baldnerd/password-manager-server-appliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Working, but incomplete

Browse Source
This commit is contained in:
Robbie Ferguson
2025-07-11 13:51:53 -04:00
parent d95bb1b94b
commit a7e6715082
3 changed files with 52 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -11,8 +11,8 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
- 🛡️ Fully self-hosted on Debian 12
- 🔐 Vaultwarden (Bitwarden-compatible)
- 💾 MariaDB backend
- 🧠 Supports .env override system via web-based setup
- 🌐 NGINX reverse proxy + PHP-based first-time setup wizard
- 🧠 Supports .env override system via web-based administration
- 🌐 NGINX reverse proxy + PHP-based first-time activation wizard
- 🔑 Multi-user access, browser extensions, mobile app compatibility
---
@ -22,14 +22,14 @@ A hardened, self-hosted password manager appliance based on Vaultwarden. Designe
| Path | Purpose |
|------|---------|
| `/opt/vaultwarden/.env` | Core Vaultwarden environment settings |
| `/var/lib/vaultwarden/.env.user` | User-defined config written via the setup wizard |
| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the setup wizard after first-time config |
| `/var/lib/vaultwarden/.env.user` | User-defined config written via the activation tool |
| `/var/lib/vaultwarden/.setup-complete` | Flag file that disables the activation wizard after first-time config |
| `/opt/vaultwarden/.env.merged` | Combined environment used by the wrapper |
| `/usr/local/bin/vaultwarden` | Vaultwarden binary |
| `/usr/local/bin/vaultwarden-wrapper` | Wrapper that merges .env and .env.user |
| `/etc/systemd/system/vaultwarden.service` | Systemd unit to manage Vaultwarden as a service |
| `/var/www/html/setup/` | First-time setup wizard served via PHP |
| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page served on `/` |
| `/var/www/html/activate/` | First-time activation tool, served via PHP |
| `/var/www/html/vaultinfo/index.html` | Installer-complete welcome page (not currently used) |
---
@ -43,7 +43,7 @@ On a fresh Debian 12 system, clone the password-manager repository and then run:
After installation:
- Access the appliance at `http://<your-appliance-ip>/`
- Go to `/setup` to complete first-time configuration
- Go to `/activate` to complete first-time configuration
- After submitting the form, Vaultwarden will use your custom settings
---
@ -51,21 +51,21 @@ After installation:
## 🧠 Configuration Flow
1. Installer creates `/opt/vaultwarden/.env` (default config)
2. User config is stored via `/setup` in `/var/lib/vaultwarden/.env.user`
2. Admin Token is created by visiting `/activation` and is stored in `/var/lib/vaultwarden/.env.user`
3. `vaultwarden-wrapper` merges both files into `.env.merged`
4. Systemd launches Vaultwarden using the wrapper
---
## 🔁 To Re-run Setup
## 🔁 To Re-run Activation
To prevent a bad actor from modifying your configuration by re-running the /setup tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
To prevent a bad actor from modifying your configuration by re-running the /activate tool, a file `.setup-complete` is created to tell the system to no longer allow the configuration to be saved. You can, if needed, delete the `.setup-complete` file to re-run the configuration:
```bash
rm /var/lib/vaultwarden/.setup-complete
```
Then visit `/setup` in your browser again.
Then visit `/activate` in your browser again.
---
@ -105,7 +105,7 @@ If you need to reset your environment to retry installing after a failed install
This will:
* Remove Vaultwarden and its related system user
* Delete configuration files and setup data
* Delete configuration files and activation data
* Uninstall MariaDB and clear its databases
* Remove any sudo rules added by the installer

0
setup/index.php → activate/index.php
View File

74
installer.sh
View File

@ -92,7 +92,7 @@ fi
# Update system and install dependencies
echo "Installing dependencies..."
apt update && apt upgrade -y
apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd
apt install -y curl gnupg2 software-properties-common apt-transport-https lsb-release mariadb-server mariadb-client nginx unzip ufw git build-essential pkg-config libssl-dev libmariadb-dev libmariadb-dev-compat sudo xxd openssl
ufw allow OpenSSH
ufw allow 'Nginx Full'
@ -240,40 +240,31 @@ if [ -f /etc/nginx/sites-enabled/default ]; then
rm -f /etc/nginx/sites-enabled/default
fi
# Basic NGINX placeholder config
# HTTPS self-signed cert
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/CN=localhost"
# NGINX vhost config
cat <<"EOF" > /etc/nginx/sites-available/vaultwarden
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
ssl_certificate /etc/ssl/certs/vaultwarden-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/vaultwarden-selfsigned.key;
root /var/www/html/vaultinfo;
index index.php;
# Main landing page
location / {
try_files $uri $uri/ /index.php?$args;
}
# Serve PHP files
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
# Setup interface
location /setup {
root /var/www/html;
index index.php;
location ~ ^/setup/.*\.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
}
# Vaultwarden Admin Panel
location ^~ /admin/ {
proxy_pass http://127.0.0.1:8080/admin/;
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
@ -283,11 +274,21 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
}
# Vaultwarden static files (referenced from root!)
location ~ ^/(bootstrap|admin|vaultwarden|.*\.(css|js|png|ico|woff2?)$) {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Serve PHP files
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
# First-Run Activation
location /activate {
root /var/www/html;
index index.php;
location ~ ^/activate/.*\.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
}
# WebSocket
@ -297,6 +298,11 @@ server {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
}
}
EOF
@ -326,10 +332,10 @@ chmod 640 /var/lib/vaultwarden/.env.user
# Download and deploy setup wizard
echo "Installing PHP and deploying setup page..."
apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd
apt install -y php php-fpm php-cli php-common php-mbstring php-json php-curl php-xml php-zip php-gd php-bcmath
cd "$INSTALLER_DIR"
cp -R ./setup /var/www/html/
chown -R www-data:www-data /var/www/html/setup
cp -R ./activate /var/www/html/
chown -R www-data:www-data /var/www/html/activate
# Welcome page with /setup condition check
cat <<"EOF" > /var/www/html/vaultinfo/index.php