Compare commits
35 Commits
0.3.0+1.26
...
issue-6
| Author | SHA1 | Date | |
|---|---|---|---|
| cab11b0e2a | |||
| 938e4671b4 | |||
| 96c7c18029 | |||
936d2c7044
|
|||
| 705f81dfb2 | |||
| 913b973b6b | |||
| 9e66edca72 | |||
| 40d49eb4c3 | |||
| 6cf7412473 | |||
| 20ddaec548 | |||
| e29a5a9ce3 | |||
| 3274ef6feb | |||
| c48778f942 | |||
| d52c9d220e | |||
| 7de85bb0b5 | |||
| 2c76e6640f | |||
| b286befb98 | |||
| b47b82d15a | |||
| b0d701b0e8 | |||
| 7f60d33d21 | |||
| 57a40cfaa1 | |||
| 373db38548 | |||
| 4c50e82865 | |||
| 06c0d8ffd4 | |||
| 371fa36d15 | |||
| c3dbb3e4dd | |||
| 8ef06543d2 | |||
| c59446cca2 | |||
| 88210401bd | |||
| 94a6b11bc8 | |||
| e98ebf7440 | |||
| 16e12cd293 | |||
| d5ef9db98f | |||
| 03f734de7d | |||
| 28d0e9498b |
@ -3,7 +3,7 @@ kind: pipeline
|
||||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: decentral1se/stack-ssh-deploy:latest
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: vaultwarden
|
||||
@ -34,7 +34,7 @@ steps:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- coop-cloud/auto-recipes-catalogue-json
|
||||
- toolshed/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
|
||||
18
.env.sample
18
.env.sample
@ -3,6 +3,8 @@ TYPE=vaultwarden
|
||||
DOMAIN=vaultwarden.example.com
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
WEBSOCKET_ENABLED=true
|
||||
SIGNUPS_ALLOWED=true
|
||||
|
||||
@ -12,3 +14,19 @@ LOG_FILE=/data/vaultwarden.log
|
||||
LOG_LEVEL=warn
|
||||
|
||||
SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
|
||||
|
||||
TX="Europe/Berlin"
|
||||
|
||||
## DB settings
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
|
||||
#SECRET_DB_PASSWORD_VERSION=v1
|
||||
#SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
|
||||
## SMTP settings
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
|
||||
#SECRET_SMTP_PASSWORD_VERSION=v1
|
||||
#SMTP_FROM=noreply@example.com
|
||||
#SMTP_USERNAME=noreply@example.com
|
||||
#SMTP_HOST=mail.example.com
|
||||
#SMTP_PORT=587
|
||||
#SMTP_SECURITY=starttls
|
||||
|
||||
@ -8,8 +8,8 @@
|
||||
* **Status**: 2, beta
|
||||
* **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
|
||||
* **Healthcheck**: 3
|
||||
* **Backups**: No
|
||||
* **Email**: No
|
||||
* **Backups**: Yes
|
||||
* **Email**: Yes
|
||||
* **Tests**: No
|
||||
* **SSO**: No
|
||||
|
||||
@ -21,6 +21,8 @@
|
||||
2. Deploy [`coop-cloud/traefik`]
|
||||
3. `abra app new vaultwarden`
|
||||
4. `abra app config YOURAPPDOMAIN`
|
||||
5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
|
||||
6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
|
||||
5. `abra app deploy YOURAPPDOMAIN`
|
||||
|
||||
[`abra`]: https://git.coopcloud.tech/coop-cloud/abra
|
||||
@ -28,6 +30,9 @@
|
||||
|
||||
## Tips & Tricks
|
||||
|
||||
### Using MariaDB instead of SQLite
|
||||
Just comment in the `DB settings` section in your .env
|
||||
|
||||
### Wiring up `fail2ban`
|
||||
|
||||
You need the following logging config:
|
||||
|
||||
21
abra.sh
21
abra.sh
@ -1,6 +1,25 @@
|
||||
export APP_ENTRYPOINT_VERSION=v1
|
||||
export APP_ENTRYPOINT_VERSION=v4
|
||||
APP_DIR="app:/data"
|
||||
|
||||
insert_vaultwarden_admin_token() {
|
||||
if ! command -v argon2 &> /dev/null; then
|
||||
echo "argon2 could not be found, please install it to proceed."
