Add basic vaultwarden installation

vaultwarden/acme.sh

@@ -0,0 +1,27 @@
+curl https://get.acme.sh | sh -s email=liu.tianyu93@hotmail.com
+
+DOMAIN="vw.jamesvillage.dev"
+SSL_PATH=$HOME/.config/ssl/$DOMAIN
+mkdir -p $SSL_PATH
+
+export NAMECHEAP_USERNAME="james77676166"
+export NAMECHEAP_API_KEY="afcbbc60dcf8431cb0529db06b4dfac7"
+export NAMECHEAP_SOURCEIP="188.245.147.192"
+
+$HOME/.acme.sh/acme.sh --issue --dns dns_namecheap -d $DOMAIN \
+    --fullchain-file "$SSL_PATH/fullchain.cer" \
+    --key-file "$SSL_PATH/privkey.key" \
+    --reloadcmd "cat $SSL_PATH/privkey.key $SSL_PATH/fullchain.cer > $SSL_PATH/fullchain.pem"
+
+cp vaultwarden_sample_haproxy vaultwarden
+
+# sed -i \
+#   -e "s|my_domain\.tld|$DOMAIN|g" \
+#   -e "s|/path/to/certificate/letsencrypt/live/vaultwarden\.example\.tld/fullchain\.pem|$SSL_PATH/fullchain.cer|g" \
+#   -e "s|/path/to/certificate/letsencrypt/live/vaultwarden\.example\.tld/privkey\.pem|$SSL_PATH/privkey.key|g" \
+#   vaultwarden
+
+sudo mv vaultwarden /etc/nginx/sites-available
+sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled
+sudo systemctl reload nginx
+

vaultwarden/deploy.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+set -e
+
+CONTAINER_NAME="vaultwarden"
+PORT="8885"
+DOMAIN="https://vw.jamesvillage.dev"
+
+DATA_FOLDER="$HOME/.local/share/vaultwarden/data"
+mkdir -p $DATA_FOLDER
+
+systemctl --user stop container-$CONTAINER_NAME.service
+
+# if podman container exists "$CONTAINER_NAME"; then
+#     echo "Stop and delete existing container $CONTAINER_NAME"
+#     if podman inspect -f '{{.State.Running}}' "$CONTAINER_NAME" | grep -q true; then
+#         podman stop "$CONTAINER_NAME"
+#     fi
+#     podman rm "$CONTAINER_NAME"
+# fi
+
+podman create \
+    --name vaultwarden \
+    --restart=unless-stopped \
+    -e DOMAIN=$DOMAIN \
+    -e SHOW_PASSWORD_HINT=false \
+    -p $PORT:80 \
+    -v $DATA_FOLDER:/data \
+    docker.io/vaultwarden/server:latest
+
+podman generate systemd \
+    --new \
+    --name $CONTAINER_NAME \
+    --files \
+    --restart-policy=always
+
+USER_SYSTEMD="$HOME/.config/systemd/user"
+mkdir -p $USER_SYSTEMD
+cp container-$CONTAINER_NAME.service $USER_SYSTEMD
+systemctl --user daemon-reload
+systemctl --user enable --now container-$CONTAINER_NAME.service
+
+sudo loginctl enable-linger $USER

vaultwarden/vaultwarden_sample

@@ -0,0 +1,66 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+  zone vaultwarden-default 64k;
+  server 127.0.0.1:8885;
+  keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name my_domain.tld;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+    # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name my_domain.tld;
+
+    # Specify SSL Config when needed
+    ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+    ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+    ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+    #add_header Strict-Transport-Security "max-age=31536000;";
+
+    client_max_body_size 525M;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    location / {
+      proxy_pass http://vaultwarden-default;
+    }
+
+    # Optionally add extra authentication besides the ADMIN_TOKEN
+    # Remove the comments below `#` and create the htpasswd_file to have it active
+    #
+    #location /admin {
+    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+    #  auth_basic "Private";
+    #  auth_basic_user_file /path/to/htpasswd_file;
+    #
+    #  proxy_pass http://vaultwarden-default;
+    #}
+}

vaultwarden/vaultwarden_sample_haproxy

@@ -0,0 +1,66 @@
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+  zone vaultwarden-default 64k;
+  server 127.0.0.1:8885;
+  keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      "";
+}
+
+# Redirect HTTP to HTTPS
+# server {
+#     listen 80;
+#     listen [::]:80;
+#     server_name my_domain.tld;
+
+#     return 301 https://$host$request_uri;
+# }
+
+server {
+    # For older versions of nginx appended http2 to the listen line after ssl and remove `http2 on`
+    listen 127.0.0.1:80;
+    # listen [::]:80;
+    # server_name my_domain.tld;
+
+    # Specify SSL Config when needed
+    # ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+    # ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
+    # ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
+    #add_header Strict-Transport-Security "max-age=31536000;";
+
+    client_max_body_size 525M;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    location / {
+      proxy_pass http://vaultwarden-default;
+    }
+
+    # Optionally add extra authentication besides the ADMIN_TOKEN
+    # Remove the comments below `#` and create the htpasswd_file to have it active
+    #
+    #location /admin {
+    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+    #  auth_basic "Private";
+    #  auth_basic_user_file /path/to/htpasswd_file;
+    #
+    #  proxy_pass http://vaultwarden-default;
+    #}
+}