vaultwarden: add bitwarden directory sync

2023-12-26 00:33:43 +01:00 · 2023-12-26 00:33:43 +01:00 · 67d9373ad1
parent aa1b19d964
commit 67d9373ad1
2 changed files with 51 additions and 2 deletions
--- a/hosts/vaultwarden/default.nix
+++ b/hosts/vaultwarden/default.nix
@ -18,6 +18,46 @@
      ];
    };

+    bitwarden-directory-connector = {
+      enable = true;
+      inherit (config.services.vaultwarden) domain;
+      ldap = {
+        ad = false;
+        hostname = "auth.c3d2.de";
+        port = 636;
+        rootPath = "dc=c3d2,dc=de";
+        ssl = true;
+        startTls = false;
+        username = "uid=search,ou=users,dc=c3d2,dc=de";
+      };
+      secrets = {
+        bitwarden = {
+          client_path_id = config.sops.secrets."bwdc/client-id".path;
+          client_path_secret = config.sops.secrets."bwdc/client-secret".path;
+        };
+        ldap = config.sops.secrets."bwdc/ldap-password".path;
+      };
+      sync = {
+        creationDateAttribute = "";
+        groups = true;
+        groupFilter = "(cn=vaultwarden-*)";
+        groupNameAttribute = "cn";
+        groupObjectClass = "groupOfNames";
+        groupPath = "ou=groups";
+        largeImport = false;
+        memberAttribute = "member";
+        overwriteExisting = false;
+        removeDisabled = true;
+        revisionDateAttribute = "";
+        useEmailPrefixSuffix = false;
+        userEmailAttribute = "mail";
+        userFilter = "(isMemberOf=cn=vaultwarden-users,ou=groups,dc=c3d2,dc=de)";
+        userObjectClass = "person";
+        userPath = "ou=users";
+        users = true;
+      };
+    };
+
    nginx = {
      enable = true;
      virtualHosts."vaultwarden.c3d2.de" = {
@ -26,6 +66,8 @@
      };
    };

+    portunus.addToHosts = true;
+
    postgresql = {
      package = pkgs.postgresql_16;
      upgrade.stopServices = [ "vaultwarden" ];
@ -54,6 +96,9 @@
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
+      "bwdc/client-id".owner = "bwdc";
+      "bwdc/client-secret".owner = "bwdc";
+      "bwdc/ldap-password".owner = "bwdc";
      "vaultwarden/environment".owner = "vaultwarden";
    };
  };
--- a/hosts/vaultwarden/secrets.yaml
+++ b/hosts/vaultwarden/secrets.yaml
@ -1,3 +1,7 @@
+bwdc:
+    client-id: ENC[AES256_GCM,data:pFDg11xfXbx/X40z7Rs9Ps35GuK9ncBbB25VYZJMaRyv17fCbMaVJmnvlnFZOkVidg==,iv:SG7QcH/QHJtEAd6eHzakMIHVs5W6EiaPNsh+G9Zku9A=,tag:ZEL1UGJy9lR9himlbGpSoA==,type:str]
+    client-secret: ENC[AES256_GCM,data:41ivEval7TegKbYl+Bla2Dgs2h+P1kTBKUr39qPD,iv:BvsO1GcwGbhYCN92yjSFMZiIhX7s3KlrGd0mJEXN1hA=,tag:G2EbHWjz2N5cqOM9MWqStQ==,type:str]
+    ldap-password: ENC[AES256_GCM,data:DXVH3RNBH+1OguL/yAFPvFUoU1EocEi4TQBT5qVFBF4=,iv:A7IPtApfow+0mWTpNSsZVPWzBw7WjvN4NEAgn9Q8cvY=,tag:7VcvkOjpaDfdPF6fyBbZiQ==,type:str]
 restic:
    password: ENC[AES256_GCM,data:3t8PjT9cOsv4D6rhRwFSyehsQzofXaXqt/EXK7FiBPg=,iv:HlyNiUsmlma47BhNvLeuew4lx4uldDqL/O8fIsSFOPU=,tag:LBDt+WTU2+z+LfWQ8hqoIw==,type:str]
    repositories:
@ -28,8 +32,8 @@ sops:
            YVljODQybmFBaENvdlZtcGJNaXdyWjAK7TenBrprqo++EzurqXqatEJncCU5g0JH
            9aUpNebhTuauCJQcObj89tjx0EKuafe7Nn2wgiV3hNPIGa4+YXnsSw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-20T22:31:55Z"
-    mac: ENC[AES256_GCM,data:jK6Bdee8wsTp6etUJzrwgw8yNGJ8iqYYt0aE1tPmnM4aU9mu/Fhj9kidPLIl5ghBYqapXuiFre/jivrldDfQ/xMNntSpMlYqqjgFCPlgCvDUI0auXfIdKGGB5jORzN7i3z2LPm4vX6mFTol5vdOsHzA2dg/KqOGca9zhrbbDKU8=,iv:NAKLcSGNiEjzvlU8YXAbEPpJWFn7erNQ1Lz6NeYxV/Y=,tag:+LqcZL2CUHRnYMAuAMdPpw==,type:str]
+    lastmodified: "2023-12-25T19:09:35Z"
+    mac: ENC[AES256_GCM,data:rsQw8nYs78jCTKWHhwOuU8d3SS2pCnKpCo6U3RpWCGIdKMFq8QGBgarycAZgxbGc9ErEct4K4XhZ0pcX5qJgRFPE6YhDuRnKm/kQkmgXe63wPncQhUUq0U3P9q/G1Hs3uJbMyWgnjQQ2Vo8sv9mTbseS8ettbuJUNjK6mnblzIM=,iv:476qCdupCylLCvd9tb+VIDtbbqlw1Z/tezQh/d4jjIo=,tag:azw4aUqFD6zszCCYAny/KA==,type:str]
    pgp:
        - created_at: "2023-12-20T20:48:53Z"
          enc: |-