mirror of
https://github.com/bitwarden/server.git
synced 2024-12-23 17:07:42 +01:00
[DEVOPS-1204] Migrate unified & it's build pipeline to self-host repo (#2988)
* Remove build self host workflow * Remove docker-unified folder * Add trigger for self host build in separate repo * Change branch * Fix
This commit is contained in:
parent
a6ffadf086
commit
3522d8b084
188
.github/workflows/build-self-host.yml
vendored
188
.github/workflows/build-self-host.yml
vendored
@ -1,188 +0,0 @@
|
||||
---
|
||||
name: Build Self-Host
|
||||
|
||||
on:
|
||||
push:
|
||||
branches-ignore:
|
||||
- "l10n_master"
|
||||
- "gh-pages"
|
||||
paths-ignore:
|
||||
- ".github/workflows/**"
|
||||
workflow_dispatch:
|
||||
pull_request:
|
||||
branches-ignore:
|
||||
- "l10n_master"
|
||||
- "gh-pages"
|
||||
paths:
|
||||
- ".github/workflows/build-self-host.yml"
|
||||
|
||||
jobs:
|
||||
build-docker:
|
||||
name: Build Docker image
|
||||
runs-on: ubuntu-22.04
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
|
||||
|
||||
- name: Check Branch to Publish
|
||||
env:
|
||||
PUBLISH_BRANCHES: "master,rc,hotfix-rc"
|
||||
id: publish-branch-check
|
||||
run: |
|
||||
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
|
||||
|
||||
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
|
||||
echo "is_publish_branch=true" >> $GITHUB_ENV
|
||||
else
|
||||
echo "is_publish_branch=false" >> $GITHUB_ENV
|
||||
fi
|
||||
|
||||
########## Set up Docker ##########
|
||||
- name: Set up QEMU emulators
|
||||
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
|
||||
|
||||
########## Login to Docker registries ##########
|
||||
- name: Login to Azure - QA Subscription
|
||||
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}
|
||||
|
||||
- name: Login to Azure ACR
|
||||
run: az acr login -n bitwardenqa
|
||||
|
||||
- name: Login to Azure - Prod Subscription
|
||||
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
||||
|
||||
- name: Login to Azure ACR
|
||||
run: az acr login -n bitwardenprod
|
||||
|
||||
- name: Login to Azure - CI Subscription
|
||||
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Retrieve github PAT secrets
|
||||
id: retrieve-secret-pat
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
|
||||
with:
|
||||
keyvault: "bitwarden-ci"
|
||||
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
|
||||
|
||||
- name: Retrieve secrets
|
||||
if: ${{ env.is_publish_branch == 'true' }}
|
||||
id: retrieve-secrets
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
|
||||
with:
|
||||
keyvault: "bitwarden-ci"
|
||||
secrets: "docker-password,
|
||||
docker-username,
|
||||
dct-delegate-2-repo-passphrase,
|
||||
dct-delegate-2-key"
|
||||
|
||||
- name: Log into Docker
|
||||
if: ${{ env.is_publish_branch == 'true' }}
|
||||
env:
|
||||
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
|
||||
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
|
||||
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
||||
|
||||
- name: Setup Docker Trust
|
||||
if: ${{ env.is_publish_branch == 'true' }}
|
||||
env:
|
||||
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
|
||||
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
|
||||
DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
|
||||
run: |
|
||||
mkdir -p ~/.docker/trust/private
|
||||
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
|
||||
echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
|
||||
echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
|
||||
|
||||
########## Generate image tag and build Docker image ##########
|
||||
- name: Generate Docker image tag
|
||||
id: tag
|
||||
run: |
|
||||
IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name
|
||||
if [[ "$IMAGE_TAG" == "master" ]]; then
|
||||
IMAGE_TAG=dev
|
||||
elif [[ "$IMAGE_TAG" == "rc" ]] || [[ "$IMAGE_TAG" == "hotfix-rc" ]]; then
|
||||
IMAGE_TAG=beta
|
||||
fi
|
||||
|
||||
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Generate tag list
|
||||
id: tag-list
|
||||
env:
|
||||
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
|
||||
run: |
|
||||
if [ "$IMAGE_TAG" = "dev" ] || [ "$IMAGE_TAG" = "beta" ]; then
|
||||
echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwardenprod.azurecr.io/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
|
||||
else
|
||||
echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwardenprod.azurecr.io/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
|
||||
fi
|
||||
|
||||
- name: Build Docker image
|
||||
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
|
||||
with:
|
||||
context: .
|
||||
file: docker-unified/Dockerfile
|
||||
platforms: |
|
||||
linux/amd64,
|
||||
linux/arm/v7,
|
||||
linux/arm64/v8
|
||||
push: true
|
||||
tags: ${{ steps.tag-list.outputs.tags }}
|
||||
secrets: |
|
||||
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
|
||||
|
||||
- name: Log out of Docker and disable Docker Notary
|
||||
if: ${{ env.is_publish_branch == 'true' }}
|
||||
run: |
|
||||
docker logout
|
||||
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
|
||||
|
||||
check-failures:
|
||||
name: Check for failures
|
||||
if: always()
|
||||
runs-on: ubuntu-22.04
|
||||
needs: build-docker
|
||||
steps:
|
||||
- name: Check if any job failed
|
||||
if: |
|
||||
github.ref == 'refs/heads/master'
|
||||
|| github.ref == 'refs/heads/rc'
|
||||
|| github.ref == 'refs/heads/hotfix-rc'
|
||||
env:
|
||||
BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
|
||||
run: |
|
||||
if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Login to Azure - CI subscription
