Add first final version of vw deployment and haproxy

2025-05-03 23:00:55 +02:00
parent d2f8acb02b
commit 250662c65e
7 changed files with 74 additions and 178 deletions


@@ -19,6 +19,7 @@ echo "$AUTOCONFIG_BEGIN" | sudo tee -a $HAPROXY_CFG > /dev/null
if [ -z "$(ls -A $HAPROXY_SERVICE_DIR 2>/dev/null)" ]; then if [ -z "$(ls -A $HAPROXY_SERVICE_DIR 2>/dev/null)" ]; then
echo "No services found under $HAPROXY_SERVICE_DIR. Skipping autoconfig." echo "No services found under $HAPROXY_SERVICE_DIR. Skipping autoconfig."
echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
sudo systemctl restart haproxy
exit 0 exit 0
fi fi
@@ -90,4 +91,7 @@ EOF
echo "$BACKEND_BLOCK" | sudo tee -a $HAPROXY_CFG > /dev/null echo "$BACKEND_BLOCK" | sudo tee -a $HAPROXY_CFG > /dev/null
echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
echo "Config complete. restart haproxy."
sudo systemctl restart haproxy
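Review bot: The new `sudo systemctl restart haproxy` lines (here and in the skip-autoconfig branch of the first hunk) restart the proxy without first validating the file the script has just appended to, so a malformed generated block leaves haproxy down instead of leaving the running process serving the old config. Check the file and prefer a reload, which the script deleted in this same commit already used: `sudo haproxy -c -f "$HAPROXY_CFG" && sudo systemctl reload haproxy`. A restart also drops in-flight connections, which a reload avoids. The surrounding `tee -a $HAPROXY_CFG` calls expand the path unquoted; quoting it on the new lines keeps the new code consistent with the check above.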


@@ -22,6 +22,12 @@ podman create \
--restart=unless-stopped \ --restart=unless-stopped \
-e DOMAIN=https://$DOMAIN \ -e DOMAIN=https://$DOMAIN \
-e SHOW_PASSWORD_HINT=false \ -e SHOW_PASSWORD_HINT=false \
-e SMTP_HOST=$SMTP_HOST \
-e SMTP_FROM=$SMTP_FROM \
-e SMTP_PORT=$SMTP_PORT \
-e SMTP_SECURITY=$SMTP_SECURITY \
-e SMTP_USERNAME=$SMTP_USERNAME \
-e SMTP_PASSWORD=$SMTP_PASSWORD \
-p $PORT:80 \ -p $PORT:80 \
-v $DATA_FOLDER:/data \ -v $DATA_FOLDER:/data \
docker.io/vaultwarden/server:latest docker.io/vaultwarden/server:latest
@@ -33,12 +39,34 @@ podman generate systemd \
--container-prefix=vaultwarden \ --container-prefix=vaultwarden \
--restart-policy=always --restart-policy=always
USER_SYSTEMD="$HOME/.config/systemd/user"
mkdir -p $USER_SYSTEMD mkdir -p $USER_SYSTEMD
cp vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD mv vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD
systemctl --user daemon-reload systemctl --user daemon-reload
systemctl --user enable --now vaultwarden-$CONTAINER_NAME.service systemctl --user enable --now vaultwarden-$CONTAINER_NAME.service
sudo loginctl enable-linger $USER sudo loginctl enable-linger $USER
# generate haproxy blocks
sudo mkdir -p $SERVICE_DIR
echo "crt $SSL_PATH/fullchain.pem" | sudo tee $SERVICE_DIR/cert.block > /dev/null
ACL_CFG=$(cat <<EOF
acl is_vw hdr(host) -i $DOMAIN
use_backend vw_backend if is_vw
EOF
)
echo "$ACL_CFG" | sudo tee $SERVICE_DIR/acl.block > /dev/null
BACKEND_CFG=$(cat <<EOF
backend vw_backend
mode http
option httpchk GET /
option forwardfor
# Set the Source IP in the X-Real-IP header
http-request set-header X-Real-IP %[src]
server vwhttp 127.0.0.1:$PORT alpn http/1.1 check
EOF
)
echo "$BACKEND_CFG" | sudo tee $SERVICE_DIR/backend.block > /dev/null
echo "Deploy completed, manually run haproxy to generate new config."
# on local, allow ufw port from wireguard # on local, allow ufw port from wireguard
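Review bot: `-e SMTP_PASSWORD=$SMTP_PASSWORD` at the end of the new SMTP block puts the password on the `podman create` command line, where it is visible to other local users through the process list while the command runs, and the unquoted expansion word-splits if the value contains whitespace. podman accepts `-e SMTP_PASSWORD` with no value to copy the variable from the exported environment, so `export SMTP_PASSWORD` where env.sh defines it and pass `-e SMTP_PASSWORD \` here; at minimum quote it and the neighbouring expansions (`-e "SMTP_PASSWORD=$SMTP_PASSWORD"`, `-p "$PORT:80"`, `-v "$DATA_FOLDER:/data"`). The `podman create` command starts before this hunk. The generated haproxy blocks further down write `$SERVICE_DIR/cert.block`, `$SERVICE_DIR/acl.block` and `$SERVICE_DIR/backend.block` through `sudo tee` unquoted as well; since SERVICE_DIR embeds `$DOMAIN`, quote those paths too.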


@@ -1,11 +1,16 @@
export NAMECHEAP_USERNAME="" EMAIL=""
export NAMECHEAP_API_KEY="" CONTAINER_NAME="vaultwarden"
export NAMECHEAP_SOURCEIP="" PORT="8880"
DATA_FOLDER="$HOME/.local/share/vaultwarden/data"
export EMAIL="" DOMAIN=""
export CONTAINER_NAME="" SMTP_HOST=""
export PORT="" SMTP_FROM=""
export DATA_FOLDER="" SMTP_PORT=""
export DOMAIN="" SMTP_SECURITY=""
export SSL_PATH=$HOME/.config/ssl/$DOMAIN SMTP_USERNAME=""
export HAPROXY_CFG="/etc/haproxy/haproxy.cfg" SMTP_PASSWORD=""
SSL_PATH=$HOME/.config/ssl/$DOMAIN
USER_SYSTEMD="$HOME/.config/systemd/user"
HAPROXY_CFG_DIR="/etc/haproxy"
HAPROXY_CFG="$HAPROXY_CFG_DIR/haproxy.cfg"
SERVICE_DIR="$HAPROXY_CFG_DIR/services/$DOMAIN"
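Review bot: `SSL_PATH` and, on the last line, `SERVICE_DIR` are derived from `DOMAIN`, which this file now initialises to an empty string a few lines above, so an env.sh that has not been filled in silently yields `$HOME/.config/ssl/` and `/etc/haproxy/services/` rather than an error, and the uninstall script added in this commit removes `$SERVICE_DIR` recursively. Guard the derived values with `: "${DOMAIN:?DOMAIN must be set in env.sh}"` placed before the `SSL_PATH=` line. Since the file now also holds `SMTP_PASSWORD`, a header comment such as `# Contains credentials: keep mode 600 and out of version control` would document that expectation for whoever copies it.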


@@ -1,32 +0,0 @@
#!/bin/bash
. ./env.sh
BLOCK_BEGIN="# === BEGIN vaultwarden config ==="
BLOCK_END="# === END vaultwarden config ==="
CONFIG=$(cat <<EOF
$BLOCK_BEGIN
frontend http_redirect
bind *:80
acl is_vw hdr(host) -i $DOMAIN
http-request redirect scheme https code 301 if is_vw
frontend vw_https
bind *:443 ssl crt $SSL_PATH/fullchain.pem alpn h2,http/1.1
mode http
acl is_vw hdr(host) -i $DOMAIN
use_backend vw_backend if is_vw
backend vw_backend
mode http
option httpchk GET /
server home 10.238.75.62:8885 check inter 5s fall 3 rise 2
server local 127.0.0.1:8885 check backup
$BLOCK_END
EOF
)
sudo sed -i "/$BLOCK_BEGIN/,/$BLOCK_END/d" "$HAPROXY_CFG"
echo "$CONFIG" | sudo tee -a "$HAPROXY_CFG" > /dev/null
sudo systemctl reload haproxy

23
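--- a/vaultwarden/uninstall.sh
+++ b/vaultwarden/uninstall.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+. env.sh
+if systemctl --user list-units --full --all | grep -q "vaultwarden-${CONTAINER_NAME}.service"; then
+systemctl --user stop vaultwarden-${CONTAINER_NAME}.service
+fi
+if podman container exists "$CONTAINER_NAME"; then
+echo "Stop and delete existing container $CONTAINER_NAME"
+if podman inspect -f '{{.State.Running}}' "$CONTAINER_NAME" | grep -q true; then
+podman stop "$CONTAINER_NAME"
+fi
+podman rm "$CONTAINER_NAME"
+fi
+systemctl --user disable --now vaultwarden-$CONTAINER_NAME.service
+rm $USER_SYSTEMD/vaultwarden-$CONTAINER_NAME.service
+systemctl --user daemon-reload
+sudo rm -r $SERVICE_DIR
+echo "Uninstall complete. Manually run haproxy config to rebuild config."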
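Review bot: `sudo rm -r $SERVICE_DIR` near the end is unquoted and unguarded, and SERVICE_DIR is built from `$DOMAIN` in env.sh, so an empty or unset DOMAIN turns this line into removing the whole haproxy services directory for every deployed service; write it as `sudo rm -r -- "${SERVICE_DIR:?SERVICE_DIR unset}"` and quote the unit path on the `rm` line above it as well. The `systemctl --user disable --now` line also runs even when the unit is absent, unlike the guarded `stop` at the top; moving it inside that `if` keeps the script's behaviour and output consistent. Nothing sets `set -e`, so a failing step is silently passed over and the final "Uninstall complete" message prints regardless.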


@@ -1,66 +0,0 @@
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:8885;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name my_domain.tld;
return 301 https://$host$request_uri;
}
server {
# For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
listen 443 ssl;
listen [::]:443 ssl;
server_name my_domain.tld;
# Specify SSL Config when needed
ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
#add_header Strict-Transport-Security "max-age=31536000;";
client_max_body_size 525M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://vaultwarden-default;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_pass http://vaultwarden-default;
#}
}


@@ -1,66 +0,0 @@
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 64k;
server 127.0.0.1:8885;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
# server {
# listen 80;
# listen [::]:80;
# server_name my_domain.tld;
# return 301 https://$host$request_uri;
# }
server {
# For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
listen 127.0.0.1:80;
# listen [::]:80;
# server_name my_domain.tld;
# Specify SSL Config when needed
# ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
# ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
# ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
#add_header Strict-Transport-Security "max-age=31536000;";
client_max_body_size 525M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://vaultwarden-default;
}
# Optionally add extra authentication besides the ADMIN_TOKEN
# Remove the comments below `#` and create the htpasswd_file to have it active
#
#location /admin {
# # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
# auth_basic "Private";
# auth_basic_user_file /path/to/htpasswd_file;
#
# proxy_pass http://vaultwarden-default;
#}
}