nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 16:12:49 -05:00
Code Activity

Bitwarden Unified Self-Host project (#2410)

Browse Source
This commit is contained in:
Vince Grassia
2022-11-18 14:39:01 -05:00
committed by GitHub
parent 3481fd76c1
commit 194dfe7e14
57 changed files with 1929 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docker-unified/.env.example Normal file
View File

@ -0,0 +1,3 @@
COMPOSE_PROJECT_NAME=bitwarden
REGISTRY=bitwarden
TAG=dev

291
docker-unified/Dockerfile Normal file
View File

@ -0,0 +1,291 @@
###############################################
# Build stage #
###############################################
FROM --platform=$BUILDPLATFORM alpine AS web-setup
# Add packages
RUN apk add --update-cache \
curl \
jq \
&& rm -rf /var/cache/apk/*
WORKDIR /tmp
# Download tags from 'clients' repository
RUN curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json
# Grab last tag/release of the 'web' client
RUN cat tags.json | jq -r 'last(.[] | select(.ref|test("refs/tags/web-v[0-9]{4}.[0-9]{1,2}.[0-9]+"))) | .ref | split("/")[2]' > tag.txt
# Extract the version of the 'web' client
RUN cat tag.txt | grep -o -E "[0-9]{4}\.[0-9]{1,2}\.[0-9]+" > version.txt
# Download the built release artifact for the 'web' client
RUN TAG=$(cat tag.txt) \
&& VERSION=$(cat version.txt) \
&& curl -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O
# Unzip the 'web' client to /tmp/build
RUN VERSION=$(cat version.txt) \
&& unzip web-$VERSION-selfhosted-COMMERCIAL.zip
###############################################
# Build stage #
###############################################
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS dotnet-build
# Docker buildx supplies the value for this arg
ARG TARGETPLATFORM
# Determine proper runtime value for .NET
# We put the value in a file to be read by later layers.
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
RID=linux-x64 ; \
elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
RID=linux-arm64 ; \
elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
RID=linux-arm ; \
fi \
&& echo "RID=$RID" > /tmp/rid.txt
# Add packages
# RUN apk add --update-cache \
# npm \
# && rm -rf /var/cache/apk/*
RUN apt-get update && apt-get install -y \
npm \
&& rm -rf /var/lib/apt/lists/*
RUN npm install -g gulp
# Copy csproj files as distinct layers
WORKDIR /source
COPY src/Admin/*.csproj ./src/Admin/
COPY src/Api/*.csproj ./src/Api/
COPY src/Events/*.csproj ./src/Events/
COPY src/Icons/*.csproj ./src/Icons/
COPY src/Identity/*.csproj ./src/Identity/
COPY src/Notifications/*.csproj ./src/Notifications/
COPY bitwarden_license/src/Sso/*.csproj ./bitwarden_license/src/Sso/
COPY bitwarden_license/src/Scim/*.csproj ./bitwarden_license/src/Scim/
COPY src/Core/*.csproj ./src/Core/
COPY src/Infrastructure.Dapper/*.csproj ./src/Infrastructure.Dapper/
COPY src/Infrastructure.EntityFramework/*.csproj ./src/Infrastructure.EntityFramework/
COPY src/SharedWeb/*.csproj ./src/SharedWeb/
COPY util/Migrator/*.csproj ./util/Migrator/
COPY util/MySqlMigrations/*.csproj ./util/MySqlMigrations/
COPY util/PostgresMigrations/*.csproj ./util/PostgresMigrations/
COPY bitwarden_license/src/Commercial.Core/*.csproj ./bitwarden_license/src/Commercial.Core/
COPY Directory.Build.props .
# Restore Admin project dependencies and tools
WORKDIR /source/src/Admin
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Api project dependencies and tools
WORKDIR /source/src/Api
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Events project dependencies and tools
