diff --git a/bitwarden-vaultwarden/readme.md b/bitwarden-vaultwarden/readme.md new file mode 100644 index 0000000..c575e60 --- /dev/null +++ b/bitwarden-vaultwarden/readme.md @@ -0,0 +1,250 @@ +# Credits +99% of this guide was written by [DoTheEvo](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/bitwarden_rs) + +The only reason I'm including it here is because bitwarden_rs has changed it's name and repo to vaultwarden. +The docker-compose.yml has been modified to reflect this change. Using the older docker-compose.yml in +DoTheEvo's guide will not get you the latest version. + +# Vaultwarden in docker + +![logo](https://i.imgur.com/tT3FQLJ.png) + +# Purpose & Overview + +Password manager. + +* [Official site](https://bitwarden.com/) +* [Github](https://github.com/dani-garcia/bitwarden_rs) +* [DockerHub](https://hub.docker.com/r/bitwardenrs/server) + +Bitwarden is a modern popular open source password manager +with wide cross platform support. + +But the official Bitwarden server is bit over-engineered, +requiring Microsoft SQL server among other things, +which makes it not an ideal fit for smaller deployments + +So here is where Bitwarden_rs by Daniel García comes in.
+It is a Bitwarden API implementation written in Rust. +It's very resource efficient, uses about 10MB of RAM, +and close to no CPU.
+Webapp part is build using Rocket, a web framework for Rust, +and user data are stored in a simple sqlite database file. + +All the client apps are still officials coming from bitwarden, +only the server is a different implementation. + +# Files and directory structure + +``` +/home/ +└── ~/ + └── docker/ + └── bitwarden/ + ├── bitwarden-data/ + ├── .env + ├── docker-compose.yml + └── bitwarden-backup-script.sh +``` + +* `bitwarden-data/` - a directory where bitwarden will store its database and other data +* `.env` - a file containing environment variables for docker compose +* `docker-compose.yml` - a docker compose file, telling docker how to run the container +* `bitwarden-backup-script.sh` - a backup script if you want it + +You only need to provide the files.
+The directory is created by docker compose on the first run. + +# docker-compose + +[Documentation](https://github.com/dani-garcia/bitwarden_rs/wiki/Using-Docker-Compose) on compose. + +`docker-compose.yml` + +```yml +version: "3" +services: + vaultwarden: + image: vaultwarden/server:latest + container_name: bitwarden + hostname: bitwarden + restart: unless-stopped + env_file: .env + volumes: + - ./vaultwarden-data/:/data/ + +networks: + default: + external: + name: $DOCKER_MY_NETWORK +``` + +`.env` +```bash +# GENERAL +MY_DOMAIN=example.com +DOCKER_MY_NETWORK=caddy_net +TZ=Europe/Bratislava + +# BITWARDEN +DOMAIN=https://passwd.example.com +ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9 +SIGNUPS_ALLOWED=false +WEBSOCKET_ENABLED=true + +# USING SENDGRID FOR SENDING EMAILS +SMTP_SSL=true +SMTP_EXPLICIT_TLS=true +SMTP_HOST=smtp.sendgrid.net +SMTP_PORT=465 +SMTP_FROM=admin@example.com +SMTP_USERNAME=apikey +SMTP_PASSWORD= +``` + +**All containers must be on the same network**.
+Which is named in the `.env` file.
+If one does not exist yet: `docker network create caddy_net` + +# Reverse proxy + +Caddy v2 is used, details +[here](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/caddy_v2).
