Compare commits
No commits in common. "main" and "main" have entirely different histories.
40
.drone.yml
40
.drone.yml
@ -1,40 +0,0 @@
|
||||
---
|
||||
kind: pipeline
|
||||
name: deploy to swarm-test.autonomic.zone
|
||||
steps:
|
||||
- name: deployment
|
||||
image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
|
||||
settings:
|
||||
host: swarm-test.autonomic.zone
|
||||
stack: vaultwarden
|
||||
generate_secrets: true
|
||||
purge: true
|
||||
deploy_key:
|
||||
from_secret: drone_ssh_swarm_test
|
||||
networks:
|
||||
- proxy
|
||||
environment:
|
||||
DOMAIN: vaultwarden.swarm-test.autonomic.zone
|
||||
STACK_NAME: vaultwarden
|
||||
LETS_ENCRYPT_ENV: production
|
||||
APP_ENTRYPOINT_VERSION: v1
|
||||
SECRET_ADMIN_TOKEN_VERSION: v1
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
---
|
||||
kind: pipeline
|
||||
name: generate recipe catalogue
|
||||
steps:
|
||||
- name: release a new version
|
||||
image: plugins/downstream
|
||||
settings:
|
||||
server: https://build.coopcloud.tech
|
||||
token:
|
||||
from_secret: drone_abra-bot_token
|
||||
fork: true
|
||||
repositories:
|
||||
- toolshed/auto-recipes-catalogue-json
|
||||
|
||||
trigger:
|
||||
event: tag
|
||||
19
.env.sample
19
.env.sample
@ -3,8 +3,6 @@ TYPE=vaultwarden
|
||||
DOMAIN=vaultwarden.example.com
|
||||
LETS_ENCRYPT_ENV=production
|
||||
|
||||
COMPOSE_FILE="compose.yml"
|
||||
|
||||
WEBSOCKET_ENABLED=true
|
||||
SIGNUPS_ALLOWED=true
|
||||
|
||||
@ -14,20 +12,3 @@ LOG_FILE=/data/vaultwarden.log
|
||||
LOG_LEVEL=warn
|
||||
|
||||
SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
|
||||
|
||||
TX="Europe/Berlin"
|
||||
|
||||
## DB settings
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
|
||||
#SECRET_DB_PASSWORD_VERSION=v1
|
||||
#SECRET_DB_ROOT_PASSWORD_VERSION=v1
|
||||
|
||||
## SMTP settings
|
||||
#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
|
||||
#SECRET_SMTP_PASSWORD_VERSION=v1
|
||||
#SMTP_ENABLED=1
|
||||
#SMTP_FROM=noreply@example.com
|
||||
#SMTP_USERNAME=noreply@example.com
|
||||
#SMTP_HOST=mail.example.com
|
||||
#SMTP_PORT=587
|
||||
#SMTP_SECURITY=starttls
|
||||
|
||||
13
README.md
13
README.md
@ -8,8 +8,8 @@
|
||||
* **Status**: 2, beta
|
||||
* **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
|
||||
* **Healthcheck**: 3
|
||||
* **Backups**: Yes
|
||||
* **Email**: Yes
|
||||
* **Backups**: No
|
||||
* **Email**: No
|
||||
* **Tests**: No
|
||||
* **SSO**: No
|
||||
|
||||
@ -20,19 +20,14 @@
|
||||
1. Set up Docker Swarm and [`abra`]
|
||||
2. Deploy [`coop-cloud/traefik`]
|
||||
3. `abra app new vaultwarden`
|
||||
4. `abra app config YOURAPPDOMAIN`
|
||||
5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
|
||||
6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
|
||||
5. `abra app deploy YOURAPPDOMAIN`
|
||||
4. `abra app YOURAPPDOMAIN config`
|
||||
5. `abra app YOURAPPDOMAIN deploy`
|
||||
|
||||
[`abra`]: https://git.coopcloud.tech/coop-cloud/abra
|
||||
[`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
|
||||
|
||||
## Tips & Tricks
|
||||
|
||||
### Using MariaDB instead of SQLite
|
||||
Just comment in the `DB settings` section in your .env
|
||||
|
||||
### Wiring up `fail2ban`
|
||||
|
||||
You need the following logging config:
|
||||
|
||||
50
abra.sh
50
abra.sh
@ -1,49 +1 @@
|
||||
export APP_ENTRYPOINT_VERSION=v4
|
||||
APP_DIR="app:/data"
|
||||
|
||||
insert_vaultwarden_admin_token() {
|
||||
if ! command -v argon2 &> /dev/null; then
|
||||
echo "argon2 is required on your local machine to hash the admin token."