|
||||
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
|
||||
if: failure()
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Retrieve secrets
|
||||
id: retrieve-secrets
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
|
||||
if: failure()
|
||||
with:
|
||||
keyvault: "bitwarden-ci"
|
||||
secrets: "devops-alerts-slack-webhook-url"
|
||||
|
||||
- name: Notify Slack on failure
|
||||
uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
|
||||
if: failure()
|
||||
env:
|
||||
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
|
||||
with:
|
||||
status: ${{ job.status }}
|
33
.github/workflows/build.yml
vendored
33
.github/workflows/build.yml
vendored
@ -528,6 +528,39 @@ jobs:
|
||||
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
|
||||
if-no-files-found: error
|
||||
|
||||
trigger-self-host-build:
|
||||
name: Trigger self-host build
|
||||
runs-on: ubuntu-22.04
|
||||
needs:
|
||||
- build-docker
|
||||
steps:
|
||||
- name: Login to Azure - CI Subscription
|
||||
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Retrieve github PAT secrets
|
||||
id: retrieve-secret-pat
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
|
||||
with:
|
||||
keyvault: "bitwarden-ci"
|
||||
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
|
||||
|
||||
- name: Trigger self-host build
|
||||
uses: actions/github-script@v6
|
||||
with:
|
||||
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
|
||||
script: |
|
||||
await github.rest.actions.createWorkflowDispatch({
|
||||
owner: 'bitwarden',
|
||||
repo: 'self-host',
|
||||
workflow_id: 'build-self-host.yml',
|
||||
ref: 'DEVOPS-1204-Migrate_Build_pipeline_to_self-host_repo',
|
||||
inputs: {
|
||||
server_branch: '${{ github.ref }}'
|
||||
}
|
||||
})
|
||||
|
||||
check-failures:
|
||||
name: Check for failures
|
||||
if: always()
|
||||
|
@ -1,3 +0,0 @@
|
||||
COMPOSE_PROJECT_NAME=bitwarden
|
||||
REGISTRY=bitwarden
|
||||
TAG=dev
|
@ -1,283 +0,0 @@
|
||||
# syntax = docker/dockerfile:1.2
|
||||
###############################################
|
||||
# Build stage #
|
||||
###############################################
|
||||
FROM --platform=$BUILDPLATFORM debian AS web-setup
|
||||
|
||||
# Add packages
|
||||
RUN apt-get update && apt-get install -y \
|
||||
curl \
|
||||
jq \
|
||||
unzip \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
WORKDIR /tmp
|
||||
|
||||
# Download tags from 'clients' repository
|
||||
RUN --mount=type=secret,id=GH_PAT,target=/etc/secrets/GH_PAT if [ -e "/etc/secrets/GH_PAT" ]; then \
|
||||
curl --header "Authorization: token $(cat /etc/secrets/GH_PAT)" \
|
||||
https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; else \
|
||||
curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; fi
|
||||
|
||||
RUN cat tags.json
|
||||
|
||||
# Grab last tag/release of the 'web' client
|
||||
RUN cat tags.json | jq -r 'last(.[] | select(.ref|test("refs/tags/web-v[0-9]{4}.[0-9]{1,2}.[0-9]+"))) | .ref | split("/")[2]' > tag.txt
|
||||
|
||||
# Extract the version of the 'web' client
|
||||
RUN cat tag.txt | grep -o -E "[0-9]{4}\.[0-9]{1,2}\.[0-9]+" > version.txt
|
||||
|
||||
# Download the built release artifact for the 'web' client
|
||||
RUN TAG=$(cat tag.txt) \
|
||||
&& VERSION=$(cat version.txt) \
|
||||
&& curl -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O
|
||||
|
||||
# Unzip the 'web' client to /tmp/build
|
||||
RUN VERSION=$(cat version.txt) \
|
||||
&& unzip web-$VERSION-selfhosted-COMMERCIAL.zip
|
||||
|
||||
###############################################
|
||||
# Build stage #
|
||||
###############################################
|
||||
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS dotnet-build
|
||||
|
||||
# Docker buildx supplies the value for this arg
|
||||
ARG TARGETPLATFORM
|
||||
|
||||
# Determine proper runtime value for .NET
|
||||
# We put the value in a file to be read by later layers.
|
||||
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
|
||||
RID=linux-x64 ; \
|
||||
elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
|
||||
RID=linux-arm64 ; \
|
||||
elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
|
||||
RID=linux-arm ; \
|
||||
fi \
|
||||
&& echo "RID=$RID" > /tmp/rid.txt
|
||||
|
||||
# Add packages
|
||||
RUN apt-get update && apt-get install -y \
|
||||
npm \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN npm install -g gulp
|
||||
|
||||
# Copy csproj files as distinct layers
|
||||
WORKDIR /source
|
||||
COPY src/Admin/*.csproj ./src/Admin/
|
||||
COPY src/Api/*.csproj ./src/Api/
|
||||
COPY src/Events/*.csproj ./src/Events/
|
||||
COPY src/Icons/*.csproj ./src/Icons/
|
||||
COPY src/Identity/*.csproj ./src/Identity/
|
||||
COPY src/Notifications/*.csproj ./src/Notifications/
|
||||
COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
|
||||
COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
|
||||
COPY src/Core/*.csproj ./src/Core/
|
||||
COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
|
||||
COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
|
||||
COPY src/SharedWeb/*.csproj ./src/SharedWeb/
|
||||
COPY util/Migrator/*.csproj ./util/Migrator/
|
||||
COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
|
||||
COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
|
||||
COPY util/SqliteMigrations/*.csproj ./util/SqliteMigrations/
|
||||
COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
|
||||
COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/*.csproj ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
|
||||
COPY Directory.Build.props .