+Bitwarden_rs documentation has a +[section on reverse proxy.](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples) + +`Caddyfile` +``` +bitwarden.{$MY_DOMAIN} { + encode gzip + + header { + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Disallow the site to be rendered within a frame (clickjacking protection) + X-Frame-Options "DENY" + # Prevent search engines from indexing (optional) + X-Robots-Tag "none" + # Server name removing + -Server + } + + # Notifications redirected to the websockets server + reverse_proxy /notifications/hub bitwarden:3012 + + # Proxy the Root directory to Rocket + reverse_proxy bitwarden:80 +} +``` + +# Forward port 3012 TCP on your router + +[WebSocket](https://youtu.be/2Nt-ZrNP22A) protocol is used for notifications +so that all web based clients, including desktop app, +can immediately sync when a change happens on the server. + +* environment variable `WEBSOCKET_ENABLED=true` needs to be set in the `.env` file
+* reverse proxy needs to route `/notifications/hub` to port 3012
+* your router/firewall needs to **forward port 3012** to the docker host, +same as port 80 and 443 are forwarded + +To test if websocket works, have the desktop app open +and make changes through browser extension, or through the website. +Changes should immediately appear in the desktop app. If it's not working, +you need to manually sync for changes to appear. + +# Extra info + +**Bitwarden can be managed** at `/admin` and entering `ADMIN_TOKEN` +set in the `.env` file. Especially if sign ups are disabled it is the only way +to invite users. + +**Push notifications** are not working at this moment. +[Github issue](https://github.com/dani-garcia/bitwarden_rs/issues/126).
+The purpose of [Push notifications](https://www.youtube.com/watch?v=8D1NAezC-Dk) +is the same as WebSocket notifications, to tell the clients that a change +happened on the server so that they are synced immediately. +But they are for apps on mobile devices and it would likely take releasing and +maintaining own bitwarden_rs version of the Android/iOS mobile apps +to have them working.
+So you better manually sync before making changes. + +--- + +![interface-pic](https://i.imgur.com/5LxEUsA.png) + +# Update + +[Watchtower](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/watchtower) +updates the image automatically. + +Manual image update: + +- `docker-compose pull`
+- `docker-compose up -d`
+- `docker image prune` + +# Backup and restore + +#### Backup + +Using [borg](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup) +that makes daily snapshot of the entire directory. + +#### Restore + +* down the bitwarden container `docker-compose down`
+* delete the entire bitwarden directory
+* from the backup copy back the bitwarden directory
+* start the container `docker-compose up -d` + +# Backup of just user data + +Users data daily export using the +[official procedure.](https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault)
+For bitwarden_rs it means sqlite database dump and backing up `attachments` directory.
+ +Daily [borg](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup) run +takes care of backing up the directory. +So only database dump is needed.
+The created backup sqlite3 file is overwritten on every run of the script, +but that's ok since borg is making daily snapshots. + +#### Create a backup script + +Placed inside `bitwarden` directory on the host. + +`bitwarden-backup-script.sh` +```bash +#!/bin/bash + +# CREATE SQLITE BACKUP +docker container exec bitwarden sqlite3 /data/db.sqlite3 ".backup '/data/BACKUP.bitwarden.db.sqlite3'" +``` + +the script must be **executable** - `chmod +x bitwarden-backup-script.sh` + +#### Cronjob + +Running on the host, so that the script will be periodically run. + +* `su` - switch to root +* `crontab -e` - add new cron job
+* `0 21 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh`
+ runs it every day [at 21:00](https://crontab.guru/#0_21_*_*_*) +* `crontab -l` - list cronjobs to check + +# Restore the user data + +Assuming clean start. + +* start the bitwarden container: `docker-compose up -d` +* let it run so it creates its file structure +* down the container `docker-compose down` +* in `bitwarden/bitwarden-data/`
+ replace `db.sqlite3` with the backup one `BACKUP.bitwarden.db.sqlite3`
+ replace `attachments` directory with the one from the borg repository +* start the container `docker-compose up -d` + +Again, the above steps are based on the +[official procedure.](https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault) diff --git a/seafile/README.md b/seafile/README.md index 36ca857..7c69b32 100644 --- a/seafile/README.md +++ b/seafile/README.md @@ -132,3 +132,13 @@ Set ```enabled=true``` Set ```share_name = /``` Remember to do a docker-compose restart and a caddy exec restart after modifying seafile conf files! + +### Maintainance - Freeing Space +When you delete files in seafile and empty trash in the web UI, it doesn't free up space on your server. +After emptying trash in the webUI you should run the garbage collector w/ the command below to free up space. + +``` +docker exec seafile /scripts/gc.sh +``` + +