions

View File

@ -7,6 +7,8 @@ let
StateDirectory = if lib.versionOlder config.system.stateVersion "24.11" then "bitwarden_rs" else "vaultwarden";
dataDir = "/var/lib/${StateDirectory}";
# Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
nameToEnvVar = name:
let
@ -25,7 +27,7 @@ let
configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
}) cfg.config;
in { DATA_FOLDER = "/var/lib/${StateDirectory}"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
in { DATA_FOLDER = dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
} // configEnv;
@ -160,10 +162,16 @@ in {
};
config = lib.mkIf cfg.enable {
assertions = [ {
assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite";
message = "Backups for database backends other than sqlite will need customization";
} ];
assertions = [
{
assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite";
message = "Backups for database backends other than sqlite will need customization";
}
{
assertion = !(lib.hasPrefix dataDir cfg.backupDir);
message = "Backup directory can not be in ${dataDir}";
}
];
users.users.vaultwarden = {
inherit group;
@ -224,7 +232,7 @@ in {
systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
description = "Backup vaultwarden";
environment = {
DATA_FOLDER = "/var/lib/${StateDirectory}";
DATA_FOLDER = dataDir;
BACKUP_FOLDER = cfg.backupDir;
};
path = with pkgs; [ sqlite ];

View File

@ -122,7 +122,7 @@ let
};
sqlite = {
services.vaultwarden.backupDir = "/var/lib/vaultwarden/backups";
services.vaultwarden.backupDir = "/srv/backups/vaultwarden";
environment.systemPackages = [ pkgs.sqlite ];
};
@ -205,12 +205,12 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
server.start_job("backup-vaultwarden.service")
with subtest("Check that backup exists"):
server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
server.succeed('[ -d "/srv/backups/vaultwarden" ]')
server.succeed('[ -f "/srv/backups/vaultwarden/db.sqlite3" ]')
server.succeed('[ -d "/srv/backups/vaultwarden/attachments" ]')
server.succeed('[ -f "/srv/backups/vaultwarden/rsa_key.pem" ]')
# Ensure only the db backed up with the backup command exists and not the other db files.
server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
server.succeed('[ ! -f "/srv/backups/vaultwarden/db.sqlite3-shm" ]')
'';
};
}