Merge pull request 'add solution to missing argon2 error message' (#11) from argon2-doc into main

Reviewed-on: coop-cloud/vaultwarden#11

.drone.yml

@@ -0,0 +1,40 @@
+---
+kind: pipeline
+name: deploy to swarm-test.autonomic.zone
+steps:
+  - name: deployment
+    image: git.coopcloud.tech/coop-cloud/stack-ssh-deploy:latest
+    settings:
+      host: swarm-test.autonomic.zone
+      stack: vaultwarden
+      generate_secrets: true
+      purge: true
+      deploy_key:
+        from_secret: drone_ssh_swarm_test
+      networks:
+        - proxy
+    environment:
+      DOMAIN: vaultwarden.swarm-test.autonomic.zone
+      STACK_NAME: vaultwarden
+      LETS_ENCRYPT_ENV: production
+      APP_ENTRYPOINT_VERSION: v1
+      SECRET_ADMIN_TOKEN_VERSION: v1
+trigger:
+  branch:
+    - main
+---
+kind: pipeline
+name: generate recipe catalogue
+steps:
+  - name: release a new version
+    image: plugins/downstream
+    settings:
+      server: https://build.coopcloud.tech
+      token:
+        from_secret: drone_abra-bot_token
+      fork: true
+      repositories:
+        - toolshed/auto-recipes-catalogue-json
+
+trigger:
+  event: tag

.env.sample

@@ -3,6 +3,8 @@ TYPE=vaultwarden
 DOMAIN=vaultwarden.example.com
 LETS_ENCRYPT_ENV=production
 
+COMPOSE_FILE="compose.yml"
+
 WEBSOCKET_ENABLED=true
 SIGNUPS_ALLOWED=true
 
@@ -12,3 +14,20 @@ LOG_FILE=/data/vaultwarden.log
 LOG_LEVEL=warn
 
 SECRET_ADMIN_TOKEN_VERSION=v1 # length=48
+
+TX="Europe/Berlin"
+
+## DB settings
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mariadb.yml"
+#SECRET_DB_PASSWORD_VERSION=v1
+#SECRET_DB_ROOT_PASSWORD_VERSION=v1
+
+## SMTP settings
+#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml"
+#SECRET_SMTP_PASSWORD_VERSION=v1
+#SMTP_ENABLED=1
+#SMTP_FROM=noreply@example.com
+#SMTP_USERNAME=noreply@example.com
+#SMTP_HOST=mail.example.com
+#SMTP_PORT=587
+#SMTP_SECURITY=starttls

README.md

@@ -8,8 +8,8 @@
 * **Status**: 2, beta
 * **Image**: [`vaultwarden/server`](https://hub.docker.com/vaultwarden/server), 4, upstream
 * **Healthcheck**: 3
-* **Backups**: No
-* **Email**: No
+* **Backups**: Yes
+* **Email**: Yes
 * **Tests**: No
 * **SSO**: No
 
@@ -20,14 +20,19 @@
 1. Set up Docker Swarm and [`abra`]
 2. Deploy [`coop-cloud/traefik`]
 3. `abra app new vaultwarden`
-4. `abra app YOURAPPDOMAIN config`
-5. `abra app YOURAPPDOMAIN deploy`
+4. `abra app config YOURAPPDOMAIN`
+5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.
+6. `abra app secret insert YOURAPPDOMAIN smtp_password v1 "super-secret-password"` SMTP config and password needed for user email invites
+5. `abra app deploy YOURAPPDOMAIN`
 
 [`abra`]: https://git.coopcloud.tech/coop-cloud/abra
 [`coop-cloud/traefik`]: https://git.coopcloud.tech/coop-cloud/traefik
 
 ## Tips & Tricks
 
+### Using MariaDB instead of SQLite
+Just comment in the `DB settings` section in your .env
+
 ### Wiring up `fail2ban`
 
 You need the following logging config:

abra.sh

@@ -1 +1,49 @@
-export APP_ENTRYPOINT_VERSION=v1
+export APP_ENTRYPOINT_VERSION=v4
+APP_DIR="app:/data"
+
+insert_vaultwarden_admin_token() {
+  if ! command -v argon2 &> /dev/null; then
+    echo "argon2 is required on your local machine to hash the admin token."
+    echo "It could not be found in your PATH, please install argon2 to proceed."
+    echo "For example: On a debian/ubuntu system, run `apt install argon2`"
+    exit 1
+  fi
+  PASS=$(openssl rand 64 | openssl enc -A -base64)
+  # -e: output encoded hash, -id: use Argon2id, -k: memory cost, -t: time cost, -p: parallelism
+  HASH=$(echo -n "$PASS" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
+
+  if abra app secret insert -C "$APP_NAME" admin_token v1 "$HASH"; then
+    echo "Vaultwarden Admin Token is:"
+    echo "$PASS"
+    echo "TAKE NOTE OF IT NOW, WILL NEVER BE SHOWN AGAIN!"
+  else
+    echo "Failed to insert admin token."
+    exit 1
+  fi
+}
+
+_backup_app() {
+  # Copied _abra_backup_dir to make UX better on restore and backup
+  {
+    abra__src_="$1"
+    abra__dst_="-"
+  }
+
+  # shellcheck disable=SC2154
+  FILENAME="$(basename "$1").tar"
+
+  debug "Copying '$1' to '$FILENAME'"
+
+  silence
+  mkdir -p /tmp/abra
+  sub_app_cp > /tmp/abra/$FILENAME
+  unsilence
+}
+
+abra_backup_app() {
+  # shellcheck disable=SC2154
+  ARK_FILENAME="$ABRA_BACKUP_DIR/${abra__app_}_app_$(date +%F).tar.gz"
+  # Cant be FILENAME as that gets changed by something
+  _backup_app $APP_DIR
+  success "Backed up 'app' to $ARK_FILENAME"
+}

