-
-
Notifications
You must be signed in to change notification settings - Fork 653
/
vaultwarden.sh
353 lines (295 loc) Β· 10.2 KB
/
vaultwarden.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
#!/bin/bash
# T&M Hansson IT AB Β© - 2024, https://www.hanssonit.se/
true
SCRIPT_NAME="Vaultwarden (formerly Bitwarden RS)"
SCRIPT_EXPLAINER="Vaultwarden, formerly known as Bitwarden RS, is an unofficial Bitwarden server API implementation in Rust.
It has less hardware requirements and therefore runs on nearly any hardware."
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Check if root
root_check
# Check if Bitwarden RS is already installed
if docker ps -a --format '{{.Names}}' | grep -Eq "bitwarden_rs";
then
msg_box "It seems like you have already installed Bitwarden RS.
If you want to reinstall Bitwarden RS, you can execute the following commands:
'sudo docker stop bitwarden_rs'
'sudo docker rm bitwarden_rs'
This command will delete all private data:
'sudo rm -r /home/bitwarden_rs'"
exit 1
fi
# Check if vaultwarden is already installed
if docker ps -a --format '{{.Names}}' | grep -Eq "vaultwarden";
then
msg_box "It seems like you have already installed Vaultwarden.
If you want to reinstall Vaultwarden, you can execute the following commands:
'sudo docker stop vaultwarden'
'sudo docker rm vaultwarden'
This command will delete all private data:
'sudo rm -r /home/vaultwarden'"
exit 1
fi
# Ask for installing
install_popup "$SCRIPT_NAME"
# Second info box
msg_box "Since it's unofficial, you need to really trust the maintainer of the project to install it:
https://github.com/dani-garcia/vaultwarden
You never know what could hide in an unofficial release.
It's always is recommended to install the official Bitwarden by running:
sudo bash /var/scripts/menu.sh --> Additional Apps --> Bitwarden --> Bitwarden
Please only report issues to https://github.com/dani-garcia/vaultwarden"
# Show a second warning
msg_box "Are you really sure?
It's always is recommended to install the official Bitwarden by running:
sudo bash /var/scripts/menu.sh --> Additional Apps --> Bitwarden
You will be offered to abort in the next step"
# Let the user cancel
if ! yesno_box_yes "Are you really sure you want to install $SCRIPT_NAME?"
then
exit
fi
# Ask for domain
SUBDOMAIN=$(input_box_flow "Please enter the Domain that you want to use for Vaultwarden.")
# curl the lib another time to get the correct https_conf
# shellcheck source=lib.sh
source /var/scripts/fetch_lib.sh
# Inform the user
msg_box "Before continuing, please make sure that you have \
edited the DNS settings for $SUBDOMAIN, and opened port 80 and 443 \
directly to this servers IP. A full extensive guide can be found here:
https://www.techandme.se/open-port-80-443
This can be done automatically if you have UPNP enabled in your firewall/router.
You will be offered to use UPNP in the next step.
PLEASE NOTE:
Using other ports than the default 80 and 443 is not supported, \
though it may be possible with some custom modification:
https://help.nextcloud.com/t/domain-refused-to-connect-collabora/91303/17"
# Ask for UPNP
if yesno_box_no "Do you want to use UPNP to open port 80 and 443?"
then
unset FAIL
open_port 80 TCP
open_port 443 TCP
cleanup_open_port
fi
# Check if $SUBDOMAIN exists and is reachable
print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
domain_check_200 "$SUBDOMAIN"
# Check open ports with NMAP
check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# Install Apache2
install_if_not apache2
# Enable Apache2 module's
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
a2enmod headers
a2enmod remoteip
# Only add TLS 1.3 on Ubuntu later than 22.04
if version 22.04 "$DISTRO" 24.04.10
then
TLS13="+TLSv1.3"
fi
if [ -f "$HTTPS_CONF" ]
then
a2dissite "$SUBDOMAIN.conf"
rm -f "$HTTPS_CONF"
fi
if [ ! -f "$HTTPS_CONF" ];
then
cat << HTTPS_CREATE > "$HTTPS_CONF"
<VirtualHost *:443>
ServerName $SUBDOMAIN:443
SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
# Intermediate configuration
SSLEngine on
SSLCompression off
SSLProtocol -all +TLSv1.2 $TLS13
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
ServerSignature off
# Logs
LogLevel warn
CustomLog \${APACHE_LOG_DIR}/access.log combined
ErrorLog \${APACHE_LOG_DIR}/error.log
# Just in case - see below
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# contra mixed content warnings
RequestHeader set X-Forwarded-Proto "https"
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/$1 [P,L]
# basic proxy settings
ProxyRequests off
ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.1:1024/$1$2"
ProxyPass / "http://127.0.0.1:1024/"
ProxyPassReverse / "http://127.0.0.1:1024/"
# Extra (remote) headers
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
# Vaultwarden sets its own CSP
# Header set Content-Security-Policy "frame-ancestors 'self'"
</VirtualHost>
HTTPS_CREATE
if [ -f "$HTTPS_CONF" ];
then
print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
sleep 1
else
print_text_in_color "$IRed" "Unable to create vhost, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
fi
# Install certbot (Let's Encrypt)
install_certbot
# Generate certs and auto-configure if successful
if generate_cert "$SUBDOMAIN"
then
# Generate DHparams cipher
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -out "$DHPARAMS_SUB" 2048
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
else
# remove settings to be able to start over again
rm -f "$HTTPS_CONF"
last_fail_tls "$SCRIPTS"/apps/tmbitwarden.sh
exit 1
fi
# Install docker
install_docker
# Move data into correct place
if [ -d /home/bitwarden_rs ] && ! [ -d /home/vaultwarden ]
then
mkdir /home/vaultwarden
check_command mv /home/bitwarden_rs/* /home/vaultwarden
rm -r /home/bitwarden_rs
fi
# Create dir for Vaultwarden
mkdir -p /home/vaultwarden
chown nobody -R /home/vaultwarden
chmod -R 770 /home/vaultwarden
# Generate admin password
ADMIN_PASS=$(gen_passwd "$SHUF" "A-Za-z0-9")
# Install docker-container
docker pull vaultwarden/server:latest
docker run -d --name vaultwarden \
--user nobody \
-e ADMIN_TOKEN="$ADMIN_PASS" \
-e SIGNUPS_VERIFY=true \
-e DOMAIN="https://$SUBDOMAIN" \
-e SIGNUPS_ALLOWED=false \
-p 127.0.0.1:1024:1024 \
-e ROCKET_PORT=1024 \
-e WEBSOCKET_ENABLED=true \
-p 127.0.0.1:3012:3012 \
-e LOG_FILE=/data/vaultwarden.log \
-e LOG_LEVEL=warn \
-v /home/vaultwarden/:/data/ \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--restart always \
vaultwarden/server:latest
# Add prune command
add_dockerprune
# Inform about fail2ban
msg_box "We will now set up fail2ban for you.
You can unban ip addresses by executing the following command:
sudo fail2ban-client set vaultwarden unbanip XX.XX.XX.XX
sudo fail2ban-client set vaultwarden-admin unbanip XX.XX.XX.XX"
# Install fail2ban
install_if_not fail2ban
systemctl stop fail2ban
# Create all needed files
# Vaultwarden conf
rm -f /etc/fail2ban/filter.d/bitwarden_rs.local
cat << BW_CONF > /etc/fail2ban/filter.d/vaultwarden.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
BW_CONF
# Vaultwarden jail
rm -f /etc/fail2ban/jail.d/bitwarden_rs.local
cat << BW_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden.local
[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
action = iptables-allports[name=vaultwarden]
logpath = /home/vaultwarden/vaultwarden.log
maxretry = 20
bantime = 1209600
findtime = 1800
ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
BW_JAIL_CONF
# Vaultwarden-admin conf
rm -f /etc/fail2ban/filter.d/bitwarden_rs-admin.local
cat << BWA_CONF > /etc/fail2ban/filter.d/vaultwarden-admin.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
BWA_CONF
# Vaultwarden-admin jail
rm -f /etc/fail2ban/jail.d/bitwarden_rs-admin.local
cat << BWA_JAIL_CONF > /etc/fail2ban/jail.d/vaultwarden-admin.local
[vaultwarden-admin]
enabled = true
port = 80,443
filter = vaultwarden-admin
action = iptables-allports[name=vaultwarden]
logpath = /home/vaultwarden/vaultwarden.log
maxretry = 5
bantime = 1209600
findtime = 1800
ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
BWA_JAIL_CONF
start_if_stopped fail2ban
countdown "Waiting for fail2ban to start... " 5
check_command fail2ban-client reload
# Inform the user
msg_box "Vaultwarden and fail2ban have been successfully installed and configured!"
if ! [ -f /home/vaultwarden/config.json ]
then
while :
do
# Inform the user
msg_box "Please visit https://$SUBDOMAIN/admin to manage all your settings.
Attention! Please note the password for the admin panel: $ADMIN_PASS
Otherwise you will not have access to your Vaultwarden installation and have to reinstall it completely!
It is highly recommended to configure and test the smtp settings for mails first.
Then, if it works, you can easily invite all your user with an e-mail address from this admin-panel.
(You have to click on users in the top-panel)
Please remember to report issues only to https://github.com/dani-garcia/vaultwarden"
# Ask for password
if yesno_box_no "Do you have the admin password now and know how to access the admin-panel?"
then
break
fi
done
fi
exit