From a04313de0fb846ac2ae0bc4fd9a97328c668c407 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= Date: Mon, 29 Jan 2024 17:27:42 +0100 Subject: [PATCH] feat: distributed config feat: vaultwarden smtp config --- .../vaultwarden/generated/maddyPasswd.age | Bin 0 -> 725 bytes .../secrets/vaultwarden/vaultwarden-env.age | Bin 1098 -> 938 bytes modules/config/default.nix | 1 + modules/distributed-config.nix | 66 ++++++++++++++++++ modules/services/vaultwarden.nix | 31 +++++++- 5 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 hosts/elisabeth/secrets/vaultwarden/generated/maddyPasswd.age create mode 100644 modules/distributed-config.nix 
diff --git a/hosts/elisabeth/secrets/vaultwarden/generated/maddyPasswd.age b/hosts/elisabeth/secrets/vaultwarden/generated/maddyPasswd.age new file mode 100644 index 0000000000000000000000000000000000000000..cd92789c9f54bb1271b925a501fdca08f3573623 GIT binary patch literal 725 zcmY+8v=jl>VG*Jk69KVfQ2(D8IGP+NmZ7^`qevUVpkJa(Lo zsJy_zs;uUcKD9U$sz@5fhFpMh)6ghO0ZUVv&|%u+)e_anfk3C8kCtuCZGh1U%M=_J z6g8$AP>!7$Ql1XY0K?1~=CfWyx3CehlfAC1pj0DL6>cl5NNd6M&7u@+-V{@4R_oO` zB<3qN(@39Xx4uM0ydk@!+=eGCG7pE_QH_ZSN}VtKWY?7JJOfs1>KRAuX=OWdkczQo4S^%ln>oskvbwn9e z!6?#HX=PJ-Z`0Kjql#kTHXvfJbkg|LCl#V$>nGzsdtq)mTanjcGZNs9_inx;vUG)dF6 zsZ1T{=>`*~AajGg44h*K>fJVQoOllOVfy035PjGQ#}rX^I3_q@r+e_>{(gY)Q6?&6tTf z(9KgChcY~jri?_u9I3@*9GUILVmFL)P?c1qIX=pPcEPJ^a)LSIlGm?nvar|{A`zg_ z;d~Ea`fWDuu(|*?ZITJAT@8yy$ssTpI2g*cB3aBg94Mu8jDuwwc*#)m9BG0y+n66U zm@y+wu*mBve8z4MB8F}S{Y}>YUtxyvhH7GEhJ)S!0Sj#x>d@V>oVA@6JP};3Og6K* zlFwk1RGqfwBE8(Vc!!b_e3Z@j4HdVuaRJO>npw^w9-@>OVxZOTTWx|UK63y}o1xJf z7{CjiS9&O5c#3{-)&qf}%VLLtr&C~SqFE!5GXE>u1Ujtca*(G95GmnYlT~VbSmX@^ zce^wp2L&dTPNxAV4myoY$L1n4LSeQ6$GK|R8)iwzpdjD%1+wNOU_2QIXzJcS$M*k9 zPoF-{tzNnH=*ka`cdvi{#q?X{srACn+kbu)Zr!u|+3lO*lW!j1wPWEo{QUbkyc4e@ zPrSIX_SD(khqg;oTd!Z*d0tPoPrv@`y1KmBe(BD8m$v+P5qSHY zem;8m#3f+gfE@%)gOMQdj^0 literal 1098 zcmZwC`%fDM007`EPK6rDMr0;LM+X_qoTZQJajkBX_IiDBJ$iS&wpKu{?Qy;9wY|32 z*CC0KNwT5QNnExVH?!;kB0dr^GqNmkZiBHQWP;8JY-S75F|&n0vXEuEAD8$SeEArT z)v(D(rX4f)yH9vR)ly0+K0HCXGX~qL5q^BOVD7pVvqR zs7W345pmk0wwNO&4)jSJ9H9lHhbWR573!i*B9V6Ex;P~;%=4}zW2pMC%7|h~632^I0UPaj4v8(`-egF=ebb8)OI1GrLRxqa6Vs_%9=+b-L z1q&%*=wlX?Pk3cQZ4n}7%9eI_k+~cJAd1QD2_;)d)(Szvq}I(MR3aZkjIivE8B``O zRpdz;({(uv&Vrbw6(WFwM!yLAOBl|gAskY=^zk$y{QpY_v?5-rRfu`~K1>P*XhSK; zkx)p=5nea}+npRPr6ir!@26BEVnXa`jAFcL7^Pi0UkWv%NHnZuBA6VO$yO+(cw(MH z#AbZ-$`Oi&%dkwARns!*Q~P#BI=w9_iAngJ7Fg#=ga7rSKoUxT7N7<7)3~uzFaS+h zrodSFya@=I+?-0I(WrB>XUH1|DcPG8eA-uKsYMZMm`H;77YRz-;yYUm7~l!O_jr zPXNKE;-I_w)=b?f%C!!wkW_}ws ze}ANU{m-^Kd`m;~Ir9Nkue5o~)WVU^qG#t9Cv8hN$!F>-q3(-4vwu%a5e-6eqTDk? 
zj-8o3yH3tHLc#6d^j8$Fl@D4P_6}Vt+gR0y?Wz1yE8b;o-3!N=d&l2>{@4P)uXwY1 z++l&7-5Tli;;SdG!-q#!em}akrtr_?{Y2r}pnre)>ZxXcj-qYZy`Q_MC#OE`J=BpO zvF{t0UOYB_9=vcxM7AL{b5GuW1=KfxGV*5oTDo!BmHVLc)K9hdDozhxdPA(e@!XCu z-7~@8md ((x._type or "") != "__distributed_config_empty")) + (map (x: x.value) defs); + }; + default = {_type = "__distributed_config_empty";}; + description = '' + Anything specified here will be forwarded to `${concatStringsSep "." path}` + on the given node. Forwarding happens as-is to the raw values, + so validity can only be checked on the receiving node. + ''; + }; + + forwardedOptions = [ + ["age" "secrets"] + ["services" "maddy" "ensureCredentials"] + ]; + + attrsForEachOption = f: (foldl' (acc: path: recursiveUpdate acc (setAttrByPath path (f path))) {} forwardedOptions); +in { + options.nodes = mkOption { + description = "Options forwareded to the given node."; + default = {}; + type = types.attrsOf (types.submodule { + options = attrsForEachOption mkForwardedOption; + }); + }; + + config = let + mergeConfigFromOthers = let + getConfig = path: otherNode: let + cfg = nodes.${otherNode}.config.nodes.${nodeName} or null; + in + optionals (cfg != null) (getAttrFromPath path cfg); + in + path: mkMerge (concatMap (getConfig path) (attrNames nodes)); + in + attrsForEachOption mergeConfigFromOthers; +} diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index f281847..1600528 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,6 +1,7 @@ { config, lib, + nodes, ... }: let vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}"; 
@@ -51,6 +52,29 @@ in {
 ];
 };
 };
+ age.secrets.maddyPasswd = {
+ generator.script = "alnum";
+ group = "vaultwarden";
+ };
+ 
+ nodes.maddy = {
+ age.secrets.vaultwardenPasswd = {
+ inherit (config.age.secrets.maddyPasswd) rekeyFile;
+ inherit (nodes.maddy.config.services.maddy) group;
+ mode = "640";
+ };
+ services.maddy.ensureCredentials = {
+ "vaultwarden@${config.secrets.secrets.global.domains.mail_public}".passwordFile = nodes.maddy.config.age.secrets.vaultwardenPasswd.path;
+ };
+ };
+ system.activationScripts.systemd_env_smtp_passwd = {
+ text = ''
+ echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.maddyPasswd.path})" > /run/vaultwarden_smtp_passwd
+ '';
+ deps = ["agenix"];
+ };
+ 
+ systemd.services.vaultwarden.serviceConfig.EnvironmentFile = ["/run/vaultwarden_smtp_passwd"];
 services.vaultwarden = {
 enable = true;
@@ -71,9 +95,12 @@ in {
 invitationOrgName = "Vaultwarden";
 domain = "https://${vaultwardenDomain}";
- smtpEmbedImages = true;
- smtpSecurity = "force_tls";
+ smtpHost = "smtp.${config.secrets.secrets.global.domains.mail_public}";
+ smtpFrom = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";
 smtpPort = 465;
+ smtpSecurity = "force_tls";
+ smtpUsername = "vaultwarden@${config.secrets.secrets.global.domains.mail_public}";
+ smtpEmbedImages = true;
 };
 environmentFile = config.age.secrets.vaultwarden-env.path;
 };
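Review bot: The activation script added in the second hunk copies the SMTP password into /run/vaultwarden_smtp_passwd with a bare shell redirection, so the file's mode is whatever the activation umask yields and nothing in the hunk chowns or chmods it, while the age secret it is copied from was deliberately restricted to group vaultwarden. Since systemd reads EnvironmentFile before dropping privileges, a root-only file suffices: `(umask 077; echo "SMTP_PASSWORD=$(< ${lib.escapeShellArg config.age.secrets.maddyPasswd.path})" > /run/vaultwarden_smtp_passwd)`. The value is only safe to paste unquoted into an EnvironmentFile because `generator.script = "alnum"` keeps it alphanumeric, which deserves a one-line comment above the script so a later generator change does not silently break the unit. In the third hunk the address `vaultwarden@${config.secrets.secrets.global.domains.mail_public}` is spelled out three times (smtpFrom, smtpUsername and the maddy credential key); binding it once in the file's `let` would keep them from drifting apart. The enclosing `in {` attrset begins and ends outside both hunks.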