|
||||
|
||||
# Restore Admin project dependencies and tools
|
||||
WORKDIR /source/src/Admin
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Api project dependencies and tools
|
||||
WORKDIR /source/src/Api
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Events project dependencies and tools
|
||||
WORKDIR /source/src/Events
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Icons project dependencies and tools
|
||||
WORKDIR /source/src/Icons
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Identity project dependencies and tools
|
||||
WORKDIR /source/src/Identity
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Notifications project dependencies and tools
|
||||
WORKDIR /source/src/Notifications
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Sso project dependencies and tools
|
||||
WORKDIR /source/bitwarden_license/src/Sso
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Restore Scim project dependencies and tools
|
||||
WORKDIR /source/bitwarden_license/src/Scim
|
||||
RUN . /tmp/rid.txt && dotnet restore -r $RID
|
||||
|
||||
# Copy required project files
|
||||
WORKDIR /source
|
||||
COPY src/Admin/. ./src/Admin/
|
||||
COPY src/Api/. ./src/Api/
|
||||
COPY src/Events/. ./src/Events/
|
||||
COPY src/Icons/. ./src/Icons/
|
||||
COPY src/Identity/. ./src/Identity/
|
||||
COPY src/Notifications/. ./src/Notifications/
|
||||
COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
|
||||
COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
|
||||
COPY src/Core/. ./src/Core/
|
||||
COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
|
||||
COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
|
||||
COPY src/SharedWeb/. ./src/SharedWeb/
|
||||
COPY util/Migrator/. ./util/Migrator/
|
||||
COPY util/MySqlMigrations/. ./util/MySqlMigrations/
|
||||
COPY util/PostgresMigrations/. ./util/PostgresMigrations/
|
||||
COPY util/SqliteMigrations/. ./util/SqliteMigrations/
|
||||
COPY util/EfShared/. ./util/EfShared/
|
||||
COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
|
||||
COPY bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
|
||||
COPY .git/. ./.git/
|
||||
|
||||
# Build Admin app
|
||||
WORKDIR /source/src/Admin
|
||||
RUN npm install
|
||||
RUN gulp --gulpfile "gulpfile.js" build
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Api app
|
||||
WORKDIR /source/src/Api
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Events app
|
||||
WORKDIR /source/src/Events
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Icons app
|
||||
WORKDIR /source/src/Icons
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Identity app
|
||||
WORKDIR /source/src/Identity
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Notifications app
|
||||
WORKDIR /source/src/Notifications
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Sso app
|
||||
WORKDIR /source/bitwarden_license/src/Sso
|
||||
RUN npm install
|
||||
RUN gulp --gulpfile "gulpfile.js" build
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
|
||||
|
||||
# Build Scim app
|
||||
WORKDIR /source/bitwarden_license/src/Scim
|
||||
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
|
||||
|
||||
###############################################
|
||||
# App stage #
|
||||
###############################################
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:6.0
|
||||
ARG TARGETPLATFORM
|
||||
LABEL com.bitwarden.product="bitwarden"
|
||||
LABEL com.bitwarden.project="unified"
|
||||
ENV ASPNETCORE_ENVIRONMENT=Production
|
||||
ENV BW_ENABLE_ADMIN=true
|
||||
ENV BW_ENABLE_API=true
|
||||
ENV BW_ENABLE_EVENTS=false
|
||||
ENV BW_ENABLE_ICONS=true
|
||||
ENV BW_ENABLE_IDENTITY=true
|
||||
ENV BW_ENABLE_NOTIFICATIONS=true
|
||||
ENV BW_ENABLE_SCIM=false
|
||||
ENV BW_ENABLE_SSO=false
|
||||
ENV BW_DB_FILE="/etc/bitwarden/vault.db"
|
||||
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
|
||||
ENV globalSettings__selfHosted="true"
|
||||
ENV globalSettings__unifiedDeployment="true"
|
||||
ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
|
||||
ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
|
||||
ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
|
||||
ENV globalSettings__baseServiceUri__internalEvents="http://localhost:5003"
|
||||
ENV globalSettings__baseServiceUri__internalIcons="http://localhost:5004"
|
||||
ENV globalSettings__baseServiceUri__internalIdentity="http://localhost:5005"
|
||||
ENV globalSettings__baseServiceUri__internalNotifications="http://localhost:5006"
|
||||
ENV globalSettings__baseServiceUri__internalSso="http://localhost:5007"
|
||||
ENV globalSettings__baseServiceUri__internalScim="http://localhost:5002"
|
||||
ENV globalSettings__baseServiceUri__internalVault="http://localhost:8080"
|
||||
ENV globalSettings__identityServer__certificatePassword="default_cert_password"
|
||||
ENV globalSettings__dataProtection__directory="/etc/bitwarden/data-protection"
|
||||
ENV globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments"
|
||||
ENV globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send"
|
||||
ENV globalSettings__licenseDirectory="/etc/bitwarden/licenses"
|
||||
ENV globalSettings__logDirectoryByProject="false"
|
||||
ENV globalSettings__logRollBySizeLimit="1073741824"
|
||||
|
||||
# Add packages
|
||||
RUN apt-get update && apt-get install -y \
|
||||
curl \
|
||||
nginx \
|
||||
openssl \
|
||||
supervisor \
|
||||
tzdata \
|
||||
unzip \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Create required directories
|
||||
RUN mkdir -p /etc/bitwarden/attachments/send
|
||||
RUN mkdir -p /etc/bitwarden/data-protection
|
||||
RUN mkdir -p /etc/bitwarden/licenses
|
||||
RUN mkdir -p /etc/bitwarden/logs
|
||||
RUN mkdir -p /etc/supervisor
|
||||
RUN mkdir -p /etc/supervisor.d
|
||||
RUN mkdir -p /var/log/bitwarden
|
||||
RUN mkdir -p /var/log/nginx/logs
|
||||
RUN mkdir -p /etc/nginx/http.d
|
||||
RUN mkdir -p /var/run/nginx
|
||||
RUN mkdir -p /var/lib/nginx/tmp
|
||||
RUN touch /var/run/nginx/nginx.pid
|
||||
RUN mkdir -p /app
|
||||
|
||||
# Copy all apps from dotnet-build stage
|
||||
WORKDIR /app
|
||||
COPY --from=dotnet-build /app ./
|
||||
|
||||
# Copy Web files from web-setup stage
|
||||
COPY --from=web-setup /tmp/build /app/Web
|
||||
|
||||
# Set up supervisord
|