WORKDIR /source/src/Events
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Icons project dependencies and tools
WORKDIR /source/src/Icons
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Identity project dependencies and tools
WORKDIR /source/src/Identity
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Notifications project dependencies and tools
WORKDIR /source/src/Notifications
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Sso project dependencies and tools
WORKDIR /source/bitwarden_license/src/Sso
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Restore Scim project dependencies and tools
WORKDIR /source/bitwarden_license/src/Scim
RUN . /tmp/rid.txt && dotnet restore -r $RID
# Copy required project files
WORKDIR /source
COPY src/Admin/. ./src/Admin/
COPY src/Api/. ./src/Api/
COPY src/Events/. ./src/Events/
COPY src/Icons/. ./src/Icons/
COPY src/Identity/. ./src/Identity/
COPY src/Notifications/. ./src/Notifications/
COPY bitwarden_license/src/Sso/. ./bitwarden_license/src/Sso/
COPY bitwarden_license/src/Scim/. ./bitwarden_license/src/Scim/
COPY src/Core/. ./src/Core/
COPY src/Infrastructure.Dapper/. ./src/Infrastructure.Dapper/
COPY src/Infrastructure.EntityFramework/. ./src/Infrastructure.EntityFramework/
COPY src/SharedWeb/. ./src/SharedWeb/
COPY util/Migrator/. ./util/Migrator/
COPY util/MySqlMigrations/. ./util/MySqlMigrations/
COPY util/PostgresMigrations/. ./util/PostgresMigrations/
COPY util/EfShared/. ./util/EfShared/
COPY bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
COPY .git/. ./.git/
# Build Admin app
WORKDIR /source/src/Admin
RUN npm install
RUN gulp --gulpfile "gulpfile.js" build
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
# Build Api app
WORKDIR /source/src/Api
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Api --no-restore --no-self-contained -r $RID
# Build Events app
WORKDIR /source/src/Events
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Events --no-restore --no-self-contained -r $RID
# Build Icons app
WORKDIR /source/src/Icons
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Icons --no-restore --no-self-contained -r $RID
# Build Identity app
WORKDIR /source/src/Identity
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Identity --no-restore --no-self-contained -r $RID
# Build Notifications app
WORKDIR /source/src/Notifications
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-restore --no-self-contained -r $RID
# Build Sso app
WORKDIR /source/bitwarden_license/src/Sso
RUN npm install
RUN gulp --gulpfile "gulpfile.js" build
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
# Build Scim app
WORKDIR /source/bitwarden_license/src/Scim
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-self-contained -r $RID
###############################################
# App stage #
###############################################
FROM mcr.microsoft.com/dotnet/aspnet:6.0-alpine
ARG TARGETPLATFORM
LABEL com.bitwarden.product="bitwarden"
LABEL com.bitwarden.project="unified"
ENV ASPNETCORE_ENVIRONMENT=Production
ENV BW_ENABLE_ADMIN=true
ENV BW_ENABLE_API=true
ENV BW_ENABLE_EVENTS=false
ENV BW_ENABLE_ICONS=true
ENV BW_ENABLE_IDENTITY=true
ENV BW_ENABLE_NOTIFICATIONS=true
ENV BW_ENABLE_SCIM=false
ENV BW_ENABLE_SSO=false
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
ENV globalSettings__selfHosted="true"
ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
ENV globalSettings__baseServiceUri__internalEvents="http://localhost:5003"
