From 250662c65e0d04f96708d5860e45fcd2088a4c2f Mon Sep 17 00:00:00 2001
From: Tianyu Liu
Date: Sat, 3 May 2025 23:00:55 +0200
Subject: [PATCH] Add first final version of vw deployment and haproxy

---
 haproxy/haproxy_config.sh | 6 ++-
 vaultwarden/deploy.sh | 32 ++++++++++++-
 vaultwarden/env.sh | 27 ++++++-----
 vaultwarden/haproxy.sh | 32 -------------
 vaultwarden/uninstall.sh | 23 +++++++++
 vaultwarden/vaultwarden_sample | 66 --------------------------
 vaultwarden/vaultwarden_sample_haproxy | 66 --------------------------
 7 files changed, 74 insertions(+), 178 deletions(-)
 delete mode 100755 vaultwarden/haproxy.sh
 create mode 100755 vaultwarden/uninstall.sh
 delete mode 100644 vaultwarden/vaultwarden_sample
 delete mode 100644 vaultwarden/vaultwarden_sample_haproxy

diff --git a/haproxy/haproxy_config.sh b/haproxy/haproxy_config.sh
index 844ed56..8ae304f 100755
--- a/haproxy/haproxy_config.sh
+++ b/haproxy/haproxy_config.sh
@@ -19,6 +19,7 @@ echo "$AUTOCONFIG_BEGIN" | sudo tee -a $HAPROXY_CFG > /dev/null
 if [ -z "$(ls -A $HAPROXY_SERVICE_DIR 2>/dev/null)" ]; then
 echo "No services found under $HAPROXY_SERVICE_DIR. Skipping autoconfig."
 echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
+ sudo systemctl restart haproxy
 exit 0
 fi
@@ -90,4 +91,7 @@ EOF
 echo "$BACKEND_BLOCK" | sudo tee -a $HAPROXY_CFG > /dev/null
-echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
\ No newline at end of file
+echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
+
+echo "Config complete. restart haproxy."
+sudo systemctl restart haproxy
\ No newline at end of file
diff --git a/vaultwarden/deploy.sh b/vaultwarden/deploy.sh
index 9ceb8ad..a31e44d 100755
--- a/vaultwarden/deploy.sh
+++ b/vaultwarden/deploy.sh
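Review bot: The new `sudo systemctl restart haproxy` at the end of the script (and the one added in the no-services branch of the first hunk) activates the freshly appended configuration without validating it, so one malformed service block takes HAProxy, and with it the password-manager frontend, fully down; a restart also drops every in-flight connection where a reload would keep them. Validate first and reload instead of restart: `sudo haproxy -c -f "$HAPROXY_CFG" && sudo systemctl reload haproxy`, or exit non-zero with the checker's output when validation fails so a broken config is never loaded. While these lines are touched, `$HAPROXY_CFG` in the `tee -a` pipelines should be quoted; it is a fixed path from env.sh today, which is why the unquoted form has not bitten. The heredoc that ends at the `EOF` shown as hunk context lies outside this view and was not reviewed.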
@@ -22,6 +22,12 @@ podman create \
 --restart=unless-stopped \
 -e DOMAIN=https://$DOMAIN \
 -e SHOW_PASSWORD_HINT=false \
+ -e SMTP_HOST=$SMTP_HOST \
+ -e SMTP_FROM=$SMTP_FROM \
+ -e SMTP_PORT=$SMTP_PORT \
+ -e SMTP_SECURITY=$SMTP_SECURITY \
+ -e SMTP_USERNAME=$SMTP_USERNAME \
+ -e SMTP_PASSWORD=$SMTP_PASSWORD \
 -p $PORT:80 \
 -v $DATA_FOLDER:/data \
 docker.io/vaultwarden/server:latest
@@ -33,12 +39,34 @@ podman generate systemd \
 --container-prefix=vaultwarden \
 --restart-policy=always
-USER_SYSTEMD="$HOME/.config/systemd/user"
 mkdir -p $USER_SYSTEMD
-cp vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD
+mv vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD
 systemctl --user daemon-reload
 systemctl --user enable --now vaultwarden-$CONTAINER_NAME.service
 sudo loginctl enable-linger $USER
+# generate haproxy blocks
+sudo mkdir -p $SERVICE_DIR
+echo "crt $SSL_PATH/fullchain.pem" | sudo tee $SERVICE_DIR/cert.block > /dev/null
+ACL_CFG=$(cat < /dev/null
+BACKEND_CFG=$(cat < /dev/null
+
+echo "Deploy completed, manually run haproxy to generate new config."
+
 # on local, allow ufw port from wireguard
\ No newline at end of file
diff --git a/vaultwarden/env.sh b/vaultwarden/env.sh
index c7c6b26..ac768e4 100644
--- a/vaultwarden/env.sh
+++ b/vaultwarden/env.sh
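Review bot: `-e SMTP_PASSWORD=$SMTP_PASSWORD` puts the mail credential on the `podman create` command line, where it is visible in `ps` output and any shell trace, and it remains readable afterwards through `podman inspect` on the container (and would be copied into the unit file if `podman generate systemd` were run with `--new`, which this hunk does not show). Prefer `--env-file` pointing at a mode-0600 file, or a podman secret surfaced as an environment variable (`--secret smtp_password,type=env,target=SMTP_PASSWORD`) where the installed podman supports it. The new expansions should also be quoted, `-e SMTP_PASSWORD="$SMTP_PASSWORD"`, so a value containing whitespace or glob characters cannot split into extra arguments. Separately, the `docker.io/vaultwarden/server:latest` context line below is an unpinned tag for a password-manager image; pinning a version or digest makes each deploy reproducible and reviewable. The `podman create` invocation begins above this hunk.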
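Review bot: `echo "crt $SSL_PATH/fullchain.pem"` points HAProxy at a file whose name says it holds the certificate chain only; HAProxy's `crt` needs the private key either in the same PEM or (on recent versions) in a sibling `fullchain.pem.key`, and the HAProxy process must be able to read it from under `$HOME/.config/ssl`, which a home directory's default permissions presumably do not allow. Either write a combined PEM somewhere HAProxy can read it (for example under `/etc/haproxy`, mode 0600, owned by the haproxy user) or document the key-file convention and required directory permissions next to this line. The ACL and backend heredocs (`ACL_CFG=$(cat …`, `BACKEND_CFG=$(cat …`) are mangled in this view and could not be reviewed; since they interpolate `$DOMAIN` and `$PORT` into configuration that root writes under `/etc/haproxy`, they should at least assert the inputs before writing, `: "${DOMAIN:?}" "${PORT:?}"`. `sudo mkdir -p $SERVICE_DIR` and `sudo tee $SERVICE_DIR/cert.block` should quote the path for the same reason.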
@@ -1,11 +1,16 @@
-export NAMECHEAP_USERNAME=""
-export NAMECHEAP_API_KEY=""
-export NAMECHEAP_SOURCEIP=""
-
-export EMAIL=""
-export CONTAINER_NAME=""
-export PORT=""
-export DATA_FOLDER=""
-export DOMAIN=""
-export SSL_PATH=$HOME/.config/ssl/$DOMAIN
-export HAPROXY_CFG="/etc/haproxy/haproxy.cfg"
\ No newline at end of file
+EMAIL=""
+CONTAINER_NAME="vaultwarden"
+PORT="8880"
+DATA_FOLDER="$HOME/.local/share/vaultwarden/data"
+DOMAIN=""
+SMTP_HOST=""
+SMTP_FROM=""
+SMTP_PORT=""
+SMTP_SECURITY=""
+SMTP_USERNAME=""
+SMTP_PASSWORD=""
+SSL_PATH=$HOME/.config/ssl/$DOMAIN
+USER_SYSTEMD="$HOME/.config/systemd/user"
+HAPROXY_CFG_DIR="/etc/haproxy"
+HAPROXY_CFG="$HAPROXY_CFG_DIR/haproxy.cfg"
+SERVICE_DIR="$HAPROXY_CFG_DIR/services/$DOMAIN"
\ No newline at end of file
diff --git a/vaultwarden/haproxy.sh b/vaultwarden/haproxy.sh
deleted file mode 100755
index 3e20b1e..0000000
--- a/vaultwarden/haproxy.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-. ./env.sh
-BLOCK_BEGIN="# === BEGIN vaultwarden config ==="
-BLOCK_END="# === END vaultwarden config ==="
-
-CONFIG=$(cat < /dev/null
-
-sudo systemctl reload haproxy
diff --git a/vaultwarden/uninstall.sh b/vaultwarden/uninstall.sh
new file mode 100755
index 0000000..730ccb4
--- /dev/null
+++ b/vaultwarden/uninstall.sh
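Review bot: `SMTP_PASSWORD=""` makes env.sh the file where the live mail credential gets typed in, and env.sh is tracked by git, so the first real deployment commits a plaintext secret; ship a committed `env.sh.example` with empty values, git-ignore the real `env.sh`, and keep it mode 0600 since it is only ever sourced by the owning user's shell. `DOMAIN=""` also feeds `SSL_PATH` and `SERVICE_DIR`, so an unfilled value silently yields `/etc/haproxy/services/` (the whole services tree) instead of a per-domain directory; adding `: "${DOMAIN:?DOMAIN must be set in env.sh}"` at the bottom of the file makes every script that sources it fail fast. Dropping `export` is fine while the values only travel through `. env.sh`, but a one-line header comment saying the file is meant to be sourced, not executed, would save the next reader from wondering why nothing is exported.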
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. env.sh
+
+if systemctl --user list-units --full --all | grep -q "vaultwarden-${CONTAINER_NAME}.service"; then
+ systemctl --user stop vaultwarden-${CONTAINER_NAME}.service
+fi
+
+if podman container exists "$CONTAINER_NAME"; then
+ echo "Stop and delete existing container $CONTAINER_NAME"
+ if podman inspect -f '{{.State.Running}}' "$CONTAINER_NAME" | grep -q true; then
+ podman stop "$CONTAINER_NAME"
+ fi
+ podman rm "$CONTAINER_NAME"
+fi
+
+systemctl --user disable --now vaultwarden-$CONTAINER_NAME.service
+rm $USER_SYSTEMD/vaultwarden-$CONTAINER_NAME.service
+systemctl --user daemon-reload
+
+sudo rm -r $SERVICE_DIR
+
+echo "Uninstall complete. Manually run haproxy config to rebuild config."
\ No newline at end of file
diff --git a/vaultwarden/vaultwarden_sample b/vaultwarden/vaultwarden_sample
deleted file mode 100644
index 5c26bee..0000000
--- a/vaultwarden/vaultwarden_sample
+++ /dev/null
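Review bot: `sudo rm -r $SERVICE_DIR` is a root-run recursive delete on a path assembled in env.sh, and `SERVICE_DIR` ends in `$DOMAIN`, which env.sh ships empty; with `DOMAIN` left unset this line removes `/etc/haproxy/services` wholesale, taking every other service's blocks with it. Guard it with `sudo rm -r -- "${SERVICE_DIR:?}"` after a `: "${DOMAIN:?}"` check near the top, and quote `$USER_SYSTEMD` on the `rm` line above for the same reason. There is no `set -eu`, and `. env.sh` is resolved against the current directory rather than the script's location, so running the script from elsewhere continues past a failed source with every variable empty; `. "$(dirname "$0")/env.sh" || exit 1` (or `set -eu` first) closes that gap. The `systemctl --user stop` followed by `disable --now` is redundant but harmless.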
@@ -1,66 +0,0 @@
-# The `upstream` directives ensure that you have a http/1.1 connection
-# This enables the keepalive option and better performance
-#
-# Define the server IP and ports here.
-upstream vaultwarden-default {
- zone vaultwarden-default 64k;
- server 127.0.0.1:8885;
- keepalive 2;
-}
-
-# Needed to support websocket connections
-# See: https://nginx.org/en/docs/http/websocket.html
-# Instead of "close" as stated in the above link we send an empty value.
-# Else all keepalive connections will not work.
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' "";
-}
-
-# Redirect HTTP to HTTPS
-server {
- listen 80;
- listen [::]:80;
- server_name my_domain.tld;
-
- return 301 https://$host$request_uri;
-}
-
-server {
- # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name my_domain.tld;
-
- # Specify SSL Config when needed
- ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
- ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
- ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
- #add_header Strict-Transport-Security "max-age=31536000;";
-
- client_max_body_size 525M;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- location / {
- proxy_pass http://vaultwarden-default;
- }
-
- # Optionally add extra authentication besides the ADMIN_TOKEN
- # Remove the comments below `#` and create the htpasswd_file to have it active
- #
- #location /admin {
- # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
- #
auth_basic "Private";
- # auth_basic_user_file /path/to/htpasswd_file;
- #
- # proxy_pass http://vaultwarden-default;
- #}
-}
\ No newline at end of file
diff --git a/vaultwarden/vaultwarden_sample_haproxy b/vaultwarden/vaultwarden_sample_haproxy
deleted file mode 100644
index 6b51a10..0000000
--- a/vaultwarden/vaultwarden_sample_haproxy
+++ /dev/null
@@ -1,66 +0,0 @@
-# The `upstream` directives ensure that you have a http/1.1 connection
-# This enables the keepalive option and better performance
-#
-# Define the server IP and ports here.
-upstream vaultwarden-default {
- zone vaultwarden-default 64k;
- server 127.0.0.1:8885;
- keepalive 2;
-}
-
-# Needed to support websocket connections
-# See: https://nginx.org/en/docs/http/websocket.html
-# Instead of "close" as stated in the above link we send an empty value.
-# Else all keepalive connections will not work.
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' "";
-}
-
-# Redirect HTTP to HTTPS
-# server {
-# listen 80;
-# listen [::]:80;
-# server_name my_domain.tld;
-
-# return 301 https://$host$request_uri;
-# }
-
-server {
- # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
- listen 127.0.0.1:80;
- # listen [::]:80;
- # server_name my_domain.tld;
-
- # Specify SSL Config when needed
- # ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
- # ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
- # ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
- #add_header Strict-Transport-Security "max-age=31536000;";
-
- client_max_body_size 525M;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- location / {
- proxy_pass http://vaultwarden-default;
- }
-
- # Optionally add extra authentication besides the ADMIN_TOKEN
- # Remove the comments below `#` and create the htpasswd_file to have it active
- #
- #location /admin {
- # # See:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
- # auth_basic "Private";
- # auth_basic_user_file /path/to/htpasswd_file;
- #
- # proxy_pass http://vaultwarden-default;
- #}
-}
\ No newline at end of file