increase healthcheck retries

Reviewed-on: #11

.drone.yml

@@ -0,0 +1,40 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vaultwarden
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: vaultwarden.swarm-test.autonomic.zone
+      STACK_NAME: vaultwarden
+      LETS_ENCRYPT_ENV: production
+      APP_ENTRYPOINT_VERSION: v1
+      SECRET_ADMIN_TOKEN_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -1,7 +1,33 @@
 TYPE=vaultwarden
 
 DOMAIN=vaultwarden.example.com
-
-## Domain aliases
-#EXTRA_DOMAINS=', `www.vaultwarden.example.com`'
 LETS_ENCRYPT_ENV=production
+
+COMPOSE_FILE="compose.yml"
+
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=true
+
+USE_SYSLOG=true
+EXTENDED_LOGGING=true
+LOG_FILE=/data/vaultwarden.log
+LOG_LEVEL=warn
+
+SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
+
+TX="Europe/Berlin"
+
+## DB settings
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+#SECRET_DB_PASSWORD_VERSION=v1
+#SECRET_DB_ROOT_PASSWORD_VERSION=v1
+
+## SMTP settings
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+#SMTP_ENABLED=1
+#SMTP_FROM=noreply@example.com
+#SMTP_USERNAME=noreply@example.com
+#SMTP_HOST=mail.example.com
+#SMTP_PORT=587
+#SMTP_SECURITY=starttls

README.md

@@ -1,30 +1,49 @@
 # vaultwarden
 
-TODO
+> Open source password manager
 
 <!-- metadata -->
 
 * **Category**: Apps
-* **Status**:
-* **Image**:
-* **Healthcheck**:
-* **Backups**:
-* **Email**:
-* **Tests**:
-* **SSO**:
+* **Status**: 2, beta
+* **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
+* **Healthcheck**: 3
+* **Backups**: Yes
+* **Email**: Yes
+* **Tests**: No
+* **SSO**: No
 
 <!-- endmetadata -->
 
-## Basic usage
+## Quick start
 
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
-3. `abra app new ${REPO_NAME} --secrets` (optionally with `--pass` if you'd like
-   to save secrets in `pass`)
-4. `abra app YOURAPPDOMAIN config` - be sure to change `$DOMAIN` to something that resolves to
-   your Docker swarm box
-5. `abra app YOURAPPDOMAIN deploy`
-6. Open the configured domain in your browser to finish set-up
+3. `abra app new vaultwarden`
+4. `abra app config YOURAPPDOMAIN`
+5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
+6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
+5. `abra app deploy YOURAPPDOMAIN`
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
+
+## Tips & Tricks
+
+### Using MariaDB instead of SQLite
+Just comment in the `DB settings` section in your .env
+
+### Wiring up `fail2ban`
+
+You need the following logging config:
+
+```
+USE_SYSLOG=true
+EXTENDED_LOGGING=true
+LOG_FILE=/data/vaultwarden.log
+LOG_LEVEL=warn
+```
+
+Then follow [this guide](https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup).
+
+And you must use `COMPOSE_FILE="$COMPOSE_FILE:compose.host.yml"` in your traefik config to get real IPs.

abra.sh

@@ -0,0 +1,49 @@
+export APP_ENTRYPOINT_VERSION=v4
+APP_DIR="app:/data"
+
+insert_vaultwarden_admin_token() {
+  if ! command -v argon2 &> /dev/null; then
+    echo "argon2 is required on your local machine to hash the admin token."
+    echo "It could not be found in your PATH, please install argon2 to proceed."
+    echo "For example: On a debian/ubuntu system, run `apt install argon2`"
+    exit 1
+  fi
+  PASS=$(openssl rand 64 | openssl enc -A -base64)
+  # -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
+  HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
+
+  if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
+    echo "Vaultwarden Admin Token is:"
+    echo "$PASS"
+    echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
+  else
+    echo "Failed to insert admin token."
+    exit 1
+  fi
+}
+
+_backup_app() {
+  # Copied _abra_backup_dir to make UX better on restore and backup
+  {
+    abra__src_="$1"
+    abra__dst_="-"
+  }
+
+  # shellcheck disable=SC2154
+  FILENAME="$(basename "$1").tar"
+
+  debug "Copying '$1' to '$FILENAME'"
+
+  silence
+  mkdir -p /tmp/abra
+  sub_app_cp > /tmp/abra/$FILENAME
+  unsilence
+}
+
+abra_backup_app() {
+  # shellcheck disable=SC2154
+  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
+  # Cant be FILENAME as that gets changed by something
+  _backup_app $APP_DIR
+  success "Backed up 'app' to $ARK_FILENAME"
+}