ENV globalSettings__baseServiceUri__internalIcons="http://localhost:5004"
ENV globalSettings__baseServiceUri__internalIdentity="http://localhost:5005"
ENV globalSettings__baseServiceUri__internalNotifications="http://localhost:5006"
ENV globalSettings__baseServiceUri__internalSso="http://localhost:5007"
ENV globalSettings__baseServiceUri__internalScim="http://localhost:5002"
ENV globalSettings__baseServiceUri__internalVault="http://localhost:80"
ENV globalSettings__identityServer__certificatePassword="default_cert_password"
ENV globalSettings__dataProtection__directory="/etc/bitwarden/data-protection"
ENV globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments"
ENV globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send"
ENV globalSettings__licenseDirectory="/etc/bitwarden/licenses"
ENV globalSettings__logDirectoryByProject="false"
ENV globalSettings__logRollBySizeLimit="1073741824"
EXPOSE 80
EXPOSE 443
# Add packages
RUN apk add --update-cache \
curl \
icu-libs \
nginx \
openssl \
su-exec \
supervisor \
tzdata \
&& rm -rf /var/cache/apk/*
# Create non-root user to run app
RUN adduser -s /bin/false -D bitwarden
# Create required directories
RUN mkdir -p /etc/bitwarden/attachments/send
RUN mkdir -p /etc/bitwarden/data-protection
RUN mkdir -p /etc/bitwarden/licenses
RUN mkdir -p /etc/bitwarden/logs
RUN mkdir -p /etc/supervisor
RUN mkdir -p /etc/supervisor.d
RUN mkdir -p /var/log/bitwarden
RUN mkdir -p /var/log/nginx/logs
RUN mkdir -p /app
RUN chown -R bitwarden:bitwarden \
/app \
/etc/bitwarden \
/etc/nginx/http.d \
/etc/supervisor \
/etc/supervisor.d \
/var/lib/nginx \
/var/log \
/run
# Copy all apps from dotnet-build stage
WORKDIR /app
COPY --chown=bitwarden:bitwarden --from=dotnet-build /app ./
# Copy Web files from web-setup stage
COPY --chown=bitwarden:bitwarden --from=web-setup /tmp/build /app/Web
# Set up supervisord
COPY --chown=bitwarden:bitwarden docker-unified/supervisord/*.ini /etc/supervisor.d/
COPY --chown=bitwarden:bitwarden docker-unified/supervisord/supervisord.conf /etc/supervisor/supervisord.conf
RUN rm -f /etc/supervisord.conf
# Set up nginx
COPY docker-unified/nginx/nginx.conf /etc/nginx
COPY docker-unified/nginx/proxy.conf /etc/nginx
COPY docker-unified/nginx/mime.types /etc/nginx
COPY docker-unified/nginx/security-headers.conf /etc/nginx
COPY docker-unified/nginx/security-headers-ssl.conf /etc/nginx
COPY docker-unified/nginx/logrotate.sh /
RUN chmod +x /logrotate.sh
# Copy configuration templates
COPY docker-unified/confd/nginx-config.toml /etc/confd/conf.d/
COPY docker-unified/confd/nginx-config.conf.tmpl /etc/confd/templates/
COPY docker-unified/confd/app-id.toml /etc/confd/conf.d/
COPY docker-unified/confd/app-id.conf.tmpl /etc/confd/templates/
# Download confd tool for generating final configurations
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-amd64.tar.gz; fi
RUN if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-arm7.tar.gz; fi
RUN if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-arm64.tar.gz; fi
# Extract confd
RUN tar -xvzo -C /usr/local/bin -f confd.tar.gz && rm confd.tar.gz
# Copy entrypoint script and make it executable
COPY docker-unified/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
# TODO: Remove after testing
RUN apk add --update-cache \
vim \
&& rm -rf /var/cache/apk/*
VOLUME ["/etc/bitwarden"]
WORKDIR /app
USER bitwarden:bitwarden
HEALTHCHECK CMD curl --insecure -Lfs https://localhost/alive || curl -Lfs http://localhost/alive || exit 1
ENTRYPOINT ["/entrypoint.sh"]

