test

2026-02-02 09:38:12 +01:00 · 2026-02-02 09:38:12 +01:00 · 2b31e79a4b
commit 2b31e79a4b
parent 424776e8ee
3 changed files with 215 additions and 263 deletions
--- a/ct/vaultwarden.sh
+++ b/ct/vaultwarden.sh
@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/dani-garcia/vaultwarden
+
+APP="Vaultwarden"
+var_tags="${var_tags:-password-manager}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-6144}"
+var_disk="${var_disk:-20}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -f /etc/systemd/system/vaultwarden.service ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  VAULT=$(get_latest_github_release "dani-garcia/vaultwarden")
+  WVRELEASE=$(get_latest_github_release "dani-garcia/bw_web_builds")
+
+  UPD=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SUPPORT" --radiolist --cancel-button Exit-Script "Spacebar = Select" 11 58 3 \
+    "1" "VaultWarden $VAULT" ON \
+    "2" "Web-Vault $WVRELEASE" OFF \
+    "3" "Set Admin Token" OFF \
+    3>&1 1>&2 2>&3)
+
+  if [ "$UPD" == "1" ]; then
+    if check_for_gh_release "vaultwarden" "dani-garcia/vaultwarden"; then
+      msg_info "Stopping Service"
+      systemctl stop vaultwarden
+      msg_ok "Stopped Service"
+
+      fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+
+      msg_info "Updating VaultWarden to $VAULT (Patience)"
+      cd /tmp/vaultwarden-src
+      $STD cargo build --features "sqlite,mysql,postgresql" --release
+      if [[ -f /usr/bin/vaultwarden ]]; then
+        cp target/release/vaultwarden /usr/bin/
+      else
+        cp target/release/vaultwarden /opt/vaultwarden/bin/
+      fi
+      cd ~ && rm -rf /tmp/vaultwarden-src
+      msg_ok "Updated VaultWarden to ${VAULT}"
+
+      msg_info "Starting Service"
+      systemctl start vaultwarden
+      msg_ok "Started Service"
+      msg_ok "Updated successfully!"
+    else
+      msg_ok "VaultWarden is already up-to-date"
+    fi
+    exit
+  fi
+
+  if [ "$UPD" == "2" ]; then
+    if check_for_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds"; then
+      msg_info "Stopping Service"
+      systemctl stop vaultwarden
+      msg_ok "Stopped Service"
+
+      fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
+
+      msg_info "Updating Web-Vault to $WVRELEASE"
+      rm -rf /opt/vaultwarden/web-vault
+      chown -R root:root /opt/vaultwarden/web-vault/
+      msg_ok "Updated Web-Vault to ${WVRELEASE}"
+
+      msg_info "Starting Service"
+      systemctl start vaultwarden
+      msg_ok "Started Service"
+      msg_ok "Updated successfully!"
+    else
+      msg_ok "Web-Vault is already up-to-date"
+    fi
+    exit
+  fi
+
+  if [ "$UPD" == "3" ]; then
+    if NEWTOKEN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --passwordbox "Set the ADMIN_TOKEN" 10 58 3>&1 1>&2 2>&3); then
+      if [[ -z "$NEWTOKEN" ]]; then exit; fi
+      ensure_dependencies argon2
+      TOKEN=$(echo -n "${NEWTOKEN}" | argon2 "$(openssl rand -base64 32)" -t 2 -m 16 -p 4 -l 64 -e)
+      sed -i "s|ADMIN_TOKEN=.*|ADMIN_TOKEN='${TOKEN}'|" /opt/vaultwarden/.env
+      if [[ -f /opt/vaultwarden/data/config.json ]]; then
+        sed -i "s|\"admin_token\":.*|\"admin_token\": \"${TOKEN}\"|" /opt/vaultwarden/data/config.json
+      fi
+      systemctl restart vaultwarden
+      msg_ok "Admin token updated"
+    fi
+    exit
+  fi
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:8000${CL}"
--- a/install/opencloud-install.sh.bak
+++ b/install/opencloud-install.sh.bak
