mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
PersistKeysToFileSystem when selfhosted
This commit is contained in:
parent
3e7c0f7ca1
commit
e7905dec04
@ -4,9 +4,16 @@ services:
|
||||
mssql:
|
||||
volumes:
|
||||
- /etc/bitwarden/mssql_data:/var/opt/mssql/data
|
||||
web:
|
||||
volumes:
|
||||
- /etc/bitwarden/web:/etc/bitwarden/web
|
||||
api:
|
||||
volumes:
|
||||
- /etc/bitwarden/core:/etc/bitwarden/core
|
||||
identity:
|
||||
volumes:
|
||||
- /etc/bitwarden/identity:/etc/bitwarden/identity
|
||||
- /etc/bitwarden/core:/etc/bitwarden/core
|
||||
nginx:
|
||||
volumes:
|
||||
- /etc/bitwarden/nginx:/etc/bitwarden/nginx
|
||||
|
@ -4,9 +4,16 @@ services:
|
||||
mssql:
|
||||
volumes:
|
||||
- mssql_data:/var/opt/mssql/data
|
||||
web:
|
||||
volumes:
|
||||
- c:/bitwarden/web:/etc/bitwarden/web
|
||||
api:
|
||||
volumes:
|
||||
- c:/bitwarden/core:/etc/bitwarden/core
|
||||
identity:
|
||||
volumes:
|
||||
- c:/bitwarden/identity:/etc/bitwarden/identity
|
||||
- c:/bitwarden/core:/etc/bitwarden/core
|
||||
nginx:
|
||||
volumes:
|
||||
- c:/bitwarden/nginx:/etc/bitwarden/nginx
|
||||
|
@ -4,9 +4,16 @@ services:
|
||||
mssql:
|
||||
volumes:
|
||||
- mssql_data:/var/opt/mssql/data
|
||||
web:
|
||||
volumes:
|
||||
- c:/bitwarden/web:/etc/bitwarden/web
|
||||
api:
|
||||
volumes:
|
||||
- c:/bitwarden/core:/etc/bitwarden/core
|
||||
identity:
|
||||
volumes:
|
||||
- c:/bitwarden/identity:/etc/bitwarden/identity
|
||||
- c:/bitwarden/core:/etc/bitwarden/core
|
||||
nginx:
|
||||
volumes:
|
||||
- c:/bitwarden/nginx:/etc/bitwarden/nginx
|
||||
|
@ -1,3 +1,4 @@
|
||||
*
|
||||
!obj/Docker/publish/*
|
||||
!obj/Docker/empty/
|
||||
!entrypoint.sh
|
||||
|
@ -22,4 +22,7 @@ done
|
||||
WORKDIR /app
|
||||
EXPOSE 80
|
||||
COPY obj/Docker/publish .
|
||||
ENTRYPOINT ["dotnet", "Api.dll"]
|
||||
|
||||
COPY entrypoint.sh /
|
||||
RUN chmod +x /entrypoint.sh
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
3
src/Api/entrypoint.sh
Normal file
3
src/Api/entrypoint.sh
Normal file
@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
|
||||
dotnet /app/Api.dll
|
@ -17,6 +17,7 @@ using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.WindowsAzure.Storage;
|
||||
using System;
|
||||
using System.IO;
|
||||
using SqlServerRepos = Bit.Core.Repositories.SqlServer;
|
||||
|
||||
namespace Bit.Core.Utilities
|
||||
@ -195,10 +196,19 @@ namespace Bit.Core.Utilities
|
||||
public static void AddCustomDataProtectionServices(
|
||||
this IServiceCollection services, IHostingEnvironment env, GlobalSettings globalSettings)
|
||||
{
|
||||
if(env.IsDevelopment())
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if(globalSettings.SelfHosted)
|
||||
{
|
||||
var dir = new DirectoryInfo("/etc/bitwarden/core/aspnet-dataprotection");
|
||||
services.AddDataProtection().PersistKeysToFileSystem(dir);
|
||||
}
|
||||
|
||||
#if NET461
|
||||
if(!env.IsDevelopment() && !globalSettings.SelfHosted &&
|
||||
!string.IsNullOrWhiteSpace(globalSettings.Storage.ConnectionString) &&
|
||||
!string.IsNullOrWhiteSpace(globalSettings.DataProtection.CertificateThumbprint))
|
||||
if(!globalSettings.SelfHosted)
|
||||
{
|
||||
var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
|
||||
var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);
|
||||
|
@ -12,7 +12,7 @@ namespace Setup
|
||||
private static IDictionary<string, string> _parameters = null;
|
||||
private static string _domain = null;
|
||||
private static string _url = null;
|
||||
private static string _certPassword = null;
|
||||
private static string _identityCertPassword = null;
|
||||
private static bool _ssl = false;
|
||||
private static bool _letsEncrypt = false;
|
||||
|
||||
@ -28,21 +28,21 @@ namespace Setup
|
||||
_ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ?
|
||||
_parameters["ssl"].ToLowerInvariant() == "y" : false);
|
||||
_url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
|
||||
_certPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
|
||||
_identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
|
||||
|
||||
MakeIdentityCert();
|
||||
MakeCerts();
|
||||
BuildNginxConfig();
|
||||
BuildEnvironmentFiles();
|
||||
BuildAppSettingsFiles();
|
||||
}
|
||||
|
||||
private static void MakeIdentityCert()
|
||||
private static void MakeCerts()
|
||||
{
|
||||
Directory.CreateDirectory("/bitwarden/identity/");
|
||||
var identityCertResult = Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
|
||||
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
|
||||
"-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
|
||||
var identityPfxResult = Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
|
||||
$"-in identity.crt -certfile identity.crt -passout pass:{_certPassword}");
|
||||
Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
|
||||
$"-in identity.crt -certfile identity.crt -passout pass:{_identityCertPassword}");
|
||||
}
|
||||
|
||||
private static void BuildNginxConfig()
|
||||
@ -165,6 +165,7 @@ server {{
|
||||
|
||||
private static void BuildEnvironmentFiles()
|
||||
{
|
||||
Directory.CreateDirectory("/bitwarden/docker/");
|
||||
var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
|
||||
var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" +
|
||||
$"Password={dbPass};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;" +
|
||||
@ -176,7 +177,7 @@ server {{
|
||||
globalSettings:baseServiceUri:api={_url}/api
|
||||
globalSettings:baseServiceUri:identity={_url}/identity
|
||||
globalSettings:sqlServer:connectionString={dbConnectionString}
|
||||
globalSettings:identityServer:certificatePassword={_certPassword}
|
||||
globalSettings:identityServer:certificatePassword={_identityCertPassword}
|
||||
globalSettings:duo:aKey={Helpers.SecureRandomString(32, alpha: true, numeric: true)}
|
||||
globalSettings:yubico:clientId=REPLACE
|
||||
globalSettings:yubico:REPLACE");
|
||||
|
Loading…
Reference in New Issue
Block a user