compose.mariadb.yml

@@ -0,0 +1,51 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment:
+    # DATABASE_URL with secret db_password is being set by entrypoint.sh.tmpl
+    - MYSQL_HOST=db
+    - MYSQL_DATABASE=vaultwarden
+    - MYSQL_USER=vaultwarden
+    - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+    secrets:
+      - db_password
+
+  db:
+    image: "mariadb:10.6" # or "mysql"
+    environment:
+      - MYSQL_DATABASE=vaultwarden
+      - MYSQL_USER=vaultwarden
+      - MYSQL_PASSWORD_FILE=/run/secrets/db_password
+      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/db_root_password
+      - MAX_DB_CONNECTIONS=${MAX_DB_CONNECTIONS:-100}#
+    secrets:
+      - db_root_password
+      - db_password
+    volumes:
+      - "mariadb:/var/lib/mysql"
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} > /var/lib/mysql/backup.sql'
+        backupbot.backup.volumes.mariadb.path: "backup.sql"
+        backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" $${MYSQL_DATABASE} < /var/lib/mysql/backup.sql'
+    healthcheck:
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping']
+      interval: 5s
+      timeout: 10s
+      retries: 0
+      start_period: 1m
+
+secrets:
+  db_root_password:
+    external: true
+    name: ${STACK_NAME}_db_root_password_${SECRET_DB_ROOT_PASSWORD_VERSION}
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+
+volumes:
+  mariadb:

compose.smtp.yml

@@ -0,0 +1,20 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - smtp_password
+    environment:
+      - "SMTP_ENABLED"
+      - "SMTP_PASSWORD_FILE=/run/secrets/smtp_password"
+      - "SMTP_FROM"
+      - "SMTP_USERNAME"
+      - "SMTP_HOST"
+      - "SMTP_PORT"
+      - "SMTP_SECURITY"
+
+secrets:
+  smtp_password:
+    external: true
+    name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}

compose.yml

@@ -3,9 +3,10 @@ version: "3.8"
 
 services:
   app:
-    image: vaultwarden/server:1.26.0
+    image: vaultwarden/server:1.33.2
     networks:
       - proxy
+      - internal
     environment:
       - "DOMAIN=https://$DOMAIN"
       - "WEBSOCKET_ENABLED=$WEBSOCKET_ENABLED"
@@ -15,11 +16,13 @@ services:
       - "EXTENDED_LOGGING=$EXTENDED_LOGGING"
       - "LOG_FILE=$LOG_FILE"
       - "LOG_LEVEL=$LOG_LEVEL"
+      - "TX=${TX:-Europe/Berlin}"
     configs:
       - source: app_entrypoint
         target: /docker-entrypoint.sh
         mode: 0555
     entrypoint: /docker-entrypoint.sh
+    # entrypoint: ['tail', '-f', '/dev/null']
     command: /start.sh
     secrets:
       - admin_token
@@ -39,7 +42,9 @@ services:
         - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
         - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.1+1.26.0"
+        - "coop-cloud.${STACK_NAME}.version=2.0.0+1.33.2"
+        - "backupbot.backup=true"
+        - "backupbot.backup.path=/data"
 
 volumes:
   vaultwarden_data:
@@ -47,6 +52,7 @@ volumes:
 networks:
   proxy:
     external: true
+  internal:
 
 configs:
   app_entrypoint:

entrypoint.sh.tmpl

@@ -1,6 +1,24 @@
 #!/bin/bash
 
 set -e
+umask 027
+
+# set DATABASE_URL with db_password
+set_db_url() {
+   if test -f "/var/run/secrets/db_password"; then
+      pwd=`cat /var/run/secrets/db_password`
+      if [ -z $pwd ]; then
+         echo >&2 "error: /var/run/secrets/db_password is empty"
+         exit 1
+      fi
+      echo "entrypoint.sh setting DATABASE_URL"
+      export "DATABASE_URL"="mysql://vaultwarden:${pwd}@db/vaultwarden"
+      unset "pwd"
+   else
+      echo >&2 "error: /var/run/secrets/db_password does not exist"
+      exit 1
+   fi
+}
 
 file_env() {
    local var="$1"
@@ -24,8 +42,19 @@ file_env() {
    unset "$fileVar"
 }
 
+if [ -n "${MYSQL_HOST}" ]; then
+   set_db_url
+fi
+
 file_env "ADMIN_TOKEN"
 
+{{ if eq (env "SMTP_ENABLED") "1" }}
+file_env "SMTP_PASSWORD"
+{{ end }}
+
+# remove world permissions on data
+chmod -R o= /data
+
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh

release/1.0.0+1.32.3

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.1+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.2+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.3+1.32.5

@@ -0,0 +1 @@
+ATTENTION: this version is not automatically upgradeable due to missing entrypoint version increase. Please upgrade to at least 1.0.4+1.32.7 directly.

release/1.0.4+1.32.7

@@ -0,0 +1 @@
+bugfix release for missing increase of entrypoint version for the last 4 releases. Also upgraded vaultwarden bugfix release.

release/2.0.0+1.33.2

@@ -0,0 +1,15 @@
+=== SMTP SETTINGS ===
+This release contains a *breaking change* if you use SMTP with vaultwarden.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/9 for more.
+
+TLDR; Please add `SMTP_ENABLED=1` to your .env to continue using SMTP.
+
+=== PERMISSIONS ===
+
+Previously, the data directory including the main private key had read
+permissions enabled for all host users. This release fixes that. Please review
+your Vaultwarden keys if other users on your Co-op Cloud host may have had
+access to these files.
+
+See https://git.coopcloud.tech/coop-cloud/vaultwarden/pulls/7 for more.