nixos-config/patches/vaultwarden.patch

diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix
index b2920931f..443b8421b 100644
--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@@ -23,7 +23,7 @@ let
       configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
         ${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
       }) cfg.config;
-    in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
+    in { DATA_FOLDER = cfg.dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
       WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
     } // configEnv;

@@ -163,6 +163,16 @@ in {
       defaultText = lib.literalExpression "pkgs.vaultwarden.webvault";
       description = "Web vault package to use.";
     };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/bitwarden_rs";
+      description = ''
+        The directury in which vaultwarden will keep its state. If left as the default value
+        this directory will automatically be created before the vaultwarden server starts, otherwise
+        the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.
+      '';
+    };
   };

   config = lib.mkIf cfg.enable {
@@ -180,28 +190,32 @@ in {
     systemd.services.vaultwarden = {
       after = [ "network.target" ];
       path = with pkgs; [ openssl ];
-      serviceConfig = {
-        User = user;
-        Group = group;
-        EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStart = "${vaultwarden}/bin/vaultwarden";
-        LimitNOFILE = "1048576";
-        PrivateTmp = "true";
-        PrivateDevices = "true";
-        ProtectHome = "true";
-        ProtectSystem = "strict";
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-        StateDirectory = "bitwarden_rs";
-        StateDirectoryMode = "0700";
-        Restart = "always";
-      };
+      serviceConfig = lib.mkMerge [
+        (lib.mkIf (cfg.dataDir == "/var/lib/bitwarden_rs") {
+          StateDirectory = "bitwarden_rs";
+          StateDirectoryMode = "0700";
+        })
+        {
+          User = user;
+          Group = group;
+          EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+          ExecStart = "${vaultwarden}/bin/vaultwarden";
+          LimitNOFILE = "1048576";
+          PrivateTmp = "true";
+          PrivateDevices = "true";
+          ProtectHome = "true";
+          ProtectSystem = "strict";
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          Restart = "always";
+        }
+      ];
       wantedBy = [ "multi-user.target" ];
     };

     systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
       description = "Backup vaultwarden";
       environment = {
-        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        DATA_FOLDER = cfg.dataDir;
         BACKUP_FOLDER = cfg.backupDir;
       };
       path = with pkgs; [ sqlite ];
update system 2023-04-08 22:47:50 +03:00			`diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix`
upgrade system 2024-04-23 21:37:10 +03:00			`index b2920931f..443b8421b 100644`
update system 2023-04-08 22:47:50 +03:00			`--- a/nixos/modules/services/security/vaultwarden/default.nix`
			`+++ b/nixos/modules/services/security/vaultwarden/default.nix`
upgrade system 2024-04-23 21:37:10 +03:00			`@@ -23,7 +23,7 @@ let`
			`configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {`
			`${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;`
update system 2023-04-08 22:47:50 +03:00			`}) cfg.config;`
upgrade system 2024-04-23 21:37:10 +03:00			`- in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) \|\| configEnv.WEB_VAULT_ENABLED == "true") {`
			`+ in { DATA_FOLDER = cfg.dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) \|\| configEnv.WEB_VAULT_ENABLED == "true") {`
update system 2023-04-08 22:47:50 +03:00			`WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";`
			`} // configEnv;`
update vaultwarden config 2023-04-25 17:20:58 +03:00
upgrade system 2024-04-23 21:37:10 +03:00			`@@ -163,6 +163,16 @@ in {`
			`defaultText = lib.literalExpression "pkgs.vaultwarden.webvault";`
			`description = "Web vault package to use.";`
update system 2023-04-08 22:47:50 +03:00			`};`
upgrade system 2024-04-23 21:37:10 +03:00			`+`
			`+ dataDir = lib.mkOption {`
			`+ type = lib.types.str;`
update system 2023-04-08 22:47:50 +03:00			`+ default = "/var/lib/bitwarden_rs";`
			`+ description = ''`
			`+ The directury in which vaultwarden will keep its state. If left as the default value`
			`+ this directory will automatically be created before the vaultwarden server starts, otherwise`
			`+ the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.`
			`+ '';`
			`+ };`
upgrade system 2024-04-23 21:37:10 +03:00			`};`

			`config = lib.mkIf cfg.enable {`
			`@@ -180,28 +190,32 @@ in {`
			`systemd.services.vaultwarden = {`
update system 2023-04-08 22:47:50 +03:00			`after = [ "network.target" ];`
			`path = with pkgs; [ openssl ];`
			`- serviceConfig = {`
			`- User = user;`
			`- Group = group;`
upgrade system 2024-04-23 21:37:10 +03:00			`- EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;`
update system 2023-04-08 22:47:50 +03:00			`- ExecStart = "${vaultwarden}/bin/vaultwarden";`
			`- LimitNOFILE = "1048576";`
			`- PrivateTmp = "true";`
			`- PrivateDevices = "true";`
			`- ProtectHome = "true";`
			`- ProtectSystem = "strict";`
			`- AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
			`- StateDirectory = "bitwarden_rs";`
			`- StateDirectoryMode = "0700";`
			`- Restart = "always";`
			`- };`
upgrade system 2024-04-23 21:37:10 +03:00			`+ serviceConfig = lib.mkMerge [`
			`+ (lib.mkIf (cfg.dataDir == "/var/lib/bitwarden_rs") {`
update system 2023-04-08 22:47:50 +03:00			`+ StateDirectory = "bitwarden_rs";`
			`+ StateDirectoryMode = "0700";`
			`+ })`
			`+ {`
			`+ User = user;`
			`+ Group = group;`
upgrade system 2024-04-23 21:37:10 +03:00			`+ EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;`
update system 2023-04-08 22:47:50 +03:00			`+ ExecStart = "${vaultwarden}/bin/vaultwarden";`
			`+ LimitNOFILE = "1048576";`
			`+ PrivateTmp = "true";`
			`+ PrivateDevices = "true";`
			`+ ProtectHome = "true";`
			`+ ProtectSystem = "strict";`
			`+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
			`+ Restart = "always";`
			`+ }`
			`+ ];`
			`wantedBy = [ "multi-user.target" ];`
			`};`
update vaultwarden config 2023-04-25 17:20:58 +03:00
upgrade system 2024-04-23 21:37:10 +03:00			`systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {`
update system 2023-04-08 22:47:50 +03:00			`description = "Backup vaultwarden";`
			`environment = {`
			`- DATA_FOLDER = "/var/lib/bitwarden_rs";`
update vaultwarden config 2023-04-25 17:20:58 +03:00			`+ DATA_FOLDER = cfg.dataDir;`
update system 2023-04-08 22:47:50 +03:00			`BACKUP_FOLDER = cfg.backupDir;`
			`};`
			`path = with pkgs; [ sqlite ];`