||||
COPY docker-unified/supervisord/*.ini /etc/supervisor.d/
|
||||
COPY docker-unified/supervisord/supervisord.conf /etc/supervisor/supervisord.conf
|
||||
RUN rm -f /etc/supervisord.conf
|
||||
|
||||
# Set up nginx
|
||||
COPY docker-unified/nginx/nginx.conf /etc/nginx
|
||||
COPY docker-unified/nginx/proxy.conf /etc/nginx
|
||||
COPY docker-unified/nginx/mime.types /etc/nginx
|
||||
COPY docker-unified/nginx/security-headers.conf /etc/nginx
|
||||
COPY docker-unified/nginx/security-headers-ssl.conf /etc/nginx
|
||||
COPY docker-unified/nginx/logrotate.sh /
|
||||
RUN chmod +x /logrotate.sh
|
||||
|
||||
# Copy configuration templates
|
||||
COPY docker-unified/hbs/nginx-config.hbs /etc/hbs/
|
||||
COPY docker-unified/hbs/app-id.hbs /etc/hbs/
|
||||
COPY docker-unified/hbs/config.yaml /etc/hbs/
|
||||
|
||||
# Download hbs tool for generating final configurations
|
||||
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.3.0/hbs_linux-x64_dotnet.zip; fi
|
||||
RUN if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.3.0/hbs_linux-armv7_dotnet.zip; fi
|
||||
RUN if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.3.0/hbs_linux-arm64_dotnet.zip; fi
|
||||
|
||||
# Extract hbs
|
||||
RUN unzip hbs.zip -d /usr/local/bin && rm hbs.zip
|
||||
RUN chmod +x /usr/local/bin/hbs
|
||||
|
||||
# Copy entrypoint script and make it executable
|
||||
COPY docker-unified/entrypoint.sh /entrypoint.sh
|
||||
RUN chmod +x /entrypoint.sh
|
||||
|
||||
VOLUME ["/etc/bitwarden"]
|
||||
|
||||
WORKDIR /app
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
@ -1,56 +0,0 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
bitwarden:
|
||||
depends_on:
|
||||
- db
|
||||
env_file:
|
||||
- settings.env
|
||||
image: ${REGISTRY:-bitwarden}/self-host:${TAG:-beta}
|
||||
restart: always
|
||||
ports:
|
||||
- "80:8080"
|
||||
- "443:8443"
|
||||
volumes:
|
||||
- bitwarden:/etc/bitwarden
|
||||
- logs:/var/log/bitwarden
|
||||
|
||||
# MariaDB Example
|
||||
db:
|
||||
environment:
|
||||
MARIADB_USER: "bitwarden"
|
||||
MARIADB_PASSWORD: "super_strong_password"
|
||||
MARIADB_DATABASE: "bitwarden_vault"
|
||||
MARIADB_RANDOM_ROOT_PASSWORD: "true"
|
||||
image: mariadb:10
|
||||
restart: always
|
||||
volumes:
|
||||
- data:/var/lib/mysql
|
||||
|
||||
# PostgreSQL Example
|
||||
# db:
|
||||
# environment:
|
||||
# POSTGRES_USER: "bitwarden"
|
||||
# POSTGRES_PASSWORD: "super_strong_password"
|
||||
# POSTGRES_DB: "bitwarden_vault"
|
||||
# image: postgres:14
|
||||
# restart: always
|
||||
# volumes:
|
||||
# - data:/var/lib/postgresql/data
|
||||
|
||||
# MS SQL Server Example
|
||||
# Docs: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-docker-container-deployment
|
||||
# db:
|
||||
# environment:
|
||||
# MSSQL_SA_PASSWORD: "super_strong_password"
|
||||
# ACCEPT_EULA: Y
|
||||
# image: mcr.microsoft.com/mssql/server:2019-latest
|
||||
# restart: always
|
||||
# volumes:
|
||||
# - data:/var/opt/mssql
|
||||
|
||||
volumes:
|
||||
bitwarden:
|
||||
logs:
|
||||
data:
|
@ -1,108 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Set up user group
|
||||
PGID="${PGID:-1000}"
|
||||
addgroup --gid $PGID bitwarden
|
||||
|
||||
# Set up user
|
||||
PUID="${PUID:-1000}"
|
||||
adduser --no-create-home --shell /bin/bash --disabled-password --uid $PUID --gid $PGID --gecos "" bitwarden
|
||||
|
||||
# Translate environment variables for application settings
|
||||
VAULT_SERVICE_URI=https://$BW_DOMAIN
|
||||
MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;port=${BW_DB_PORT:-3306};database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
|
||||
POSTGRESQL_CONNECTION_STRING="Host=$BW_DB_SERVER;Port=${BW_DB_PORT:-5432};Database=$BW_DB_DATABASE;Username=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD"
|
||||
SQLSERVER_CONNECTION_STRING="Server=$BW_DB_SERVER,${BW_DB_PORT:-1433};Database=$BW_DB_DATABASE;User Id=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD;Encrypt=True;TrustServerCertificate=True"
|
||||
SQLITE_CONNECTION_STRING="Data Source=$BW_DB_FILE;"
|
||||
INTERNAL_IDENTITY_KEY=$(openssl rand -hex 30)
|
||||
OIDC_IDENTITY_CLIENT_KEY=$(openssl rand -hex 30)
|
||||
DUO_AKEY=$(openssl rand -hex 30)
|
||||
|
||||
export globalSettings__baseServiceUri__vault=${globalSettings__baseServiceUri__vault:-$VAULT_SERVICE_URI}
|
||||
export globalSettings__installation__id=$BW_INSTALLATION_ID
|
||||
export globalSettings__installation__key=$BW_INSTALLATION_KEY
|
||||
export globalSettings__internalIdentityKey=${globalSettings__internalIdentityKey:-$INTERNAL_IDENTITY_KEY}
|
||||
export globalSettings__oidcIdentityClientKey=${globalSettings__oidcIdentityClientKey:-$OIDC_IDENTITY_CLIENT_KEY}
|
||||
export globalSettings__duo__aKey=${globalSettings__duo__aKey:-$DUO_AKEY}
|
||||
|
||||
export globalSettings__databaseProvider=$BW_DB_PROVIDER
|
||||
export globalSettings__mysql__connectionString=${globalSettings__mysql__connectionString:-$MYSQL_CONNECTION_STRING}
|
||||
export globalSettings__postgreSql__connectionString=${globalSettings__postgreSql__connectionString:-$POSTGRESQL_CONNECTION_STRING}
|
||||
export globalSettings__sqlServer__connectionString=${globalSettings__sqlServer__connectionString:-$SQLSERVER_CONNECTION_STRING}
|
||||
export globalSettings__sqlite__connectionString=${globalSettings__sqlite__connectionString:-$SQLITE_CONNECTION_STRING}
|
||||
|
||||
if [ "$BW_ENABLE_SSL" = "true" ]; then
|
||||
export globalSettings__baseServiceUri__internalVault=https://localhost:${BW_PORT_HTTPS:-8443}
|
||||
else
|
||||
export globalSettings__baseServiceUri__internalVault=http://localhost:${BW_PORT_HTTP:-8080}
|
||||
fi
|
||||
|
||||
# Generate Identity certificate
|
||||
if [ ! -f /etc/bitwarden/identity.pfx ]; then
|
||||
openssl req \
|
||||
-x509 \
|
||||
-newkey rsa:4096 \
|
||||
-sha256 \
|
||||
-nodes \
|
||||
-keyout /etc/bitwarden/identity.key \
|
||||
-out /etc/bitwarden/identity.crt \
|
||||
-subj "/CN=Bitwarden IdentityServer" \
|
||||
-days 36500
|
||||
|
||||
openssl pkcs12 \
|
||||
-export \
|
||||
-out /etc/bitwarden/identity.pfx \
|
||||
-inkey /etc/bitwarden/identity.key \
|
||||
-in /etc/bitwarden/identity.crt \
|
||||
-passout pass:$globalSettings__identityServer__certificatePassword
|
||||
|
||||
rm /etc/bitwarden/identity.crt
|
||||