|
||||
echo "It could not be found in your PATH, please install argon2 to proceed."
|
||||
echo "For example: On a debian/ubuntu system, run `apt install argon2`"
|
||||
exit 1
|
||||
fi
|
||||
PASS=$(openssl rand 64 | openssl enc -A -base64)
|
||||
# -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
|
||||
HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
|
||||
|
||||
if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
|
||||
echo "Vaultwarden Admin Token is:"
|
||||
echo "$PASS"
|
||||
echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
|
||||
else
|
||||
echo "Failed to insert admin token."
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
_backup_app() {
|
||||
# Copied _abra_backup_dir to make UX better on restore and backup
|
||||
{
|
||||
abra__src_="$1"
|
||||
abra__dst_="-"
|
||||
}
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
FILENAME="$(basename "$1").tar"
|
||||
|
||||
debug "Copying '$1' to '$FILENAME'"
|
||||
|
||||
silence
|
||||
mkdir -p /tmp/abra
|
||||
sub_app_cp > /tmp/abra/$FILENAME
|
||||
unsilence
|
||||
}
|
||||
|
||||
abra_backup_app() {
|
||||
# shellcheck disable=SC2154
|
||||
ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
|
||||
# Cant be FILENAME as that gets changed by something
|
||||
_backup_app $APP_DIR
|
||||
success "Backed up 'app' to $ARK_FILENAME"
|
||||
}
|
||||
export APP_ENTRYPOINT_VERSION=v1
|
||||
|
||||
@ -1,51 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
environment:
|
||||
# DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
|
||||
- MYSQL_HOST=db
|
||||
- MYSQL_DATABASE=vaultwarden
|
||||
- MYSQL_USER=vaultwarden
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
secrets:
|
||||
- db_password
|
||||
|
||||
db:
|
||||
image: "mariadb:10.6" # or "mysql"
|
||||
environment:
|
||||
- MYSQL_DATABASE=vaultwarden
|
||||
- MYSQL_USER=vaultwarden
|
||||
- MYSQL_PASSWORD_FILE=/run/secrets/db_password
|
||||
- MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
|
||||
- MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
|
||||
secrets:
|
||||
- db_root_password
|
||||
- db_password
|
||||
volumes:
|
||||
- "mariadb:/var/lib/mysql"
|
||||
networks:
|
||||
- internal
|
||||
deploy:
|
||||
labels:
|
||||
backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
|
||||
backupbot.backup.volumes.mariadb.path: "backup.sql"
|
||||
backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping']
|
||||
interval: 5s
|
||||
timeout: 10s
|
||||
retries: 0
|
||||
start_period: 1m
|
||||
|
||||
secrets:
|
||||
db_root_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
|
||||
db_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
|
||||
|
||||
volumes:
|
||||
mariadb:
|
||||
@ -1,20 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
secrets:
|
||||
- smtp_password
|
||||
environment:
|
||||
- "SMTP_ENABLED"
|
||||
- "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
|
||||
- "SMTP_FROM"
|
||||
- "SMTP_USERNAME"
|
||||
- "SMTP_HOST"
|
||||
- "SMTP_PORT"
|
||||
- "SMTP_SECURITY"
|
||||
|
||||
secrets:
|
||||
smtp_password:
|
||||
external: true
|
||||
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
|
||||
10
compose.yml
10
compose.yml
@ -3,10 +3,9 @@ version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: vaultwarden/server:1.33.2
|
||||
image: vaultwarden/server:1.26.0
|
||||
networks:
|
||||
- proxy
|
||||
