mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2025-11-04 10:22:50 +00:00
Create vaultwarden-v5-install.sh
This commit is contained in:
tteckster
GitHub
204
install/vaultwarden-v5-install.sh
Normal file
204
install/vaultwarden-v5-install.sh
Normal file
@@ -0,0 +1,204 @@
|
||||
#!/usr/bin/env bash
|
||||
if [ "$VERBOSE" == "yes" ]; then set -x; fi
|
||||
YW=$(echo "\033[33m")
|
||||
RD=$(echo "\033[01;31m")
|
||||
BL=$(echo "\033[36m")
|
||||
GN=$(echo "\033[1;92m")
|
||||
CL=$(echo "\033[m")
|
||||
RETRY_NUM=10
|
||||
RETRY_EVERY=3
|
||||
NUM=$RETRY_NUM
|
||||
CM="${GN}✓${CL}"
|
||||
CROSS="${RD}✗${CL}"
|
||||
BFR="\\r\\033[K"
|
||||
HOLD="-"
|
||||
set -o errexit
|
||||
set -o errtrace
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
shopt -s expand_aliases
|
||||
alias die='EXIT=$? LINE=$LINENO error_exit'
|
||||
trap die ERR
|
||||
silent() { "$@" > /dev/null 2>&1; }
|
||||
function error_exit() {
|
||||
trap - ERR
|
||||
local reason="Unknown failure occurred."
|
||||
local msg="${1:-$reason}"
|
||||
local flag="${RD}‼ ERROR ${CL}$EXIT@$LINE"
|
||||
echo -e "$flag $msg" 1>&2
|
||||
exit $EXIT
|
||||
}
|
||||
|
||||
function msg_info() {
|
||||
local msg="$1"
|
||||
echo -ne " ${HOLD} ${YW}${msg}..."
|
||||
}
|
||||
|
||||
function msg_ok() {
|
||||
local msg="$1"
|
||||
echo -e "${BFR} ${CM} ${GN}${msg}${CL}"
|
||||
}
|
||||
|
||||
function msg_error() {
|
||||
local msg="$1"
|
||||
echo -e "${BFR} ${CROSS} ${RD}${msg}${CL}"
|
||||
}
|
||||
|
||||
msg_info "Setting up Container OS "
|
||||
sed -i "/$LANG/ s/\(^# \)//" /etc/locale.gen
|
||||
locale-gen >/dev/null
|
||||
while [ "$(hostname -I)" = "" ]; do
|
||||
echo 1>&2 -en "${CROSS}${RD} No Network! "
|
||||
sleep $RETRY_EVERY
|
||||
((NUM--))
|
||||
if [ $NUM -eq 0 ]; then
|
||||
echo 1>&2 -e "${CROSS}${RD} No Network After $RETRY_NUM Tries${CL}"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
msg_ok "Set up Container OS"
|
||||
msg_ok "Network Connected: ${BL}$(hostname -I)"
|
||||
|
||||
set +e
|
||||
alias die=''
|
||||
if nc -zw1 8.8.8.8 443; then msg_ok "Internet Connected"; else
|
||||
msg_error "Internet NOT Connected"
|
||||
read -r -p "Would you like to continue anyway? <y/N> " prompt
|
||||
if [[ $prompt == "y" || $prompt == "Y" || $prompt == "yes" || $prompt == "Yes" ]]; then
|
||||
echo -e " ⚠️ ${RD}Expect Issues Without Internet${CL}"
|
||||
else
|
||||
echo -e " 🖧 Check Network Settings"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
RESOLVEDIP=$(nslookup "github.com" | awk -F':' '/^Address: / { matched = 1 } matched { print $2}' | xargs)
|
||||
if [[ -z "$RESOLVEDIP" ]]; then msg_error "DNS Lookup Failure"; else msg_ok "DNS Resolved github.com to $RESOLVEDIP"; fi
|
||||
alias die='EXIT=$? LINE=$LINENO error_exit'
|
||||
set -e
|
||||
|
||||
msg_info "Updating Container OS"
|
||||
$STD apt-get update
|
||||
$STD apt-get -y upgrade
|
||||
msg_ok "Updated Container OS"
|
||||
|
||||
msg_info "Installing Dependencies"
|
||||
$STD apt-get update
|
||||
$STD apt-get -qqy install \
|
||||
git \
|
||||
build-essential \
|
||||
pkgconf \
|
||||
libssl-dev \
|
||||
libmariadb-dev-compat \
|
||||
libpq-dev \
|
||||
curl \
|
||||
sudo
|
||||
msg_ok "Installed Dependencies"
|
||||
|
||||
WEBVAULT=$(curl -s https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest |
|
||||
grep "tag_name" |
|
||||
awk '{print substr($2, 2, length($2)-3) }')
|
||||
|
||||
VAULT=$(curl -s https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest |
|
||||
grep "tag_name" |
|
||||