rm /etc/bitwarden/identity.key
|
||||
fi
|
||||
|
||||
cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
|
||||
cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
|
||||
|
||||
# Generate SSL certificates
|
||||
if [ "$BW_ENABLE_SSL" = "true" -a ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
|
||||
openssl req \
|
||||
-x509 \
|
||||
-newkey rsa:4096 \
|
||||
-sha256 \
|
||||
-nodes \
|
||||
-days 36500 \
|
||||
-keyout /etc/bitwarden/${BW_SSL_KEY:-ssl.key} \
|
||||
-out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
|
||||
-reqexts SAN \
|
||||
-extensions SAN \
|
||||
-config <(cat /usr/lib/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
|
||||
-subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
|
||||
fi
|
||||
|
||||
# Launch a loop to rotate nginx logs on a daily basis
|
||||
/bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &"
|
||||
|
||||
/usr/local/bin/hbs
|
||||
|
||||
# Enable/Disable services
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_API}/" /etc/supervisor.d/api.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_EVENTS}/" /etc/supervisor.d/events.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_ICONS}/" /etc/supervisor.d/icons.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_IDENTITY}/" /etc/supervisor.d/identity.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.d/notifications.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
|
||||
sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini
|
||||
|
||||
chown -R $PUID:$PGID \
|
||||
/app \
|
||||
/etc/bitwarden \
|
||||
/etc/nginx/http.d \
|
||||
/etc/supervisor \
|
||||
/etc/supervisor.d \
|
||||
/var/lib/nginx \
|
||||
/var/log \
|
||||
/var/run/nginx \
|
||||
/run
|
||||
|
||||
exec setpriv --reuid=$PUID --regid=$PGID --init-groups /usr/bin/supervisord
|
@ -1,15 +0,0 @@
|
||||
{
|
||||
"trustedFacets": [
|
||||
{
|
||||
"version": {
|
||||
"major": 1,
|
||||
"minor": 0
|
||||
},
|
||||
"ids": [
|
||||
"{{{String.Coalesce env.globalSettings__baseServiceUri__vault "https://localhost"}}}",
|
||||
"ios:bundle-id:com.8bit.bitwarden",
|
||||
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
@ -1,7 +0,0 @@
|
||||
helper_categories:
|
||||
- String
|
||||
templates:
|
||||
- src: /etc/hbs/app-id.hbs
|
||||
dest: /app/Web/app-id.json
|
||||
- src: /etc/hbs/nginx-config.hbs
|
||||
dest: /etc/nginx/http.d/bitwarden.conf
|
@ -1,196 +0,0 @@
|
||||
server {
|
||||
listen {{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;
|
||||
#listen [::]:{{{String.Coalesce env.BW_PORT_HTTP "8080"}}} default_server;
|
||||
server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
|
||||
return 301 https://{{{String.Coalesce env.BW_DOMAIN "localhost"}}}:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}}$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
|
||||
#listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
|
||||
server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
|
||||
|
||||
ssl_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CERT "ssl.crt"}}};
|
||||
ssl_certificate_key /etc/bitwarden/{{{String.Coalesce env.BW_SSL_KEY "ssl.key"}}};
|
||||
ssl_session_timeout 30m;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_tickets off;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL_DH "true")}}
|
||||
|
||||
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
|
||||
ssl_dhparam /etc/bitwarden/{{{String.Coalesce env.BW_SSL_DH_CERT "dh.pem"}}};
|
||||
{{/if}}
|
||||
|
||||
ssl_protocols {{{String.Coalesce env.BW_SSL_PROTOCOLS "TLSv1.2"}}};
|
||||
ssl_ciphers "{{{String.Coalesce env.BW_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}}";
|
||||
# Enables server-side protection from BEAST attacks
|
||||
ssl_prefer_server_ciphers on;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL_CA "true")}}
|
||||
|
||||
# OCSP Stapling ---
|
||||
# Fetch OCSP records from URL in ssl_certificate and cache them
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CA_CERT "ca.crt"}}};
|
||||
resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
|
||||
{{/if}}
|
||||
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
{{#if (String.IsNotNullOrWhitespace env.BW_REAL_IPS)}}
|
||||
|
||||
{{#each (String.Split env.BW_REAL_IPS ",")}}
|
||||
set_real_ip_from {{{String.Trim .}}};
|
||||
{{/each}}
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
{{/if}}
|
||||
|
||||
location / {
|
||||
root /app/Web;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory; object-src 'self' blob:;"}}}";
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Robots-Tag "noindex, nofollow";
|
||||
}
|
||||
|
||||
location /alive {
|
||||
default_type text/plain;
|
||||
return 200 $date_gmt;
|
||||
}
|
||||
|
||||
location = /app-id.json {
|
||||
root /app/Web;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
proxy_hide_header Content-Type;
|
||||
add_header Content-Type $fido_content_type;
|
||||
}
|
||||
|
||||
location = /duo-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location = /webauthn-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location = /webauthn-fallback-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location = /sso-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location = /captcha-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location = /captcha-mobile-connector.html {
|
||||
root /app/Web;
|
||||
}
|
||||
|
||||
location /attachments/ {
|
||||
alias /etc/bitwarden/attachments/;
|
||||
}
|
||||
{{#if (String.Equal env.BW_ENABLE_API "true")}}
|
||||
|
||||
location /api/ {
|
||||
proxy_pass http://localhost:5001/;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_ICONS "true")}}
|
||||
|
||||
location /icons/ {
|
||||
{{#if (String.Equal env.BW_ICONS_PROXY_TO_CLOUD "true")}}
|
||||
proxy_pass https://icons.bitwarden.net/;
|
||||
proxy_set_header Host icons.bitwarden.net;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_ssl_server_name on;
|
||||
{{else}}
|
||||
proxy_pass http://localhost:5004/;
|
||||
{{/if}}
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_NOTIFICATIONS "true")}}
|
||||
|
||||
location /notifications/ {
|
||||
proxy_pass http://localhost:5006/;
|
||||
}
|
||||
|
||||
location /notifications/hub {
|
||||
proxy_pass http://localhost:5006/hub;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