|
||||
exit 1
|
||||
fi
|
||||
PASS=$(openssl rand 64 | openssl enc -A -base64)
|
||||
# -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
|
||||
HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
|
||||
|
||||
if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
|
||||
echo "Vaultwarden Admin Token is:"
|
||||
echo "$PASS"
|
||||
echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
|
||||
else
|
||||
echo "Failed to insert admin token."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
_backup_app() {
|
||||
# Copied _abra_backup_dir to make UX better on restore and backup
|
||||
{
|
||||
|
||||
51
compose.mariadb.yml
Normal file
51
compose.mariadb.yml
Normal file
@ -0,0 +1,51 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
# DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
|
||||
- MYSQL_HOST=db
|
||||
- MYSQL_DATABASE=vaultwarden
|
||||
- MYSQL_USER=vaultwarden
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
secrets:
|
||||
- db_password
|
||||
|
||||
db:
|
||||
image: "mariadb:10.6" # or "mysql"
|
||||
environment:
|
||||
- MYSQL_DATABASE=vaultwarden
|
||||
- MYSQL_USER=vaultwarden
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
|
||||
- MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
|
||||
secrets:
|
||||
- db_root_password
|
||||
- db_password
|
||||
volumes:
|
||||
- "mariadb:/var/lib/mysql"
|
||||
networks:
|
||||
- internal
|
||||
deploy:
|
||||
labels:
|
||||
backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
|
||||
backupbot.backup.volumes.mariadb.path: "backup.sql"
|
||||
backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping']
|
||||
interval: 5s
|
||||
timeout: 10s
|
||||
retries: 0
|
||||
start_period: 1m
|
||||
|
||||
secrets:
|
||||
db_root_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
|
||||
db_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||
|
||||
volumes:
|
||||
mariadb:
|
||||
19
compose.smtp.yml
Normal file
19
compose.smtp.yml
Normal file
@ -0,0 +1,19 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
secrets:
|
||||
- smtp_password
|
||||
environment:
|
||||
- "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
|
||||
- "SMTP_FROM"
|
||||
- "SMTP_USERNAME"
|
||||
- "SMTP_HOST"
|
||||
- "SMTP_PORT"
|
||||
- "SMTP_SECURITY"
|
||||
|
||||
secrets:
|
||||
smtp_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
|
||||
10
compose.yml
10
compose.yml
@ -3,9 +3,10 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: vaultwarden/server:1.26.0
|
||||
image: vaultwarden/server:1.33.2
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
environment:
|
||||
- "DOMAIN=https://$DOMAIN"
|
||||
- "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
|
||||
@ -15,11 +16,13 @@ services:
|
||||
- "EXTENDED_LOGGING=$EXTENDED_LOGGING"
|
||||
- "LOG_FILE=$LOG_FILE"
|
||||
- "LOG_LEVEL=$LOG_LEVEL"
|
||||
- "TX=${TX:-Europe/Berlin}"
|
||||
configs:
|
||||
- source: app_entrypoint
|
||||
target: /docker-entrypoint.sh
|
||||
mode: 0555
|
||||
entrypoint: /docker-entrypoint.sh
|
||||
# entrypoint: ['tail', '-f', '/dev/null']
|
||||
command: /start.sh
|
||||
secrets:
|
||||
- admin_token
|
||||
@ -39,7 +42,9 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.2.0+1.26.0"
|
||||
- "coop-cloud.${STACK_NAME}.version=1.1.0+1.33.2"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/data"
|
||||
|
||||
volumes:
|
||||
vaultwarden_data:
|
||||
@ -47,6 +52,7 @@ volumes:
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
internal:
|
||||
|
||||
configs:
|
||||
app_entrypoint:
|
||||
|
||||
@ -1,6 +1,24 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
umask 027
|
||||
|
||||
# set DATABASE_URL with db_password
|
||||
set_db_url() {
|
||||
if test -f "/var/run/secrets/db_password"; then
|
||||
pwd=`cat /var/run/secrets/db_password`
|
||||
if [ -z $pwd ]; then
|
||||
echo >&2 "error: /var/run/secrets/db_password is empty"
|
||||
exit 1
|
||||
fi
|
||||
echo "entrypoint.sh setting DATABASE_URL"
|
||||
export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
|
||||
unset "pwd"
|
||||
else
|
||||
echo >&2 "error: /var/run/secrets/db_password does not exist"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
@ -24,7 +42,15 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
if [ -n "${MYSQL_HOST}" ]; then
|
||||
set_db_url
|
||||
fi
|
||||
|
||||
file_env "ADMIN_TOKEN"
|
||||
file_env "SMTP_PASSWORD"
|
||||
|
||||
# remove world permissions on data
|
||||
chmod -R o= /data
|
||||
|
||||
# upstream startup command
|
||||
# https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
|
||||
|
||||
1
release/1.0.0+1.32.3
Normal file
1
release/1.0.0+1.32.3
Normal file
@ -0,0 +1 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
1
release/1.0.1+1.32.5
Normal file
1
release/1.0.1+1.32.5
Normal file
@ -0,0 +1 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
1
release/1.0.2+1.32.5
Normal file
1
release/1.0.2+1.32.5
Normal file
@ -0,0 +1 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
1
release/1.0.3+1.32.5
Normal file
1
release/1.0.3+1.32.5
Normal file
@ -0,0 +1 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
1
release/1.0.4+1.32.7
Normal file
1
release/1.0.4+1.32.7
Normal file
@ -0,0 +1 @@
|
||||
bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.
|
||||
Reference in New Issue
Block a user