nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-03 00:52:49 -05:00
Code Activity

change confd to hbs for unified docker templates (#2434)

Browse Source 
* change confd to hbs tool

* use new repo owner
This commit is contained in:
Kyle Spearrin
2022-11-23 12:48:34 -05:00
committed by GitHub
parent 0795545fb8
commit 93afa93b85
7 changed files with 62 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docker-unified/Dockerfile
View File

@ -214,6 +214,7 @@ RUN apk add --update-cache \
su-exec \ su-exec \
supervisor \ supervisor \
tzdata \ tzdata \
unzip \
&& rm -rf /var/cache/apk/* && rm -rf /var/cache/apk/*
# Create non-root user to run app # Create non-root user to run app
@ -261,18 +262,18 @@ COPY docker-unified/nginx/logrotate.sh /
RUN chmod +x /logrotate.sh RUN chmod +x /logrotate.sh
# Copy configuration templates # Copy configuration templates
COPY docker-unified/confd/nginx-config.toml /etc/confd/conf.d/ COPY docker-unified/hbs/nginx-config.hbs /etc/hbs/
COPY docker-unified/confd/nginx-config.conf.tmpl /etc/confd/templates/ COPY docker-unified/hbs/app-id.hbs /etc/hbs/
COPY docker-unified/confd/app-id.toml /etc/confd/conf.d/ COPY docker-unified/hbs/config.yaml /etc/hbs/
COPY docker-unified/confd/app-id.conf.tmpl /etc/confd/templates/
# Download confd tool for generating final configurations # Download hbs tool for generating final configurations
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-amd64.tar.gz; fi RUN if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.2.0/hbs_linux-musl-x64_dotnet.zip; fi
RUN if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-arm7.tar.gz; fi RUN if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.2.0/hbs_linux-arm_dotnet.zip; fi
RUN if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl -L --output confd.tar.gz https://github.com/abtreece/confd/releases/download/v0.19.1/confd-v0.19.1-linux-arm64.tar.gz; fi RUN if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/v1.2.0/hbs_linux-arm64_dotnet.zip; fi
# Extract confd # Extract hbs
RUN tar -xvzo -C /usr/local/bin -f confd.tar.gz && rm confd.tar.gz RUN unzip hbs.zip -d /usr/local/bin && rm hbs.zip
RUN chmod +x /usr/local/bin/hbs
# Copy entrypoint script and make it executable # Copy entrypoint script and make it executable
COPY docker-unified/entrypoint.sh /entrypoint.sh COPY docker-unified/entrypoint.sh /entrypoint.sh

6
docker-unified/confd/app-id.toml
View File

@ -1,6 +0,0 @@
[template]
src = "app-id.conf.tmpl"
dest = "/app/Web/app-id.json"
keys = [
"globalSettings__baseServiceUri__vault"
]

17
docker-unified/confd/nginx-config.toml
View File

@ -1,17 +0,0 @@
[template]
src = "nginx-config.conf.tmpl"
dest = "/etc/nginx/http.d/bitwarden.conf"
keys = [
"BW_ENABLE_SSL_CA",
"BW_SSL_CA_CERT",
"BW_CSP",
"BW_ENABLE_KEY_CONNECTOR",
"BW_KEY_CONNECTOR_INTERNAL_URL",
"BW_REAL_IPS",
"BW_ENABLE_SSL",
"BW_SSL_CERT",
"BW_SSL_CIPHERS",
"BW_SSL_KEY",
"BW_SSL_PROTOCOLS",
"BW_ICONS_PROXY_TO_CLOUD"
]

2
docker-unified/entrypoint.sh
View File

@ -66,7 +66,7 @@ fi
# Launch a loop to rotate nginx logs on a daily basis # Launch a loop to rotate nginx logs on a daily basis
/bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &" /bin/sh -c "/logrotate.sh loop >/dev/null 2>&1 &"
/usr/local/bin/confd -onetime -backend env /usr/local/bin/hbs
# Enable/Disable services # Enable/Disable services
sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini

2
docker-unified/confd/app-id.conf.tmpl → docker-unified/hbs/app-id.hbs
View File

@ -6,7 +6,7 @@
"minor": 0 "minor": 0
}, },
"ids": [ "ids": [
"{{ getenv "globalSettings__baseServiceUri__vault" "https://localhost" }}", "{{{String.Coalesce env.globalSettings__baseServiceUri__vault "https://localhost"}}}",
"ios:bundle-id:com.8bit.bitwarden", "ios:bundle-id:com.8bit.bitwarden",
"android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI" "android:apk-key-hash:dUGFzUzf3lmHSLBDBIv+WaFyZMI"
] ]

7
docker-unified/hbs/config.yaml Normal file
View File

@ -0,0 +1,7 @@
helper_categories:
- String
templates:
- src: /etc/hbs/app-id.hbs
dest: /app/Web/app-id.json
- src: /etc/hbs/nginx-config.hbs
dest: /etc/nginx/http.d/bitwarden.conf

77
docker-unified/confd/nginx-config.conf.tmpl → docker-unified/hbs/nginx-config.hbs
View File

