From a7e6715082c431e5bbcb73507db02300dad0a458 Mon Sep 17 00:00:00 2001
From: baldnerd
Date: Fri, 11 Jul 2025 13:51:53 -0400
Subject: [PATCH] Working, but incomplete
---
 README.md | 24 ++++++------
 {setup => activate}/index.php | 0
 installer.sh | 74 +++++++++++++++++++----------------
 3 files changed, 52 insertions(+), 46 deletions(-)
 rename {setup => activate}/index.php (100%)
diff --git a/README.md b/README.md
index 5566976..4d73a55 100644
--- a/README.md
+++ b/README.md
@@ -11,8 +11,8 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
 - 🛡️ Fully self-hosted on Debian 12
 - 🔐 Vaultwarden (Bitwarden-compatible)
 - 💾 MariaDB backend
-- 🧠 Supports .env override system via web-based setup
-- 🌐 NGINX reverse proxy + PHP-based first-time setup wizard
+- 🧠 Supports .env override system via web-based administration
+- 🌐 NGINX reverse proxy + PHP-based first-time activation wizard
 - 🔑 Multi-user access, browser extensions, mobile app compatibility
 ---
@@ -22,14 +22,14 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
 | Path | Purpose |
 |------|---------|
 | `/opt/vaultwarden/.env` | Core Vaultwarden environment settings |
-| `/var/lib/vaultwarden/.env.user` | User-defined config written via the setup wizard |
-| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the setup wizard after first-time config |
+| `/var/lib/vaultwarden/.env.user` | User-defined config written via the activation tool |
+| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the activation wizard after first-time config |
 | `/opt/vaultwarden/.env.merged` | Combined environment used by the wrapper |
 | `/usr/local/bin/vaultwarden` | Vaultwarden binary |
 | `/usr/local/bin/vaultwarden-wrapper` | Wrapper that merges .env and .env.user |
 | `/etc/systemd/system/vaultwarden.service` | Systemd unit to manage Vaultwarden as a service |
-| `/var/www/html/setup/` | First-time setup wizard served via PHP |
-| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page served on `/` |
+| `/var/www/html/activate/` | First-time activation tool, served via PHP |
+| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page (not currently used) |
 ---
@@ -43,7 +43,7 @@ On a fresh Debian 12 system, clone the password-manager repository and then run:
 After installation:
 - Access the appliance at `http:///`
-- Go to `/setup` to complete first-time configuration
+- Go to `/activate` to complete first-time configuration
 - After submitting the form, Vaultwarden will use your custom settings
 ---
@@ -51,21 +51,21 @@ After installation:
 ## 🧠 Configuration Flow
 1. Installer creates `/opt/vaultwarden/.env` (default config)
-2. User config is stored via `/setup` in `/var/lib/vaultwarden/.env.user`
+2. Admin Token is created by visiting `/activation` and is stored in `/var/lib/vaultwarden/.env.user`
 3. `vaultwarden-wrapper` merges both files into `.env.merged`
 4. Systemd launches Vaultwarden using the wrapper
 ---
-## 🔁 To Re-run Setup
+## 🔁 To Re-run Activation
-To prevent a bad actor from modifying your configuration by re-running the /setup tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
+To prevent a bad actor from modifying your configuration by re-running the /activate tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
 ```bash
 rm /var/lib/vaultwarden/.setup-complete
 ```
-Then visit `/setup` in your browser again.
+Then visit `/activate` in your browser again.
 ---
@@ -105,7 +105,7 @@ If you need to reset your environment to retry installing after a failed install
 This will:
 * Remove Vaultwarden and its related system user
-* Delete configuration files and setup data
+* Delete configuration files and activation data
 * Uninstall MariaDB and clear its databases
 * Remove any sudo rules added by the installer
diff --git a/setup/index.php b/activate/index.php
similarity index 100%
rename from setup/index.php
rename to activate/index.php
diff --git a/installer.sh b/installer.sh
index 608392a..6f6d58d 100755
--- a/installer.sh
+++ b/installer.sh
@@ -92,7 +92,7 @@ fi
 # Update system and install dependencies
 echo "Installing dependencies..."
 apt update && apt upgrade -y
-apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd
+apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd openssl
 ufw allow OpenSSH
 ufw allow 'Nginx Full'
@@ -240,40 +240,31 @@ if [ -f /etc/nginx/sites-enabled/default ]; then
 rm -f /etc/nginx/sites-enabled/default
 fi
-# Basic NGINX placeholder config
+# HTTPS self-signed cert
+mkdir -p /etc/ssl/private
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/CN=localhost"
+
+# NGINX vhost config
 cat <<"EOF" > /etc/nginx/sites-available/vaultwarden
 server {
 listen 80 default_server;
+ listen [::]:80 default_server;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
 server_name _;
+ ssl_certificate /etc/ssl/certs/vaultwarden-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/vaultwarden-selfsigned.key;
+
 root /var/www/html/vaultinfo;
 index index.php;
- # Main landing page
 location / {
- try_files $uri $uri/ /index.php?$args;
- }
-
- # Serve PHP files
- location ~ \.php$ {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/run/php/php8.2-fpm.sock;
- }
-
- # Setup interface
- location /setup {
- root /var/www/html;
- index index.php;
-
- location ~ ^/setup/.*\.php$ {
- include snippets/fastcgi-php.conf;
- fastcgi_pass unix:/run/php/php8.2-fpm.sock;
- }
- }
-
- # Vaultwarden Admin Panel
- location ^~ /admin/ {
- proxy_pass http://127.0.0.1:8080/admin/;
+ proxy_pass http://127.0.0.1:8080;
 proxy_http_version 1.1;
 proxy_set_header Host $host;
 proxy_set_header Upgrade $http_upgrade;
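Review bot: The key produced by `openssl req ... -keyout /etc/ssl/private/vaultwarden-selfsigned.key` is left with whatever mode the installer's umask yields (openssl does not tighten it, as far as I know), and the preceding `mkdir -p /etc/ssl/private` creates the directory with default permissions if it is absent, so nothing in this hunk guarantees the TLS private key is root-only; add `chmod 600 /etc/ssl/private/vaultwarden-selfsigned.key` directly after the openssl line. The openssl line also runs unconditionally, so every re-run of the installer silently replaces the key pair, including a proper certificate an admin may have installed in its place; guard it with `[ -f /etc/ssl/private/vaultwarden-selfsigned.key ] ||` or an equivalent check. Finally, `-subj "/CN=localhost"` with no subjectAltName will never match the hostname clients actually use for the appliance, so the CN/SAN should come from the host's FQDN or an installer variable rather than a fixed literal.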
@@ -283,11 +274,21 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- # Vaultwarden static files (referenced from root!)
- location ~ ^/(bootstrap|admin|vaultwarden|.*\.(css|js|png|ico|woff2?)$) {
- proxy_pass http://127.0.0.1:8080;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
+ # Serve PHP files
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+ }
+
+ # First-Run Activation
+ location /activate {
+ root /var/www/html;
+ index index.php;
+
+ location ~ ^/activate/.*\.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+ }
 }
 # WebSocket
@@ -297,6 +298,11 @@ server {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+ }
 }
 EOF
@@ -326,10 +332,10 @@ chmod 640 /var/lib/vaultwarden/.env.user
 # Download and deploy setup wizard
 echo "Installing PHP and deploying setup page..."
-apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd
+apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd php-bcmath
 cd "$INSTALLER_DIR"
-cp -R ./setup /var/www/html/
-chown -R www-data:www-data /var/www/html/setup
+cp -R ./activate /var/www/html/
+chown -R www-data:www-data /var/www/html/activate
 # Welcome page with /setup condition check
 cat <<"EOF" > /var/www/html/vaultinfo/index.php
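Review bot: The `location ~ \.php$` block added at the end of the server block in the next hunk (`@@ -297,6 +298,11 @@`) duplicates the `# Serve PHP files` block added here; nginx evaluates regex locations in configuration order, so the second copy is never selected and is dead config if nginx accepts the duplicate at all. Both server-level PHP handlers also resolve against `root /var/www/html/vaultinfo`, which the README change in this commit marks as not currently used, while everything else under `location /` is proxied to Vaultwarden. Since the only PHP that should be reachable is the activation tool, I would delete both server-level `location ~ \.php$` blocks and keep only the nested `location ~ ^/activate/.*\.php$`, so PHP-FPM is exposed solely under `/activate`. If the welcome page is ever revived, re-add the handler scoped to that path rather than to every `.php` URI on the appliance.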