nixos/vaultwarden: backup all rsa_keys

The official documentation mentions rsa_key* as what should be backed up (https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#the-rsa_key-files). My particular install has rsa_key.pem and rsa_key.pub.pem so the existing command fails when trying to copy rsa_key.der. This change better aligns with the official documentation.
2024-06-08 12:34:59 -07:00 · 2024-06-08 12:34:59 -07:00 · 72406a54e7
commit 72406a54e7
parent 900d8043bb
2 changed files with 15 additions and 7 deletions
--- a/nixos/modules/services/security/vaultwarden/backup.sh
+++ b/nixos/modules/services/security/vaultwarden/backup.sh
@ -1,17 +1,21 @@
 #!/usr/bin/env bash

+# Allow use of !() when copying to not copy certain files
+shopt -s extglob
+
 # Based on: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
 if [ ! -d "$BACKUP_FOLDER" ]; then
  echo "Backup folder '$BACKUP_FOLDER' does not exist" >&2
  exit 1
 fi

-if [[ ! -f "$DATA_FOLDER"/db.sqlite3 ]]; then
-  echo "Could not find SQLite database file '$DATA_FOLDER/db.sqlite3'" >&2
-  exit 1
+if [[ -f "$DATA_FOLDER"/db.sqlite3 ]]; then
+  sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
 fi

-sqlite3 "$DATA_FOLDER"/db.sqlite3 ".backup '$BACKUP_FOLDER/db.sqlite3'"
-cp "$DATA_FOLDER"/rsa_key.{der,pem,pub.der} "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/attachments "$BACKUP_FOLDER"
-cp -r "$DATA_FOLDER"/icon_cache "$BACKUP_FOLDER"
+if [ ! -d "$DATA_FOLDER" ]; then
+  echo "No data folder (yet). This will happen on first launch if backup is triggered before vaultwarden has started."
+  exit 0
+fi
+
+cp -r "$DATA_FOLDER"/!(db.*) "$BACKUP_FOLDER"/
--- a/nixos/tests/vaultwarden.nix
+++ b/nixos/tests/vaultwarden.nix
@ -205,6 +205,10 @@ builtins.mapAttrs (k: v: makeVaultwardenTest k v) {
          server.succeed('[ -d "/var/lib/vaultwarden/backups" ]')
          server.succeed('[ -f "/var/lib/vaultwarden/backups/db.sqlite3" ]')
          server.succeed('[ -d "/var/lib/vaultwarden/backups/attachments" ]')
+          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pem" ]')
+          server.succeed('[ -f "/var/lib/vaultwarden/backups/rsa_key.pub.pem" ]')
+          # Ensure only the db backed up with the backup command exists and not the other db files.
+          server.succeed('[ ! -f "/var/lib/vaultwarden/backups/db.sqlite3-shm" ]')
    '';
  };
 }