Add first final version of vw deployment and haproxy

2025-05-03 23:00:55 +02:00
parent d2f8acb02b
commit 250662c65e
7 changed files with 74 additions and 178 deletions
--- a/haproxy/haproxy_config.sh
+++ b/haproxy/haproxy_config.sh
@@ -19,6 +19,7 @@ echo "$AUTOCONFIG_BEGIN" | sudo tee -a $HAPROXY_CFG > /dev/null
 if [ -z "$(ls -A $HAPROXY_SERVICE_DIR 2>/dev/null)" ]; then
    echo "No services found under $HAPROXY_SERVICE_DIR. Skipping autoconfig."
    echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
+    sudo systemctl restart haproxy
    exit 0
 fi

@@ -90,4 +91,7 @@ EOF

 echo "$BACKEND_BLOCK" | sudo tee -a $HAPROXY_CFG > /dev/null

-echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
+echo "$AUTOCONFIG_END" | sudo tee -a $HAPROXY_CFG > /dev/null
+
+echo "Config complete. restart haproxy."
+sudo systemctl restart haproxy
--- a/vaultwarden/deploy.sh
+++ b/vaultwarden/deploy.sh
@@ -22,6 +22,12 @@ podman create \
    --restart=unless-stopped \
    -e DOMAIN=https://$DOMAIN \
    -e SHOW_PASSWORD_HINT=false \
+    -e SMTP_HOST=$SMTP_HOST \
+    -e SMTP_FROM=$SMTP_FROM \
+    -e SMTP_PORT=$SMTP_PORT \
+    -e SMTP_SECURITY=$SMTP_SECURITY \
+    -e SMTP_USERNAME=$SMTP_USERNAME \
+    -e SMTP_PASSWORD=$SMTP_PASSWORD \
    -p $PORT:80 \
    -v $DATA_FOLDER:/data \
    docker.io/vaultwarden/server:latest
@@ -33,12 +39,34 @@ podman generate systemd \
    --container-prefix=vaultwarden \
    --restart-policy=always

-USER_SYSTEMD="$HOME/.config/systemd/user"
 mkdir -p $USER_SYSTEMD
-cp vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD
+mv vaultwarden-$CONTAINER_NAME.service $USER_SYSTEMD
 systemctl --user daemon-reload
 systemctl --user enable --now vaultwarden-$CONTAINER_NAME.service

