Vaultwarden bundle
parent
e841b2c48a
commit
36412c2768
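@@ -0,0 +1,4 @@
+---
+
+dependencies:
+- url: ../common.git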
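@@ -0,0 +1,3 @@
+Kind = "service-defaults"
+Name = "[[ .vaultwarden.instance ]][[ .consul.suffix ]]"
+Protocol = "http"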
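@@ -0,0 +1,16 @@
+[[ $c := merge .vaultwarden . -]]
+Kind = "service-intentions"
+Name = "[[ $c.instance ]][[ $c.consul.suffix ]]"
+Sources = [
+{
+Name = "[[ $c.traefik.instance ]]"
+Permissions = [
+{
+Action = "allow"
+HTTP {
+Methods = ["GET", "HEAD", "POST", "PUT", "DELETE"]
+}
+}
+]
+}
+]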
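Review bot: The intention admits only `[[ $c.traefik.instance ]]` as a source, yet the job file registers the `/admin` router on `[[ $a.traefik.instance ]]` and explicitly allows that instance to differ from the main one (it emits a second `.enable=true` tag when `ne $c.traefik.instance $a.traefik.instance`); in that configuration the admin proxy has no Sources entry and Connect denies it. Add a second source under the same guard, which also gives you a natural place to confine that proxy to the admin path with `PathPrefix` if the admin router forwards the unstripped path — confirm against the Traefik config before relying on it. The method allow-list is a good least-privilege touch; it is worth a comment noting that any future route using another verb must be added here too.
```hcl
[[- $a := merge .vaultwarden.admin . ]]
[[- if ne $c.traefik.instance $a.traefik.instance ]]
  {
    Name = "[[ $a.traefik.instance ]]"
    Permissions = [
      # … same allow block as for the main Traefik instance, optionally with PathPrefix = "/admin" …
    ]
  }
[[- end ]]
```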
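@@ -0,0 +1,72 @@
+FROM rust:alpine AS build
+
+ARG VAULTWARDEN_FEATURES=[[ join .vaultwarden.server.features "," ]] \
+VAULTWARDEN_SERVER_VERSION=1.29.2 \
+VAULTWARDEN_WEB_VERSION=2023.9.1
+
+RUN set -euxo pipefail &&\
+apk --no-cache upgrade &&\
+apk --no-cache add \
+curl \
+ca-certificates \
+tar \
+musl-dev \
+[[- if has .vaultwarden.server.features "postgresql" ]]
+postgresql15-dev \
+[[- end ]]
+[[- if has .vaultwarden.server.features "mysql" ]]
+mariadb-dev \
+[[- end ]]
+[[- if has .vaultwarden.server.features "sqlite" ]]
+sqlite-dev \
+[[- end ]]
+&&\
+cd /tmp &&\
+curl -sSLO https://github.com/dani-garcia/vaultwarden/archive/refs/tags/${VAULTWARDEN_SERVER_VERSION}.tar.gz &&\
+tar xvzf ${VAULTWARDEN_SERVER_VERSION}.tar.gz &&\
+cd vaultwarden-${VAULTWARDEN_SERVER_VERSION} &&\
+rustup target add x86_64-unknown-linux-musl &&\
+cargo build --features=${VAULTWARDEN_FEATURES} --profile "release" --target "x86_64-unknown-linux-musl" &&\
+find ./target -type f -name vaultwarden &&\
+# Move vaultwarden bin to copy it easily in the runtime stage \
+mv ./target/x86_64-unknown-linux-musl/release/vaultwarden / &&\
+chown root:root /vaultwarden &&\
+chmod 755 /vaultwarden &&\
+cd ../ &&\
+curl -sSLO https://github.com/dani-garcia/bw_web_builds/releases/download/v${VAULTWARDEN_WEB_VERSION}/bw_web_v${VAULTWARDEN_WEB_VERSION}.tar.gz &&\
+tar xvzf bw_web_v${VAULTWARDEN_WEB_VERSION}.tar.gz &&\
+mv web-vault / &&\
+chown -R root:root /web-vault
+
+FROM [[ .docker.repo ]][[ .docker.base_images.alpine.image ]]
+MAINTAINER [[ .docker.maintainer ]]
+
+ENV ROCKET_PROFILE=release \
+ROCKET_ADDRESS=0.0.0.0 \
+ROCKET_PORT=8234 \
+DATA_FOLDER=/data \
+DATABASE_URL=/data/db.sqlite3
+
+COPY --from=build /vaultwarden /usr/local/bin/
+COPY --from=build /web-vault /opt/vaultwarden/web-vault
+
+RUN set -euxo pipefail &&\
+apk --no-cache upgrade &&\
+apk --no-cache add \
+ca-certificates \
+curl \
+openssl \
+tzdata \
+&&\
+addgroup -g 8234 vaultwarden &&\
+adduser --system --ingroup vaultwarden --disabled-password --uid 8234 --home /opt/vaultwarden --shell /sbin/nologin vaultwarden &&\
+mkdir /data &&\
+chown vaultwarden:vaultwarden /data
+
+WORKDIR /opt/vaultwarden
+
+USER vaultwarden
+
+EXPOSE 8234
+
+CMD ["vaultwarden"]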
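Review bot: Both release tarballs are fetched with `curl -sSLO` and unpacked straight away with no integrity check, so the build pins the version string but not the content and will accept whatever the download endpoint serves; pass the expected digests as build args and verify with `sha256sum -c` (available in busybox) before each `tar`. Two smaller points: `MAINTAINER` is deprecated in favour of `LABEL org.opencontainers.image.authors="[[ .docker.maintainer ]]"`, and `set -euxo pipefail` under the image's `/bin/sh` depends on busybox ash honouring `pipefail`, which current Alpine does but which deserves a one-line comment so nobody swaps the base image without noticing.
```dockerfile
ARG VAULTWARDEN_FEATURES=[[ join .vaultwarden.server.features "," ]] \
    VAULTWARDEN_SERVER_VERSION=1.29.2 \
    VAULTWARDEN_WEB_VERSION=2023.9.1 \
    VAULTWARDEN_SERVER_SHA256 \
    VAULTWARDEN_WEB_SHA256
# … unchanged: apk install, cd /tmp …
    curl -sSLO https://github.com/dani-garcia/vaultwarden/archive/refs/tags/${VAULTWARDEN_SERVER_VERSION}.tar.gz &&\
    echo "${VAULTWARDEN_SERVER_SHA256}  ${VAULTWARDEN_SERVER_VERSION}.tar.gz" | sha256sum -c - &&\
    tar xvzf ${VAULTWARDEN_SERVER_VERSION}.tar.gz &&\
# … unchanged: cargo build, mv, chown, cd ../ …
    curl -sSLO https://github.com/dani-garcia/bw_web_builds/releases/download/v${VAULTWARDEN_WEB_VERSION}/bw_web_v${VAULTWARDEN_WEB_VERSION}.tar.gz &&\
    echo "${VAULTWARDEN_WEB_SHA256}  bw_web_v${VAULTWARDEN_WEB_VERSION}.tar.gz" | sha256sum -c - &&\
    tar xvzf bw_web_v${VAULTWARDEN_WEB_VERSION}.tar.gz &&\
```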
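@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -euo pipefail
+
+[[- template "common/vault.mkpgrole.sh.tpl"
+dict "ctx" .
+"config" (dict "role" .vaultwarden.instance "database" "postgres")
+]]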
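Review bot: `set -euo pipefail` under a `#!/bin/sh` shebang is not portable: `pipefail` is not POSIX, and on a host where `/bin/sh` is dash the `set` fails as a special builtin and the whole script aborts before the templated body runs. Either change the shebang to `#!/bin/bash` (or `#!/usr/bin/env bash`) or drop `pipefail` if the body does not pipe; the rendered body comes from `common/vault.mkpgrole.sh.tpl`, which is outside this change, so which option is right depends on what it does.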
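@@ -0,0 +1 @@
+[[ template "common/mv_conf.sh.tpl" dict "ctx" . "services" (dict "vaultwarden" .vaultwarden.instance) ]]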
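@@ -0,0 +1,42 @@
+---
+
+vaultwarden:
+instance: vaultwarden
+server:
+count: 1
+image: vaultwarden/server:1.29.2
+#image: danielberteaud/vaultwarden:latest
+features:
+- postgresql
+resources:
+cpu: 80
+memory: 128
+
+consul:
+connect:
+upstreams:
+- service_name: '[[ .mail.smtp_service_name ]]'
+local_bind_port: 25
+
+env:
+ORG_EVENTS_ENABLED: 'true'
+EVENTS_DAYS_RETAIN: 720
+SIGNUPS_VERIFY: 'true'
+SMTP_HOST: localhost
+SMTP_PORT: 25
+SMTP_FROM: vaultwarden-no-reply@[[ .consul.domain ]]
+SMTP_SECURITY: off
+TRASH_AUTO_DELETE_DAYS: 7
+INCOMPLETE_2FA_TIME_LIMIT: 5
+USER_ATTACHMENT_LIMIT: 204800
+
+public_url: https://vaultwarden.example.org/
+traefik:
+middlewares: []
+admin:
+traefik:
+middlewares: []
+volumes:
+data:
+type: csi
+source: vaultwarden-data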
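Review bot: The `env` block turns on `SIGNUPS_VERIFY` but never sets `SIGNUPS_ALLOWED`, which defaults to true upstream, so a deployment of these defaults at `public_url` accepts self-registration from anyone who can reach the main router; add `SIGNUPS_ALLOWED: 'false'` (with invitations as the onboarding path) or document why open signup is intended. `admin.traefik.middlewares: []` ships the `/admin` router with no extra protection by default, and since that page grants full control of the instance a comment stating that an IP allow-list or auth middleware belongs there would help operators. `SMTP_SECURITY: off` against `SMTP_HOST: localhost` is only safe because port 25 is the Connect upstream bound locally, so add a comment such as `# plaintext is fine here: localhost:25 is the mTLS Connect sidecar to the SMTP service` to stop the next reader from "fixing" it.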
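@@ -0,0 +1,4 @@
+[[ $c := merge .vaultwarden . ]]
+path "[[ $c.vault.prefix ]]database/creds/[[ $c.instance ]]" {
+capabilities = ["read"]
+}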
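@@ -0,0 +1,103 @@
+[[ $c := merge .vaultwarden.server . -]]
+job "[[ .vaultwarden.instance ]]" {
+
+[[ template "common/job_start.tpl" $c ]]
+
+group "vaultwarden" {
+count = [[ $c.count ]]
+
+network {
+mode = "bridge"
+}
+
+volume "data" {
+type = [[ .vaultwarden.volumes.data.type | toJSON ]]
+source = [[ .vaultwarden.volumes.data.source | toJSON ]]
+attachment_mode = "file-system"
+access_mode = "multi-node-multi-writer"
+}
+
+service {
+name = "[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]"
+port = 8234
+
+[[ template "common/connect.tpl" $c ]]
+
+check {
+type = "http"
+path = "/alive"
+expose = true
+interval = "5s"
+timeout = "3s"
+
+check_restart {
+limit = 20
+grace = "20s"
+}
+}
+
+tags = [
+[[- $a := merge .vaultwarden.admin . ]]
+"[[ $c.traefik.instance ]].enable=true",
+[[- if ne $c.traefik.instance $a.traefik.instance ]]
+"[[ $a.traefik.instance ]].enable=true",
+[[- end ]]
+# Admin interface
+"[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`) && PathPrefix(`[[ (urlParse $c.public_url).Path | regexp.Replace "/$" "" ]]/admin`)",
+"[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.entrypoints=[[ join $a.traefik.entrypoints "," ]]",
+"[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.priority=200",
+"[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]].middlewares=[[ template "common/traefik_middlewares.tpl" $a.traefik ]]",
+
+# Main interface
+"[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].rule=Host(`[[ (urlParse $c.public_url).Hostname ]]`)
+[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]] && PathPrefix(`[[ (urlParse $c.public_url).Path ]]`)[[ end ]]",
+"[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].entrypoints=[[ join $c.traefik.entrypoints "," ]]",
+"[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].priority=100",
+"[[ $c.traefik.instance ]].http.middlewares.[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]].headers.contentSecurityPolicy=default-src 'self'; img-src 'self' data: https://www.gravatar.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory",
+[[- if not ((urlParse $c.public_url).Path | regexp.Match "^/?$") ]]
+"[[ $c.traefik.instance ]].http.middlewares.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]-prefix.stripprefix.prefixes=[[ (urlParse $c.public_url).Path ]]",
+"[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].middlewares=[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]],[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]-prefix",
+[[- else ]]
+"[[ $c.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $c.consul.suffix ]].middlewares=[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]],[[ template "common/traefik_middlewares.tpl" $c.traefik ]]",
+[[- end ]]
+]
+}
+
+[[ template "common/task.wait_for.tpl" $c ]]
+
+task "vaultwarden" {
+driver = [[ $c.nomad.driver | toJSON ]]
+user = 8234
+
+config {
+image = [[ $c.image | toJSON ]]
+pids_limit = 100
+readonly_rootfs = true
+}
+
+vault {
+policies = ["[[ .vaultwarden.instance ]][[ $c.consul.suffix ]]"]
+env = false
+disable_file = true
+}
+
+env {
+ROCKET_ADDRESS = "127.0.0.1"
+ROCKET_PORT = 8234
+IP_HEADER = "X-Forwarded-for"
+DOMAIN = [[ $c.public_url | toJSON ]]
+DB_CONNECTION_RETRIES = 0
+[[ template "common/proxy_env.tpl" $c ]]
+}
+
+[[ template "common/file_env.tpl" $c.env ]]
+
+volume_mount {
+volume = "data"
+destination = "/data"
+}
+
+[[ template "common/resources.tpl" $c.resources ]]
+}
+}
+}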
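Review bot: The admin middlewares tag under `# Admin interface` is missing the `-admin` router suffix: it sets `...[[ $a.consul.suffix ]].middlewares=` on the main router name (which the `# Main interface` tags also set, so one of the two values silently wins) while the `-admin` router — the one that most needs an IP allow-list or auth middleware — gets none at all, and it does not receive the CSP header either. Change that tag to `"[[ $a.traefik.instance ]].http.routers.[[ .vaultwarden.instance ]][[ $a.consul.suffix ]]-admin.middlewares=[[ template "common/traefik_middlewares.tpl" $a.traefik ]]",` and consider prepending `[[ .vaultwarden.instance ]]-csp[[ $c.consul.suffix ]]`, bearing in mind that middleware is declared on `$c.traefik.instance` and is only visible from `$a.traefik.instance` when the two coincide. Separately, the data volume is mounted `multi-node-multi-writer` while the image defaults `DATABASE_URL` to an SQLite file under `/data`; with `count` above 1 and the `sqlite` feature that is a corruption risk, so a comment such as `# multi-writer assumes a network database (postgresql/mysql); never run count > 1 on sqlite` is warranted.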