From f23d3e7088e36ac32f0c3510c75b4fc012cc77ee Mon Sep 17 00:00:00 2001 From: tteckster Date: Sat, 31 Dec 2022 11:24:33 -0500 Subject: [PATCH] Create vaultwarden-v5-install.sh --- install/vaultwarden-v5-install.sh | 204 ++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 install/vaultwarden-v5-install.sh diff --git a/install/vaultwarden-v5-install.sh b/install/vaultwarden-v5-install.sh new file mode 100644 index 00000000..510d78c1 --- /dev/null +++ b/install/vaultwarden-v5-install.sh @@ -0,0 +1,204 @@ +#!/usr/bin/env bash +if [ "$VERBOSE" == "yes" ]; then set -x; fi +YW=$(echo "\033[33m") +RD=$(echo "\033[01;31m") +BL=$(echo "\033[36m") +GN=$(echo "\033[1;92m") +CL=$(echo "\033[m") +RETRY_NUM=10 +RETRY_EVERY=3 +NUM=$RETRY_NUM +CM="${GN}✓${CL}" +CROSS="${RD}✗${CL}" +BFR="\\r\\033[K" +HOLD="-" +set -o errexit +set -o errtrace +set -o nounset +set -o pipefail +shopt -s expand_aliases +alias die='EXIT=$? LINE=$LINENO error_exit' +trap die ERR +silent() { "$@" > /dev/null 2>&1; } +function error_exit() { + trap - ERR + local reason="Unknown failure occurred." + local msg="${1:-$reason}" + local flag="${RD}‼ ERROR ${CL}$EXIT@$LINE" + echo -e "$flag $msg" 1>&2 + exit $EXIT +} + +function msg_info() { + local msg="$1" + echo -ne " ${HOLD} ${YW}${msg}..." +} + +function msg_ok() { + local msg="$1" + echo -e "${BFR} ${CM} ${GN}${msg}${CL}" +} + +function msg_error() { + local msg="$1" + echo -e "${BFR} ${CROSS} ${RD}${msg}${CL}" +} + +msg_info "Setting up Container OS " +sed -i "/$LANG/ s/\(^# \)//" /etc/locale.gen +locale-gen >/dev/null +while [ "$(hostname -I)" = "" ]; do + echo 1>&2 -en "${CROSS}${RD} No Network! " + sleep $RETRY_EVERY + ((NUM--)) + if [ $NUM -eq 0 ]; then + echo 1>&2 -e "${CROSS}${RD} No Network After $RETRY_NUM Tries${CL}" + exit 1 + fi +done +msg_ok "Set up Container OS" +msg_ok "Network Connected: ${BL}$(hostname -I)" + +set +e +alias die='' +if nc -zw1 8.8.8.8 443; then msg_ok "Internet Connected"; else + msg_error "Internet NOT Connected" + read -r -p "Would you like to continue anyway? " prompt + if [[ $prompt == "y" || $prompt == "Y" || $prompt == "yes" || $prompt == "Yes" ]]; then + echo -e " ⚠️ ${RD}Expect Issues Without Internet${CL}" + else + echo -e " 🖧 Check Network Settings" + exit 1 + fi +fi +RESOLVEDIP=$(nslookup "github.com" | awk -F':' '/^Address: / { matched = 1 } matched { print $2}' | xargs) +if [[ -z "$RESOLVEDIP" ]]; then msg_error "DNS Lookup Failure"; else msg_ok "DNS Resolved github.com to $RESOLVEDIP"; fi +alias die='EXIT=$? LINE=$LINENO error_exit' +set -e + +msg_info "Updating Container OS" +$STD apt-get update +$STD apt-get -y upgrade +msg_ok "Updated Container OS" + +msg_info "Installing Dependencies" +$STD apt-get update +$STD apt-get -qqy install \ + git \ + build-essential \ + pkgconf \ + libssl-dev \ + libmariadb-dev-compat \ + libpq-dev \ + curl \ + sudo +msg_ok "Installed Dependencies" + +WEBVAULT=$(curl -s https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | + grep "tag_name" | + awk '{print substr($2, 2, length($2)-3) }') + +VAULT=$(curl -s https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | + grep "tag_name" | + awk '{print substr($2, 2, length($2)-3) }') + +msg_info "Installing Rust" +wget -qL https://sh.rustup.rs +$STD bash index.html -y --profile minimal +echo 'export PATH=~/.cargo/bin:$PATH' >>~/.bashrc +export PATH=~/.cargo/bin:$PATH +rm index.html +msg_ok "Installed Rust" + +msg_info "Building Vaultwarden ${VAULT} (Patience)" +$STD git clone https://github.com/dani-garcia/vaultwarden +cd vaultwarden +$STD cargo build --features "sqlite,mysql,postgresql" --release +msg_ok "Built Vaultwarden ${VAULT}" + +$STD addgroup --system vaultwarden +$STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden +mkdir -p /opt/vaultwarden/bin +mkdir -p /opt/vaultwarden/data +cp target/release/vaultwarden /opt/vaultwarden/bin/ + +msg_info "Downloading Web-Vault ${WEBVAULT}" +$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz +$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/ +msg_ok "Downloaded Web-Vault ${WEBVAULT}" + +cat </opt/vaultwarden/.env +ADMIN_TOKEN=$(openssl rand -base64 48) +ROCKET_ADDRESS=0.0.0.0 +DATA_FOLDER=/opt/vaultwarden/data +DATABASE_MAX_CONNS=10 +WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault +WEB_VAULT_ENABLED=true +EOF + +msg_info "Creating Service" +chown -R vaultwarden:vaultwarden /opt/vaultwarden/ +chown root:root /opt/vaultwarden/bin/vaultwarden +chmod +x /opt/vaultwarden/bin/vaultwarden +chown -R root:root /opt/vaultwarden/web-vault/ +chmod +r /opt/vaultwarden/.env + +service_path="/etc/systemd/system/vaultwarden.service" +echo "[Unit] +Description=Bitwarden Server (Powered by Vaultwarden) +Documentation=https://github.com/dani-garcia/vaultwarden +After=network.target +[Service] +User=vaultwarden +Group=vaultwarden +EnvironmentFile=-/opt/vaultwarden/.env +ExecStart=/opt/vaultwarden/bin/vaultwarden +LimitNOFILE=65535 +LimitNPROC=4096 +PrivateTmp=true +PrivateDevices=true +ProtectHome=true +ProtectSystem=strict +DevicePolicy=closed +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictNamespaces=yes +RestrictRealtime=yes +MemoryDenyWriteExecute=yes +LockPersonality=yes +WorkingDirectory=/opt/vaultwarden +ReadWriteDirectories=/opt/vaultwarden/data +AmbientCapabilities=CAP_NET_BIND_SERVICE +[Install] +WantedBy=multi-user.target" >$service_path +systemctl daemon-reload +$STD systemctl enable --now vaultwarden.service +msg_ok "Created Service" + +PASS=$(grep -w "root" /etc/shadow | cut -b6) +if [[ $PASS != $ ]]; then + msg_info "Customizing Container" + rm /etc/motd + rm /etc/update-motd.d/10-uname + touch ~/.hushlogin + GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf" + mkdir -p $(dirname $GETTY_OVERRIDE) + cat <$GETTY_OVERRIDE +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM +EOF + systemctl daemon-reload + systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//') + msg_ok "Customized Container" +fi +if [[ "${SSH_ROOT}" == "yes" ]]; then + sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config + systemctl restart sshd +fi + +msg_info "Cleaning up" +$STD apt-get autoremove +$STD apt-get autoclean +msg_ok "Cleaned"