vaultwarden: Add update script to keep web vault in sync

- Adds an update script to fetch the compatible web vault version
- Removes `vaultwarden-vault` from top-level to prevent independent
  updates through e.g. r-ryantm. Istead the vault is now accessible
  at `vaultwarden.webvault`.
- The name webvault was chosen because it is the title of the projects
  README and it makes it clearer, that this is the web UI.

nixos/modules/services/security/vaultwarden/default.nix

@@ -162,8 +162,8 @@ in {
 
     webVaultPackage = mkOption {
       type = package;
-      default = pkgs.vaultwarden-vault;
-      defaultText = literalExpression "pkgs.vaultwarden-vault";
+      default = pkgs.vaultwarden.webvault;
+      defaultText = literalExpression "pkgs.vaultwarden.webvault";
       description = lib.mdDoc "Web vault package to use.";
     };
   };

pkgs/tools/security/vaultwarden/default.nix

@@ -1,8 +1,12 @@
-{ lib, stdenv, rustPlatform, fetchFromGitHub, fetchurl, nixosTests
+{ lib, stdenv, callPackage, rustPlatform, fetchFromGitHub, fetchurl, nixosTests
 , pkg-config, openssl
 , libiconv, Security, CoreServices
 , dbBackend ? "sqlite", libmysqlclient, postgresql }:
 
+let
+  webvault = callPackage ./webvault.nix {};
+in
+
 rustPlatform.buildRustPackage rec {
   pname = "vaultwarden";
   version = "1.26.0";
@@ -34,7 +38,11 @@ rustPlatform.buildRustPackage rec {
 
   buildFeatures = dbBackend;
 
-  passthru.tests = nixosTests.vaultwarden;
+  passthru = {
+    inherit webvault;
+    tests = nixosTests.vaultwarden;
+    updateScript = callPackage ./update.nix {};
+  };
 
   meta = with lib; {
     description = "Unofficial Bitwarden compatible server written in Rust";

pkgs/tools/security/vaultwarden/update.nix

@@ -0,0 +1,22 @@
+{ writeShellScript
+, lib
+, nix-update
+, curl
+, git
+, gnugrep
+, gnused
+, jq
+}:
+
+writeShellScript "update-vaultwarden" ''
+  PATH=${lib.makeBinPath [ curl git gnugrep gnused jq nix-update ]}
+
+  set -euxo pipefail
+
+  VAULTWARDEN_VERSION=$(curl --silent https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | jq -r '.tag_name')
+  nix-update "vaultwarden" --version "$VAULTWARDEN_VERSION"
+
+  URL="https://raw.githubusercontent.com/dani-garcia/vaultwarden/''${VAULTWARDEN_VERSION}/docker/Dockerfile.j2"
+  WEBVAULT_VERSION=$(curl --silent "$URL" | grep "set vault_version" | sed -E "s/.*\"([^\"]+)\".*/\\1/")
+  nix-update "vaultwarden.webvault" --version "$WEBVAULT_VERSION"
+''

pkgs/tools/security/vaultwarden/webvault.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, nixosTests }:
 
 stdenv.mkDerivation rec {
-  pname = "vaultwarden-vault";
+  pname = "vaultwarden-webvault";
   version = "2022.11.1";
 
   src = fetchurl {

pkgs/top-level/aliases.nix

@@ -1558,6 +1558,7 @@ mapAliases ({
   varnish63 = throw "varnish63 was removed from nixpkgs, because it is unmaintained upstream. Please switch to a different release"; # Added 2021-07-26
   varnish65 = throw "varnish65 was removed from nixpkgs, because it is unmaintained upstream. Please switch to a different release"; # Added 2021-09-15
   varnish70 = throw "varnish70 was removed from nixpkgs, because it was superseded upstream. Please switch to a different release"; # Added 2022-03-17
+  vaultwarden-vault = vaultwarden.webvault; # Added 2022-12-13
   varnish71 = throw "varnish71 was removed from nixpkgs, because it was superseded upstream. Please switch to a different release"; # Added 2022-11-08
   vdirsyncerStable  = vdirsyncer; # Added 2020-11-08, see https://github.com/NixOS/nixpkgs/issues/103026#issuecomment-723428168
   venus = throw "venus has been removed from nixpkgs, as it's unmaintained"; # Added 2021-02-05

pkgs/top-level/all-packages.nix

@@ -37528,8 +37528,6 @@ with pkgs;
   vaultwarden-mysql = vaultwarden.override { dbBackend = "mysql"; };
   vaultwarden-postgresql = vaultwarden.override { dbBackend = "postgresql"; };
 
-  vaultwarden-vault = callPackage ../tools/security/vaultwarden/vault.nix { };
-
   vazir-fonts = callPackage ../data/fonts/vazir-fonts { };
 
   vhs = callPackage ../applications/misc/vhs { };