From 1d4de5ede7b48b29935e1dad8c5aa44799ef98dd Mon Sep 17 00:00:00 2001
From: thorstenspille
Date: Sat, 21 Jan 2023 02:30:09 +0100
Subject: [PATCH] Add vaultwarden container
---
conf/zamba.conf.example | 9 ++
src/vaultwarden/constants-service.conf | 29 +++++
src/vaultwarden/install-service.sh | 162 +++++++++++++++++++++++++
3 files changed, 200 insertions(+)
create mode 100644 src/vaultwarden/constants-service.conf
create mode 100644 src/vaultwarden/install-service.sh
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index cab7d4c..127f9a4 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -170,3 +170,12 @@ frontenddomain=${LXC_HOSTNAME}.${LXC_DOMAIN}
 meshdomain=mesh.${LXC_DOMAIN}
 adminemail=rmm@${LXC_DOMAIN}
+############### vaultwarden Section ###############
+VW_SMTP_HOST=mail.bashclub.org
+VW_SMTP_FROM="vaultwarden@bashclub.org"
+VW_SMTP_FROM_NAME="Vaultwarden Password Manager"
+VW_SMTP_PORT=587
+VW_SMTP_SSL=true
+VW_SMTP_EXPLICIT_TLS=false
+VW_SMTP_USERNAME=vaultwarden@bashclub.org
+VW_SMTP_PASSWORD=''
\ No newline at end of file
diff --git a/src/vaultwarden/constants-service.conf b/src/vaultwarden/constants-service.conf
new file mode 100644
index 0000000..fe2b115
--- /dev/null
+++ b/src/vaultwarden/constants-service.conf
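Review bot: The new vaultwarden section ships concrete values for a third-party mail relay (`VW_SMTP_HOST=mail.bashclub.org`, `VW_SMTP_USERNAME=vaultwarden@bashclub.org`) as the example defaults, so an operator who copies zamba.conf.example without editing this section points their instance at someone else's SMTP account. The surrounding sections visible in the context lines derive their values from ${LXC_DOMAIN}; doing the same here, e.g. `VW_SMTP_FROM="vaultwarden@${LXC_DOMAIN}"`, together with a comment such as `# Replace with your own SMTP relay; VW_SMTP_PASSWORD is intentionally empty here and must be set locally`, would keep the example self-contained. These values are later interpolated unquoted into the vaultwarden .env file by install-service.sh, so a password containing `#`, spaces or quotes may need quoting there.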
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-11-standard"
+
+# Create sharefs mountpoint
+LXC_MP="0"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="1"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# Defines the name from the SQL database
+VAULTWARDEN_DB_NAME="vaultwarden"
+
+# Defines the name from the SQL user
+VAULTWARDEN_DB_USR="vaultwarden"
+
+# Build a strong password for the SQL user - could be overwritten with something fixed
+VAULTWARDEN_DB_PWD="$(random_password)"
\ No newline at end of file
diff --git a/src/vaultwarden/install-service.sh b/src/vaultwarden/install-service.sh
new file mode 100644
index 0000000..0ffa636
--- /dev/null
+++ b/src/vaultwarden/install-service.sh
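Review bot: `VAULTWARDEN_DB_PWD="$(random_password)"` calls a helper this commit does not define; install-service.sh sources /root/functions.sh before this file, so it presumably lives there, but the dependency is unstated and the file cannot be sourced on its own. A comment above that line, e.g. `# random_password comes from /root/functions.sh, which must be sourced before this file`, would document it. The comment saying the value "could be overwritten with something fixed" should also state that install-service.sh embeds it verbatim in a postgresql:// URL, so a fixed override has to avoid `@`, `/`, `:` and `%` or be percent-encoded. The `#!/bin/bash` shebang on a file that is only sourced is misleading; the line `# This file contains the project constants on service level` could add `(sourced, not executed)`.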
@@ -0,0 +1,162 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+admin_token=$(openssl rand -base64 48)
+
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -qq postgresql nginx git ssl-cert
+
+systemctl enable --now postgresql
+
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mkdir /opt/vaultwarden
+mkdir -p /var/lib/vaultwarden/data
+useradd vaultwarden
+chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
+mv output/vaultwarden /opt/vaultwarden
+mv output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+
+su - postgres < /var/lib/vaultwarden/.env
+DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden
+DOMAIN=https://${LXC_HOSTNAME}.${LXC_DOMAIN}
+ORG_CREATION_USERS=admin@$LXC_DOMAIN
+# Use `openssl rand -base64 48` to generate
+ADMIN_TOKEN=$admin_token
+# Uncomment this once vaults restored
+SIGNUPS_ALLOWED=false
+INVITATIONS_ALLOWED=false
+SMTP_HOST=$VW_SMTP_HOST
+SMTP_FROM=$VW_SMTP_FROM
+SMTP_FROM_NAME="$VW_SMTP_FROM_NAME"
+SMTP_PORT=$VW_SMTP_PORT # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
+SMTP_SSL=$VW_SMTP_SSL # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
+SMTP_EXPLICIT_TLS=$VW_SMTP_EXPLICIT_TLS # (Implicit) - N.B. This variable configures Implicit TLS.
It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
+SMTP_USERNAME=$VW_SMTP_USERNAME
+SMTP_PASSWORD=$VW_SMTP_PASSWORD
+SMTP_TIMEOUT=15
+EOF
+
+cat << EOF > /etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=/var/lib/vaultwarden/.env
+ExecStart=/opt/vaultwarden/vaultwarden
+LimitNOFILE=1048576
+LimitNPROC=64
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat << EOF > /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+DPkg::Post-Invoke {"/var/lib/vaultwarden/update.sh";};
+EOF
+
+cat << EOF > /var/lib/vaultwarden/update.sh
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+chmod +x docker-image-extract
+./docker-image-extract vaultwarden/server:alpine
+mv output/vaultwarden /opt/vaultwarden
+systemctl stop vaultwarden.service
+cp -rlf output/web-vault /var/lib/vaultwarden/
+rm -Rf output
+rm -Rf docker-image-extract
+systemctl start vaultwarden.service
+EOF
+
+chmod +x /etc/apt/apt.conf.d/80-vaultwarden-apt-hook
+chmod +x /var/lib/vaultwarden/update.sh
+
+cat << EOF > /etc/nginx/conf.d/default.conf
+server {
+ listen 80;
+ listen [::]:80;
+ server_name _;
+
+ server_tokens off;
+
+ access_log /var/log/nginx/vaultwarden.access.log;
+ error_log /var/log/nginx/vaultwarden.error.log;
+
+ location /.well-known/ {
+ root /var/www/html;
+ }
+
+ return 301 https://${LXC_HOSTNAME}.${LXC_DOMAIN}\$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${LXC_HOSTNAME}.${LXC_DOMAIN};
+
+ server_tokens off;
+
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM;
+ ssl_dhparam /etc/nginx/dhparam.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 180m;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 1.1.1.1 1.0.0.1;
+
+ add_header Strict-Transport-Security "max-age=31536000" always;
+
+ access_log /var/log/nginx/vaultwarden.access.log;
+ error_log /var/log/nginx/vaultwarden.error.log;
+
+ client_max_body_size 50M;
+
+ location / {
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:8000;
+ proxy_read_timeout 90;
+ }
+}
+
+EOF
+openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+systemctl daemon-reload
+systemctl enable --now vaultwarden
+systemctl restart nginx
\ No newline at end of file
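Review bot: The environment file written to /var/lib/vaultwarden/.env holds the database password, ADMIN_TOKEN and SMTP_PASSWORD, but nothing sets its mode or owner after the heredoc (the `cat … > /var/lib/vaultwarden/.env` redirect itself is garbled in this rendering), so under the default umask it ends up root-owned and world-readable; add `chmod 600 /var/lib/vaultwarden/.env` after that block's closing `EOF` (systemd reads EnvironmentFile= as root, so the service user needs no read access). That same block hard-codes the user and database in `DATABASE_URL=postgresql://vaultwarden:${VAULTWARDEN_DB_PWD}@localhost:5432/vaultwarden` instead of using VAULTWARDEN_DB_USR and VAULTWARDEN_DB_NAME from constants-service.conf, and embeds the password without percent-encoding, which breaks if random_password can emit `@`, `/`, `:` or `%` — its alphabet is not visible in this commit. The update.sh installed as an apt DPkg::Post-Invoke hook re-fetches docker-image-extract from an unpinned raw GitHub branch URL and overwrites /opt/vaultwarden/vaultwarden on every apt run with no checksum, no version pin, no shebang and no `set -e`, so a failed download is not detected and the remaining steps, including the service restart, still run as root; pin a commit, verify a checksum, and start the script with `#!/bin/bash` and `set -euo pipefail`. Finally, `useradd vaultwarden` creates a regular login account with a home under /home, whereas `useradd --system --home-dir /var/lib/vaultwarden --shell /usr/sbin/nologin vaultwarden` matches the service's privilege level, and `ssl_stapling on` paired with the snakeoil self-signed certificate cannot work and will only produce nginx warnings until a real certificate is installed.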