Merge pull request #1170 from knhash/vaultwarden_again

[vaultwarden] Rewrite, Using pre-built binaries
Uberspace · Jan 7, 2022 · 1d84af2 · 1d84af2
2 parents 36c0b67 + 6bfb06e
commit 1d84af2
Showing 1 changed file with 95 additions and 100 deletions.
diff --git a/source/guide_bitwarden.rst b/source/guide_bitwarden.rst
@@ -1,6 +1,7 @@
 .. highlight:: console
 
 .. author:: Achim | pxlfrk <hallo@pxlfrk.de>
+.. author:: knhash <https://knhash.in>
 
 .. tag:: passwordmanager
 .. tag:: rust
@@ -13,14 +14,14 @@
       :align: center
 
 ############
-Vaultwarden
+vaultwarden
 ############
 
 .. tag_list::
 
 Bitwarden_ is an open source password manager. Your vault is encrypted with your master key, so even if your server is compromised the hacker will only get some unreadable gibberish. Hosting your own Bitwarden server can be useful if you are paranoid about the server security and want to be in full control, or want the premium features for free because you have a webspace anyway.
 
-.. note :: The installation of the official `bitwarden server repository`_ via docker is heavy, difficult and relies on docker, which `isn't supported`_ at uberspace due to the fact of shared hosting. In this guide we'll use the Rust implementation `Vaultwarden`_ (formerly Bitwarden_rs) of the Bitwarden API, so you can still use the official clients.
+.. note :: The installation of the official `bitwarden server repository`_ via docker is heavy, difficult and relies on docker, which `isn't supported`_ at uberspace due to the fact of shared hosting. In this guide we'll use the Rust implementation `vaultwarden`_ (formerly Bitwarden_rs) of the Bitwarden API, so you can still use the official clients.
 
 ----
 
@@ -40,15 +41,6 @@ vaultwarden is released under the GNU General Public License_ version 3.
 Prerequisites
 =============
 
-We're using :manual:`Node.js <lang-nodejs>` in the stable version 14:
-
-::
-
- [isabell@stardust ~]$ uberspace tools version use node 14
- Selected Node.js version 14
- The new configuration is adapted immediately. Minor updates will be applied automatically.
- [isabell@stardust ~]$
-
 If you want to use vaultwarden with your own domain you need to set up your domain first:
 
 .. include:: includes/web-domain-list.rst
@@ -57,85 +49,58 @@ If you want to use vaultwarden with your own domain you need to set up your doma
 Installation
 ============
 
-Install Vaultwarden
+Install vaultwarden
 --------------------
 
-Clone the repository into your home directory. It will create the directory ``~/vaultwarden`` automatically.
-
-
-.. warning :: At the moment (current date: 12.05.2021) there is an unofficial patch of some dependencies that have not yet made it into all the official repositories. You can find the discussion about it `on GitHub <https://github.com/Uberspace/lab/issues/708>`_. Therefore you have to use the special branch `async`_ to install vaultwarden currently. Make sure to check back and update your installation, once all dependencies have been updated.
-
-
-.. code-block:: console
-
- [isabell@stardust ~]$ git clone https://github.com/dani-garcia/vaultwarden.git
- [isabell@stardust ~]$ cd vaultwarden
- [isabell@stardust vaultwarden]$ git checkout origin/async
- [isabell@stardust vaultwarden]$
-
-In order to build vaultwarden successfully you'll need to set an environment variable pointing to the sqlite3 header files:
-
-.. code-block:: console
-
- [isabell@stardust ~]$ export SQLITE3_LIB_DIR=/var/lib64
+We will be installing vaultwarden by extracting a standalone, statically-linked binary from the official Docker image.
 
-``cd`` into the automatically created folder and create the ``data`` directory:
+Create a directory in ``/home/isabell`` for vaultwarden and its files.
 