}
|
||||
|
||||
location /notifications/anonymous-hub {
|
||||
proxy_pass http://localhost:5006/anonymous-hub;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $http_connection;
|
||||
}
|
||||
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_EVENTS "true")}}
|
||||
|
||||
location /events/ {
|
||||
proxy_pass http://localhost:5003/;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_SSO "true")}}
|
||||
|
||||
location /sso {
|
||||
proxy_pass http://localhost:5007;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_IDENTITY "true")}}
|
||||
|
||||
location /identity {
|
||||
proxy_pass http://localhost:5005;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_ADMIN "true")}}
|
||||
|
||||
location /admin {
|
||||
proxy_pass http://localhost:5000;
|
||||
{{#if (String.Equal env.BW_ENABLE_SSL "true")}}
|
||||
include /etc/nginx/security-headers-ssl.conf;
|
||||
{{/if}}
|
||||
include /etc/nginx/security-headers.conf;
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_SCIM "true")}}
|
||||
|
||||
location /scim/ {
|
||||
proxy_pass http://localhost:5002/;
|
||||
}
|
||||
{{/if}}
|
||||
{{#if (String.Equal env.BW_ENABLE_KEY_CONNECTOR "true")}}
|
||||
|
||||
location /key-connector/ {
|
||||
proxy_pass {{{env.BW_KEY_CONNECTOR_INTERNAL_URL}}}/;
|
||||
}
|
||||
{{/if}}
|
||||
}
|
@ -1,15 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
while true
|
||||
do
|
||||
[ "$1" = "loop" ] && sleep $((24 * 3600 - (`date +%_H` * 3600 + `date +%_M` * 60 + `date +%_S`)))
|
||||
ts=$(date +%Y%m%d_%H%M%S)
|
||||
mv /var/log/nginx/access.log /var/log/nginx/access.$ts.log
|
||||
mv /var/log/nginx/error.log /var/log/nginx/error.$ts.log
|
||||
kill -USR1 `cat /var/run/nginx/nginx.pid`
|
||||
sleep 1
|
||||
gzip /var/log/nginx/access.$ts.log
|
||||
gzip /var/log/nginx/error.$ts.log
|
||||
find /var/log/nginx/ -name "*.gz" -mtime +32 -delete
|
||||
[ "$1" != "loop" ] && break
|
||||
done
|
@ -1,138 +0,0 @@
|
||||
types {
|
||||
|
||||
# Data interchange
|
||||
|
||||
application/atom+xml atom;
|
||||
application/json json map topojson;
|
||||
application/ld+json jsonld;
|
||||
application/rss+xml rss;
|
||||
application/vnd.geo+json geojson;
|
||||
application/xml rdf xml;
|
||||
|
||||
|
||||
# JavaScript
|
||||
|
||||
# Normalize to standard type.
|
||||
# https://tools.ietf.org/html/rfc4329#section-7.2
|
||||
application/javascript js;
|
||||
|
||||
|
||||
# Manifest files
|
||||
|
||||
application/manifest+json webmanifest;
|
||||
application/x-web-app-manifest+json webapp;
|
||||
text/cache-manifest appcache;
|
||||
|
||||
|
||||
# Media files
|
||||
|
||||
audio/midi mid midi kar;
|
||||
audio/mp4 aac f4a f4b m4a;
|
||||
audio/mpeg mp3;
|
||||
audio/ogg oga ogg opus;
|
||||
audio/x-realaudio ra;
|
||||
audio/x-wav wav;
|
||||
image/bmp bmp;
|
||||
image/gif gif;
|
||||
image/jpeg jpeg jpg;
|
||||
image/jxr jxr hdp wdp;
|
||||
image/png png;
|
||||
image/svg+xml svg svgz;
|
||||
image/tiff tif tiff;
|
||||
image/vnd.wap.wbmp wbmp;
|
||||
image/webp webp;
|
||||
image/x-jng jng;
|
||||
video/3gpp 3gp 3gpp;
|
||||
video/mp4 f4p f4v m4v mp4;
|
||||
video/mpeg mpeg mpg;
|
||||
video/ogg ogv;
|
||||
video/quicktime mov;
|
||||
video/webm webm;
|
||||
video/x-flv flv;
|
||||
video/x-mng mng;
|
||||
video/x-ms-asf asf asx;
|
||||
video/x-ms-wmv wmv;
|
||||
video/x-msvideo avi;
|
||||
|
||||
# Serving `.ico` image files with a different media type
|
||||
# prevents Internet Explorer from displaying then as images:
|
||||
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
|
||||
|
||||
image/x-icon cur ico;
|
||||
|
||||
|
||||
# Microsoft Office
|
||||
|
||||
application/msword doc;
|
||||
application/vnd.ms-excel xls;
|
||||
application/vnd.ms-powerpoint ppt;
|
||||
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
|
||||
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
|
||||
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
|
||||
|
||||
|
||||
# Web fonts
|
||||
|
||||
application/font-woff woff;
|
||||
application/font-woff2 woff2;
|
||||
application/vnd.ms-fontobject eot;
|
||||
|
||||
# Browsers usually ignore the font media types and simply sniff
|
||||
# the bytes to figure out the font type.
|
||||
# https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
|
||||
#
|
||||
# However, Blink and WebKit based browsers will show a warning
|
||||
# in the console if the following font types are served with any
|
||||
# other media types.
|
||||
|
||||
application/x-font-ttf ttc ttf;
|
||||
font/opentype otf;
|
||||
|
||||
|
||||
# Other
|
||||
|
||||
application/java-archive ear jar war;
|
||||
application/mac-binhex40 hqx;
|
||||
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
|
||||
application/pdf pdf;
|
||||
application/postscript ai eps ps;
|
||||
application/rtf rtf;
|
||||
application/vnd.google-earth.kml+xml kml;
|
||||
application/vnd.google-earth.kmz kmz;
|
||||
application/vnd.wap.wmlc wmlc;
|
||||
application/x-7z-compressed 7z;
|
||||
application/x-bb-appworld bbaw;
|
||||
application/x-bittorrent torrent;
|
||||
application/x-chrome-extension crx;
|
||||
application/x-cocoa cco;
|
||||
application/x-java-archive-diff jardiff;
|
||||
application/x-java-jnlp-file jnlp;
|
||||
application/x-makeself run;
|
||||
application/x-opera-extension oex;
|
||||
application/x-perl pl pm;
|
||||
application/x-pilot pdb prc;
|
||||
application/x-rar-compressed rar;
|
||||
application/x-redhat-package-manager rpm;
|
||||
application/x-sea sea;
|
||||
application/x-shockwave-flash swf;
|
||||
application/x-stuffit sit;
|
||||
application/x-tcl tcl tk;
|
||||
application/x-x509-ca-cert crt der pem;
|
||||
application/x-xpinstall xpi;
|
||||
application/xhtml+xml xhtml;
|
||||
application/xslt+xml xsl;
|
||||
application/zip zip;
|
||||
text/css css;
|
||||
text/csv csv;
|
||||
text/html htm html shtml;
|
||||
text/markdown md;
|
||||
text/mathml mml;
|
||||
text/plain txt;
|
||||
text/vcard vcard vcf;
|
||||
text/vnd.rim.location.xloc xloc;
|
||||
text/vnd.sun.j2me.app-descriptor jad;
|
||||
text/vnd.wap.wml wml;
|
||||
text/vtt vtt;
|
||||
text/x-component htc;
|
||||
|
||||
}
|
@ -1,147 +0,0 @@
|
||||
# nginx Configuration File
|
||||
# http://wiki.nginx.org/Configuration
|
||||
|
||||
daemon off;
