chore: publish 0.3.0+1.26.0 release

.drone.yml

@@ -3,7 +3,7 @@ kind: pipeline
 name: deploy to swarm-test.autonomic.zone
 steps:
   - name: deployment
-    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    image: decentral1se/stack-ssh-deploy:latest
     settings:
       host: swarm-test.autonomic.zone
       stack: vaultwarden
@@ -34,7 +34,7 @@ steps:
         from_secret: drone_abra-bot_token
       fork: true
       repositories:
-        - toolshed/auto-recipes-catalogue-json
+        - coop-cloud/auto-recipes-catalogue-json
 
 trigger:
   event: tag

.env.sample

@@ -3,8 +3,6 @@ TYPE=vaultwarden
 DOMAIN=vaultwarden.example.com
 LETS_ENCRYPT_ENV=production
 
-COMPOSE_FILE="compose.yml"
-
 WEBSOCKET_ENABLED=true
 SIGNUPS_ALLOWED=true
 
@@ -15,45 +13,11 @@ LOG_LEVEL=warn
 
 SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
 
-TX="Europe/Berlin"
-
-## DB settings
-#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
-#SECRET_DB_PASSWORD_VERSION=v1
-#SECRET_DB_ROOT_PASSWORD_VERSION=v1
-
-## SMTP settings
+# SMTP settings
 #COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
 #SECRET_SMTP_PASSWORD_VERSION=v1
-#SMTP_ENABLED=1
-#SMTP_FROM=noreply@example.com
-#SMTP_USERNAME=noreply@example.com
-#SMTP_HOST=mail.example.com
+#SMTP_FROM=
+#SMTP_USERNAME=
+#SMTP_HOST=
 #SMTP_PORT=587
 #SMTP_SECURITY=starttls
-
-## SSO Setup Start ##
-
-## SSO Required Setup
-#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
-#SSO_ENABLED=false ## Activate the SSO
-
-## the OpenID Connect Discovery endpoint of your SSO. Should not include the /.well-known/openid-configuration part and no trailing / ${SSO_AUTHORITY}/.well-known/openid-configuration must return a JSON document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse (with an HTTP status code 200 OK!)
-#SSO_AUTHORITY=
-#SSO_CLIENT_ID=             
-#SSO_CLIENT_SECRET= 
-#SSO_ONLY=false ## disable email+Master password authentication
-
-## SSO Optional Setup
-#SSO_SIGNUPS_MATCH_EMAIL=true ##: On SSO Signup if a user with a matching email already exists make the association (default true)
-#SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false ## Allow unknown email verification status (default false). Allowing this with SSO_SIGNUPS_MATCH_EMAIL open potential account takeover.
-#SSO_SCOPES= ##Optional, allow to override scopes if needed (default "email profile")
-#SSO_AUTHORIZE_EXTRA_PARAMS= ## Optional, allow to add extra parameter to the authorize redirection (default "")
-#SSO_PKCE=true ## Activate PKCE for the Auth Code flow (default true).
-#SSO_AUDIENCE_TRUSTED= ##Optional, Regex to trust additional audience for the IdToken (client_id is always trusted). Use single quote when writing the regex: '^$'.
-#SSO_MASTER_PASSWORD_POLICY ## Optional Master password policy (enforceOnLogin is not supported).
-#SSO_AUTH_ONLY_NOT_SESSION ## Enable to use SSO only for authentication not session lifecycle
-#SSO_CLIENT_CACHE_EXPIRATION=0 ## Cache calls to the discovery endpoint, duration in seconds, 0 to disable (default 0);
-#SSO_DEBUG_TOKENS=false ## Log all tokens for easier debugging (default false, LOG_LEVEL=debug or LOG_LEVEL=info,vaultwarden::sso=debug need to be set)
-
-## SSO Setup End ##

README.md

@@ -8,8 +8,8 @@
 * **Status**: 2, beta
 * **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
 * **Healthcheck**: 3
-* **Backups**: Yes
-* **Email**: Yes
+* **Backups**: No
+* **Email**: No
 * **Tests**: No
 * **SSO**: No
 
@@ -21,8 +21,6 @@
 2. Deploy [`coop-cloud/traefik`]
 3. `abra app new vaultwarden`
 4. `abra app config YOURAPPDOMAIN`
-5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
-6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
 5. `abra app deploy YOURAPPDOMAIN`
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
@@ -30,9 +28,6 @@
 
 ## Tips & Tricks
 
-### Using MariaDB instead of SQLite
-Just comment in the `DB settings` section in your .env
-
 ### Wiring up `fail2ban`
 
 You need the following logging config:

abra.sh

@@ -1,27 +1,6 @@
-export APP_ENTRYPOINT_VERSION=v4
+export APP_ENTRYPOINT_VERSION=v1
 APP_DIR="app:/data"
 
-insert_vaultwarden_admin_token() {
-  if ! command -v argon2 &> /dev/null; then
-    echo "argon2 is required on your local machine to hash the admin token."
-    echo "It could not be found in your PATH, please install argon2 to proceed."
-    echo "For example: On a debian/ubuntu system, run `apt install argon2`"
-    exit 1
-  fi
-  PASS=$(openssl rand 64 | openssl enc -A -base64)
-  # -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
-  HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
-
-  if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
-    echo "Vaultwarden Admin Token is:"
-    echo "$PASS"
-    echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
-  else
-    echo "Failed to insert admin token."
-    exit 1
-  fi
-}
-
 _backup_app() {
   # Copied _abra_backup_dir to make UX better on restore and backup
   {