 .. code-block:: console
 
- [isabell@stardust ~]$ cd vaultwarden
- [isabell@stardust vaultwarden]$ mkdir data
- [isabell@stardust vaultwarden]$
-
-Build the server executable:
-
-.. note :: If that doesn't work the first time and the build failed, **just try again until it's done**. Further ignore compiler-warnings regarding unused imports as they sould be gone as soon as the dependencies are updated (see linked Issue above). The build process of vaultwarden can take from 10 to 25 minutes will consume almost the entire system memory. Preferably stop other running services on your uberspace temporarily to prevent running into system memory issues.
-
-.. code-block:: console
-
- [isabell@stardust vaultwarden]$ cargo build -j 1 --release --features sqlite
-
-In the next step we will download the latest build for the web vault. Check `this page`_ for the newest build number and **replace it** in the following snippet:
+ [isabell@stardust ~]$ mkdir ~/vaultwarden
+ [isabell@stardust ~]$
 
-.. note :: If you don't want to use the web-vault feature (web-app access to your vaults) for any security reasons you can skip this step. Please note that without the web-vault, newly created users can't verify their email address. So it would be best to disable the web-vault after you've created your user accounts. Add the following line to your ``env`` file later if you do so:
-  ``WEB_VAULT_ENABLED=false``
+Download the Docker Image Extractor
 
 .. code-block:: console
- :emphasize-lines: 1,2
-
- [isabell@stardust vaultwarden]$ wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.22.3/bw_web_v2.22.3.tar.gz
- [isabell@stardust vaultwarden]$ tar -xvzf bw_web_v2.22.3.tar.gz
- [isabell@stardust vaultwarden]$ rm -r bw_web_v*.tar.gz
 
+ [isabell@stardust ~]$ wget -O ~/vaultwarden/docker-image-extract https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
+ [isabell@stardust ~]$
 
-Generate an ``openssl -base64`` key now and save it temporarily, you'll need it in the next step.
+Change into the ``~/vaultwarden`` directory. Fetch and extract the binary from the appropriate image.
 
 .. code-block:: console
 
- [isabell@stardust vaultwarden]$  openssl rand -base64 48
- Ig/8bZXhqVFK11F2tQZTfODO/6QpCHE3DGyCH/2Eh40xUWMFC13J6nJVPLlyU3nO
+  [isabell@stardust ~]$ cd ~/vaultwarden
+  [isabell@stardust vaultwarden]$ chmod +x docker-image-extract
+  [isabell@stardust vaultwarden]$ ./docker-image-extract vaultwarden/server:alpine
+  Getting API token...
+  Getting image manifest for vaultwarden/server:alpine...
+  Downloading layer 8516f4cd818630cd60fa18254b072f8d9c3748bdb56f6e2527dc1c204e8e017c...
+  Extracting layer...
+  ...
+  Image contents extracted into ./output.
+  [isabell@stardust vaultwarden]$
 
-Use your favourite editor to create ``~/vaultwarden/.env`` with the following content:
+Setup E-Mail for notifications.
+Use your favourite editor to create ``~/vaultwarden/output/.env`` with the following content:
 
 .. code-block:: ini
- :emphasize-lines: 1,4,5,8,9,11
-
- ADMIN_TOKEN=PASTE YOUR TOKEN GENERATED ABOVE HERE
- ROCKET_PORT=62714
+ :emphasize-lines: 1,2,5,6,7
 
  SMTP_HOST=stardust.uberspace.de
  SMTP_FROM=isabell@uber.space
  SMTP_PORT=587
  SMTP_SSL=true
  SMTP_USERNAME=isabell@uber.space
  SMTP_PASSWORD=MySuperSecretPassword
-
  DOMAIN=https://isabell.uber.space
 
-Replace the mail placeholder variables with your valid IMAP credentials, otherwise the Vaultwarden server will not be able to send you mail notifications or tokens to verify newly created user accounts.
+Replace the mail placeholder variables with your valid SMTP credentials, otherwise the vaultwarden server will not be able to send you mail notifications or tokens to verify newly created user accounts.
 ``SMTP_USERNAME`` and ``SMTP_PASSWORD`` must be the login data from a valid mail account. Replace the server domain with your final URL.
 
