|
2 | 2 | set -eu |
3 | 3 |
|
4 | 4 | # If arguments are provided, run bw with them (passthrough mode) |
| 5 | +# This keeps the image usable as a plain CLI. |
5 | 6 | if [ "$#" -gt 0 ]; then |
6 | 7 | exec bw "$@" |
7 | 8 | fi |
8 | 9 |
|
9 | | -# Server mode |
| 10 | +# --- Server mode (for bw serve) --- |
10 | 11 |
|
11 | 12 | if [ -z "${BW_HOST:-}" ]; then |
12 | 13 | echo "BW_HOST is required" >&2 |
|
16 | 17 | # Point CLI to the desired server (US/EU/self-hosted) |
17 | 18 | bw config server "${BW_HOST}" |
18 | 19 |
|
19 | | -# Login/unlock |
20 | | -if [ -n "${BW_CLIENTID:-}" ] && [ -n "${BW_CLIENTSECRET:-}" ]; then |
| 20 | +login_with_apikey() { |
21 | 21 | echo "Using API key to log in" |
22 | 22 | # bw reads BW_CLIENTID and BW_CLIENTSECRET from env |
23 | | - bw login --apikey --raw >/dev/null 2>&1 || true |
24 | | - if [ -n "${BW_PASSWORD:-}" ]; then |
25 | | - export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)" |
26 | | - fi |
27 | | -else |
| 23 | + bw login --apikey --raw >/dev/null 2>&1 |
| 24 | +} |
| 25 | + |
| 26 | +login_with_user() { |
28 | 27 | if [ -z "${BW_USER:-}" ] || [ -z "${BW_PASSWORD:-}" ]; then |
29 | 28 | echo "BW_USER and BW_PASSWORD are required when not using API key" >&2 |
30 | 29 | exit 2 |
31 | 30 | fi |
32 | 31 | echo "Using username/password to log in" |
33 | | - export BW_SESSION="$(bw login "${BW_USER}" --passwordenv BW_PASSWORD --raw)" |
| 32 | + BW_SESSION="$(bw login "${BW_USER}" --passwordenv BW_PASSWORD --raw)" |
| 33 | + export BW_SESSION |
| 34 | +} |
| 35 | + |
| 36 | +unlock_with_password() { |
| 37 | + if [ -z "${BW_PASSWORD:-}" ]; then |
| 38 | + echo "BW_PASSWORD is required to unlock vault" >&2 |
| 39 | + return 1 |
| 40 | + fi |
| 41 | + BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)" |
| 42 | + export BW_SESSION |
| 43 | +} |
| 44 | + |
| 45 | +# Initial login + unlock so the vault starts in an unlocked state. |
| 46 | +if [ -n "${BW_CLIENTID:-}" ] && [ -n "${BW_CLIENTSECRET:-}" ]; then |
| 47 | + login_with_apikey |
| 48 | + # Use password to derive a session so CLI/server can operate without prompts. |
| 49 | + unlock_with_password || { |
| 50 | + echo "Initial unlock failed; Bitwarden vault remains locked." >&2 |
| 51 | + } |
| 52 | +else |
| 53 | + login_with_user |
34 | 54 | fi |
35 | 55 |
|
36 | | -# Ensure session is valid if possible |
37 | | -bw unlock --check >/dev/null 2>&1 || true |
| 56 | +# Background watchdog: keep the vault unlocked even when Bitwarden/Vaultwarden |
| 57 | +# applies short auto-lock timeouts (no \"never\" option). |
| 58 | +keep_unlocked() { |
| 59 | + # We intentionally ignore transient errors here; ESO will surface issues |
| 60 | + # and the pod can be restarted by Kubernetes if needed. |
| 61 | + while true; do |
| 62 | + if ! bw unlock --check >/dev/null 2>&1; then |
| 63 | + echo "Vault appears locked; attempting re-unlock..." >&2 |
| 64 | + if [ -n "${BW_CLIENTID:-}" ] && [ -n "${BW_CLIENTSECRET:-}" ]; then |
| 65 | + bw login --apikey --raw >/dev/null 2>&1 || true |
| 66 | + fi |
| 67 | + unlock_with_password || true |
| 68 | + fi |
| 69 | + sleep "${BW_UNLOCK_INTERVAL:-300}" |
| 70 | + done |
| 71 | +} |
| 72 | + |
| 73 | +# After initial login/unlock, we don't want set -e to kill the container |
| 74 | +# because of a transient failure inside keep_unlocked. |
| 75 | +set +e |
| 76 | +keep_unlocked & |
38 | 77 |
|
39 | 78 | echo 'Running `bw serve` on 0.0.0.0:8087' |
40 | 79 | exec bw serve --hostname 0.0.0.0 |