compose.mariadb.yml

@@ -1,51 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment:
-    # DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
-    - MYSQL_HOST=db
-    - MYSQL_DATABASE=vaultwarden
-    - MYSQL_USER=vaultwarden
-    - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-    secrets:
-      - db_password
-
-  db:
-    image: "mariadb:10.11" # or "mysql"
-    environment:
-      - MYSQL_DATABASE=vaultwarden
-      - MYSQL_USER=vaultwarden
-      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
-      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
-      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
-    secrets:
-      - db_root_password
-      - db_password
-    volumes:
-      - "mariadb:/var/lib/mysql"
-    networks:
-      - internal
-    deploy:
-      labels:
-        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
-        backupbot.backup.volumes.mariadb.path: "backup.sql"
-        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
-    healthcheck:
-      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
-      interval: 30s
-      timeout: 10s
-      retries: 30
-      start_period: 1m
-
-secrets:
-  db_root_password:
-    external: true
-    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
-  db_password:
-    external: true
-    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
-
-volumes:
-  mariadb:

compose.smtp.yml

@@ -1,18 +1,17 @@
 ---
 version: "3.8"
-
+  
 services:
   app:
+    environment:
+      - SMTP_FROM
+      - SMTP_HOST
+      - SMTP_PORT
+      - SMTP_SECURITY
+      - SMTP_USERNAME
+      - SMTP_PASSWORD_FILE=/run/secrets/smtp_password
     secrets:
       - smtp_password
-    environment:
-      - "SMTP_ENABLED"
-      - "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
-      - "SMTP_FROM"
-      - "SMTP_USERNAME"
-      - "SMTP_HOST"
-      - "SMTP_PORT"
-      - "SMTP_SECURITY"
 
 secrets:
   smtp_password:

compose.sso.yml

@@ -1,21 +0,0 @@
----
-version: "3.8"
-
-services:
-  app:
-    environment:
-      - SSO_ENABLED
-      - SSO_AUTHORITY
-      - SSO_CLIENT_ID
-      - SSO_CLIENT_SECRET
-      - SSO_ONLY
-      - SSO_SIGNUPS_MATCH_EMAIL
-      - SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
-      - SSO_SCOPES
-      - SSO_AUTHORIZE_EXTRA_PARAMS
-      - SSO_PKCE
-      - SSO_AUDIENCE_TRUSTED
-      - SSO_MASTER_PASSWORD_POLICY
-      - SSO_AUTH_ONLY_NOT_SESSION
-      - SSO_CLIENT_CACHE_EXPIRATION
-      - SSO_DEBUG_TOKENS

compose.yml

@@ -3,10 +3,9 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.35.2
+    image: vaultwarden/server:1.26.0
     networks:
       - proxy
-      - internal
     environment:
       - "DOMAIN=https://$DOMAIN"
       - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
@@ -16,13 +15,11 @@ services:
       - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
       - "LOG_FILE=$LOG_FILE"
       - "LOG_LEVEL=$LOG_LEVEL"
-      - "TX=${TX:-Europe/Berlin}"
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
     entrypoint: /docker-entrypoint.sh
-    # entrypoint: ['tail', '-f', '/dev/null']
     command: /start.sh
     secrets:
       - admin_token
@@ -30,10 +27,9 @@ services:
       - vaultwarden_data:/data
     healthcheck:
       test: curl -f http://localhost/alive || exit 1
-      interval: 30s
-      timeout: 10s
-      retries: 30
-      start_period: 1m
+      interval: 5s
+      timeout: 3s
+      retries: 10
     deploy:
       restart_policy:
         condition: on-failure
@@ -43,9 +39,7 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=3.0.0+1.35.2"
-        - "backupbot.backup=true"
-        - "backupbot.backup.path=/data"
+        - "coop-cloud.${STACK_NAME}.version=0.3.0+1.26.0"
 
 volumes:
   vaultwarden_data:
@@ -53,7 +47,6 @@ volumes:
 networks:
   proxy:
     external: true
-  internal:
 
 configs:
   app_entrypoint:

entrypoint.sh.tmpl

@@ -1,24 +1,6 @@
 #!/bin/bash
 
 set -e
-umask 027
-
-# set DATABASE_URL with db_password
-set_db_url() {
-   if test -f "/var/run/secrets/db_password"; then
-      pwd=`cat /var/run/secrets/db_password`
-      if [ -z $pwd ]; then
-         echo >&2 "error: /var/run/secrets/db_password is empty"
-         exit 1
-      fi
-      echo "entrypoint.sh setting DATABASE_URL"
-      export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
-      unset "pwd"
-   else
-      echo >&2 "error: /var/run/secrets/db_password does not exist"
-      exit 1
-   fi
-}
 
 file_env() {
    local var="$1"
@@ -42,19 +24,8 @@ file_env() {
    unset "$fileVar"
 }
 
-if [ -n "${MYSQL_HOST}" ]; then
-   set_db_url
-fi
-
 file_env "ADMIN_TOKEN"
 
-{{ if eq (env "SMTP_ENABLED") "1" }}
-file_env "SMTP_PASSWORD"
-{{ end }}
-
-# remove world permissions on data
-chmod -R o= /data
-
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh

release/1.0.0+1.32.3

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -1 +0,0 @@
-ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -1 +0,0 @@
-bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.

release/2.0.0+1.33.2

@@ -1,15 +0,0 @@
-=== SMTP SETTINGS ===
-This release contains a *breaking change* if you use SMTP with vaultwarden.
-
-See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
-
-TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
-
-=== PERMISSIONS ===
-
-Previously, the data directory including the main private key had read
-permissions enabled for all host users. This release fixes that. Please review
-your Vaultwarden keys if other users on your Co-op Cloud host may have had
-access to these files.
-
-See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.

release/3.0.0+1.35.2

@@ -1,4 +0,0 @@
-Allows support for 2026.1+ clients.
-
-This release includes options for SSO. Check out the release notes for
-more infomation.