-.. note :: You can configure any type of service here, you're not limited to an uberspace IMAP user. If you prefer e.g. gmail refer to their documentations for ``SMTP_Port`` etc. accordingly.
+.. note :: You can configure any type of service here, you're not limited to an uberspace SMTP user. If you prefer e.g. gmail refer to their documentations for ``SMTP_PORT`` etc. accordingly.
 
 You can edit other options, look into .env.template to see a list of available options.
 
@@ -146,7 +111,18 @@ Configuration
 Setup web backend
 -----------------
 
-.. note:: Enter the port ``62714`` as configured in the ``env`` file before.
+.. note::
+    vaultwarden will run on port 8000.
+
+If you want to set a different port, set the environment variable ``ROCKET_PORT`` in the previously configured ``~/vaultwarden/output/.env`` like so:
+
+.. code-block:: ini
+ :emphasize-lines: 3
+
+ ...
+ DOMAIN=https://isabell.uber.space
+ ROCKET_PORT=<your port number>
+
 
 If you want to use a subdomain refer to the :manual:`web-backend manual <web-backends>`.
 
@@ -155,15 +131,15 @@ If you want to use a subdomain refer to the :manual:`web-backend manual <web-bac
 Setup web vault
 ---------------
 
-Now it's time to test if everything works. If there is no error, you are good to go. You should be able to access your vault on ``https://isabell.uber.space``
+Now it's time to test if everything works.
 
 .. code-block:: console
 
- [isabell@stardust ~]$ cd ~/vaultwarden
- [isabell@stardust vaultwarden]$ ./target/release/vaultwarden
+ [isabell@stardust ~]$ cd ~/vaultwarden/output
+ [isabell@stardust output]$ ./vaultwarden
  /--------------------------------------------------------------------\
  |                       Starting Vaultwarden                         |
- |                  Version 1.21.0-436d8860 (HEAD)                    |
+ |                          Version 1.23.1                            |
  |--------------------------------------------------------------------|
  | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
  | official channels to report bugs/features, regardless of client.   |
@@ -172,8 +148,12 @@ Now it's time to test if everything works. If there is no error, you are good to
  | Report suspected bugs/issues in the software itself at:            |
  |   https://github.com/dani-garcia/vaultwarden/issues/new            |
  \--------------------------------------------------------------------/
+ Running migration 20180711181453
+ Running migration 20180827172114
+ ...
+ [2021-12-29 10:40:35.407][start][INFO] Rocket has launched from http://0.0.0.0:8000
 
- [2021-09-08 13:37:42][start][INFO] Rocket has launched from http://0.0.0.0:62714
+If there is no error, you are good to go. You should be able to access your vault on ``https://isabell.uber.space``
 
 Setup daemon
 ------------
@@ -182,21 +162,23 @@ Use your favourite editor to create ``~/etc/services.d/vaultwarden.ini`` with th
 
 .. code-block:: ini
 
- [program:vaultwarden]
- directory=%(ENV_HOME)s/vaultwarden
- command=%(ENV_HOME)s/vaultwarden/target/release/vaultwarden
- autostart=yes
- autorestart=yes
+  [program:vaultwarden]
+  directory=%(ENV_HOME)s/vaultwarden/output/
+  command=%(ENV_HOME)s/vaultwarden/output/vaultwarden
+  autostart=yes
+  autorestart=yes
+  startsecs=60
 
 .. include:: includes/supervisord.rst
 
-If it's not in state RUNNING, check your configuration.
+If it's not in state RUNNING, check your configuration. You can check the service's log file using ``supervisorctl tail -f vaultwarden``.
+
 
 
 Finishing installation
 ======================
 
-Your done. Point your Browser to your installation URL ``https://isabell.uber.space`` and create your user. You can access the admin panel via ``https://isabell.uber.space/admin`` and log in using the openssl token you created during the installation process.
+You are done. Point your Browser to your installation URL ``https://isabell.uber.space`` and create your user.
 