@ -1,263 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: vhsdream
-# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
-# Source: https://opencloud.eu
-
-source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
-color
-verb_ip6
-catch_errors
-setting_up_container
-network_check
-update_os
-
-echo -e "${TAB3}${INFO}${YW} Leave empty to use IP-based localhost mode (no Collabora)${CL}"
-read -r -p "${TAB3}Enter the hostname of your OpenCloud server (eg cloud.domain.tld): " oc_host
-
-if [[ -z "$oc_host" ]]; then
-  # Localhost/IP mode - no TLS, no Collabora
-  OC_HOST="${LOCAL_IP}"
-  LOCALHOST_MODE=true
-  msg_info "Using localhost mode with IP: ${LOCAL_IP}"
-  msg_warn "Collabora requires TLS and will be skipped in localhost mode"
-else
-  OC_HOST="$oc_host"
-  LOCALHOST_MODE=false
-  read -r -p "${TAB3}Enter the hostname of your Collabora server [collabora.${OC_HOST#*.}]: " collabora_host
-  COLLABORA_HOST="${collabora_host:-collabora.${OC_HOST#*.}}"
-  read -r -p "${TAB3}Enter the hostname of your WOPI server [wopiserver.${OC_HOST#*.}]: " wopi_host
-  WOPI_HOST="${wopi_host:-wopiserver.${OC_HOST#*.}}"
-fi
-
-# Collabora Online - only install if not in localhost mode (requires TLS)
-if [[ "$LOCALHOST_MODE" != true ]]; then
-  msg_info "Installing Collabora Online"
-  curl -fsSL https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg -o /etc/apt/keyrings/collaboraonline-release-keyring.gpg
-  cat <<EOF >/etc/apt/sources.list.d/collaboraonline.sources
-Types: deb
-URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb
-Suites: ./
-Signed-By: /etc/apt/keyrings/collaboraonline-release-keyring.gpg
-EOF
-  $STD apt-get update
-  $STD apt-get install -y coolwsd code-brand
-  systemctl stop coolwsd
-  mkdir -p /etc/systemd/system/coolwsd.service.d
-  cat <<EOF >/etc/systemd/system/coolwsd.service.d/override.conf
-[Unit]
-Before=opencloud-wopi.service
-EOF
-  systemctl daemon-reload
-  COOLPASS="$(openssl rand -base64 36)"
-  $STD runuser -u cool -- coolconfig set-admin-password --user=admin --password="$COOLPASS"
-  echo "$COOLPASS" >~/.coolpass
-  msg_ok "Installed Collabora Online"
-fi
-
-# OpenCloud
-fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "v5.0.1" "/usr/bin" "opencloud-*-linux-amd64"
-
-msg_info "Configuring OpenCloud"
-DATA_DIR="/var/lib/opencloud/"
-CONFIG_DIR="/etc/opencloud"
-ENV_FILE="${CONFIG_DIR}/opencloud.env"
-mkdir -p "$DATA_DIR" "$CONFIG_DIR"/assets/apps
-
-curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/csp.yaml -o "$CONFIG_DIR"/csp.yaml
-curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/proxy.yaml -o "$CONFIG_DIR"/proxy.yaml.bak
-
-if [[ "$LOCALHOST_MODE" == true ]]; then
-  OC_URL="http://${OC_HOST}:9200"
-  OC_INSECURE="true"
-else
-  OC_URL="https://${OC_HOST}"
-  OC_INSECURE="false"
-fi
-
-# Create web config directory and config.json
-mkdir -p "$CONFIG_DIR"/web
-cat <<EOF >"$CONFIG_DIR"/web/config.json
-{
-  "server": "${OC_URL}",
-  "theme": "https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/web/themes/opencloud/theme.json",
-  "openIdConnect": {
-    "metadata_url": "${OC_URL}/.well-known/openid-configuration",
-    "authority": "${OC_URL}",
-    "client_id": "web",
-    "response_type": "code",
-    "scope": "openid profile email"
-  }
-}
-EOF
-
-cat <<EOF >"$ENV_FILE"
-OC_URL=${OC_URL}
-OC_INSECURE=${OC_INSECURE}
-IDM_CREATE_DEMO_USERS=false
-OC_LOG_LEVEL=warning
-OC_CONFIG_DIR=${CONFIG_DIR}
-OC_BASE_DATA_PATH=${DATA_DIR}