awk '{print substr($2, 2, length($2)-3) }')
|
||||
|
||||
msg_info "Installing Rust"
|
||||
wget -qL https://sh.rustup.rs
|
||||
$STD bash index.html -y --profile minimal
|
||||
echo 'export PATH=~/.cargo/bin:$PATH' >>~/.bashrc
|
||||
export PATH=~/.cargo/bin:$PATH
|
||||
rm index.html
|
||||
msg_ok "Installed Rust"
|
||||
|
||||
msg_info "Building Vaultwarden ${VAULT} (Patience)"
|
||||
$STD git clone https://github.com/dani-garcia/vaultwarden
|
||||
cd vaultwarden
|
||||
$STD cargo build --features "sqlite,mysql,postgresql" --release
|
||||
msg_ok "Built Vaultwarden ${VAULT}"
|
||||
|
||||
$STD addgroup --system vaultwarden
|
||||
$STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden
|
||||
mkdir -p /opt/vaultwarden/bin
|
||||
mkdir -p /opt/vaultwarden/data
|
||||
cp target/release/vaultwarden /opt/vaultwarden/bin/
|
||||
|
||||
msg_info "Downloading Web-Vault ${WEBVAULT}"
|
||||
$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz
|
||||
$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/
|
||||
msg_ok "Downloaded Web-Vault ${WEBVAULT}"
|
||||
|
||||
cat <<EOF >/opt/vaultwarden/.env
|
||||
ADMIN_TOKEN=$(openssl rand -base64 48)
|
||||
ROCKET_ADDRESS=0.0.0.0
|
||||
DATA_FOLDER=/opt/vaultwarden/data
|
||||
DATABASE_MAX_CONNS=10
|
||||
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
|
||||
WEB_VAULT_ENABLED=true
|
||||
EOF
|
||||
|
||||
msg_info "Creating Service"
|
||||
chown -R vaultwarden:vaultwarden /opt/vaultwarden/
|
||||
chown root:root /opt/vaultwarden/bin/vaultwarden
|
||||
chmod +x /opt/vaultwarden/bin/vaultwarden
|
||||
chown -R root:root /opt/vaultwarden/web-vault/
|
||||
chmod +r /opt/vaultwarden/.env
|
||||
|
||||
service_path="/etc/systemd/system/vaultwarden.service"
|
||||
echo "[Unit]
|
||||
Description=Bitwarden Server (Powered by Vaultwarden)
|
||||
Documentation=https://github.com/dani-garcia/vaultwarden
|
||||
After=network.target
|
||||
[Service]
|
||||
User=vaultwarden
|
||||
Group=vaultwarden
|
||||
EnvironmentFile=-/opt/vaultwarden/.env
|
||||
ExecStart=/opt/vaultwarden/bin/vaultwarden
|
||||
LimitNOFILE=65535
|
||||
LimitNPROC=4096
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectHome=true
|
||||
ProtectSystem=strict
|
||||
DevicePolicy=closed
|
||||
ProtectControlGroups=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
LockPersonality=yes
|
||||
WorkingDirectory=/opt/vaultwarden
|
||||
ReadWriteDirectories=/opt/vaultwarden/data
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
[Install]
|
||||
WantedBy=multi-user.target" >$service_path
|
||||
systemctl daemon-reload
|
||||
$STD systemctl enable --now vaultwarden.service
|
||||
msg_ok "Created Service"
|
||||
|
||||
PASS=$(grep -w "root" /etc/shadow | cut -b6)
|
||||
if [[ $PASS != $ ]]; then
|
||||
msg_info "Customizing Container"
|
||||
rm /etc/motd
|
||||
rm /etc/update-motd.d/10-uname
|
||||
touch ~/.hushlogin
|
||||
GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf"
|
||||
mkdir -p $(dirname $GETTY_OVERRIDE)
|
||||
cat <<EOF >$GETTY_OVERRIDE
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM
|
||||
EOF
|
||||
systemctl daemon-reload
|
||||
systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//')
|
||||
msg_ok "Customized Container"
|
||||
fi
|
||||
if [[ "${SSH_ROOT}" == "yes" ]]; then
|
||||
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
|
||||
systemctl restart sshd
|
||||
fi
|
||||
|
||||
msg_info "Cleaning up"
|
||||
$STD apt-get autoremove
|
||||
$STD apt-get autoclean
|
||||
msg_ok "Cleaned"
|
||||
Reference in New Issue
Block a user