Merge pull request #325861 from Scrumplex/nixos/vaultwarden/fix-backup-24.11

2024-11-22 06:53:01 +00:00 · 2024-08-06 14:02:56 +02:00 · 2024-08-06 14:02:56 +02:00 · 5d43833452
commit 5d43833452
parent b772ff98cd 1d5188b3b4
2 changed files with 20 additions and 12 deletions
--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@ -7,6 +7,8 @@ let

  StateDirectory = if lib.versionOlder config.system.stateVersion "24.11" then "bitwarden_rs" else "vaultwarden";

+  dataDir = "/var/lib/${StateDirectory}";
+
  # Convert name from camel case (e.g. disable2FARemember) to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
  nameToEnvVar = name:
    let
@ -25,7 +27,7 @@ let
      configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
        ${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
      }) cfg.config;
-    in { DATA_FOLDER = "/var/lib/${StateDirectory}"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
+    in { DATA_FOLDER = dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
      WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
    } // configEnv;

@ -160,10 +162,16 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    assertions = [ {
+    assertions = [
+      {
        assertion = cfg.backupDir != null -> cfg.dbBackend == "sqlite";
        message = "Backups for database backends other than sqlite will need customization";
-    } ];
+      }
+      {
+        assertion = !(lib.hasPrefix dataDir cfg.backupDir);
+        message = "Backup directory can not be in ${dataDir}";
+      }
+    ];

    users.users.vaultwarden = {
      inherit group;
@ -224,7 +232,7 @@ in {
    systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
      description = "Backup vaultwarden";
      environment = {
-        DATA_FOLDER = "/var/lib/${StateDirectory}";
+        DATA_FOLDER = dataDir;
        BACKUP_FOLDER = cfg.backupDir;
      };
      path = with pkgs; [ sqlite ];
--- a/nixos/tests/vaultwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@ -122,7 +122,7 @@ let
          };

          sqlite = {
-            services.vaultwarden.backupDir = "/var/lib/vaultwarden/backups";
+            services.vaultwarden.backupDir = "/srv/backups/vaultwarden";

            environment.systemPackages = [ pkgs.sqlite ];
          };
@ -205,12 +205,12 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
          server.start_job("backup-vaultwarden.service")

      with subtest("Check that backup exists"):
-          server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
-          server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
-          server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
-          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
+          server.succeed('[ -d "/srv/backups/vaultwarden" ]')
+          server.succeed('[ -f "/srv/backups/vaultwarden/db.sqlite3" ]')
+          server.succeed('[ -d "/srv/backups/vaultwarden/attachments" ]')
+          server.succeed('[ -f "/srv/backups/vaultwarden/rsa_key.pem" ]')
          # Ensure only the db backed up with the backup command exists and not the other db files.
-          server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
+          server.succeed('[ ! -f "/srv/backups/vaultwarden/db.sqlite3-shm" ]')
    '';
  };
 }