--- title: Migrating vaultwarden to nixos description: How I migrated my vaultwarden installation to nixos date: 2023-12-20 tags: - nix - vaultwarden --- ## Introduction I am migrating several services from a k3s kubernetes cluster to a nixos server. Here is how I performed the operation with my [vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager. ## Vaultwarden with nixos Vaultwarden is packaged on nixos, but I am used to the hosting the container image and upgrading it at my own pace so I am sticking with it for now. Here is the module I wrote to deploy a vaultwarden container, configure postgresql and borg backups in `apps/vaultwarden/app.nix`: ```nix { config, lib, pkgs, ... }: { imports = [ ../../lib/nginx.nix ../../lib/postgresql.nix ]; environment.etc = { "borg-vaultwarden-db.key" = { mode = "0400"; source = ./borg-db.key; }; "borg-vaultwarden-storage.key" = { mode = "0400"; source = ./borg-storage.key; }; }; services = { borgbackup.jobs = let defaults = { compression = "auto,zstd"; doInit = true; encryption.mode = "none"; prune.keep = { daily = 14; weekly = 4; monthly = 3; }; startAt = "daily"; }; in { "vaultwarden-db" = defaults // { environment.BORG_RSH = "ssh -i /etc/borg-vaultwarden-db.key"; paths = "/tmp/vaultwarden.sql"; postHook = "rm -f /tmp/vaultwarden.sql"; preHook = ''rm -f /tmp/vaultwarden.sql; /run/current-system/sw/bin/pg_dump -h localhost -U vaultwarden -d vaultwarden > /tmp/vaultwarden.sql''; repo = "ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db"; }; "vaultwarden-storage" = defaults // { environment.BORG_RSH = "ssh -i /etc/borg-vaultwarden-storage.key"; paths = "/srv/vaultwarden"; repo = "ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage"; }; }; nginx.virtualHosts = let commons = { forceSSL = true; locations = { "/" = { proxyPass = "http://127.0.0.1:8083"; }; }; }; in { "pass.adyxax.org" = commons // { sslCertificate = "/etc/nginx/adyxax.org.crt"; sslCertificateKey = "/etc/nginx/adyxax.org.key"; }; }; postgresql = { ensureUsers = [{ name = "vaultwarden"; ensureDBOwnership = true; }]; ensureDatabases = ["vaultwarden"]; }; }; virtualisation.oci-containers.containers = { vaultwarden = { environment = { ADMIN_TOKEN = builtins.readFile ./argon-token.key; DATABASE_MAX_CONNS = "2"; DATABASE_URL = "postgres://vaultwarden:" + (lib.removeSuffix "\n" (builtins.readFile ./database-password.key)) + "@10.88.0.1/vaultwarden?sslmode=disable"; }; image = "vaultwarden/server:1.30.1"; ports = ["127.0.0.1:8083:80"]; volumes = [ "/srv/vaultwarden/:/data" ]; }; }; } ``` ## Dependencies ### Borg Borg needs to be running on another server with the following configuration stored in my `apps/vaultwarden/borg.nix` file: ```nix { config, pkgs, ... }: { imports = [ ../../lib/borg.nix ]; users.users.borg.openssh.authorizedKeys.keys = [ ("command=\"borg serve --restrict-to-path /srv/borg/vaultwarden-db\",restrict " + (builtins.readFile ./borg-db.key.pub)) ("command=\"borg serve --restrict-to-path /srv/borg/vaultwarden-storage\",restrict " + (builtins.readFile ./borg-storage.key.pub)) ]; } ``` ### PostgreSQL My postgreSQL module defines the following global configuration: ```nix { config, lib, pkgs, ... }: { networking.firewall.interfaces."podman0".allowedTCPPorts = [ 5432 ]; services.postgresql = { enable = true; enableTCPIP = true; package = pkgs.postgresql_15; authentication = pkgs.lib.mkOverride 10 '' #type database DBuser auth-method local all all trust # podman host all all 10.88.0.0/16 scram-sha-256 ''; }; } ``` Since for now I am running nothing outside of containers on this server, I am trusting the unix socket connections. Depending on what you are doing you might want a stronger auth-method there. ### Nginx My nginx module defines the following global configuration: ```nix { config, lib, pkgs, ... }: { environment.etc = let permissions = { mode = "0400"; uid= config.ids.uids.nginx; }; in { "nginx/adyxax.org.crt" = permissions // { source = ../../01-legacy/adyxax.org.crt; }; "nginx/adyxax.org.key" = permissions // { source = ../../01-legacy/adyxax.org.key; }; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { clientMaxBodySize = "40M"; enable = true; enableReload = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; }; } ``` ### Secrets There are several secrets referenced in the configuration, these are all git-crypted files: - argon-token.key - borg-db.key - borg-storage.key - database-password.key ## Migration process The first step is obviously to deploy this new configuration to the server, then I need to login and manually restore the backups. ```sh make run host=myth.adyxax.org ``` The container will be failing because no password is set on the database user yet, so I stop it: ```sh systemctl stop podman-vaultwarden ``` There are two backup jobs for vaultwarden: one for its storage and the second one for the database. ```sh export BORG_RSH="ssh -i /etc/borg-vaultwarden-storage.key" borg list ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage borg extract ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-storage::dalinar-vaultwarden-storage-2023-11-19T00:00:01 mv srv/vaultwarden /srv/ ``` ```sh export BORG_RSH="ssh -i /etc/borg-vaultwarden-db.key" borg list ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db borg extract ssh://borg@gcp.adyxax.org/srv/borg/vaultwarden-db::dalinar-vaultwarden-db-2023-11-19T00:00:01 psql -h localhost -U postgres -d vaultwarden ``` Restoring the data itself is done with the psql shell: ```sql ALTER USER vaultwarden WITH PASSWORD 'XXXXX'; \i tmp/vaultwarden.sql ``` Afterwards I clean up the database dump and restart vaultwarden: ```sh rm -rf tmp/ systemctl start podman-vaultwarden ``` To wrap this up I migrate the DNS records to the new host, update my monitoring system and clean up the namespace on the k3s server. ## Conclusion Automating things with nixos is satisfying, but it does not abstract all the sysadmin's work away. I am not quite satisfied with my borg configuration entries. I should be able to write this more elegantly when I find the time, but it works.