|
||||
|
||||
# Run as a less privileged user for security reasons.
|
||||
# user www www;
|
||||
|
||||
# How many worker threads to run;
|
||||
# "auto" sets it to the number of CPU cores available in the system, and
|
||||
# offers the best performance. Don't set it higher than the number of CPU
|
||||
# cores if changing this parameter.
|
||||
|
||||
# The maximum number of connections for Nginx is calculated by:
|
||||
# max_clients = worker_processes * worker_connections
|
||||
worker_processes auto;
|
||||
|
||||
# Maximum open file descriptors per process;
|
||||
# should be > worker_connections.
|
||||
worker_rlimit_nofile 8192;
|
||||
|
||||
events {
|
||||
# When you need > 8000 * cpu_cores connections, you start optimizing your OS,
|
||||
# and this is probably the point at which you hire people who are smarter than
|
||||
# you, as this is *a lot* of requests.
|
||||
worker_connections 8000;
|
||||
}
|
||||
|
||||
# Default error log file
|
||||
# (this is only used when you don't override error_log on a server{} level)
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx/nginx.pid;
|
||||
|
||||
http {
|
||||
# Include proxy and server configuration.
|
||||
include /etc/nginx/proxy.conf;
|
||||
include /etc/nginx/http.d/bitwarden.conf;
|
||||
|
||||
# Hide nginx version information.
|
||||
server_tokens off;
|
||||
|
||||
# Define the MIME types for files.
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
# Update charset_types to match updated mime.types.
|
||||
# text/html is always included by charset module.
|
||||
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
|
||||
charset_types
|
||||
text/css
|
||||
text/plain
|
||||
text/vnd.wap.wml
|
||||
application/javascript
|
||||
application/json
|
||||
application/rss+xml
|
||||
application/xml;
|
||||
|
||||
# Format to use in log files
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
# Default log file
|
||||
# (this is only used when you don't override access_log on a server{} level)
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
# How long to allow each connection to stay idle; longer values are better
|
||||
# for each individual client, particularly for SSL, but means that worker
|
||||
# connections are tied up longer. (Default: 65)
|
||||
keepalive_timeout 20;
|
||||
|
||||
# Speed up file transfers by using sendfile() to copy directly
|
||||
# between descriptors rather than using read()/write().
|
||||
# For performance reasons, on FreeBSD systems w/ ZFS
|
||||
# this option should be disabled as ZFS's ARC caches
|
||||
# frequently used files in RAM by default.
|
||||
sendfile on;
|
||||
|
||||
# Tell Nginx not to send out partial frames; this increases throughput
|
||||
# since TCP frames are filled up before being sent out. (adds TCP_CORK)
|
||||
tcp_nopush on;
|
||||
|
||||
|
||||
# Compression
|
||||
|
||||
# Enable Gzip compressed.
|
||||
gzip on;
|
||||
|
||||
# Compression level (1-9).
|
||||
# 5 is a perfect compromise between size and cpu usage, offering about
|
||||
# 75% reduction for most ascii files (almost identical to level 9).
|
||||
gzip_comp_level 5;
|
||||
|
||||
# Don't compress anything that's already small and unlikely to shrink much
|
||||
# if at all (the default is 20 bytes, which is bad as that usually leads to
|
||||
# larger files after gzipping).
|
||||
gzip_min_length 256;
|
||||
|
||||
# Compress data even for clients that are connecting to us via proxies,
|
||||
# identified by the "Via" header (required for CloudFront).
|
||||
gzip_proxied any;
|
||||
|
||||
# Tell proxies to cache both the gzipped and regular version of a resource
|
||||
# whenever the client's Accept-Encoding capabilities header varies;
|
||||
# Avoids the issue where a non-gzip capable client (which is extremely rare
|
||||
# today) would display gibberish if their proxy gave them the gzipped version.
|
||||
gzip_vary on;
|
||||
|
||||
# Compress all output labeled with one of the following MIME-types.
|
||||
gzip_types
|
||||
application/atom+xml
|
||||
application/javascript
|
||||
application/json
|
||||
application/ld+json
|
||||
application/manifest+json
|
||||
application/rss+xml
|
||||
application/vnd.geo+json
|
||||
application/vnd.ms-fontobject
|
||||
application/x-font-ttf
|
||||
application/x-web-app-manifest+json
|
||||
application/xhtml+xml
|
||||
application/xml
|
||||
font/opentype
|
||||
image/bmp
|
||||
image/svg+xml
|
||||
image/x-icon
|
||||
text/cache-manifest
|
||||
text/css
|
||||
text/plain
|
||||
text/vcard
|
||||
text/vnd.rim.location.xloc
|
||||
text/vtt
|
||||
text/x-component
|
||||
text/x-cross-domain-policy;
