Vaultwarden: Enable HTTPS by default (#4197)

Author: tremor021

frontend/public/json/vaultwarden.json

@@ -1,56 +1,55 @@
 {
-    "name": "Vaultwarden",
-    "slug": "vaultwarden",
-    "categories": [
-        6
-    ],
-    "date_created": "2024-05-02",
-    "type": "ct",
-    "updateable": true,
-    "privileged": false,
-    "interface_port": 8000,
-    "documentation": null,
-    "website": "https://github.com/dani-garcia/vaultwarden/",
-    "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon-white.svg",
-    "config_path": "/opt/vaultwarden/.env",
-    "description": "Vaultwarden is a self-hosted password manager which provides secure and encrypted password storage. It uses client-side encryption and provides access to passwords through a web interface and mobile apps.",
-    "install_methods": [
-        {
-            "type": "default",
-            "script": "ct/vaultwarden.sh",
-            "resources": {
-                "cpu": 4,
-                "ram": 6144,
-                "hdd": 6,
-                "os": "debian",
-                "version": "12"
-            }
-        },
-        {
-            "type": "alpine",
-            "script": "ct/alpine-vaultwarden.sh",
-            "resources": {
-                "cpu": 1,
-                "ram": 256,
-                "hdd": 0.5,
-                "os": "alpine",
-                "version": "3.21"
-            }
-        }
-    ],
-    "default_credentials": {
-        "username": null,
-        "password": null
+  "name": "Vaultwarden",
+  "slug": "vaultwarden",
+  "categories": [
+    6
+  ],
+  "date_created": "2024-05-02",
+  "type": "ct",
+  "updateable": true,
+  "privileged": false,
+  "interface_port": 8000,
+  "documentation": "https://github.com/dani-garcia/vaultwarden/wiki",
+  "website": "https://github.com/dani-garcia/vaultwarden/",
+  "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon-white.svg",
+  "config_path": "/opt/vaultwarden/.env",
+  "description": "Vaultwarden is a self-hosted password manager which provides secure and encrypted password storage. It uses client-side encryption and provides access to passwords through a web interface and mobile apps.",
+  "install_methods": [
+    {
+      "type": "default",
+      "script": "ct/vaultwarden.sh",
+      "resources": {
+        "cpu": 4,
+        "ram": 6144,
+        "hdd": 6,
+        "os": "debian",
+        "version": "12"
+      }
     },
-    "notes": [
-        {
-            "text": "Vaultwarden needs to be behind a proxy (Nginx Proxy Manager, Caddy, etc) to obtain HTTPS and to allow clients to connect. If you try to open the web page directly on the new container, the web site will not load",
-            "type": "warning"
-        },
-        {
-            "text": "To set the Admin Token, run the command below (or type update) in the LXC Console.",
-            "type": "info"
-        }
-    ]
+    {
+      "type": "alpine",
+      "script": "ct/alpine-vaultwarden.sh",
+      "resources": {
+        "cpu": 1,
+        "ram": 256,
+        "hdd": 0.5,
+        "os": "alpine",
+        "version": "3.21"
+      }
+    }
+  ],
+  "default_credentials": {
+    "username": null,
+    "password": null
+  },
+  "notes": [
+    {
+      "text": "Application uses self-signed certificate for HTTPS to work and is enabled by default. If you need a different setup, please read the documentation.",
+      "type": "warning"
+    },
+    {
+      "text": "To set the Admin Token, run the command below (or type update) in the LXC Console.",
+      "type": "info"
+    }
+  ]
 }
-

install/alpine-vaultwarden-install.sh

@@ -28,6 +28,11 @@ $STD apk add vaultwarden
 sed -i -e 's|export WEB_VAULT_ENABLED=.*|export WEB_VAULT_ENABLED=true|' /etc/conf.d/vaultwarden
 echo -e "export ADMIN_TOKEN=''" >>/etc/conf.d/vaultwarden
 echo -e "export ROCKET_ADDRESS=0.0.0.0" >>/etc/conf.d/vaultwarden
+echo -e "export ROCKET_TLS='{certs=\"/etc/ssl/certs/vaultwarden-selfsigned.crt\",key=\"/etc/ssl/private/vaultwarden-selfsigned.key\"}'"
+$STD openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/C=US/O=Vaultwarden/O
+U=Domain Control Validated/CN=localhost"
+chown vaultwarden:vaultwarden /etc/ssl/certs/vaultwarden-selfsigned.crt
+chown vaultwarden:vaultwarden /etc/ssl/private/vaultwarden-selfsigned.key
 msg_ok "Installed Alpine-Vaultwarden"
 
 msg_info "Installing Web-Vault"

install/vaultwarden-install.sh

@@ -15,28 +15,23 @@ update_os
 
 msg_info "Installing Dependencies"
 $STD apt-get update
-$STD apt-get -qqy install \
-  git \
+$STD apt-get install -y git \
   build-essential \
   pkgconf \
   libssl-dev \
   libmariadb-dev-compat \
   libpq-dev \
-  argon2
+  argon2 \
+  ssl-cert
 msg_ok "Installed Dependencies"
 
-WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest |
-  grep "tag_name" |
-  awk '{print substr($2, 2, length($2)-3) }')
-
-VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest |
-  grep "tag_name" |
-  awk '{print substr($2, 2, length($2)-3) }')
+WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
+VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
 
 msg_info "Installing Rust"
 curl -fsSL https://sh.rustup.rs -o rustup-init.sh
 $STD bash rustup-init.sh -y --profile minimal
-echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
+echo 'export PATH="$HOME/.cargo/bin:$PATH"' >>~/.bashrc
 export PATH="$HOME/.cargo/bin:$PATH"
 rm rustup-init.sh
 msg_ok "Installed Rust"
@@ -54,19 +49,23 @@ mkdir -p /opt/vaultwarden/data
 cp target/release/vaultwarden /opt/vaultwarden/bin/
 
 msg_info "Downloading Web-Vault ${WEBVAULT}"
-$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz
-$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/
+$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/"$WEBVAULT"/bw_web_"$WEBVAULT".tar.gz
+$STD tar -xzf bw_web_"$WEBVAULT".tar.gz -C /opt/vaultwarden/
 msg_ok "Downloaded Web-Vault ${WEBVAULT}"
 
 cat <<EOF >/opt/vaultwarden/.env
 ADMIN_TOKEN=''
 ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
 DATA_FOLDER=/opt/vaultwarden/data
 DATABASE_MAX_CONNS=10
 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
 WEB_VAULT_ENABLED=true
 EOF
 
+mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
+mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
+
 msg_info "Creating Service"
 chown -R vaultwarden:vaultwarden /opt/vaultwarden/
 chown root:root /opt/vaultwarden/bin/vaultwarden