-STORAGE_SYSTEM_OC_ROOT=${DATA_DIR}/storage/metadata
-
-## Web
-WEB_ASSET_CORE_PATH=${CONFIG_DIR}/web/assets
-WEB_ASSET_APPS_PATH=${CONFIG_DIR}/web/assets/apps
-WEB_UI_CONFIG_FILE=${CONFIG_DIR}/web/config.json
-# WEB_ASSET_THEMES_PATH=${CONFIG_DIR}/web/assets/themes
-# WEB_UI_THEME_PATH=
-
-## Frontend
-FRONTEND_DISABLE_RADICALE=true
-FRONTEND_GROUPWARE_ENABLED=false
-GRAPH_INCLUDE_OCM_SHAREES=true
-
-## Proxy
-PROXY_TLS=false
-PROXY_CSP_CONFIG_FILE_LOCATION=${CONFIG_DIR}/csp.yaml
-
-## Collaboration - requires VALID TLS (disabled in localhost mode)
-# COLLABORA_DOMAIN=
-# COLLABORATION_APP_NAME="CollaboraOnline"
-# COLLABORATION_APP_PRODUCT="Collabora"
-# COLLABORATION_APP_ADDR=
-# COLLABORATION_APP_INSECURE=false
-# COLLABORATION_HTTP_ADDR=0.0.0.0:9300
-# COLLABORATION_WOPI_SRC=
-# COLLABORATION_JWT_SECRET=
-
-## Notifications - Email settings
-# NOTIFICATIONS_SMTP_HOST=
-# NOTIFICATIONS_SMTP_PORT=
-# NOTIFICATIONS_SMTP_SENDER=
-# NOTIFICATIONS_SMTP_USERNAME=
-# NOTIFICATIONS_SMTP_PASSWORD=
-# NOTIFICATIONS_SMTP_AUTHENTICATION=login
-## Encryption method. Possible values are 'starttls', 'ssltls' and 'none'
-# NOTIFICATIONS_SMTP_ENCRYPTION=starttls
-## Allow insecure connections. Defaults to false.
-# NOTIFICATIONS_SMTP_INSECURE=false
-
-## Start additional services at runtime
-## Examples: notifications, antivirus etc.
-## Do not uncomment unless configured above.
-# OC_ADD_RUN_SERVICES="notifications"
-
-## OpenID - via web browser
-## uncomment for OpenID in general
-# OC_EXCLUDE_RUN_SERVICES=idp
-# OC_OIDC_ISSUER=<your auth URL>
-# IDP_DOMAIN=<your auth URL>
-# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
-# PROXY_OIDC_REWRITE_WELLKNOWN=true
-# PROXY_USER_OIDC_CLAIM=preferred_username
-# PROXY_USER_CS3_CLAIM=username
-## automatically create accounts
-# PROXY_AUTOPROVISION_ACCOUNTS=true
-# WEB_OIDC_SCOPE=openid profile email groups
-# GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
-#
-## uncomment below if using PocketID
-# WEB_OIDC_CLIENT_ID=<generated in PocketID>
-# WEB_OIDC_METADATA_URL=<your auth URL>/.well-known/openid-configuration
-
-## Full Text Search - Apache Tika
-## Requires a separate install of Tika - see https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika
-# SEARCH_EXTRACTOR_TYPE=tika
-# FRONTEND_FULL_TEXT_SEARCH_ENABLED=true
-# SEARCH_EXTRACTOR_TIKA_TIKA_URL=<your-tika-url>
-
-## External storage test - Only NFS v4.2+ is supported
-## User files
-# STORAGE_USERS_POSIX_ROOT=<path-to-your-bind_mount>
-EOF
-
-cat <<EOF >/etc/systemd/system/opencloud.service
-[Unit]
-Description=OpenCloud server
-After=network-online.target
-
-[Service]
-Type=simple
-User=opencloud
-Group=opencloud
-EnvironmentFile=${ENV_FILE}
-ExecStart=/usr/bin/opencloud server
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-if [[ "$LOCALHOST_MODE" != true ]]; then
-  cat <<EOF >/etc/systemd/system/opencloud-wopi.service
-[Unit]
-Description=OpenCloud WOPI Server
-Wants=coolwsd.service
-After=opencloud.service coolwsd.service
-
-[Service]
-Type=simple
-User=opencloud
-Group=opencloud
-EnvironmentFile=${ENV_FILE}
-ExecStartPre=/bin/sleep 10
-ExecStart=/usr/bin/opencloud collaboration server
-Restart=always
-KillSignal=SIGKILL
-KillMode=mixed
-TimeoutStopSec=10
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-  # Append active Collabora config to env file
-  cat <<EOF >>"$ENV_FILE"
-
-## Collaboration - active configuration
-COLLABORA_DOMAIN=${COLLABORA_HOST}
-COLLABORATION_APP_NAME="CollaboraOnline"