 sudo loginctl enable-linger $USER

+# generate haproxy blocks
+sudo mkdir -p $SERVICE_DIR
+echo "crt $SSL_PATH/fullchain.pem" | sudo tee $SERVICE_DIR/cert.block > /dev/null
+ACL_CFG=$(cat <<EOF
+acl is_vw hdr(host) -i $DOMAIN
+use_backend vw_backend if is_vw
+EOF
+)
+echo "$ACL_CFG" | sudo tee $SERVICE_DIR/acl.block > /dev/null
+BACKEND_CFG=$(cat <<EOF
+backend vw_backend
+    mode http
+    option httpchk GET /
+    option forwardfor
+    # Set the Source IP in the X-Real-IP header
+    http-request set-header X-Real-IP %[src]
+    server vwhttp 127.0.0.1:$PORT alpn http/1.1 check
+EOF
+)
+echo "$BACKEND_CFG" | sudo tee $SERVICE_DIR/backend.block > /dev/null
+
+echo "Deploy completed, manually run haproxy to generate new config."
+
 # on local, allow ufw port from wireguard
--- a/vaultwarden/env.sh
+++ b/vaultwarden/env.sh
@@ -1,11 +1,16 @@
-export NAMECHEAP_USERNAME=""
-export NAMECHEAP_API_KEY=""
-export NAMECHEAP_SOURCEIP=""
-
-export EMAIL=""
-export CONTAINER_NAME=""
-export PORT=""
-export DATA_FOLDER=""
-export DOMAIN=""
-export SSL_PATH=$HOME/.config/ssl/$DOMAIN
-export HAPROXY_CFG="/etc/haproxy/haproxy.cfg"
+EMAIL=""
+CONTAINER_NAME="vaultwarden"
+PORT="8880"
+DATA_FOLDER="$HOME/.local/share/vaultwarden/data"
+DOMAIN=""
+SMTP_HOST=""
+SMTP_FROM=""
+SMTP_PORT=""
+SMTP_SECURITY=""
+SMTP_USERNAME=""
+SMTP_PASSWORD=""
+SSL_PATH=$HOME/.config/ssl/$DOMAIN
+USER_SYSTEMD="$HOME/.config/systemd/user"
+HAPROXY_CFG_DIR="/etc/haproxy"
+HAPROXY_CFG="$HAPROXY_CFG_DIR/haproxy.cfg"
+SERVICE_DIR="$HAPROXY_CFG_DIR/services/$DOMAIN"
--- a/vaultwarden/haproxy.sh
+++ b/vaultwarden/haproxy.sh
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-. ./env.sh
-BLOCK_BEGIN="# === BEGIN vaultwarden config ==="
-BLOCK_END="# === END vaultwarden config ==="
-
-CONFIG=$(cat <<EOF
-$BLOCK_BEGIN
-frontend http_redirect
-    bind *:80
-    acl is_vw hdr(host) -i $DOMAIN
-    http-request redirect scheme https code 301 if is_vw
-frontend vw_https
-    bind *:443 ssl crt $SSL_PATH/fullchain.pem alpn h2,http/1.1
-    mode http
-    acl is_vw hdr(host) -i $DOMAIN
-    use_backend vw_backend if is_vw
-
-backend vw_backend
-    mode http
-    option httpchk GET /
-    server home 10.238.75.62:8885 check inter 5s fall 3 rise 2
-    server local 127.0.0.1:8885 check backup
-$BLOCK_END
-EOF
-)
-
-sudo sed -i "/$BLOCK_BEGIN/,/$BLOCK_END/d" "$HAPROXY_CFG"
-
-echo "$CONFIG" | sudo tee -a "$HAPROXY_CFG" > /dev/null
-
-sudo systemctl reload haproxy
--- a/vaultwarden/uninstall.sh
+++ b/vaultwarden/uninstall.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+. env.sh
+
+if systemctl --user list-units --full --all | grep -q "vaultwarden-${CONTAINER_NAME}.service"; then
+  systemctl --user stop vaultwarden-${CONTAINER_NAME}.service
+fi
+
+if podman container exists "$CONTAINER_NAME"; then
+    echo "Stop and delete existing container $CONTAINER_NAME"
+    if podman inspect -f '{{.State.Running}}' "$CONTAINER_NAME" | grep -q true; then
+        podman stop "$CONTAINER_NAME"
+    fi
+    podman rm "$CONTAINER_NAME"
+fi
+
+systemctl --user disable --now vaultwarden-$CONTAINER_NAME.service
+rm $USER_SYSTEMD/vaultwarden-$CONTAINER_NAME.service
+systemctl --user daemon-reload
+
+sudo rm -r $SERVICE_DIR
+
+echo "Uninstall complete. Manually run haproxy config to rebuild config."
--- a/vaultwarden/vaultwarden_sample
+++ b/vaultwarden/vaultwarden_sample
@@ -1,66 +0,0 @@
-# The `upstream` directives ensure that you have a http/1.1 connection
-# This enables the keepalive option and better performance
-#
-# Define the server IP and ports here.
-upstream vaultwarden-default {
-  zone vaultwarden-default 64k;
-  server 127.0.0.1:8885;
-  keepalive 2;
-}
-
-# Needed to support websocket connections
-# See: https://nginx.org/en/docs/http/websocket.html
-# Instead of "close" as stated in the above link we send an empty value.
-# Else all keepalive connections will not work.
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      "";
-}
-
-# Redirect HTTP to HTTPS
-server {
-    listen 80;
-    listen [::]:80;
-    server_name my_domain.tld;
-
-    return 301 https://$host$request_uri;
-}
-
-server {
-    # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name my_domain.tld;
-
-    # Specify SSL Config when needed
-    ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
-    ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
-    ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
-    #add_header Strict-Transport-Security "max-age=31536000;";
-
-    client_max_body_size 525M;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-
-    location / {
-      proxy_pass http://vaultwarden-default;
-    }
-
-    # Optionally add extra authentication besides the ADMIN_TOKEN
-    # Remove the comments below `#` and create the htpasswd_file to have it active
-    #
-    #location /admin {
-    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
-    #  auth_basic "Private";
-    #  auth_basic_user_file /path/to/htpasswd_file;
-    #
-    #  proxy_pass http://vaultwarden-default;
-    #}
-}
--- a/vaultwarden/vaultwarden_sample_haproxy
+++ b/vaultwarden/vaultwarden_sample_haproxy
@@ -1,66 +0,0 @@
-# The `upstream` directives ensure that you have a http/1.1 connection
-# This enables the keepalive option and better performance
-#
-# Define the server IP and ports here.
-upstream vaultwarden-default {
-  zone vaultwarden-default 64k;
-  server 127.0.0.1:8885;
-  keepalive 2;
-}
-
-# Needed to support websocket connections
-# See: https://nginx.org/en/docs/http/websocket.html
-# Instead of "close" as stated in the above link we send an empty value.
-# Else all keepalive connections will not work.
-map $http_upgrade $connection_upgrade {
-    default upgrade;
-    ''      "";
-}
-
-# Redirect HTTP to HTTPS
-# server {
-#     listen 80;
-#     listen [::]:80;
-#     server_name my_domain.tld;
-
-#     return 301 https://$host$request_uri;
-# }
-
-server {
-    # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
-    listen 127.0.0.1:80;
-    # listen [::]:80;
-    # server_name my_domain.tld;
-
-    # Specify SSL Config when needed
-    # ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
-    # ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
-    # ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
-    #add_header Strict-Transport-Security "max-age=31536000;";
-
-    client_max_body_size 525M;
-
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto $scheme;
-
-    location / {
-      proxy_pass http://vaultwarden-default;
-    }
-
-    # Optionally add extra authentication besides the ADMIN_TOKEN
-    # Remove the comments below `#` and create the htpasswd_file to have it active
-    #
-    #location /admin {
-    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
-    #  auth_basic "Private";
-    #  auth_basic_user_file /path/to/htpasswd_file;
-    #
-    #  proxy_pass http://vaultwarden-default;
-    #}
-}