.drone.yml

@@ -1,40 +0,0 @@
----
-kind: pipeline
-name: deploy to swarm-test.autonomic.zone
-steps:
-  - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
-    settings:
-      host: swarm-test.autonomic.zone
-      stack: vaultwarden
-      generate_secrets: true
-      purge: true
-      deploy_key:
-        from_secret: drone_ssh_swarm_test
-      networks:
-        - proxy
-    environment:
-      DOMAIN: vaultwarden.swarm-test.autonomic.zone
-      STACK_NAME: vaultwarden
-      LETS_ENCRYPT_ENV: production
-      APP_ENTRYPOINT_VERSION: v1
-      SECRET_ADMIN_TOKEN_VERSION: v1
-trigger:
-  branch:
-    - main
----
-kind: pipeline
-name: generate recipe catalogue
-steps:
-  - name: release a new version
-    image: plugins/downstream
-    settings:
-      server: https://build.coopcloud.tech
-      token:
-        from_secret: drone_abra-bot_token
-      fork: true
-      repositories:
-        - toolshed/auto-recipes-catalogue-json
-
-trigger:
-  event: tag

.env.sample

@@ -3,8 +3,6 @@ TYPE=vaultwarden
 DOMAIN=vaultwarden.example.com
 LETS_ENCRYPT_ENV=production
 
-COMPOSE_FILE="compose.yml"
-
 WEBSOCKET_ENABLED=true
 SIGNUPS_ALLOWED=true
 
@@ -14,20 +12,3 @@ LOG_FILE=/data/vaultwarden.log
 LOG_LEVEL=warn
 
 SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
-
-TX="Europe/Berlin"
-
-## DB settings
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
-#SECRET_DB_PASSWORD_VERSION=v1
-#SECRET_DB_ROOT_PASSWORD_VERSION=v1
-
-## SMTP settings
-#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
-#SECRET_SMTP_PASSWORD_VERSION=v1
-#SMTP_ENABLED=1
-#SMTP_FROM=noreply@example.com
-#SMTP_USERNAME=noreply@example.com
-#SMTP_HOST=mail.example.com
-#SMTP_PORT=587
-#SMTP_SECURITY=starttls

README.md

@@ -8,8 +8,8 @@
 * **Status**: 2, beta
 * **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
 * **Healthcheck**: 3
-* **Backups**: Yes
+* **Backups**: No
-* **Email**: Yes
+* **Email**: No
 * **Tests**: No
 * **SSO**: No
 
@@ -20,19 +20,14 @@
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
 3. `abra app new vaultwarden`
-4. `abra app config YOURAPPDOMAIN`
+4. `abra app YOURAPPDOMAIN config`
-5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
+5. `abra app YOURAPPDOMAIN deploy`
-6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
-5. `abra app deploy YOURAPPDOMAIN`
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
 
 ## Tips & Tricks
 
-### Using MariaDB instead of SQLite
-Just comment in the `DB settings` section in your .env
-
 ### Wiring up `fail2ban`
 
 You need the following logging config:

abra.sh

@@ -1,49 +1 @@
-export APP_ENTRYPOINT_VERSION=v4
+export APP_ENTRYPOINT_VERSION=v1
-APP_DIR="app:/data"
-
-insert_vaultwarden_admin_token() {
-  if ! command -v argon2 &> /dev/null; then
-    echo "argon2 is required on your local machine to hash the admin token."
-    echo "It could not be found in your PATH, please install argon2 to proceed."
-    echo "For example: On a debian/ubuntu system, run `apt install argon2`"
-    exit 1
-  fi
-  PASS=$(openssl rand 64 | openssl enc -A -base64)
-  # -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
-  HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
-
-  if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
-    echo "Vaultwarden Admin Token is:"
-    echo "$PASS"
-    echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
-  else
-    echo "Failed to insert admin token."
-    exit 1
-  fi
-}
-
-_backup_app() {
-  # Copied _abra_backup_dir to make UX better on restore and backup
-  {
-    abra__src_="$1"
-    abra__dst_="-"
-  }
-
-  # shellcheck disable=SC2154
-  FILENAME="$(basename "$1").tar"
-
-  debug "Copying '$1' to '$FILENAME'"
-
-  silence
-  mkdir -p /tmp/abra
-  sub_app_cp > /tmp/abra/$FILENAME
-  unsilence
-}
-
-abra_backup_app() {
-  # shellcheck disable=SC2154
-  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
-  # Cant be FILENAME as that gets changed by something
-  _backup_app $APP_DIR
-  success "Backed up 'app' to $ARK_FILENAME"
-}

