nixos/vaultwarden: backup all rsa_keys

[caffineehacker]

The official documentation mentions rsa_key* as what should be backed up (https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#the-rsa_key-files). My particular install has rsa_key.pem and rsa_key.pub.pem so the existing command fails when trying to copy rsa_key.der. This change better aligns with the official documentation.

Description of changes

This is a simple change to just copy all rsa_key.* files instead of specific extensions. This commit to vaultwarden actually removed the use of .der files: dani-garcia/vaultwarden@46e0f3c

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[caffineehacker]

@dotlambda @SuperSandro2000 looks like this didn't get auto assigned

[SuperSandro2000]

My particular install has rsa_key.pem and rsa_key.pub.pem so the existing command fails when trying to copy rsa_key.der. This change better aligns with the official documentation.

same for mine

[SuperSandro2000]

LGTM

[dotlambda]

Why don't we backup sends and config.json?

[caffineehacker]

Why don't we backup sends and config.json?

We probably should, but note that config.json is only there if the user has changed settings via the admin page (I think, may get created in other ways, but it won't be in every install). We should probably do a command that copies everything in data except the sqlite files. I can take a look at making that work tomorrow.

[SuperSandro2000]

Lets merge #292857 first, to know if the backups work at all.

[caffineehacker]

@SuperSandro2000 What are your thoughts on doing the same logic before doing the sqlite dump? Technically this backup script could be used with another backing DB (although a lot less useful). I know the script still continues executing, but it does produce error messages in the logs.

[SuperSandro2000]

sure, why not

[SuperSandro2000]

Can you rebase to draw in the above PR and adjust the test accordingly? That would be awesome

[caffineehacker]

Can you rebase to draw in the above PR and adjust the test accordingly? That would be awesome

Done. I've done some further refinements which should reduce unnecessary errors. I'm on the fence as to whether not having the script return code 0 if the data directory doesn't exist is the right thing or not. It doesn't fail the tests to not have it, but it does show up in red during testing and in the journald logs.

[caffineehacker]

Please let me know if there is anything else waiting on me before this can be merged. No rush, just want to make sure I didn't miss an action item.