nixos/vaultwarden: assert valid backupDir path
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
This commit is contained in:
parent
0af9d835c2
commit
1d5188b3b4
@ -7,6 +7,8 @@ let
|
||||
|
||||
StateDirectory = if lib.versionOlder config.system.stateVersion "24.11" then "bitwarden_rs" else "vaultwarden";
|
||||
|
||||
dataDir = "/var/lib/${StateDirectory}";
|
||||
|
||||
# Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
|
||||
nameToEnvVar = name:
|
||||
let
|
||||
@ -25,7 +27,7 @@ let
|
||||
configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
|
||||
${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
|
||||
}) cfg.config;
|
||||
in { DATA_FOLDER = "/var/lib/${StateDirectory}"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
|
||||
in { DATA_FOLDER = dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
|
||||
WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
|
||||
} // configEnv;
|
||||
|
||||
@ -160,10 +162,16 @@ in {
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [ {
|
||||
assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite";
|
||||
message = "Backups for database backends other than sqlite will need customization";
|
||||
} ];
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite";
|
||||
message = "Backups for database backends other than sqlite will need customization";
|
||||
}
|
||||
{
|
||||
assertion = !(lib.hasPrefix dataDir cfg.backupDir);
|
||||
message = "Backup directory can not be in ${dataDir}";
|
||||
}
|
||||
];
|
||||
|
||||
users.users.vaultwarden = {
|
||||
inherit group;
|
||||
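Review bot: The new assertion `assertion = !(lib.hasPrefix dataDir cfg.backupDir);` is evaluated whenever `cfg.enable` is true, including the default case where `cfg.backupDir` is null; as far as I can tell `lib.hasPrefix` hands its second argument to `builtins.substring`, which does not accept null, so enabling the service without configuring a backup directory would now fail evaluation instead of passing. The sibling assertion directly above already guards with `cfg.backupDir != null ->`, so the same shape keeps the two consistent: `assertion = cfg.backupDir != null -> !(lib.hasPrefix dataDir cfg.backupDir);`. A plain string-prefix test also rejects unrelated siblings such as `${dataDir}-backups` while accepting `${dataDir}` itself only by accident of the prefix; if the intent is "not inside the state directory", `cfg.backupDir != dataDir && !(lib.hasPrefix "${dataDir}/" cfg.backupDir)` states that more precisely, and a one-line comment on why a backup inside the state directory is rejected would help the next reader. The enclosing `config = lib.mkIf cfg.enable { … }` attribute set continues past the end of this hunk.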
@ -224,7 +232,7 @@ in {
|
||||
systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
|
||||
description = "Backup vaultwarden";
|
||||
environment = {
|
||||
DATA_FOLDER = "/var/lib/${StateDirectory}";
|
||||
DATA_FOLDER = dataDir;
|
||||
BACKUP_FOLDER = cfg.backupDir;
|
||||
};
|
||||
path = with pkgs; [ sqlite ];
|
||||
|
@ -122,7 +122,7 @@ let
|
||||
};
|
||||
|
||||
sqlite = {
|
||||
services.vaultwarden.backupDir = "/var/lib/vaultwarden/backups";
|
||||
services.vaultwarden.backupDir = "/srv/backups/vaultwarden";
|
||||
|
||||
environment.systemPackages = [ pkgs.sqlite ];
|
||||
};
|
||||
@ -205,12 +205,12 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
|
||||
server.start_job("backup-vaultwarden.service")
|
||||
|
||||
with subtest("Check that backup exists"):
|
||||
server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
|
||||
server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
|
||||
server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
|
||||
server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
|
||||
server.succeed('[ -d "/srv/backups/vaultwarden" ]')
|
||||
server.succeed('[ -f "/srv/backups/vaultwarden/db.sqlite3" ]')
|
||||
server.succeed('[ -d "/srv/backups/vaultwarden/attachments" ]')
|
||||
server.succeed('[ -f "/srv/backups/vaultwarden/rsa_key.pem" ]')
|
||||
# Ensure only the db backed up with the backup command exists and not the other db files.
|
||||
server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
|
||||
server.succeed('[ ! -f "/srv/backups/vaultwarden/db.sqlite3-shm" ]')
|
||||
'';
|
||||
};
|
||||
}
|
||||
|