nixos/vaultwarden: add more systemd service hardening; move state dir in 24.05

[fsnkty]

Description of changes

added systemd service hardening to vaultwarden and backup-vaultwarden.
change state directory defaults to /var/lib/vaultwarden over /var/lib/bitwarden_rs when system.stateVersion is >= 24.05

removed changes.
ReadWritePaths = [ "/var/lib/bitwarden_rs" ]; I thought was a requirement when protectSystem is strict but I guess that's not the case when stateDirectory is used?
The following should have no affect
removed with, mostly to address the top level use of with lib; but also removed some pointless uses ( like on lists a single item long).
removed now pointless lib.mdDoc
applied the rfc style formatting.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[SuperSandro2000]

Please drop the reformatting. Also the lib.mdDoc changes while technically no longer needed, will be eventually be removed by a treewide change and only add noise to the PR and cause conflicts with other PRs open.

[SuperSandro2000]

Please also include the backup hardening options from f7b63db#diff-8245e51bae8611eb979f6b30b0938c936f8d046396b7d3bb9c204b2cb7ad4b74

[fsnkty]

Please drop the reformatting. Also the lib.mdDoc changes while technically no longer needed, will be eventually be removed by a treewide change and only add noise to the PR and cause conflicts with other PRs open.

1. Will do
2. Yeah am now aware from another comment on a different PR, I had asked around about why there was seemingly no plan to treewide remove lib.mdDoc before hand so had just thrown it in if i was making a pr for something else. any suggestions on how i can better keep up with the plans for things like this? Will also remove this, thanks.

[fsnkty]

ah forgot to update the following commit replacing with oops!

[SuperSandro2000]

2. Yeah am now aware from another comment on a different PR, I had asked around about why there was seemingly no plan to treewide remove lib.mdDoc before hand so had just thrown it in if i was making a pr for something else. any suggestions on how i can better keep up with the plans for things like this? Will also remove this, thanks.

I don't know, it just made the PR pretty big and harder for me to review

[fsnkty]

to fixup

sighs you'd think I'd have figured how to rename a commit by now.

[fsnkty]

rebasing onto master. backup-vaultwarden's ReadOnlyDirectories had mkIf and hasPrefix from no where, adding lib. ? seems to be me misunderstanding git again.

for now ill make what i can source configEnv.DATA_FOLDER, I'm going to drop the move to vaultwarden over bitwarden_rs in the path in this commit as that seems like it should be done separately. the 2nd commit does this dependent on state version but i have low confidence in the quality of my solution, explanation of potential issues with it would be appreciated.

there should also be a release note for this breaking change right?

[fsnkty]

been using this seemingly without issue since I made the push. systems on 24.05 (host "library" here
I don't use the included backup service however so confirmation from anyone using it would be great :)

changes addressed

[SuperSandro2000]

I don't use the included backup service however so confirmation from anyone using it would be great :)

We can merge #292857 first to get a test.

[fsnkty]

with #292857 being merged ( thanks sandro ) how do we go about getting this PR tested with it?

[leona-ya]

I rebased this PR on master for testing and ran nixosTests.vaultwarden.

It seems that every tests fails with

server # [   17.057818] vaultwarden[1060]: Error: Rocket.
server # [   17.059276] vaultwarden[1060]: [CAUSE] Bind(
server # [   17.059876] vaultwarden[1060]:     Os {
server # [   17.071526] vaultwarden[1060]:         code: 13,
server # [   17.072214] vaultwarden[1060]:         kind: PermissionDenied,
server # [   17.072977] vaultwarden[1060]:         message: "Permission denied",
server # [   17.073809] vaultwarden[1060]:     },

and additionally the vaultwarden.mysql test shows

mysql-start[970]: 2024-06-16  9:49:56 59 [Warning] Aborted connection 59 to db: 'bitwarden' user: 'bitwardenuser' host: 'localhost' (Got an error reading communication packets)

but unsure whether this is just because vaultwarden doesn't start at all.

[leona-ya]

This should by now be 24.11 probably.

[SuperSandro2000]

My plan is to first merge hexa's PR and then sort out what's left over in this one.

[SuperSandro2000]

@fsnkty can you please rebase on master?

[fsnkty]

well that push was a disaster, evidently I am unable to rebase on master xP
I wont have the time or setup to work on this for the foreseeable future so its likely best you handle this however you see fit in another PR @SuperSandro2000
just to note I agree with @leona-ya's change request to change the minimum state version up a stage