Merge pull request #26 from tteck/dev

Vaultwarden
tteckster 2022-02-05 06:48:30 -05:00 committed by GitHub
commit 2274223a2b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 334 additions and 0 deletions


@ -770,3 +770,28 @@ bash /etc/webmin/uninstall.sh
___________________________________________________________________________________________
</details>
<details>
<summary markdown="span">Vaultwarden LXC</summary>
<p align="center"><img src="https://avatars1.githubusercontent.com/u/15990069?s=200&v=4" width="100" height="100"/></p>
<h1 align="center" id="heading"> Vaultwarden LXC </h1>
To create a new Proxmox Vaultwarden LXC, run the following in the Proxmox web shell.
```
bash -c "$(wget -qLO - https://raw.githubusercontent.com/tteck/Proxmox/main/ct/vault_container.sh)"
```
It builds from source, which takes time and resources. After the installation, resources can be set to Normal Settings. I've left most of the installation process viewable since the rust install needs user input (requires a "enter" key press), and the lengthy time to complete the full installation.
<h3 align="center" id="heading">⚡ Normal Settings: 512Mib RAM - 8GB Storage - 1vCPU ⚡</h3>
Be Patient, let the script do it's work. Hopefully, you'll eventually see "Successfully created a Vaultwarden LXC Container"
**Vaultwarden Interface - IP:8000**
____________________________________________________________________________________________
</details>

162
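--- a/ct/vault_container.sh
+++ b/ct/vault_container.sh
@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+while true; do
+read -p "This will create a New Vaultwarden LXC Container. Proceed(y/n)?" yn
+case $yn in
+[Yy]* ) break;;
+[Nn]* ) exit;;
+* ) echo "Please answer yes or no.";;
+esac
+done
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+shopt -s expand_aliases
+alias die='EXIT=$? LINE=$LINENO error_exit'
+CHECKMARK='\033[0;32m\xE2\x9C\x94\033[0m'
+trap die ERR
+trap cleanup EXIT
+function error_exit() {
+trap - ERR
+local DEFAULT='Unknown failure occured.'
+local REASON="\e[97m${1:-$DEFAULT}\e[39m"
+local FLAG="\e[91m[ERROR] \e[93m$EXIT@$LINE"
+msg "$FLAG $REASON"
+[ ! -z ${CTID-} ] && cleanup_ctid
+exit $EXIT
+}
+function warn() {
+local REASON="\e[97m$1\e[39m"
+local FLAG="\e[93m[WARNING]\e[39m"
+msg "$FLAG $REASON"
+}
+function info() {
+local REASON="$1"
+local FLAG="\e[36m[INFO]\e[39m"
+msg "$FLAG $REASON"
+}
+function msg() {
+local TEXT="$1"
+echo -e "$TEXT"
+}
+function cleanup_ctid() {
+if [ ! -z ${MOUNT+x} ]; then
+pct unmount $CTID
+fi
+if $(pct status $CTID &>/dev/null); then
+if [ "$(pct status $CTID | awk '{print $2}')" == "running" ]; then
+pct stop $CTID
+fi
+pct destroy $CTID
+elif [ "$(pvesm list $STORAGE --vmid $CTID)" != "" ]; then
+pvesm free $ROOTFS
+fi
+}
+function cleanup() {
+popd >/dev/null
+rm -rf $TEMP_DIR
+}
+function load_module() {
+if ! $(lsmod | grep -Fq $1); then
+modprobe $1 &>/dev/null || \
+die "Failed to load '$1' module."
+fi
+MODULES_PATH=/etc/modules
+if ! $(grep -Fxq "$1" $MODULES_PATH); then
+echo "$1" >> $MODULES_PATH || \
+die "Failed to add '$1' module to load at boot."
+fi
+}
+TEMP_DIR=$(mktemp -d)
+pushd $TEMP_DIR >/dev/null
+wget -qL https://raw.githubusercontent.com/tteck/Proxmox/main/setup/vault_setup.sh
+load_module overlay
+while read -r line; do
+TAG=$(echo $line | awk '{print $1}')
+TYPE=$(echo $line | awk '{printf "%-10s", $2}')
+FREE=$(echo $line | numfmt --field 4-6 --from-unit=K --to=iec --format %.2f | awk '{printf( "%9sB", $6)}')
+ITEM=" Type: $TYPE Free: $FREE "
+OFFSET=2
+if [[ $((${#ITEM} + $OFFSET)) -gt ${MSG_MAX_LENGTH:-} ]]; then
+MSG_MAX_LENGTH=$((${#ITEM} + $OFFSET))
+fi
+STORAGE_MENU+=( "$TAG" "$ITEM" "OFF" )
+done < <(pvesm status -content rootdir | awk 'NR>1')
+if [ $((${#STORAGE_MENU[@]}/3)) -eq 0 ]; then
+warn "'Container' needs to be selected for at least one storage location."
+die "Unable to detect valid storage location."
+elif [ $((${#STORAGE_MENU[@]}/3)) -eq 1 ]; then
+STORAGE=${STORAGE_MENU[0]}
+else
+while [ -z "${STORAGE:+x}" ]; do
+STORAGE=$(whiptail --title "Storage Pools" --radiolist \
+"Which storage pool you would like to use for the container?\n\n" \
+16 $(($MSG_MAX_LENGTH + 23)) 6 \
+"${STORAGE_MENU[@]}" 3>&1 1>&2 2>&3) || exit
+done
+fi
+info "Using '$STORAGE' for storage location."
+CTID=$(pvesh get /cluster/nextid)
+info "Container ID is $CTID."
+echo -e "${CHECKMARK} \e[1;92m Updating LXC Template List... \e[0m"
+pveam update >/dev/null
+echo -e "${CHECKMARK} \e[1;92m Downloading LXC Template... \e[0m"
+OSTYPE=debian
+OSVERSION=${OSTYPE}-11
+mapfile -t TEMPLATES < <(pveam available -section system | sed -n "s/.*\($OSVERSION.*\)/\1/p" | sort -t - -k 2 -V)
+TEMPLATE="${TEMPLATES[-1]}"
+pveam download local $TEMPLATE >/dev/null ||
+die "A problem occured while downloading the LXC template."
+STORAGE_TYPE=$(pvesm status -storage $STORAGE | awk 'NR>1 {print $2}')
+case $STORAGE_TYPE in
+dir|nfs)
+DISK_EXT=".raw"
+DISK_REF="$CTID/"
+;;
+zfspool)
+DISK_PREFIX="subvol"
+DISK_FORMAT="subvol"
+;;
+esac
+DISK=${DISK_PREFIX:-vm}-${CTID}-disk-0${DISK_EXT-}
+ROOTFS=${STORAGE}:${DISK_REF-}${DISK}
+echo -e "${CHECKMARK} \e[1;92m Creating LXC Container... \e[0m"
+DISK_SIZE=8G
+pvesm alloc $STORAGE $CTID $DISK $DISK_SIZE --format ${DISK_FORMAT:-raw} >/dev/null
+if [ "$STORAGE_TYPE" == "zfspool" ]; then
+warn "Some containers may not work properly due to ZFS not supporting 'fallocate'."
+else
+mkfs.ext4 $(pvesm path $ROOTFS) &>/dev/null
+fi
+ARCH=$(dpkg --print-architecture)
+HOSTNAME=vaultwarden
+TEMPLATE_STRING="local:vztmpl/${TEMPLATE}"
+pct create $CTID $TEMPLATE_STRING -arch $ARCH -features nesting=1 \
+-hostname $HOSTNAME -net0 name=eth0,bridge=vmbr0,ip=dhcp -onboot 1 -cores 4 -memory 4096\
+-ostype $OSTYPE -rootfs $ROOTFS,size=$DISK_SIZE -storage $STORAGE >/dev/null
+MOUNT=$(pct mount $CTID | cut -d"'" -f 2)
+ln -fs $(readlink /etc/localtime) ${MOUNT}/etc/localtime
+pct unmount $CTID && unset MOUNT
+echo -e "${CHECKMARK} \e[1;92m Starting LXC Container... \e[0m"
+pct start $CTID
+pct push $CTID vault_setup.sh /vault_setup.sh -perms 755
+pct exec $CTID /vault_setup.sh
+IP=$(pct exec $CTID ip a s dev eth0 | sed -n '/inet / s/\// /p' | awk '{print $2}')
+info "Successfully created a Vaultwarden LXC Container to $CTID"
+echo -e "\e[1;92m Vaultwarden should be reachable by going to the following URL.
+http://${IP}:8000
+\e[0m"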
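Review bot: `wget -qL https://raw.githubusercontent.com/tteck/Proxmox/main/setup/vault_setup.sh` pulls the setup script from the moving `main` branch with no integrity check, and that file is then pushed into the container and run as root by `pct push` / `pct exec`, so whatever `main` serves at install time executes unreviewed. Fetch it from a fixed commit and verify it before use, e.g. `wget -qL https://raw.githubusercontent.com/tteck/Proxmox/<COMMIT_SHA>/setup/vault_setup.sh` followed by `echo "<EXPECTED_SHA256>  vault_setup.sh" | sha256sum -c -` (both values are placeholders); with `errexit` set, a mismatch aborts the run. Separately, `pct create` is called with `-features nesting=1` and without `-unprivileged 1`, which as far as I can tell leaves the container privileged; for a host that stores a password vault an unprivileged container is the safer default unless the build is shown to need otherwise.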

147
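--- a/setup/vault_setup.sh
+++ b/setup/vault_setup.sh
@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+set -o errexit
+set -o errtrace
+set -o nounset
+set -o pipefail
+shopt -s expand_aliases
+alias die='EXIT=$? LINE=$LINENO error_exit'
+CROSS='\033[1;31m\xE2\x9D\x8C\033[0m'
+CHECKMARK='\033[0;32m\xE2\x9C\x94\033[0m'
+RETRY_NUM=5
+RETRY_EVERY=3
+NUM=$RETRY_NUM
+trap die ERR
+trap 'die "Script interrupted."' INT
+function error_exit() {
+trap - ERR
+local DEFAULT='Unknown failure occured.'
+local REASON="\e[97m${1:-$DEFAULT}\e[39m"
+local FLAG="\e[91m[ERROR:LXC] \e[93m$EXIT@$LINE"
+msg "$FLAG $REASON"
+exit $EXIT
+}
+function msg() {
+local TEXT="$1"
+echo -e "$TEXT"
+}
+echo -e "${CHECKMARK} \e[1;92m Setting up Container OS... \e[0m"
+sed -i "/$LANG/ s/\(^# \)//" /etc/locale.gen
+locale-gen >/dev/null
+while [ "$(hostname -I)" = "" ]; do
+1>&2 echo -e "${CROSS} \e[1;31m No Network: \e[0m $(date)"
+sleep $RETRY_EVERY
+((NUM--))
+if [ $NUM -eq 0 ]
+then
+1>&2 echo -e "${CROSS} \e[1;31m No Network After $RETRY_NUM Tries \e[0m"
+exit 1
+fi
+done
+echo -e "${CHECKMARK} \e[1;92m Network Connected: \e[0m $(hostname -I)"
+echo -e "${CHECKMARK} \e[1;92m Updating Container OS... \e[0m"
+apt-get update &>/dev/null
+apt-get -qqy upgrade &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Installing Dependencies... \e[0m"
+apt-get update &>/dev/null
+apt-get -qqy install \
+git \
+nano \
+wget \
+htop \
+pkg-config \
+openssl \
+libssl1.1 \
+libssl-dev \
+curl \
+sudo &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Installing Build Essentials... \e[0m"
+apt-get install -y build-essential &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Installing Rust... \e[0m"
+curl https://sh.rustup.rs -sSf | sh
+echo 'export PATH=~/.cargo/bin:$PATH' >> ~/.bashrc
+export PATH=~/.cargo/bin:$PATH
+which rustc &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Installing Node.js... \e[0m"
+curl -fsSL https://deb.nodesource.com/setup_16.x | bash - &>/dev/null
+apt-get install -y nodejs &>/dev/null
+npm -g install npm@7 &>/dev/null
+which npm &>/dev/null
+npm i npm@latest -g &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Building Vaultwarden... \e[0m"
+git clone https://github.com/dani-garcia/vaultwarden && pushd vaultwarden
+cargo clean && cargo build --features sqlite --release
+file target/release/vaultwarden
+echo -e "${CHECKMARK} \e[1;92m Building Web-Vault... \e[0m"
+pushd target/release/
+git clone --recurse-submodules https://github.com/bitwarden/web.git web-vault.git && cd web-vault.git
+git checkout v2.25.1
+git submodule update --init --recursive
+wget https://raw.githubusercontent.com/dani-garcia/bw_web_builds/master/patches/v2.25.0.patch
+git apply v2.25.0.patch
+npm ci --legacy-peer-deps && npm audit fix --legacy-peer-deps || true && npm run dist:oss:selfhost
+cp -a build ../web-vault
+cd ..
+mkdir data
+echo -e "${CHECKMARK} \e[1;92m Create Systemd Service... \e[0m"
+cp ../../.env.template /etc/vaultwarden.env &>/dev/null
+cp vaultwarden /usr/bin/vaultwarden &>/dev/null
+chmod +x /usr/bin/vaultwarden &>/dev/null
+useradd -m -d /var/lib/vaultwarden vaultwarden &>/dev/null
+sudo cp -R data /var/lib/vaultwarden/ &>/dev/null
+cp -R web-vault /var/lib/vaultwarden/ &>/dev/null
+chown -R vaultwarden:vaultwarden /var/lib/vaultwarden &>/dev/null
+service_path="/etc/systemd/system/vaultwarden.service" &>/dev/null
+echo "[Unit]
+Description=Bitwarden Server (Powered by Vaultwarden)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=/etc/vaultwarden.env
+ExecStart=/usr/bin/vaultwarden
+LimitNOFILE=1048576
+LimitNPROC=64
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+WorkingDirectory=/var/lib/vaultwarden
+ReadWriteDirectories=/var/lib/vaultwarden
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+[Install]
+WantedBy=multi-user.target" > $service_path
+echo -e "${CHECKMARK} \e[1;92m Customizing Container... \e[0m"
+rm /etc/motd
+rm /etc/update-motd.d/10-uname
+touch ~/.hushlogin
+GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf"
+mkdir -p $(dirname $GETTY_OVERRIDE)
+cat << EOF > $GETTY_OVERRIDE
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM
+EOF
+systemctl daemon-reload
+systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//')
+systemctl enable vaultwarden.service &>/dev/null
+systemctl start vaultwarden.service &>/dev/null
+echo -e "${CHECKMARK} \e[1;92m Cleanup... \e[0m"
+rm -rf /vault_setup.sh /var/{cache,log}/* /var/lib/apt/lists/*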
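Review bot: The server binary is built from whatever `git clone https://github.com/dani-garcia/vaultwarden` returns at install time, with no tag or commit checked out, while the web vault next to it is pinned with `git checkout v2.25.1`; the patch applied to the web vault is likewise fetched from the moving `master` branch of bw_web_builds. Pin the server the same way, e.g. `git clone --branch <RELEASE_TAG> --depth 1 https://github.com/dani-garcia/vaultwarden` (the tag is a placeholder), and fetch the patch from a fixed commit so two installs produce the same vault. The two installers piped straight into a shell (`curl https://sh.rustup.rs -sSf | sh` and the nodesource `setup_16.x | bash -`) run as root with nothing checked beforehand; downloading each to a file and verifying it before execution would close that gap. `/etc/vaultwarden.env` is created by a plain `cp` with default permissions although it will presumably hold secrets such as the admin token once configured; after the `useradd` line add `chown root:vaultwarden /etc/vaultwarden.env && chmod 640 /etc/vaultwarden.env`.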