- internal
|
||||
environment:
|
||||
- "DOMAIN=https://$DOMAIN"
|
||||
- "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
|
||||
@ -16,13 +15,11 @@ services:
|
||||
- "EXTENDED_LOGGING=$EXTENDED_LOGGING"
|
||||
- "LOG_FILE=$LOG_FILE"
|
||||
- "LOG_LEVEL=$LOG_LEVEL"
|
||||
- "TX=${TX:-Europe/Berlin}"
|
||||
configs:
|
||||
- source: app_entrypoint
|
||||
target: /docker-entrypoint.sh
|
||||
mode: 0555
|
||||
entrypoint: /docker-entrypoint.sh
|
||||
# entrypoint: ['tail', '-f', '/dev/null']
|
||||
command: /start.sh
|
||||
secrets:
|
||||
- admin_token
|
||||
@ -42,9 +39,7 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
|
||||
- "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
|
||||
- "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
||||
- "coop-cloud.${STACK_NAME}.version=2.0.0+1.33.2"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/data"
|
||||
- "coop-cloud.${STACK_NAME}.version=0.1.1+1.26.0"
|
||||
|
||||
volumes:
|
||||
vaultwarden_data:
|
||||
@ -52,7 +47,6 @@ volumes:
|
||||
networks:
|
||||
proxy:
|
||||
external: true
|
||||
internal:
|
||||
|
||||
configs:
|
||||
app_entrypoint:
|
||||
|
||||
@ -1,24 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
umask 027
|
||||
|
||||
# set DATABASE_URL with db_password
|
||||
set_db_url() {
|
||||
if test -f "/var/run/secrets/db_password"; then
|
||||
pwd=`cat /var/run/secrets/db_password`
|
||||
if [ -z $pwd ]; then
|
||||
echo >&2 "error: /var/run/secrets/db_password is empty"
|
||||
exit 1
|
||||
fi
|
||||
echo "entrypoint.sh setting DATABASE_URL"
|
||||
export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
|
||||
unset "pwd"
|
||||
else
|
||||
echo >&2 "error: /var/run/secrets/db_password does not exist"
|
||||
exit 1
|
||||
fi
|
||||
}
|
||||
|
||||
file_env() {
|
||||
local var="$1"
|
||||
@ -42,19 +24,8 @@ file_env() {
|
||||
unset "$fileVar"
|
||||
}
|
||||
|
||||
if [ -n "${MYSQL_HOST}" ]; then
|
||||
set_db_url
|
||||
fi
|
||||
|
||||
file_env "ADMIN_TOKEN"
|
||||
|
||||
{{ if eq (env "SMTP_ENABLED") "1" }}
|
||||
file_env "SMTP_PASSWORD"
|
||||
{{ end }}
|
||||
|
||||
# remove world permissions on data
|
||||
chmod -R o= /data
|
||||
|
||||
# upstream startup command
|
||||
# https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
|
||||
/start.sh
|
||||
|
||||
@ -1 +0,0 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
@ -1 +0,0 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
@ -1 +0,0 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
@ -1 +0,0 @@
|
||||
ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.
|
||||
@ -1 +0,0 @@
|
||||
bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.
|
||||
@ -1,15 +0,0 @@
|
||||
=== SMTP SETTINGS ===
|
||||
This release contains a *breaking change* if you use SMTP with vaultwarden.
|
||||
|
||||
See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
|
||||
|
||||
TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
|
||||
|
||||
=== PERMISSIONS ===
|
||||
|
||||
Previously, the data directory including the main private key had read
|
||||
permissions enabled for all host users. This release fixes that. Please review
|
||||
your Vaultwarden keys if other users on your Co-op Cloud host may have had
|
||||
access to these files.
|
||||
|
||||
See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.
|
||||
Loading…
x
Reference in New Issue
Block a user