|
||||
# text/html is always compressed by HttpGzipModule
|
||||
|
||||
# This should be turned on if you are going to have pre-compressed copies (.gz) of
|
||||
# static files available. If not it should be left off as it will cause extra I/O
|
||||
# for the check. It is best if you enable this in a location{} block for
|
||||
# a specific directory, or on an individual server{} level.
|
||||
# gzip_static on;
|
||||
|
||||
# Content type for FIDO U2F facets
|
||||
map $uri $fido_content_type {
|
||||
default "application/fido.trusted-apps+json";
|
||||
}
|
||||
}
|
@ -1,27 +0,0 @@
|
||||
proxy_redirect off;
|
||||
|
||||
map $http_host $upstream_host {
|
||||
default "$host";
|
||||
~. "$http_host";
|
||||
}
|
||||
proxy_set_header Host $upstream_host;
|
||||
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
map $http_x_forwarded_proto $upstream_scheme {
|
||||
default "$scheme";
|
||||
~. "$http_x_forwarded_proto";
|
||||
}
|
||||
proxy_set_header X-Url-Scheme $upstream_scheme;
|
||||
proxy_set_header X-Forwarded-Proto $upstream_scheme;
|
||||
|
||||
client_max_body_size 505m;
|
||||
client_body_buffer_size 128k;
|
||||
proxy_connect_timeout 90;
|
||||
proxy_send_timeout 90;
|
||||
proxy_read_timeout 90;
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
large_client_header_buffers 4 32k;
|
@ -1,2 +0,0 @@
|
||||
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
@ -1,3 +0,0 @@
|
||||
add_header Referrer-Policy same-origin;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
@ -1,69 +0,0 @@
|
||||
#####################
|
||||
# Required Settings #
|
||||
#####################
|
||||
|
||||
# Server hostname
|
||||
BW_DOMAIN=bitwarden.yourdomain.com
|
||||
|
||||
# Database
|
||||
# Available providers are sqlserver, postgresql, mysql/mariadb, or sqlite
|
||||
BW_DB_PROVIDER=mysql
|
||||
BW_DB_SERVER=db
|
||||
BW_DB_DATABASE=bitwarden_vault
|
||||
BW_DB_USERNAME=bitwarden
|
||||
BW_DB_PASSWORD=super_strong_password
|
||||
|
||||
# Installation information
|
||||
# Get your ID and key from https://bitwarden.com/host/
|
||||
BW_INSTALLATION_ID=00000000-0000-0000-0000-000000000000
|
||||
BW_INSTALLATION_KEY=xxxxxxxxxxxx
|
||||
|
||||
#####################
|
||||
# Optional Settings #
|
||||
#####################
|
||||
# Learn more here: https://bitwarden.com/help/environment-variables/
|
||||
|
||||
# Container user ID/group ID
|
||||
#PUID=1000
|
||||
#PGID=1000
|
||||
|
||||
# Webserver ports
|
||||
#BW_PORT_HTTP=8080
|
||||
#BW_PORT_HTTPS=8443
|
||||
|
||||
# SSL
|
||||
#BW_ENABLE_SSL=true
|
||||
#BW_ENABLE_SSL_CA=true
|
||||
#BW_SSL_CERT=ssl.crt
|
||||
#BW_SSL_KEY=ssl.key
|
||||
#BW_SSL_CA_CERT=ca.crt
|
||||
|
||||
# Services
|
||||
# Some services, namely for enterprise use cases, are disabled by default. Defaults shown below.
|
||||
#BW_ENABLE_ADMIN=true
|
||||
#BW_ENABLE_API=true
|
||||
#BW_ENABLE_EVENTS=false
|
||||
#BW_ENABLE_ICONS=true
|
||||
#BW_ENABLE_IDENTITY=true
|
||||
#BW_ENABLE_NOTIFICATIONS=true
|
||||
#BW_ENABLE_SCIM=false
|
||||
#BW_ENABLE_SSO=false
|
||||
|
||||
#BW_ICONS_PROXY_TO_CLOUD=false
|
||||
|
||||
# Mail
|
||||
#globalSettings__mail__replyToEmail=noreply@$BW_DOMAIN
|
||||
#globalSettings__mail__smtp__host=smtphost.example.com
|
||||
#globalSettings__mail__smtp__port=587
|
||||
#globalSettings__mail__smtp__ssl=false
|
||||
#globalSettings__mail__smtp__username=smtpusername
|
||||
#globalSettings__mail__smtp__password=smtppassword
|
||||
|
||||
# Yubikey
|
||||
#globalSettings__yubico__clientId=REPLACE
|
||||
#globalSettings__yubico__key=REPLACE
|
||||
|
||||
# Other
|
||||
#globalSettings__disableUserRegistration=false
|
||||
#globalSettings__hibpApiKey=REPLACE
|
||||
#adminSettings__admins=admin1@email.com,admin2@email.com
|
@ -1,9 +0,0 @@
|
||||
[program:admin]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Admin.dll"
|
||||
directory=/app/Admin
|
||||
environment=ASPNETCORE_URLS="http://+:5000"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/admin.log
|
@ -1,9 +0,0 @@
|
||||
[program:api]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Api.dll"
|
||||
directory=/app/Api
|
||||
environment=ASPNETCORE_URLS="http://+:5001"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/api.log
|
@ -1,9 +0,0 @@
|
||||
[program:events]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Events.dll"
|
||||
directory=/app/Events
|
||||
environment=ASPNETCORE_URLS="http://+:5003"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/events.log
|
@ -1,9 +0,0 @@
|
||||
[program:icons]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Icons.dll"
|
||||
directory=/app/Icons
|
||||
environment=ASPNETCORE_URLS="http://+:5004"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/icons.log
|
@ -1,10 +0,0 @@
|
||||
[program:identity]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Identity.dll"
|
||||
directory=/app/Identity
|
||||
environment=ASPNETCORE_URLS="http://+:5005"
|
||||
priority=1
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/identity.log
|
@ -1,7 +0,0 @@
|
||||
[program:nginx]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=nginx
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/nginx.log
|
@ -1,9 +0,0 @@
|
||||
[program:notifications]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Notifications.dll"
|
||||
directory=/app/Notifications
|
||||
environment=ASPNETCORE_URLS="http://+:5006"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/notifications.log
|
@ -1,9 +0,0 @@
|
||||
[program:scim]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Scim.dll"
|
||||
directory=/app/Scim
|
||||
environment=ASPNETCORE_URLS="http://+:5002"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/scim.log
|
@ -1,9 +0,0 @@
|
||||
[program:sso]
|
||||
autostart=true
|
||||
autorestart=true
|
||||
command=/usr/bin/dotnet "Sso.dll"
|
||||
directory=/app/Sso
|
||||
environment=ASPNETCORE_URLS="http://+:5007"
|
||||
redirect_stderr=true
|
||||
startsecs=15
|
||||
stdout_logfile=/var/log/bitwarden/sso.log
|
@ -1,15 +0,0 @@
|
||||
[unix_http_server]
|
||||
file=/run/supervisord.sock ; the path to the socket file
|
||||
|
||||
[supervisord]
|
||||
logfile=/var/log/supervisord.log ; main log file; default $CWD/supervisord.log
|
||||
nodaemon=true ; start in foreground if true; default false
|
||||
|
||||
[rpcinterface:supervisor]
|
||||
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
|
||||
|
||||
[supervisorctl]
|
||||
serverurl=unix:///run/supervisord.sock ; use a unix:// URL for a unix socket
|
||||
|
||||
[include]
|
||||
files = /etc/supervisor.d/*.ini
|
Loading…
Reference in New Issue
Block a user