From d6650450737c617f94880713e2b336cf789b5ecf Mon Sep 17 00:00:00 2001
From: Tianyu Liu
Date: Fri, 25 Apr 2025 12:49:13 +0200
Subject: [PATCH] Add basic vaultwarden installation
---
vaultwarden/acme.sh | 27 +++++++++++
vaultwarden/deploy.sh | 43 +++++++++++++++++
vaultwarden/vaultwarden_sample | 66 ++++++++++++++++++++++++++
vaultwarden/vaultwarden_sample_haproxy | 66 ++++++++++++++++++++++++++
4 files changed, 202 insertions(+)
create mode 100755 vaultwarden/acme.sh
create mode 100755 vaultwarden/deploy.sh
create mode 100644 vaultwarden/vaultwarden_sample
create mode 100644 vaultwarden/vaultwarden_sample_haproxy
diff --git a/vaultwarden/acme.sh b/vaultwarden/acme.sh
new file mode 100755
index 0000000..5318f1a
--- /dev/null
+++ b/vaultwarden/acme.sh
@@ -0,0 +1,27 @@
+curl https://get.acme.sh | sh -s email=liu.tianyu93@hotmail.com
+
+DOMAIN="vw.jamesvillage.dev"
+SSL_PATH=$HOME/.config/ssl/$DOMAIN
+mkdir -p $SSL_PATH
+
+export NAMECHEAP_USERNAME="james77676166"
+export NAMECHEAP_API_KEY="afcbbc60dcf8431cb0529db06b4dfac7"
+export NAMECHEAP_SOURCEIP="188.245.147.192"
+
+$HOME/.acme.sh/acme.sh --issue --dns dns_namecheap -d $DOMAIN \
+ --fullchain-file "$SSL_PATH/fullchain.cer" \
+ --key-file "$SSL_PATH/privkey.key" \
+ --reloadcmd "cat $SSL_PATH/privkey.key $SSL_PATH/fullchain.cer > $SSL_PATH/fullchain.pem"
+
+cp vaultwarden_sample_haproxy vaultwarden
+
+# sed -i \
+# -e "s|my_domain\.tld|$DOMAIN|g" \
+# -e "s|/path/to/certificate/letsencrypt/live/vaultwarden\.example\.tld/fullchain\.pem|$SSL_PATH/fullchain.cer|g" \
+# -e "s|/path/to/certificate/letsencrypt/live/vaultwarden\.example\.tld/privkey\.pem|$SSL_PATH/privkey.key|g" \
+# vaultwarden
+
+sudo mv vaultwarden /etc/nginx/sites-available
+sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled
+sudo systemctl reload nginx
+
diff --git a/vaultwarden/deploy.sh b/vaultwarden/deploy.sh
new file mode 100755
index 0000000..0bc90e7
--- /dev/null
+++ b/vaultwarden/deploy.sh
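Review bot: The three `export NAMECHEAP_*` lines commit a live DNS-API key, account name and source IP to git, which lets anyone with repository access issue certificates for and repoint the domain; rotate the key in the Namecheap panel now and replace the exports with a sourced, untracked 0600 file, e.g. `. "$HOME/.config/acme/namecheap.env"` followed by `: "${NAMECHEAP_API_KEY:?namecheap.env not loaded}"`. The `--reloadcmd` writes the private key into `fullchain.pem` through a plain `cat >` redirect, so under the usual 022 umask the key file becomes world-readable — wrap it as `(umask 077; cat ... > ...)` — and it reloads nothing, so renewed certificates are not picked up until the proxy is restarted by hand. The first line pipes `https://get.acme.sh` straight into `sh`; fetching the installer to a file and inspecting or pinning it before running keeps the install auditable. Since the `sed` block is commented out and the copied `vaultwarden_sample_haproxy` listens on plain 127.0.0.1:80, nginx never references these certificate files; presumably HAProxy consumes `fullchain.pem`, but nothing in this commit shows that.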
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+CONTAINER_NAME="vaultwarden"
+PORT="8885"
+DOMAIN="https://vw.jamesvillage.dev"
+
+DATA_FOLDER="$HOME/.local/share/vaultwarden/data"
+mkdir -p $DATA_FOLDER
+
+systemctl --user stop container-$CONTAINER_NAME.service
+
+# if podman container exists "$CONTAINER_NAME"; then
+# echo "Stop and delete existing container $CONTAINER_NAME"
+# if podman inspect -f '{{.State.Running}}' "$CONTAINER_NAME" | grep -q true; then
+# podman stop "$CONTAINER_NAME"
+# fi
+# podman rm "$CONTAINER_NAME"
+# fi
+
+podman create \
+ --name vaultwarden \
+ --restart=unless-stopped \
+ -e DOMAIN=$DOMAIN \
+ -e SHOW_PASSWORD_HINT=false \
+ -p $PORT:80 \
+ -v $DATA_FOLDER:/data \
+ docker.io/vaultwarden/server:latest
+
+podman generate systemd \
+ --new \
+ --name $CONTAINER_NAME \
+ --files \
+ --restart-policy=always
+
+USER_SYSTEMD="$HOME/.config/systemd/user"
+mkdir -p $USER_SYSTEMD
+cp container-$CONTAINER_NAME.service $USER_SYSTEMD
+systemctl --user daemon-reload
+systemctl --user enable --now container-$CONTAINER_NAME.service
+
+sudo loginctl enable-linger $USER
\ No newline at end of file
diff --git a/vaultwarden/vaultwarden_sample b/vaultwarden/vaultwarden_sample
new file mode 100644
index 0000000..5c26bee
--- /dev/null
+++ b/vaultwarden/vaultwarden_sample
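Review bot: `-p $PORT:80` publishes the container on every interface, so the vault is reachable over plain HTTP on port 8885 from the network and bypasses the TLS proxy that the nginx upstream on 127.0.0.1:8885 expects; bind it to loopback with `-p 127.0.0.1:$PORT:80`. `docker.io/vaultwarden/server:latest` is a mutable tag, so whatever upstream publishes next is what the next `podman pull` or a fresh host runs for a password vault — pin a release tag or an `@sha256:` digest and bump it deliberately. Vaultwarden keeps registration open unless `SIGNUPS_ALLOWED=false` is set and this run passes no such flag on a public hostname, so once the first account exists add `-e SIGNUPS_ALLOWED=false` (and a hashed `ADMIN_TOKEN` only if the admin page is actually wanted). Under `set -e` the unconditional `systemctl --user stop container-$CONTAINER_NAME.service` aborts the first deploy on a host where the unit does not exist yet, and with the removal block commented out `podman create --name vaultwarden` fails on every rerun because the name is taken; guard the stop with `|| true` and restore the remove step or use `podman create --replace`.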
@@ -0,0 +1,66 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 127.0.0.1:8885;
+ keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name my_domain.tld;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name my_domain.tld;
+
+ # Specify SSL Config when needed
+ ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+ ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ #add_header Strict-Transport-Security "max-age=31536000;";
+
+ client_max_body_size 525M;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ proxy_pass http://vaultwarden-default;
+ }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
\ No newline at end of file
diff --git a/vaultwarden/vaultwarden_sample_haproxy b/vaultwarden/vaultwarden_sample_haproxy
new file mode 100644
index 0000000..6b51a10
--- /dev/null
+++ b/vaultwarden/vaultwarden_sample_haproxy
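Review bot: The HTTPS server block leaves `Strict-Transport-Security` commented out and sets no `ssl_protocols`, so whether TLS 1.0/1.1 are accepted and whether a browser will ever retry over plain HTTP is left to the distro's nginx build defaults for a password vault; enable `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and add `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines. `ssl_trusted_certificate` is set but `ssl_stapling on; ssl_stapling_verify on;` are not, so that directive currently has no effect. The `/admin` basic-auth block is also commented; that is acceptable while no `ADMIN_TOKEN` is configured (the page stays disabled), but a one-line comment such as `# enable this block whenever ADMIN_TOKEN is set` would keep the two from drifting. This appears to be the stock upstream sample and acme.sh installs the `_haproxy` variant instead, so it may be unused on this host.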
@@ -0,0 +1,66 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+ zone vaultwarden-default 64k;
+ server 127.0.0.1:8885;
+ keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' "";
+}
+
+# Redirect HTTP to HTTPS
+# server {
+# listen 80;
+# listen [::]:80;
+# server_name my_domain.tld;
+
+# return 301 https://$host$request_uri;
+# }
+
+server {
+ # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
+ listen 127.0.0.1:80;
+ # listen [::]:80;
+ # server_name my_domain.tld;
+
+ # Specify SSL Config when needed
+ # ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ # ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+ # ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+ #add_header Strict-Transport-Security "max-age=31536000;";
+
+ client_max_body_size 525M;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location / {
+ proxy_pass http://vaultwarden-default;
+ }
+
+ # Optionally add extra authentication besides the ADMIN_TOKEN
+ # Remove the comments below `#` and create the htpasswd_file to have it active
+ #
+ #location /admin {
+ # # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+ # auth_basic "Private";
+ # auth_basic_user_file /path/to/htpasswd_file;
+ #
+ # proxy_pass http://vaultwarden-default;
+ #}
+}
\ No newline at end of file
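Review bot: With `listen 127.0.0.1:80` every request arrives from the front proxy, so `$remote_addr` is a loopback address and `proxy_set_header X-Real-IP $remote_addr` tells vaultwarden (which reads `X-Real-IP` by default via `IP_HEADER`) that all clients share one IP — its per-IP login and admin rate limits then throttle everyone together and logs lose the real source; add `set_real_ip_from 127.0.0.1;` and `real_ip_header X-Forwarded-For;` (ngx_http_realip_module) so `$remote_addr` is rewritten from the header the front proxy sets while trust stays limited to loopback. `X-Forwarded-Proto $scheme` is likewise always `http` on this listener while `DOMAIN` is an https URL, so either forward the front proxy's value or hard-code `proxy_set_header X-Forwarded-Proto https;`. The HAProxy configuration is not part of this commit, so whether it sets and overwrites `X-Forwarded-For` rather than passing a client-supplied one through is inferred and should be checked before trusting that header.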