 Best practices
 ==============
@@ -208,17 +190,16 @@ You can create a backup of the database manually. ``cd`` to your project folder,
 
 .. code-block:: console
 
- [isabell@stardust ~]$ cd ~/vaultwarden/data
- [isabell@stardust data]$ mkdir db-backup
- [isabell@stardust data]$ sqlite3 ~/vaultwarden/data/db.sqlite3 ".backup '$HOME/vaultwarden/data/db-backup/backup.sqlite3'"
+ [isabell@stardust ~]$ mkdir ~/vaultwarden/output/data/db-backup
+ [isabell@stardust ~]$ sqlite3 ~/vaultwarden/output/data/db.sqlite3 ".backup '$HOME/vaultwarden/output/data/db-backup/backup.sqlite3'"
 
 .. note ::  You could run this command through a CRON job everyday - note that it will overwrite the same backup.sqlite3 file each time. If you want to save every version of the backup, please read further.
 
 Alternatively, you can do the backup with a timestamp and it can be useful if you don't want that the CRON job overwrites the backup file. ``$(date +%Y-%m-%d)`` in the file name in the following command will generate a name with current year, month and day.
 
 .. code-block:: console
 
- [isabell@stardust data]$ sqlite3 ~/vaultwarden/data/db.sqlite3 ".backup '$HOME/vaultwarden/data/db-backup/$(date +%Y-%m-%d).sqlite3'"
+ [isabell@stardust ~]$ sqlite3 ~/vaultwarden/output/data/db.sqlite3 ".backup '$HOME/vaultwarden/output/data/db-backup/$(date +%Y-%m-%d).sqlite3'"
 
 Restore up your vault manually
 ------------------------------
@@ -243,7 +224,7 @@ Disable registration and invitations
 
 By default, vaultwarden allows any anonymous user to register new accounts on the server without first being invited. **This is necessary to create your first user on the server**, but it's recommended to disable it in the admin panel (if the admin panel is enabled) or with the environment variable to prevent attackers from creating accounts on your vaultwarden server.
 
-Use your favourite editor to edit ``~/vaultwarden/.env`` and add the following content:
+Use your favourite editor to edit ``~/vaultwarden/output/.env`` and add the following content:
 
 .. code-block:: ini
 
@@ -267,42 +248,55 @@ In addition to ``SIGNUPS_ALLOWED=false`` you can create an except for specific d
 Disable password hint display
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Vaultwarden displays password hints on the login page to accommodate small/local deployments that do not have SMTP configured, which could be abused by an attacker to facilitate password-guessing attacks against users on the server. This can be disabled in the admin panel by unchecking the ``Show password hints option`` or with the environment variable:
+vaultwarden displays password hints on the login page to accommodate small/local deployments that do not have SMTP configured, which could be abused by an attacker to facilitate password-guessing attacks against users on the server. This can be disabled in the admin panel by unchecking the ``Show password hints option`` or with the environment variable:
 
-Use your favourite editor to edit ``~/vaultwarden/.env`` and add the the following content:
+Use your favourite editor to edit ``~/vaultwarden/output/.env`` and add the the following content:
 
 .. code-block:: ini
 
  SHOW_PASSWORD_HINT=false
 
-Update
-======
+Updates
+=======
 
 .. note:: Check the update feed_ regularly to stay informed about the newest version.
+.. warning ::  Be careful while upgrading. Have a `backup of the data`_ before attempting upgrade.
+
 
-Updating vaultwarden is really easy. Just stop the server, pull everything and download the new web vault, build the executable and start the server again. To get the download link for the newest version of the web-vault look here web-vault-feed_.
+Updating vaultwarden is really easy.
+  - Stop the server
+  - Backup ``data`` and ``.env``
+  - Pull latest image and extract binary
+  - Replace ``data`` and ``.env``
+  - Start the server again
+
+To get the download link for the newest version of the web-vault look here web-vault-feed_.
 