compose.mariadb.yml

@@ -1,51 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment:
-    # DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
-    - MYSQL_HOST=db
-    - MYSQL_DATABASE=vaultwarden
-    - MYSQL_USER=vaultwarden
-    - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-    secrets:
-      - db_password
-
-  db:
-    image: "mariadb:10.11" # or "mysql"
-    environment:
-      - MYSQL_DATABASE=vaultwarden
-      - MYSQL_USER=vaultwarden
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
-    secrets:
-      - db_root_password
-      - db_password
-    volumes:
-      - "mariadb:/var/lib/mysql"
-    networks:
-      - internal
-    deploy:
-      labels:
-        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
-        backupbot.backup.volumes.mariadb.path: "backup.sql"
-        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
-    healthcheck:
-      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
-      interval: 5s
-      timeout: 10s
-      retries: 0
-      start_period: 1m
-
-secrets:
-  db_root_password:
-    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-
-volumes:
-  mariadb:

compose.smtp.yml

@@ -1,20 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    secrets:
-      - smtp_password
-    environment:
-      - "SMTP_ENABLED"
-      - "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
-      - "SMTP_FROM"
-      - "SMTP_USERNAME"
-      - "SMTP_HOST"
-      - "SMTP_PORT"
-      - "SMTP_SECURITY"
-
-secrets:
-  smtp_password:
-    external: true
-    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.yml

@@ -3,10 +3,9 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.34.1
+    image: vaultwarden/server:1.26.0
     networks:
       - proxy
-      - internal
     environment:
       - "DOMAIN=https://$DOMAIN"
       - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
@@ -16,13 +15,11 @@ services:
       - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
       - "LOG_FILE=$LOG_FILE"
       - "LOG_LEVEL=$LOG_LEVEL"
-      - "TX=${TX:-Europe/Berlin}"
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
     entrypoint: /docker-entrypoint.sh
-    # entrypoint: ['tail', '-f', '/dev/null']
     command: /start.sh
     secrets:
       - admin_token
@@ -42,9 +39,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=2.1.0+1.34.1"
+        - "coop-cloud.${STACK_NAME}.version=0.1.1+1.26.0"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/data"
 
 volumes:
   vaultwarden_data:
@@ -52,7 +47,6 @@ volumes:
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   app_entrypoint:

entrypoint.sh.tmpl

@@ -1,24 +1,6 @@
 #!/bin/bash
 
 set -e
-umask 027
-
-# set DATABASE_URL with db_password
-set_db_url() {
-   if test -f "/var/run/secrets/db_password"; then
-      pwd=`cat /var/run/secrets/db_password`
-      if [ -z $pwd ]; then
-         echo >&2 "error: /var/run/secrets/db_password is empty"
-         exit 1
-      fi
-      echo "entrypoint.sh setting DATABASE_URL"
-      export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
-      unset "pwd"
-   else
-      echo >&2 "error: /var/run/secrets/db_password does not exist"
-      exit 1
-   fi
-}
 
 file_env() {
    local var="$1"
@@ -42,19 +24,8 @@ file_env() {
    unset "$fileVar"
 }
 
-if [ -n "${MYSQL_HOST}" ]; then
-   set_db_url
-fi
-
 file_env "ADMIN_TOKEN"
 
-{{ if eq (env "SMTP_ENABLED") "1" }}
-file_env "SMTP_PASSWORD"
-{{ end }}
-
-# remove world permissions on data
-chmod -R o= /data
-
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh

release/1.0.0+1.32.3

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -1 +0,0 @@
-bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.

release/2.0.0+1.33.2

@@ -1,15 +0,0 @@
-=== SMTP SETTINGS ===
-This release contains a *breaking change* if you use SMTP with vaultwarden.
-
-See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
-
-TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
-
-=== PERMISSIONS ===
-
-Previously, the data directory including the main private key had read
-permissions enabled for all host users. This release fixes that. Please review
-your Vaultwarden keys if other users on your Co-op Cloud host may have had
-access to these files.
-
-See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.