15
docker-unified/confd/app-id.conf.tmpl Normal file
View File

@ -0,0 +1,15 @@
{
"trustedFacets": [
{
"version": {
"major": 1,
"minor": 0
},
"ids": [
"{{ getenv "globalSettings__baseServiceUri__vault" "https://localhost" }}",
"ios:bundle-id:com.8bit.bitwarden",
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI"
]
}
]
}

6
docker-unified/confd/app-id.toml Normal file
View File

@ -0,0 +1,6 @@
[template]
src = "app-id.conf.tmpl"
dest = "/app/Web/app-id.json"
keys = [
"globalSettings__baseServiceUri__vault"
]

144
docker-unified/confd/nginx-config.conf.tmpl Normal file
View File

@ -0,0 +1,144 @@
server {
listen 80 default_server;
#listen [::]:80 default_server;
server_name {{ getenv "BW_DOMAIN" "localhost" }};
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
return 301 https://{{ getenv "BW_DOMAIN" "localhost" }}$request_uri;
}
server {
listen 443 ssl http2;
#listen [::]:443 ssl http2;
server_name {{ getenv "BW_DOMAIN" "localhost" }};
ssl_certificate /etc/bitwarden/{{ getenv "BW_SSL_CERT" "ssl.crt" }};
ssl_certificate_key /etc/bitwarden/{{ getenv "BW_SSL_KEY" "ssl.key" }};
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;
ssl_protocols {{ getenv "BW_SSL_PROTOCOLS" "TLSv1.2" }};
ssl_ciphers "{{ getenv "BW_SSL_CIPHERS" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" }}";
# Enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
{{ if eq (getenv "BW_ENABLE_SSL_CA") "true" }}
# OCSP Stapling ---
# Fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/bitwarden/{{ getenv "BW_SSL_CA_CERT" "ca.crt" }};
resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
{{ end }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
{{ if getenv "BW_REAL_IPS" }}
{{ range (getenv "BW_REAL_IPS") }}
set_real_ip_from {{ .Key }};
{{ end }}
real_ip_header X-Forwarded-For;
real_ip_recursive on;
{{ end }}
location / {
root /app/Web;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
add_header Content-Security-Policy "{{ getenv "BW_CSP" "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;" }}";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Robots-Tag "noindex, nofollow";
}
location /alive {
default_type text/plain;
return 200 $date_gmt;
}
location = /app-id.json {
root /app/Web;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
proxy_hide_header Content-Type;
add_header Content-Type $fido_content_type;
}
location /attachments {
alias /etc/bitwarden/attachments/;
}
location /api/ {
proxy_pass http://localhost:5001/;
}
location /icons/ {
{{ if eq (getenv "BW_ICONS_PROXY_TO_CLOUD") "true" }}
proxy_pass https://icons.bitwarden.net/;
proxy_set_header Host icons.bitwarden.net;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_ssl_server_name on;
{{ else }}
proxy_pass http://localhost:5004/;
{{ end }}
}
location /notifications/ {
proxy_pass http://localhost:5006/;
}
location /notifications/hub {
proxy_pass http://localhost:5006/hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}
location /events/ {
proxy_pass http://localhost:5003/;
}
location /sso {
proxy_pass http://localhost:5007;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
}
location /identity {
proxy_pass http://localhost:5005;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
}
location /admin {
proxy_pass http://localhost:5000;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }}
include /etc/nginx/security-headers-ssl.conf;
{{ end }}
include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN;
}
{{ if eq (getenv "BW_ENABLE_KEY_CONNECTOR") "true" }}
location /key-connector/ {
proxy_pass {{ getenv "BW_KEY_CONNECTOR_INTERNAL_URL"}}/;
}
{{ end }}
location /scim/ {
proxy_pass http://localhost:5002/;
}
}

17
docker-unified/confd/nginx-config.toml Normal file
View File

@ -0,0 +1,17 @@
[template]
src = "nginx-config.conf.tmpl"
dest = "/etc/nginx/http.d/bitwarden.conf"
keys = [
"BW_ENABLE_SSL_CA",
"BW_SSL_CA_CERT",
"BW_CSP",
"BW_ENABLE_KEY_CONNECTOR",
"BW_KEY_CONNECTOR_INTERNAL_URL",
"BW_REAL_IPS",
"BW_ENABLE_SSL",
"BW_SSL_CERT",
"BW_SSL_CIPHERS",
"BW_SSL_KEY",
"BW_SSL_PROTOCOLS",
"BW_ICONS_PROXY_TO_CLOUD"
]

56
docker-unified/docker-compose.yml Normal file
View File

@ -0,0 +1,56 @@
---
version: "3.8"
services:
bitwarden:
depends_on:
- db
env_file:
- settings.env
image: ${REGISTRY:-bitwarden}/self-host:${TAG:-latest}
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- bitwarden:/etc/bitwarden
- logs:/var/log/bitwarden
# MariaDB Example
db:
environment:
MARIADB_USER: "bitwarden"
MARIADB_PASSWORD: "super_strong_password"
MARIADB_DATABASE: "bitwarden_vault"
MARIADB_RANDOM_ROOT_PASSWORD: "true"
image: mariadb:10
restart: always
volumes:
- data:/var/lib/mysql
# PostgreSQL Example
# db:
# environment:
# POSTGRES_USER: "bitwarden"
# POSTGRES_PASSWORD: "super_strong_password"
# POSTGRES_DB: "bitwarden_vault"
# image: postgres:15
# restart: always
# volumes:
# - data:/var/lib/postgresql/data
# MS SQL Server Example
# Docs: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-docker-container-deployment
# db:
# environment:
# MSSQL_SA_PASSWORD: "super_strong_password"
# ACCEPT_EULA: Y
# image: mcr.microsoft.com/mssql/server:2019-latest
# restart: always
# volumes:
# - data:/var/opt/mssql/data
volumes:
bitwarden:
logs:
data:

81
docker-unified/entrypoint.sh Normal file
View File

@ -0,0 +1,81 @@
#!/bin/sh
# Translate environment variables for application settings
VAULT_SERVICE_URI=https://$BW_DOMAIN
MYSQL_CONNECTION_STRING="server=$BW_DB_SERVER;database=$BW_DB_DATABASE;user=$BW_DB_USERNAME;password=$BW_DB_PASSWORD"
POSTGRESQL_CONNECTION_STRING="Host=$BW_DB_SERVER;Database=$BW_DB_DATABASE;Username=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD"
SQLSERVER_CONNECTION_STRING="Server=$BW_DB_SERVER;Database=$BW_DB_DATABASE;User Id=$BW_DB_USERNAME;Password=$BW_DB_PASSWORD;"
INTERNAL_IDENTITY_KEY=$(openssl rand -hex 30)
OIDC_IDENTITY_CLIENT_KEY=$(openssl rand -hex 30)
DUO_AKEY=$(openssl rand -hex 30)
export globalSettings__baseServiceUri__vault=${globalSettings__baseServiceUri__vault:-$VAULT_SERVICE_URI}
export globalSettings__installation__id=$BW_INSTALLATION_ID
export globalSettings__installation__key=$BW_INSTALLATION_KEY
export globalSettings__internalIdentityKey=${globalSettings__internalIdentityKey:-$INTERNAL_IDENTITY_KEY}
export globalSettings__oidcIdentityClientKey=${globalSettings__oidcIdentityClientKey:-$OIDC_IDENTITY_CLIENT_KEY}
export globalSettings__duo__aKey=${globalSettings__duo__aKey:-$DUO_AKEY}
export globalSettings__databaseProvider=$BW_DB_PROVIDER
export globalSettings__mysql__connectionString=${globalSettings__mysql__connectionString:-$MYSQL_CONNECTION_STRING}
export globalSettings__postgreSql__connectionString=${globalSettings__postgreSql__connectionString:-$POSTGRESQL_CONNECTION_STRING}
export globalSettings__sqlServer__connectionString=${globalSettings__sqlServer__connectionString:-$SQLSERVER_CONNECTION_STRING}
# Generate Identity certificate
if [ ! -f /etc/bitwarden/identity.pfx ]; then
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-nodes \
-keyout /etc/bitwarden/identity.key \
-out /etc/bitwarden/identity.crt \
-subj "/CN=Bitwarden IdentityServer" \
-days 36500
openssl pkcs12 \
-export \
-out /etc/bitwarden/identity.pfx \
-inkey /etc/bitwarden/identity.key \
-in /etc/bitwarden/identity.crt \
-passout pass:$globalSettings__identityServer__certificatePassword
rm /etc/bitwarden/identity.crt
rm /etc/bitwarden/identity.key
fi
cp /etc/bitwarden/identity.pfx /app/Identity/identity.pfx
cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
# Generate SSL certificates
if [ "$BW_ENABLE_SSL" == "true" -a ! -f /etc/bitwarden/ssl.key ]; then
openssl req \
-x509 \
-newkey rsa:4096 \
-sha256 \
-nodes \
-days 36500 \
-keyout /etc/bitwarden/${BW_SSL_KEY:-ssl.key} \
-out /etc/bitwarden/${BW_SSL_CERT:-ssl.crt} \
-reqexts SAN \
-extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true")) \
-subj "/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN=${BW_DOMAIN:-localhost}"
fi
# Launch a loop to rotate nginx logs on a daily basis
/bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &"
/usr/local/bin/confd -onetime -backend env
# Enable/Disable services
sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_API}/" /etc/supervisor.d/api.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_EVENTS}/" /etc/supervisor.d/events.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_ICONS}/" /etc/supervisor.d/icons.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_IDENTITY}/" /etc/supervisor.d/identity.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.d/notifications.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini
exec /usr/bin/supervisord

15
docker-unified/nginx/logrotate.sh Normal file
View File

@ -0,0 +1,15 @@
#!/bin/sh
while true
do
[ "$1" = "loop" ] && sleep $((24 * 3600 - (`date +%_H` * 3600 + `date +%_M` * 60 + `date +%_S`)))
ts=$(date +%Y%m%d_%H%M%S)
mv /var/log/nginx/access.log /var/log/nginx/access.$ts.log
mv /var/log/nginx/error.log /var/log/nginx/error.$ts.log
kill -USR1 `cat /var/run/nginx/nginx.pid`
sleep 1
gzip /var/log/nginx/access.$ts.log
gzip /var/log/nginx/error.$ts.log
find /var/log/nginx/ -name "*.gz" -mtime +32 -delete
[ "$1" != "loop" ] && break
done