 
 .. code-block:: console
 
  [isabell@stardust ~]$ cd ~/vaultwarden
  [isabell@stardust vaultwarden]$ supervisorctl stop vaultwarden
- [isabell@stardust vaultwarden]$ git pull origin async
- [isabell@stardust vaultwarden]$ mv web-vault web-vault.old && mkdir web-vault
- [isabell@stardust vaultwarden]$ wget new-release.tar.gz
- [isabell@stardust vaultwarden]$ tar -xvzf new-release.tar.gz
- [isabell@stardust vaultwarden]$ rm new-release.tar.gz
- [isabell@stardust vaultwarden]$ cargo build -j 1 --release --features sqlite
- ....
+ vaultwarden: stopped
+ [isabell@stardust vaultwarden]$ mkdir upgrade
+ [isabell@stardust vaultwarden]$ cp output/data/ upgrade/. -r
+ [isabell@stardust vaultwarden]$ cp output/.env upgrade/.
+ [isabell@stardust vaultwarden]$ ./docker-image-extract vaultwarden/server:alpine
+ Getting API token...
+ Getting image manifest for vaultwarden/server:alpine...
+ Fetching and extracting layer 97518928ae5f3d52d4164b314a7e73654eb686ecd8aafa0b79acd980773a740d...
+ ...
+ Image contents extracted into ./output.
+ [isabell@stardust vaultwarden]$ cp upgrade/data/ output/. -r
+ [isabell@stardust vaultwarden]$ cp upgrade/.env output/.
+ [isabell@stardust vaultwarden]$ rm -rf upgrade
+ [isabell@stardust vaultwarden]$ supervisorctl start vaultwarden
+ vaultwarden: started
  [isabell@stardust vaultwarden]$
 
-.. include:: includes/supervisord.rst
-
-If it's not in state RUNNING, check your configuration. You can check the service's log file using ``supervisorctl tail -f vaultwarden``.
-
 Acknowledgements
 ================
-This guide is based on the official `vaultwarden documentation`_ as well as the `bitwarden_rs guide from Tom Schneider <https://vigonotion.com/blog/install-bitwarden-rs-on-uberspace/>`_.
+This guide is based on the official `vaultwarden documentation`_. Previously, it was based on the `bitwarden_rs guide from Tom Schneider <https://vigonotion.com/blog/install-bitwarden-rs-on-uberspace/>`_.
 
 .. _async: https://github.com/dani-garcia/vaultwarden/tree/async
 .. _At the moment: https://github.com/dani-garcia/bitwarden_rs/pull/728
@@ -314,12 +308,13 @@ This guide is based on the official `vaultwarden documentation`_ as well as the
 .. _isn't supported: https://wiki.uberspace.de/faq#docker
 .. _rust toolchain: https://rustup.rs/
 .. _this page: https://github.com/dani-garcia/bw_web_builds/releases
-.. _vaultwarden documentation: https://github.com/dani-garcia/vaultwarden/wiki/Building-binary
-.. _Vaultwarden: https://github.com/dani-garcia/vaultwarden
+.. _vaultwarden documentation: https://github.com/dani-garcia/vaultwarden/wiki/Pre-built-binaries#extracting-binaries-without-docker-installed
+.. _vaultwarden: https://github.com/dani-garcia/vaultwarden
 .. _web-vault-feed: https://github.com/dani-garcia/bw_web_builds/releases
+.. _backup of the data: https://github.com/dani-garcia/vaultwarden/wiki/General-%28not-docker%29#backup
 
 ----
 
-Tested with vaultwarden 1.22.2 and Web-Vault v2.22.3, Uberspace 7.11.4
+Tested with vaultwarden 1.23.1 and Web-Vault v2.25.0, Uberspace 7.12
 
 .. author_list::