@ -1,28 +1,33 @@
server { server {
listen 80 default_server; listen 80 default_server;
#listen [::]:80 default_server; #listen [::]:80 default_server;
server_name {{ getenv "BW_DOMAIN" "localhost" }}; server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
return 301 https://{{ getenv "BW_DOMAIN" "localhost" }}$request_uri; return 301 https://{{{String.Coalesce env.BW_DOMAIN "localhost"}}}$request_uri;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
#listen [::]:443 ssl http2; #listen [::]:443 ssl http2;
server_name {{ getenv "BW_DOMAIN" "localhost" }}; server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
ssl_certificate /etc/bitwarden/{{ getenv "BW_SSL_CERT" "ssl.crt" }}; ssl_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CERT "ssl.crt"}}};
ssl_certificate_key /etc/bitwarden/{{ getenv "BW_SSL_KEY" "ssl.key" }}; ssl_certificate_key /etc/bitwarden/{{{String.Coalesce env.BW_SSL_KEY "ssl.key"}}};
ssl_session_timeout 30m; ssl_session_timeout 30m;
ssl_session_cache shared:SSL:20m; ssl_session_cache shared:SSL:20m;
ssl_session_tickets off; ssl_session_tickets off;
{{#if (String.Equal env.BW_ENABLE_SSL_DH "true")}}
ssl_protocols {{ getenv "BW_SSL_PROTOCOLS" "TLSv1.2" }}; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_ciphers "{{ getenv "BW_SSL_CIPHERS" "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" }}"; ssl_dhparam /etc/bitwarden/{{{String.Coalesce env.BW_SSL_DH_CERT "dh.pem"}}};
{{/if}}
ssl_protocols {{{String.Coalesce env.BW_SSL_PROTOCOLS "TLSv1.2"}}};
ssl_ciphers "{{{String.Coalesce env.BW_SSL_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}}}";
# Enables server-side protection from BEAST attacks # Enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
{{ if eq (getenv "BW_ENABLE_SSL_CA") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL_CA "true")}}
# OCSP Stapling --- # OCSP Stapling ---
# Fetch OCSP records from URL in ssl_certificate and cache them # Fetch OCSP records from URL in ssl_certificate and cache them
@ -30,29 +35,29 @@ server {
ssl_stapling_verify on; ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs # Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/bitwarden/{{ getenv "BW_SSL_CA_CERT" "ca.crt" }}; ssl_trusted_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CA_CERT "ca.crt"}}};
resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s; resolver 1.1.1.1 1.0.0.1 9.9.9.9 149.112.112.112 valid=300s;
{{ end }} {{/if}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
{{ if getenv "BW_REAL_IPS" }} {{#if (String.IsNotNullOrWhitespace env.BW_REAL_IPS)}}
{{ range (getenv "BW_REAL_IPS") }} {{#each (String.Split env.BW_REAL_IPS ",")}}
set_real_ip_from {{ .Key }}; set_real_ip_from {{{String.Trim .}}};
{{ end }} {{/each}}
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
real_ip_recursive on; real_ip_recursive on;
{{ end }} {{/if}}
location / { location / {
root /app/Web; root /app/Web;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
add_header Content-Security-Policy "{{ getenv "BW_CSP" "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;" }}"; add_header Content-Security-Policy "{{{String.Coalesce env.BW_CSP "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; connect-src 'self' https://api.pwnedpasswords.com https://2fa.directory; object-src 'self' blob:;"}}}";
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
add_header X-Robots-Tag "noindex, nofollow"; add_header X-Robots-Tag "noindex, nofollow";
} }
@ -64,9 +69,9 @@ server {
location = /app-id.json { location = /app-id.json {
root /app/Web; root /app/Web;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
proxy_hide_header Content-Type; proxy_hide_header Content-Type;
add_header Content-Type $fido_content_type; add_header Content-Type $fido_content_type;
@ -81,14 +86,14 @@ server {
} }
location /icons/ { location /icons/ {
{{ if eq (getenv "BW_ICONS_PROXY_TO_CLOUD") "true" }} {{#if (String.Equal env.BW_ICONS_PROXY_TO_CLOUD "true")}}
proxy_pass https://icons.bitwarden.net/; proxy_pass https://icons.bitwarden.net/;
proxy_set_header Host icons.bitwarden.net; proxy_set_header Host icons.bitwarden.net;
proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-For $remote_addr;
proxy_ssl_server_name on; proxy_ssl_server_name on;
{{else}} {{else}}
proxy_pass http://localhost:5004/; proxy_pass http://localhost:5004/;
{{ end }} {{/if}}
} }
location /notifications/ { location /notifications/ {
@ -107,38 +112,38 @@ server {
location /sso { location /sso {
proxy_pass http://localhost:5007; proxy_pass http://localhost:5007;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
} }
location /identity { location /identity {
proxy_pass http://localhost:5005; proxy_pass http://localhost:5005;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
} }
location /admin { location /admin {
proxy_pass http://localhost:5000; proxy_pass http://localhost:5000;
{{ if eq (getenv "BW_ENABLE_SSL") "true" }} {{#if (String.Equal env.BW_ENABLE_SSL "true")}}
include /etc/nginx/security-headers-ssl.conf; include /etc/nginx/security-headers-ssl.conf;
{{ end }} {{/if}}
include /etc/nginx/security-headers.conf; include /etc/nginx/security-headers.conf;
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
} }
{{ if eq (getenv "BW_ENABLE_KEY_CONNECTOR") "true" }}
location /key-connector/ {
proxy_pass {{ getenv "BW_KEY_CONNECTOR_INTERNAL_URL"}}/;
}
{{ end }}
location /scim/ { location /scim/ {
proxy_pass http://localhost:5002/; proxy_pass http://localhost:5002/;
} }
{{#if (String.Equal env.BW_ENABLE_KEY_CONNECTOR "true")}}
location /key-connector/ {
proxy_pass {{{env.BW_KEY_CONNECTOR_INTERNAL_URL}}}/;
}
{{/if}}
} }