From 5c0042d455b57e7dd5aa1dad7576a4748e43c46b Mon Sep 17 00:00:00 2001
From: Adithya Nair
Date: Sun, 1 Dec 2024 12:31:03 +0530
Subject: [PATCH] setup vaultwarden
---
 modules/conduwuit.nix | 11 +++++++----
 modules/vaultwarden.nix | 18 ++++++++++++++----
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/modules/conduwuit.nix b/modules/conduwuit.nix
index 1808e31..0de20b5 100644
--- a/modules/conduwuit.nix
+++ b/modules/conduwuit.nix
@@ -89,8 +89,9 @@ let
 Type = "notify";
 DynamicUser = true;
 EnvironmentFile = serviceDefinition.environmentFiles;
- AmbientCapabilities = [ ];
- CapabilityBoundingSet = [ ];
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -134,9 +135,11 @@ let
 ];
 SystemCallErrorNumber = "EPERM";
 StateDirectory = "conduwuit-${name}";
+ StateDirectoryMode = "0700";
 RuntimeDirectory = "conduwuit-${name}";
- RuntimeDirectoryMode = "0750";
- ExecStart = "${serviceDefinition.package}/bin/conduit --config ${configFile}";
+ RuntimeDirectoryMode = "0700";
+ UMask = "0077";
+ ExecStart = "${lib.getExe serviceDefinition.package} --config ${configFile}";
 Restart = "on-failure";
 RestartSec = 10;
 StartLimitBurst = 5;
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index db47f1b..7b918c0 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -7,11 +7,14 @@ in
 options.recipes.vaultwarden = {
 enable = lib.mkEnableOption "vaultwarden";
- environment = lib.mkOption {
+ config = lib.mkOption {
 type = lib.types.attrsOf lib.types.str;
 description = "Vaultwarden is configured using environment variables";
- default = { };
- example = { RUST_BACKTRACE = true; };
+ default = { ROCKET_ADDRESS = "::1"; # default to localhost ROCKET_PORT = 8222; };
+ example = { DOMAIN = "https://example.com"; SIGNUPS_ALLOWED = false; };
 };
 environmentFiles = lib.mkOption {
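Review bot: The switch from `[ ]` to `[ "" ]` for AmbientCapabilities, CapabilityBoundingSet and the new DeviceAllow reads like a typo without a comment, because the two spellings behave very differently: the NixOS serviceConfig renderer emits no directive at all for an empty list, so the old unit never restricted capabilities, while a list holding one empty string emits `CapabilityBoundingSet=` and systemd reads the empty assignment as a reset to the empty set. That intent is worth recording once above the three lines, e.g. `# [ "" ] renders an empty assignment (systemd: reset to nothing); [ ] would render no directive at all`. It is also worth confirming that the service needs no device node, since `DeviceAllow=` together with the existing `DevicePolicy = "closed"` leaves only systemd's standard pseudo-devices (null, zero, urandom and the like) reachable. The enclosing serviceConfig attrset starts and ends outside the hunk.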
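Review bot: `ExecStart = "${lib.getExe serviceDefinition.package} --config ${configFile}"` silently changes which binary is launched if the package does not declare `meta.mainProgram`: lib.getExe then falls back to the derivation name with an evaluation warning, whereas the removed line pinned `/bin/conduit`. If the package's main program is not that binary, either set `meta.mainProgram` where the package is defined or keep the name explicit with `lib.getExe' serviceDefinition.package "conduit"`. Tightening RuntimeDirectoryMode from 0750 to 0700 also removes group access to the runtime directory; if a reverse proxy is expected to reach a socket there, that access would now be refused — I cannot tell from this hunk whether one is used. The enclosing serviceConfig attrset starts and ends outside the hunk.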
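Review bot: The new default `ROCKET_PORT = 8222;` is an integer while the option is declared `lib.types.attrsOf lib.types.str`, and the module system type-checks the default value as well, so evaluating the module without a user override fails; the fix is `ROCKET_PORT = "8222";`, and for consistency the example should read `SIGNUPS_ALLOWED = "false";` since these values are handed to Vaultwarden as environment-variable strings. In this rendering the `+` markers of the multi-line `default` block appear to have been lost so it shows as one line, but the hunk header's counts make `ROCKET_PORT` its own added line. Renaming `environment` to `config` is also a breaking change for existing users of the module; a `lib.mkRenamedOptionModule [ "recipes" "vaultwarden" "environment" ] [ "recipes" "vaultwarden" "config" ]` entry in `imports` would keep old configurations working. The enclosing `options.recipes.vaultwarden` attrset continues past the end of the hunk.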
@@ -22,6 +25,13 @@ in
 };
 package = lib.mkPackageOption pkgs "vaultwarden" { };
+
+ databaseBackend = lib.mkOption {
+ type = lib.types.enum [ "sqlite" "mysql" "postgresql" ];
+ default = "sqlite";
+ example = "postgresql";
+ description = "The kind of database backend to use";
+ };
 };
 config = lib.mkIf (cfg.enable == true) {
@@ -86,7 +96,7 @@ in
 RuntimeDirectory = "vaultwarden";
 RuntimeDirectoryMode = "0700";
 UMask = "0077";
- ExecStart = lib.getExe cfg.package;
+ ExecStart = lib.getExe (cfg.package.override { dbBackend = cfg.databaseBackend; });
 Restart = "on-failure";
 RestartSec = 10;
 StartLimitBurst = 5;
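Review bot: The `databaseBackend` description says only which backend is compiled in, but the `mysql` and `postgresql` values only work together with a setting the option does not mention: a `DATABASE_URL` pointing at the server, which normally carries credentials. I'd extend the description with something like `For mysql/postgresql, also set DATABASE_URL; prefer environmentFiles over config for it, as values given in config are presumably written into the Nix store`. Whether `config` values really end up in the store depends on how the module renders them, which is outside this hunk — worth verifying before wording the comment as a fact. The enclosing `options.recipes.vaultwarden` attrset starts outside the hunk.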
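Review bot: Applying `cfg.package.override { dbBackend = cfg.databaseBackend; }` inside ExecStart means `cfg.package` no longer names the binary that actually runs, so any other consumer of `cfg.package` (a backup unit, a `path` entry, an alias) would get the plain build, and evaluation fails outright for a user-supplied `package` whose function has no `dbBackend` argument. Binding the overridden package once, e.g. in the module's `let` block as `vaultwardenPackage = cfg.package.override { dbBackend = cfg.databaseBackend; };`, and writing `ExecStart = lib.getExe vaultwardenPackage;` keeps every consumer consistent; I cannot see from this hunk whether such a consumer exists, so treat this as a consistency suggestion. The enclosing serviceConfig attrset starts and ends outside the hunk.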