138
docker-unified/nginx/mime.types Normal file
View File

@ -0,0 +1,138 @@
types {
# Data interchange
application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
application/vnd.geo+json geojson;
application/xml rdf xml;
# JavaScript
# Normalize to standard type.
# https://tools.ietf.org/html/rfc4329#section-7.2
application/javascript js;
# Manifest files
application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;
# Media files
audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-ms-wmv wmv;
video/x-msvideo avi;
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
image/x-icon cur ico;
# Microsoft Office
application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
# Web fonts
application/font-woff woff;
application/font-woff2 woff2;
application/vnd.ms-fontobject eot;
# Browsers usually ignore the font media types and simply sniff
# the bytes to figure out the font type.
# https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
#
# However, Blink and WebKit based browsers will show a warning
# in the console if the following font types are served with any
# other media types.
application/x-font-ttf ttc ttf;
font/opentype otf;
# Other
application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}

147
docker-unified/nginx/nginx.conf Normal file
View File

@ -0,0 +1,147 @@
# nginx Configuration File
# http://wiki.nginx.org/Configuration
daemon off;
# Run as a less privileged user for security reasons.
# user www www;
# How many worker threads to run;
# "auto" sets it to the number of CPU cores available in the system, and
# offers the best performance. Don't set it higher than the number of CPU
# cores if changing this parameter.
# The maximum number of connections for Nginx is calculated by:
# max_clients = worker_processes * worker_connections
worker_processes auto;
# Maximum open file descriptors per process;
# should be > worker_connections.
worker_rlimit_nofile 8192;
events {
# When you need > 8000 * cpu_cores connections, you start optimizing your OS,
# and this is probably the point at which you hire people who are smarter than
# you, as this is *a lot* of requests.
worker_connections 8000;
}
# Default error log file
# (this is only used when you don't override error_log on a server{} level)
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx/nginx.pid;
http {
# Include proxy and server configuration.
include /etc/nginx/proxy.conf;
include /etc/nginx/http.d/bitwarden.conf;
# Hide nginx version information.
server_tokens off;
# Define the MIME types for files.
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Update charset_types to match updated mime.types.
# text/html is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
charset_types
text/css
text/plain
text/vnd.wap.wml
application/javascript
application/json
application/rss+xml
application/xml;
# Format to use in log files
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Default log file
# (this is only used when you don't override access_log on a server{} level)
access_log /var/log/nginx/access.log main;
# How long to allow each connection to stay idle; longer values are better
# for each individual client, particularly for SSL, but means that worker
# connections are tied up longer. (Default: 65)
keepalive_timeout 20;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# For performance reasons, on FreeBSD systems w/ ZFS
# this option should be disabled as ZFS's ARC caches
# frequently used files in RAM by default.
sendfile on;
# Tell Nginx not to send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out. (adds TCP_CORK)
tcp_nopush on;
# Compression
# Enable Gzip compressed.
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and cpu usage, offering about
# 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# text/html is always compressed by HttpGzipModule
# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;
# Content type for FIDO U2F facets
map $uri $fido_content_type {
default "application/fido.trusted-apps+json";
}
}

15
docker-unified/nginx/proxy.conf Normal file
View File

@ -0,0 +1,15 @@
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 505m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
large_client_header_buffers 4 32k;

2
docker-unified/nginx/security-headers-ssl.conf Normal file
View File

@ -0,0 +1,2 @@
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
add_header Strict-Transport-Security max-age=15768000;

3
docker-unified/nginx/security-headers.conf Normal file
View File

@ -0,0 +1,3 @@
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

61
docker-unified/settings.env Normal file
View File

@ -0,0 +1,61 @@
#####################
# Required Settings #
#####################
# Server hostname
BW_DOMAIN=bitwarden.yourdomain.com
# Database
# Available providers are sqlserver, postgresql, or mysql/mariadb
BW_DB_PROVIDER=mysql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=super_strong_password
# Installation information
# Get your ID and key from https://bitwarden.com/host/
BW_INSTALLATION_ID=00000000-0000-0000-0000-000000000000
BW_INSTALLATION_KEY=xxxxxxxxxxxx
#####################
# Optional Settings #
#####################
# Learn more here: https://bitwarden.com/help/environment-variables/
# SSL
#BW_ENABLE_SSL=true
#BW_ENABLE_SSL_CA=true
#BW_SSL_CERT=ssl.crt
#BW_SSL_KEY=ssl.key
#BW_SSL_CA_CERT=ca.crt
# Services
# Some services, namely for enterprise use cases, are disabled by default. Defaults shown below.
#BW_ENABLE_ADMIN=true
#BW_ENABLE_API=true
#BW_ENABLE_EVENTS=false
#BW_ENABLE_ICONS=true
#BW_ENABLE_IDENTITY=true
#BW_ENABLE_NOTIFICATIONS=true
#BW_ENABLE_SCIM=false
#BW_ENABLE_SSO=false
#BW_ICONS_PROXY_TO_CLOUD=false
# Mail
#globalSettings__mail__replyToEmail=noreply@$BW_DOMAIN
#globalSettings__mail__smtp__host=smtphost.example.com
#globalSettings__mail__smtp__port=587
#globalSettings__mail__smtp__ssl=false
#globalSettings__mail__smtp__username=smtpusername
#globalSettings__mail__smtp__password=smtppassword
# Yubikey
#globalSettings__yubico__clientId=REPLACE
#globalSettings__yubico__key=REPLACE
# Other
#globalSettings__disableUserRegistration=false
#globalSettings__hibpApiKey=REPLACE
#adminSettings__admins="admin1@email.com,admin2@email.com"

9
docker-unified/supervisord/admin.ini Normal file
View File

@ -0,0 +1,9 @@
[program:admin]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Admin.dll"
directory=/app/Admin
environment=ASPNETCORE_URLS="http://+:5000"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/admin.log

9
docker-unified/supervisord/api.ini Normal file
View File

@ -0,0 +1,9 @@
[program:api]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Api.dll"
directory=/app/Api
environment=ASPNETCORE_URLS="http://+:5001"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/api.log

9
docker-unified/supervisord/events.ini Normal file
View File

@ -0,0 +1,9 @@
[program:events]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Events.dll"
directory=/app/Events
environment=ASPNETCORE_URLS="http://+:5003"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/events.log

9
docker-unified/supervisord/icons.ini Normal file
View File

@ -0,0 +1,9 @@
[program:icons]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Icons.dll"
directory=/app/Icons
environment=ASPNETCORE_URLS="http://+:5004"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/icons.log

10
docker-unified/supervisord/identity.ini Normal file
View File

@ -0,0 +1,10 @@
[program:identity]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Identity.dll"
directory=/app/Identity
environment=ASPNETCORE_URLS="http://+:5005"
priority=1
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/identity.log

7
docker-unified/supervisord/nginx.ini Normal file
View File

@ -0,0 +1,7 @@
[program:nginx]
autostart=true
autorestart=true
command=nginx
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/nginx.log

9
docker-unified/supervisord/notifications.ini Normal file
View File

@ -0,0 +1,9 @@
[program:notifications]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Notifications.dll"
directory=/app/Notifications
environment=ASPNETCORE_URLS="http://+:5006"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/notifications.log

9
docker-unified/supervisord/scim.ini Normal file
View File

@ -0,0 +1,9 @@
[program:scim]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Scim.dll"
directory=/app/Scim
environment=ASPNETCORE_URLS="http://+:5002"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/scim.log

9
docker-unified/supervisord/sso.ini Normal file
View File

@ -0,0 +1,9 @@
[program:sso]
autostart=true
autorestart=true
command=/usr/bin/dotnet "Sso.dll"
directory=/app/Sso
environment=ASPNETCORE_URLS="http://+:5007"
redirect_stderr=true
startsecs=15
stdout_logfile=/var/log/bitwarden/sso.log

15
docker-unified/supervisord/supervisord.conf Normal file
View File

@ -0,0 +1,15 @@
[unix_http_server]
file=/run/supervisord.sock ; the path to the socket file
[supervisord]
logfile=/var/log/supervisord.log ; main log file; default $CWD/supervisord.log
nodaemon=true ; start in foreground if true; default false
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///run/supervisord.sock ; use a unix:// URL for a unix socket
[include]
files = /etc/supervisor.d/*.ini