fix: remove world access to existing data

.drone.yml

@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - coop-cloud/auto-recipes-catalogue-json
+        - toolshed/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -15,6 +15,8 @@ LOG_LEVEL=warn
 
 SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
 
+TX="Europe/Berlin"
+
 ## DB settings
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
 #SECRET_DB_PASSWORD_VERSION=v1

abra.sh

@@ -1,4 +1,4 @@
-export APP_ENTRYPOINT_VERSION=v2
+export APP_ENTRYPOINT_VERSION=v4
 APP_DIR="app:/data"
 
 insert_vaultwarden_admin_token() {

compose.mariadb.yml

@@ -29,9 +29,9 @@ services:
       - internal
     deploy:
       labels:
-        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $MYSQL_DATABASE > /var/lib/mysql/backup.sql'
+        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
         backupbot.backup.volumes.mariadb.path: "backup.sql"
-        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $MYSQL_DATABASE < /var/lib/mysql/backup.sql'
+        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
     healthcheck:
       test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
       interval: 5s

compose.yml

@@ -3,7 +3,7 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.32.5
+    image: vaultwarden/server:1.33.2
     networks:
       - proxy
       - internal
@@ -16,6 +16,7 @@ services:
       - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
       - "LOG_FILE=$LOG_FILE"
       - "LOG_LEVEL=$LOG_LEVEL"
+      - "TX=${TX:-Europe/Berlin}"
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
@@ -41,7 +42,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=1.0.2+1.32.5"
+        - "coop-cloud.${STACK_NAME}.version=1.1.0+1.33.2"
         - "backupbot.backup=true"
         - "backupbot.backup.path=/data"
 

entrypoint.sh.tmpl

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+umask 027
 
 # set DATABASE_URL with db_password
 set_db_url() {
@@ -48,6 +49,9 @@ fi
 file_env "ADMIN_TOKEN"
 file_env "SMTP_PASSWORD"
 
+# remove world permissions on data
+chmod -R o= /data
+
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh

release/1.0.0+1.32.3

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -0,0 +1 @@
+bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.