compose.mariadb.yml

@@ -0,0 +1,51 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+    # DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
+    - MYSQL_HOST=db
+    - MYSQL_DATABASE=vaultwarden
+    - MYSQL_USER=vaultwarden
+    - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+    secrets:
+      - db_password
+
+  db:
+    image: "mariadb:10.11" # or "mysql"
+    environment:
+      - MYSQL_DATABASE=vaultwarden
+      - MYSQL_USER=vaultwarden
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
+    secrets:
+      - db_root_password
+      - db_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
+        backupbot.backup.volumes.mariadb.path: "backup.sql"
+        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
+    healthcheck:
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      interval: 30s
+      timeout: 10s
+      retries: 30
+      start_period: 1m
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
+volumes:
+  mariadb:

compose.smtp.yml

@@ -0,0 +1,20 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - "SMTP_ENABLED"
+      - "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
+      - "SMTP_FROM"
+      - "SMTP_USERNAME"
+      - "SMTP_HOST"
+      - "SMTP_PORT"
+      - "SMTP_SECURITY"
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.yml

@@ -3,37 +3,49 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.25.0
+    image: vaultwarden/server:1.34.3
     networks:
       - proxy
+      - internal
     environment:
       - "DOMAIN=https://$DOMAIN"
-      - "WEBSOCKET_ENABLED=true"
-      - "ADMIN_TOKEN=test"
-      # - SIGNUPS_ALLOWED: $$cap_register_enabled
-      # - ADMIN_TOKEN: $$cap_admin_token
+      - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
+      - "SIGNUPS_ALLOWED=$SIGNUPS_ALLOWED"
+      - "ADMIN_TOKEN_FILE=/run/secrets/admin_token"
+      - "USE_SYSLOG=$USE_SYSLOG"
+      - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
+      - "LOG_FILE=$LOG_FILE"
+      - "LOG_LEVEL=$LOG_LEVEL"
+      - "TX=${TX:-Europe/Berlin}"
+    configs:
+      - source: app_entrypoint
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
+    # entrypoint: ['tail', '-f', '/dev/null']
+    command: /start.sh
+    secrets:
+      - admin_token
     volumes:
       - vaultwarden_data:/data
+    healthcheck:
+      test: curl -f http://localhost/alive || exit 1
+      interval: 30s
+      timeout: 10s
+      retries: 30
+      start_period: 1m
     deploy:
       restart_policy:
         condition: on-failure
       labels:
         - "traefik.enable=true"
         - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+1.25.0"
-        ## Redirect from EXTRA_DOMAINS to DOMAIN
-        #- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        #- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-    # healthcheck:
-    #   test: ["CMD", "curl", "-f", "http://localhost"]
-    #   interval: 30s
-    #   timeout: 10s
-    #   retries: 10
-    #   start_period: 1m
+        - "coop-cloud.${STACK_NAME}.version=2.1.1+1.34.3"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/data"
 
 volumes:
   vaultwarden_data:
@@ -41,3 +53,15 @@ volumes:
 networks:
   proxy:
     external: true
+  internal:
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
+
+secrets:
+  admin_token:
+    external: true
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_VERSION}

entrypoint.sh.tmpl

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+umask 027
+
+# set DATABASE_URL with db_password
+set_db_url() {
+   if test -f "/var/run/secrets/db_password"; then
+      pwd=`cat /var/run/secrets/db_password`
+      if [ -z $pwd ]; then
+         echo >&2 "error: /var/run/secrets/db_password is empty"
+         exit 1
+      fi
+      echo "entrypoint.sh setting DATABASE_URL"
+      export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
+      unset "pwd"
+   else
+      echo >&2 "error: /var/run/secrets/db_password does not exist"
+      exit 1
+   fi
+}
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+   local def="${2:-}"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   local val="$def"
+
+   if [ "${!var:-}" ]; then
+      val="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      val="$(< "${!fileVar}")"
+   fi
+
+   export "$var"="$val"
+   unset "$fileVar"
+}
+
+if [ -n "${MYSQL_HOST}" ]; then
+   set_db_url
+fi
+
+file_env "ADMIN_TOKEN"
+
+{{ if eq (env "SMTP_ENABLED") "1" }}
+file_env "SMTP_PASSWORD"
+{{ end }}
+
+# remove world permissions on data
+chmod -R o= /data
+
+# upstream startup command
+# https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
+/start.sh

release/1.0.0+1.32.3

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -0,0 +1 @@
+bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.

release/2.0.0+1.33.2

@@ -0,0 +1,15 @@
+=== SMTP SETTINGS ===
+This release contains a *breaking change* if you use SMTP with vaultwarden.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
+
+TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
+
+=== PERMISSIONS ===
+
+Previously, the data directory including the main private key had read
+permissions enabled for all host users. This release fixes that. Please review
+your Vaultwarden keys if other users on your Co-op Cloud host may have had
+access to these files.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.