Working, but incomplete
24
README.md
24
README.md
@ -11,8 +11,8 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
|
||||
- 🛡️ Fully self-hosted on Debian 12
|
||||
- 🔐 Vaultwarden (Bitwarden-compatible)
|
||||
- 💾 MariaDB backend
|
||||
- 🧠 Supports .env override system via web-based setup
|
||||
- 🌐 NGINX reverse proxy + PHP-based first-time setup wizard
|
||||
- 🧠 Supports .env override system via web-based administration
|
||||
- 🌐 NGINX reverse proxy + PHP-based first-time activation wizard
|
||||
- 🔑 Multi-user access, browser extensions, mobile app compatibility
|
||||
|
||||
---
|
||||
@ -22,14 +22,14 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
|
||||
| Path | Purpose |
|
||||
|------|---------|
|
||||
| `/opt/vaultwarden/.env` | Core Vaultwarden environment settings |
|
||||
| `/var/lib/vaultwarden/.env.user` | User-defined config written via the setup wizard |
|
||||
| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the setup wizard after first-time config |
|
||||
| `/var/lib/vaultwarden/.env.user` | User-defined config written via the activation tool |
|
||||
| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the activation wizard after first-time config |
|
||||
| `/opt/vaultwarden/.env.merged` | Combined environment used by the wrapper |
|
||||
| `/usr/local/bin/vaultwarden` | Vaultwarden binary |
|
||||
| `/usr/local/bin/vaultwarden-wrapper` | Wrapper that merges .env and .env.user |
|
||||
| `/etc/systemd/system/vaultwarden.service` | Systemd unit to manage Vaultwarden as a service |
|
||||
| `/var/www/html/setup/` | First-time setup wizard served via PHP |
|
||||
| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page served on `/` |
|
||||
| `/var/www/html/activate/` | First-time activation tool, served via PHP |
|
||||
| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page (not currently used) |
|
||||
|
||||
---
|
||||
|
||||
@ -43,7 +43,7 @@ On a fresh Debian 12 system, clone the password-manager repository and then run:
|
||||
|
||||
After installation:
|
||||
- Access the appliance at `http://<your-appliance-ip>/`
|
||||
- Go to `/setup` to complete first-time configuration
|
||||
- Go to `/activate` to complete first-time configuration
|
||||
- After submitting the form, Vaultwarden will use your custom settings
|
||||
|
||||
---
|
||||
@ -51,21 +51,21 @@ After installation:
|
||||
## 🧠 Configuration Flow
|
||||
|
||||
1. Installer creates `/opt/vaultwarden/.env` (default config)
|
||||
2. User config is stored via `/setup` in `/var/lib/vaultwarden/.env.user`
|
||||
2. Admin Token is created by visiting `/activation` and is stored in `/var/lib/vaultwarden/.env.user`
|
||||
3. `vaultwarden-wrapper` merges both files into `.env.merged`
|
||||
4. Systemd launches Vaultwarden using the wrapper
|
||||
|
||||
---
|
||||
|
||||
## 🔁 To Re-run Setup
|
||||
## 🔁 To Re-run Activation
|
||||
|
||||
To prevent a bad actor from modifying your configuration by re-running the /setup tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
|
||||
To prevent a bad actor from modifying your configuration by re-running the /activate tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
|
||||
|
||||
```bash
|
||||
rm /var/lib/vaultwarden/.setup-complete
|
||||
```
|
||||
|
||||
Then visit `/setup` in your browser again.
|
||||
Then visit `/activate` in your browser again.
|
||||
|
||||
---
|
||||
|
||||
@ -105,7 +105,7 @@ If you need to reset your environment to retry installing after a failed install
|
||||
This will:
|
||||
|
||||
* Remove Vaultwarden and its related system user
|
||||
* Delete configuration files and setup data
|
||||
* Delete configuration files and activation data
|
||||
* Uninstall MariaDB and clear its databases
|
||||
* Remove any sudo rules added by the installer
|
||||
|
||||
|
74
installer.sh
74
installer.sh
@ -92,7 +92,7 @@ fi
|
||||
# Update system and install dependencies
|
||||
echo "Installing dependencies..."
|
||||
apt update && apt upgrade -y
|
||||
apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd
|
||||
apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd openssl
|
||||
|
||||
ufw allow OpenSSH
|
||||
ufw allow 'Nginx Full'
|
||||
@ -240,40 +240,31 @@ if [ -f /etc/nginx/sites-enabled/default ]; then
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
fi
|
||||
|
||||
# Basic NGINX placeholder config
|
||||
# HTTPS self-signed cert
|
||||
mkdir -p /etc/ssl/private
|
||||
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/CN=localhost"
|
||||
|
||||
# NGINX vhost config
|
||||
cat <<"EOF" > /etc/nginx/sites-available/vaultwarden
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
server_name _;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/vaultwarden-selfsigned.crt;
|
||||
ssl_certificate_key /etc/ssl/private/vaultwarden-selfsigned.key;
|
||||
|
||||
root /var/www/html/vaultinfo;
|
||||
index index.php;
|
||||
|
||||
# Main landing page
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
}
|
||||
|
||||
# Serve PHP files
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
|
||||
# Setup interface
|
||||
location /setup {
|
||||
root /var/www/html;
|
||||
index index.php;
|
||||
|
||||
location ~ ^/setup/.*\.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
}
|
||||
|
||||
# Vaultwarden Admin Panel
|
||||
location ^~ /admin/ {
|
||||
proxy_pass http://127.0.0.1:8080/admin/;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
@ -283,11 +274,21 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# Vaultwarden static files (referenced from root!)
|
||||
location ~ ^/(bootstrap|admin|vaultwarden|.*\.(css|js|png|ico|woff2?)$) {
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
# Serve PHP files
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
|
||||
# First-Run Activation
|
||||
location /activate {
|
||||
root /var/www/html;
|
||||
index index.php;
|
||||
|
||||
location ~ ^/activate/.*\.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
}
|
||||
|
||||
# WebSocket
|
||||
@ -297,6 +298,11 @@ server {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
@ -326,10 +332,10 @@ chmod 640 /var/lib/vaultwarden/.env.user
|
||||
|
||||
# Download and deploy setup wizard
|
||||
echo "Installing PHP and deploying setup page..."
|
||||
apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd
|
||||
apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd php-bcmath
|
||||
cd "$INSTALLER_DIR"
|
||||
cp -R ./setup /var/www/html/
|
||||
chown -R www-data:www-data /var/www/html/setup
|
||||
cp -R ./activate /var/www/html/
|
||||
chown -R www-data:www-data /var/www/html/activate
|
||||
|
||||
# Welcome page with /setup condition check
|
||||
cat <<"EOF" > /var/www/html/vaultinfo/index.php
|
||||
|
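Review bot: In the `# HTTPS self-signed cert` hunk (`@ -240,40 +240,31 @@`), the private key written by `openssl req ... -keyout /etc/ssl/private/vaultwarden-selfsigned.key` gets whatever mode the installer's umask yields, and nothing in the hunk tightens it afterwards; on a typical 022 umask the key would be world-readable inside a directory that is only traversable by root and the ssl-cert group, which is defence in depth but not a substitute for restrictive file permissions. A one-line follow-up such as `chmod 600 /etc/ssl/private/vaultwarden-selfsigned.key` (or wrapping the call in `umask 077`) closes this. The openssl invocation's exit status is also not checked before the heredoc writes a vhost that references the cert and key; unless the script runs under `set -e` (not visible in this hunk), a failed key generation would leave nginx with an unstartable config, so `|| { echo "cert generation failed" >&2; exit 1; }` would make the failure explicit. In the same file, the `@ -283,11 +274,21 @@` and `@ -297,6 +298,11 @@` hunks both add a server-level `location ~ \.php$` handler; the second one appears redundant with the first, and keeping a single PHP handler makes it easier to audit which paths can execute PHP.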