-COLLABORATION_APP_PRODUCT="Collabora"
-COLLABORATION_APP_ADDR=https://${COLLABORA_HOST}
-COLLABORATION_APP_INSECURE=false
-COLLABORATION_HTTP_ADDR=0.0.0.0:9300
-COLLABORATION_WOPI_SRC=https://${WOPI_HOST}
-COLLABORATION_JWT_SECRET=
-EOF
-
-  $STD runuser -u cool -- coolconfig set ssl.enable false
-  $STD runuser -u cool -- coolconfig set ssl.termination true
-  $STD runuser -u cool -- coolconfig set ssl.ssl_verification true
-  sed -i "s|CSP2\"/>|CSP2\">frame-ancestors https://${OC_HOST}</content_security_policy>|" /etc/coolwsd/coolwsd.xml
-fi
-
-useradd -r -M -s /usr/sbin/nologin opencloud
-chown -R opencloud:opencloud "$CONFIG_DIR" "$DATA_DIR"
-
-if [[ "$LOCALHOST_MODE" == true ]]; then
-  $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure yes
-else
-  $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure no
-fi
-
-OPENCLOUD_SECRET="$(sed -n '/jwt/p' "$CONFIG_DIR"/opencloud.yaml | awk '{print $2}')"
-if [[ "$LOCALHOST_MODE" != true ]]; then
-  sed -i "s/COLLABORATION_JWT_SECRET=/&${OPENCLOUD_SECRET//&/\\&}/" "$ENV_FILE"
-fi
-msg_ok "Configured OpenCloud"
-
-msg_info "Starting services"
-if [[ "$LOCALHOST_MODE" == true ]]; then
-  systemctl enable -q --now opencloud
-else
-  systemctl enable -q --now coolwsd opencloud
-  sleep 5
-  systemctl enable -q --now opencloud-wopi
-fi
-msg_ok "Started services"
-
-motd_ssh
-customize
-cleanup_lxc
--- a/install/vaultwarden-install.sh
+++ b/install/vaultwarden-install.sh
@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/dani-garcia/vaultwarden
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  build-essential \
+  pkgconf \
+  libssl-dev \
+  libmariadb-dev-compat \
+  libpq-dev \
+  argon2 \
+  ssl-cert
+msg_ok "Installed Dependencies"
+
+setup_rust
+fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+
+msg_info "Building Vaultwarden (Patience)"
+cd /tmp/vaultwarden-src
+$STD cargo build --features "sqlite,mysql,postgresql" --release
+msg_ok "Built Vaultwarden"
+
+$STD addgroup --system vaultwarden
+$STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden
+mkdir -p /opt/vaultwarden/{bin,data}
+cp target/release/vaultwarden /opt/vaultwarden/bin/
+cd ~ && rm -rf /tmp/vaultwarden-src
+
+fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
+
+cat <<EOF >/opt/vaultwarden/.env
+ADMIN_TOKEN=''
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
+DATA_FOLDER=/opt/vaultwarden/data
+DATABASE_MAX_CONNS=10
+WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
+WEB_VAULT_ENABLED=true
+EOF
+
+mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
+mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
+
+msg_info "Creating Service"
+chown -R vaultwarden:vaultwarden /opt/vaultwarden/
+chown root:root /opt/vaultwarden/bin/vaultwarden
+chmod +x /opt/vaultwarden/bin/vaultwarden
+chown -R root:root /opt/vaultwarden/web-vault/
+chmod +r /opt/vaultwarden/.env
+
+cat <<'EOF' >/etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Powered by Vaultwarden)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=-/opt/vaultwarden/.env
+ExecStart=/opt/vaultwarden/bin/vaultwarden
+LimitNOFILE=65535
+LimitNPROC=4096
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+DevicePolicy=closed
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+WorkingDirectory=/opt/vaultwarden
+ReadWriteDirectories=/opt/vaultwarden/data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --q -now vaultwarden
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc