README.org
Gitea
Nginx Setup
Certginx is used for simplicity.
Copy nginx.conf to ./nginx/conf.d/subdomain.domain.com.conf in the Certginx directory.
Then follow the steps here.
Optional Configuration
You can protect the admin panel with HTTP Basic Authentication credentials. If you don't want this NGINX protection, remove the last block (`location /admin`) from your nginx configuration; otherwise you will not be able to access the admin panel.
To generate your htpasswd user:
htpasswd -c nginx/htpasswd/.htpasswd your_username
Add this volume to docker-compose.yml so NGINX can read your htpasswd users:
- ./nginx/htpasswd:/etc/nginx/htpasswd
Docker Setup
User Configuration
Set the container user to match your host UID and GID, so the files in the data directory are owned by your account.
Environment Variables
Environment variables are in data/docker-config.env.
Full documentation [here](https://github.com/dani-garcia/vaultwarden/blob/main/.env.template).
Docker Backup
Share
Create the shared directory.
mkdir /home/vaultwarden-shared
Add the shared group.
addgroup vaultwarden-shared
Update the permissions of the shared directory for the group.
chown :vaultwarden-shared /home/vaultwarden-shared
Add the users to the shared group (Duplicate this for the other user).
usermod -aG vaultwarden-shared vaultwarden
Update the permissions of the shared directory (group read/write/execute, sticky bit).
chmod 1770 /home/vaultwarden-shared
Sharing the Dump
Update the permission of the file.
chown :vaultwarden-shared /path/to/your/dumps.zip
Copy the files to your shared directory.
cp /home/vaultwarden/backups/* /home/vaultwarden-shared
Script
This script automates the dump: it stops the containers, archives the data, encrypts the archive with GPG for each recipient, then places the encrypted files in the shared directory.
#!/bin/bash
# Recipients whose public GPG keys encrypt the archive (one encrypted copy each).
GPG_EMAILS=(
    "example1@mail.net"
    "example2@mail.net"
)
DATA_DIR="/home/vaultwarden/vaultwarden/data"
SHARE_DIR="/home/vaultwarden-shared"
TAR_BACKUP_DIR="/home/vaultwarden/backups"
BACKUP_DURATION_IN_DAYS=28
BACKUP_NAME="bitwarden-$(date '+%Y%m%d-%H%M').tar.xz"
DATA_TO_BACKUP=("db.sqlite3" "rsa_key.pem" "rsa_key.pub.pem" "config.json" "attachments" "sends")
# DO NOT CHANGE BELOW THIS LINE
# Start from an empty staging directory so no stale plaintext copy survives.
rm -rf "${TAR_BACKUP_DIR}"
mkdir -p "${TAR_BACKUP_DIR}"
SCRIPT_FOLDER="$( cd "$(dirname "${0}")" >/dev/null 2>&1 ; pwd -P )"
# Stop the containers so the SQLite database is copied in a consistent state.
cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose down || exit 1
for file in "${DATA_TO_BACKUP[@]}"; do
    cp -r "${DATA_DIR}/${file}" "${TAR_BACKUP_DIR}" 2>/dev/null
done
cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose up -d || exit 1
cd "${TAR_BACKUP_DIR}" && \
    tar -Jcf "${TAR_BACKUP_DIR}/${BACKUP_NAME}" "${DATA_TO_BACKUP[@]}" 2>/dev/null
# One encrypted copy per recipient; only the encrypted files reach the shared directory.
for email in "${GPG_EMAILS[@]}"; do
    echo "[$(date '+%Y-%m-%d %H:%M')] Encrypting '${BACKUP_NAME}' for ${email}"
    gpg -r "${email}" -o "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" -e "${TAR_BACKUP_DIR}/${BACKUP_NAME}" || exit 1
    chown :vaultwarden-shared "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" || exit 1
done
# Remove the plaintext archive, then prune encrypted backups older than the retention period.
rm -rf "${TAR_BACKUP_DIR}"
find "${SHARE_DIR}" -type f -mtime +"${BACKUP_DURATION_IN_DAYS}" -delete
for email in "${GPG_EMAILS[@]}"; do
    [ -f "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" ] \
        && echo "[$(date '+%Y-%m-%d %H:%M')] Success (${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg)" \
        || echo "[$(date '+%Y-%m-%d %H:%M')] Failed"
done
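The setup above relies on two things staying true over time: the shared directory keeps its 1770 mode and group, and the script keeps dropping one fresh encrypted archive per recipient (and nothing unencrypted) into it. The following POSIX shell script is an added example that is not part of this repository: a post-backup health check covering both the Share steps and the script's output. The default paths, the 780-minute freshness window (just over half a day, matching two runs per day), the recipient addresses and the fixture directory it builds for a dry run are all assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): a post-backup health check for the
# shared directory that the backup script fills. It verifies the directory still
# has mode 1770 and the expected group, that every recipient has an encrypted
# archive newer than MAX_AGE_MINUTES, and that no plaintext .tar.xz leaked in.
# Defaults mirror the script's variables; all of them are assumptions you can override.
SHARE_DIR="${SHARE_DIR:-/home/vaultwarden-shared}"
SHARE_GROUP="${SHARE_GROUP:-vaultwarden-shared}"
MAX_AGE_MINUTES="${MAX_AGE_MINUTES:-780}"   # two runs a day -> newest should be under 13 h old

# share_mode_ok DIR: directory permission bits are exactly 1770 (rwxrwx--T).
share_mode_ok() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 1770 2>/dev/null)" ]
}

# share_group_ok DIR GROUP: directory is owned by GROUP.
share_group_ok() {
    [ -n "$(find "$1" -maxdepth 0 -type d -group "$2" 2>/dev/null)" ]
}

# no_plaintext_leak DIR: no unencrypted archive sits in the share (only *.gpg belongs there).
no_plaintext_leak() {
    [ -z "$(find "$1" -maxdepth 1 -type f \( -name '*.tar.xz' -o -name '*.tar' \) 2>/dev/null)" ]
}

# fresh_backup_for DIR EMAIL MINUTES: print the newest "EMAIL:*.gpg" younger than MINUTES, else fail.
# The script's timestamped names sort chronologically, so the last sorted entry is the newest.
fresh_backup_for() {
    _f="$(find "$1" -maxdepth 1 -type f -name "$2:*.gpg" -mmin "-$3" 2>/dev/null | sort | tail -n 1)"
    [ -n "$_f" ] && printf '%s\n' "$_f"
}

# check_share DIR GROUP MINUTES EMAIL...: run every check, print findings, return the failure count.
check_share() {
    _dir="$1"; _group="$2"; _minutes="$3"; shift 3
    _failures=0
    share_mode_ok "$_dir"            || { echo "FAIL: $_dir is not mode 1770"; _failures=$((_failures + 1)); }
    share_group_ok "$_dir" "$_group" || { echo "FAIL: $_dir is not group $_group"; _failures=$((_failures + 1)); }
    no_plaintext_leak "$_dir"        || { echo "FAIL: unencrypted archive found in $_dir"; _failures=$((_failures + 1)); }
    for _email in "$@"; do
        if _newest="$(fresh_backup_for "$_dir" "$_email" "$_minutes")"; then
            echo "OK: $_email -> $_newest"
        else
            echo "FAIL: no backup for $_email newer than $_minutes minutes"
            _failures=$((_failures + 1))
        fi
    done
    return "$_failures"
}

# make_fixture: build a constructed share directory for a dry run and print its path.
# alice has a fresh archive; bob only has a stale one back-dated to 2024-03-01 with touch -t.
make_fixture() {
    _d="$(mktemp -d)"
    chmod 1770 "$_d"
    : > "$_d/alice@example.net:bitwarden-20240501-0000.tar.xz.gpg"
    : > "$_d/bob@example.net:bitwarden-20240301-0000.tar.xz.gpg"
    touch -t 202403010000 "$_d/bob@example.net:bitwarden-20240301-0000.tar.xz.gpg"
    printf '%s\n' "$_d"
}

# Dry run on the constructed fixture. On a real host call instead:
#   check_share "$SHARE_DIR" "$SHARE_GROUP" "$MAX_AGE_MINUTES" example1@mail.net example2@mail.net
DEMO_DIR="$(make_fixture)"
DEMO_GROUP="$(ls -ld "$DEMO_DIR" | awk '{print $4}')"
if check_share "$DEMO_DIR" "$DEMO_GROUP" "$MAX_AGE_MINUTES" alice@example.net bob@example.net; then
    echo "all checks passed"
else
    echo "some checks failed (expected on the fixture: bob's backup is stale)"
fi
```

Run it from the same cron that runs the backup, a few minutes after each backup slot, and alert on a non-zero exit status; the return value is the number of failed checks, so a single stale recipient and a leaked plaintext archive are distinguishable in the log output.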
Automatic Backup
You can use crontab (`crontab -e`) to automate your backups. In the example below you have two backups per day, one at midnight and one at noon, with the script's output appended to a log file.
# m h dom mon dow command
0 0 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log
0 12 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log
Security (fail2ban)
Add /etc/fail2ban/jail.local:
[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
action = iptables-allports[name=vaultwarden, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 6
bantime = 30m
findtime = 10m
[vaultwarden-admin]
enabled = true
port = 80,443
filter = vaultwarden-admin
action = iptables-allports[name=vaultwarden-admin, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 2
bantime = 24h
findtime = 24h
Create /etc/fail2ban/filter.d/vaultwarden.local:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
Create /etc/fail2ban/filter.d/vaultwarden-admin.local:
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
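A filter that silently matches nothing is the most common fail2ban mistake, so it pays to dry-run both failregex patterns above against real-looking log lines before enabling the jails. The following POSIX shell script is an added example, not part of this repository: it applies the two patterns with sed to constructed Vaultwarden log lines and counts failures per IP against the jail's maxretry. The sample log lines are constructed, the `[0-9A-Fa-f:.]+` character class is a simplified stand-in for fail2ban's own `<ADDR>` expansion, and the jail's findtime window is not simulated.

```shell
#!/bin/sh
# Added example (not from the repository): dry-run the two failregex patterns
# above against constructed log lines before enabling the jails.

# Constructed sample log lines in Vaultwarden's log style (not captured from a real server).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[2024-05-01 10:00:01.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: alice@example.com.
[2024-05-01 10:00:09.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.5. Username: alice@example.com.
[2024-05-01 10:01:00.000][vaultwarden::api::admin][ERROR] Invalid admin token. IP: 198.51.100.7
[2024-05-01 10:02:00.000][vaultwarden::api::identity][INFO] User alice@example.com logged in successfully. IP: 203.0.113.5.
[2024-05-01 10:03:00.000][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 2001:db8::10. Username: bob@example.com.
EOF

# fail2ban expands <ADDR> into its own host pattern; this simplified IPv4/IPv6
# character class is an assumption that stands in for it in a plain sed dry run.
ADDR='[0-9A-Fa-f:.]+'

# match_ips FILTER LOGFILE: print the <ADDR> capture of every line the filter matches.
#   login -> failregex of filter.d/vaultwarden.local
#   admin -> failregex of filter.d/vaultwarden-admin.local
match_ips() {
    case "$1" in
        login) _pat="Username or password is incorrect\. Try again\. IP: ($ADDR)\. Username:.*" ;;
        admin) _pat="Invalid admin token\. IP: ($ADDR).*" ;;
        *) echo "unknown filter: $1" >&2; return 2 ;;
    esac
    sed -nE "s/^.*${_pat}$/\1/p" "$2"
}

# count_failures FILTER LOGFILE IP: number of matching lines attributed to IP.
count_failures() {
    match_ips "$1" "$2" | grep -cxF "$3" || true
}

# would_ban FILTER LOGFILE IP MAXRETRY: true when the count reaches the jail's maxretry
# (the findtime window is not simulated; this only checks the retry threshold).
would_ban() {
    [ "$(count_failures "$1" "$2" "$3")" -ge "$4" ]
}

# Summary per filter, as a quick visual check of what each jail would see.
for filter in login admin; do
    echo "== $filter failures by IP =="
    match_ips "$filter" "$SAMPLE_LOG" | sort | uniq -c
done
```

Point `SAMPLE_LOG` at a copy of the real vaultwarden.log to confirm the patterns still match after a Vaultwarden upgrade; the successful-login line in the sample is there to show that a plain `IP:` token is not enough to trigger the filter.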
Documentation
HTTP Basic Authentication
More information about HTTP Basic Authentication.