diff --git a/ct/vaultwarden.sh b/ct/vaultwarden.sh
new file mode 100644
index 000000000..fc8c5db45
--- /dev/null
+++ b/ct/vaultwarden.sh
@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/dani-garcia/vaultwarden
+
+APP="Vaultwarden"
+var_tags="${var_tags:-password-manager}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-6144}"
+var_disk="${var_disk:-20}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+ header_info
+ check_container_storage
+ check_container_resources
+ if [[ ! -f /etc/systemd/system/vaultwarden.service ]]; then
+ msg_error "No ${APP} Installation Found!"
+ exit
+ fi
+
+ VAULT=$(get_latest_github_release "dani-garcia/vaultwarden")
+ WVRELEASE=$(get_latest_github_release "dani-garcia/bw_web_builds")
+
+ UPD=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SUPPORT" --radiolist --cancel-button Exit-Script "Spacebar = Select" 11 58 3 \
+ "1" "VaultWarden $VAULT" ON \
+ "2" "Web-Vault $WVRELEASE" OFF \
+ "3" "Set Admin Token" OFF \
+ 3>&1 1>&2 2>&3)
+
+ if [ "$UPD" == "1" ]; then
+ if check_for_gh_release "vaultwarden" "dani-garcia/vaultwarden"; then
+ msg_info "Stopping Service"
+ systemctl stop vaultwarden
+ msg_ok "Stopped Service"
+
+ fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+
+ msg_info "Updating VaultWarden to $VAULT (Patience)"
+ cd /tmp/vaultwarden-src
+ $STD cargo build --features "sqlite,mysql,postgresql" --release
+ if [[ -f /usr/bin/vaultwarden ]]; then
+ cp target/release/vaultwarden /usr/bin/
+ else
+ cp target/release/vaultwarden /opt/vaultwarden/bin/
+ fi
+ cd ~ && rm -rf /tmp/vaultwarden-src
+ msg_ok "Updated VaultWarden to ${VAULT}"
+
+ msg_info "Starting Service"
+ systemctl start vaultwarden
+ msg_ok "Started Service"
+ msg_ok "Updated successfully!"
+ else
+ msg_ok "VaultWarden is already up-to-date"
+ fi
+ exit
+ fi
+
+ if [ "$UPD" == "2" ]; then
+ if check_for_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds"; then
+ msg_info "Stopping Service"
+ systemctl stop vaultwarden
+ msg_ok "Stopped Service"
+
+ fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
+
+ msg_info "Updating Web-Vault to $WVRELEASE"
+ rm -rf /opt/vaultwarden/web-vault
+ chown -R root:root /opt/vaultwarden/web-vault/
+ msg_ok "Updated Web-Vault to ${WVRELEASE}"
+
+ msg_info "Starting Service"
+ systemctl start vaultwarden
+ msg_ok "Started Service"
+ msg_ok "Updated successfully!"
+ else
+ msg_ok "Web-Vault is already up-to-date"
+ fi
+ exit
+ fi
+
+ if [ "$UPD" == "3" ]; then
+ if NEWTOKEN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --passwordbox "Set the ADMIN_TOKEN" 10 58 3>&1 1>&2 2>&3); then
+ if [[ -z "$NEWTOKEN" ]]; then exit; fi
+ ensure_dependencies argon2
+ TOKEN=$(echo -n "${NEWTOKEN}" | argon2 "$(openssl rand -base64 32)" -t 2 -m 16 -p 4 -l 64 -e)
+ sed -i "s|ADMIN_TOKEN=.*|ADMIN_TOKEN='${TOKEN}'|" /opt/vaultwarden/.env
+ if [[ -f /opt/vaultwarden/data/config.json ]]; then
+ sed -i "s|\"admin_token\":.*|\"admin_token\": \"${TOKEN}\"|" /opt/vaultwarden/data/config.json
+ fi
+ systemctl restart vaultwarden
+ msg_ok "Admin token updated"
+ fi
+ exit
+ fi
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:8000${CL}"
diff --git a/install/opencloud-install.sh.bak b/install/opencloud-install.sh.bak
deleted file mode 100644
index 0ed6cc619..000000000
--- a/install/opencloud-install.sh.bak
+++ /dev/null
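Review bot: In the `UPD == "2"` branch, `rm -rf /opt/vaultwarden/web-vault` runs after `fetch_and_deploy_gh_release "vaultwarden_webvault" ... "/opt/vaultwarden" "bw_web_*.tar.gz"`, so if that helper extracts the archive's web-vault directory under /opt/vaultwarden (which is what the matching install script relies on), the update deletes the files it just deployed, and the following `chown -R root:root /opt/vaultwarden/web-vault/` then fails on a missing path and `catch_errors` aborts with the service still stopped. Move the removal ahead of the fetch, i.e. `rm -rf /opt/vaultwarden/web-vault` immediately after `msg_ok "Stopped Service"`, or drop it entirely if the helper replaces the directory itself. In the `UPD == "3"` branch the new admin token is written only as its argon2 hash, which is the right shape, but the `sed` substitution uses the hash unescaped; that is safe for the characters argon2's encoded output produces today, and a short comment saying so would stop a future reader from "fixing" it.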
@@ -1,263 +0,0 @@ -#!/usr/bin/env bash - -# Copyright (c) 2021-2026 community-scripts ORG -# Author: vhsdream -# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE -# Source: https://opencloud.eu - -source /dev/stdin <<<"$FUNCTIONS_FILE_PATH" -color -verb_ip6 -catch_errors -setting_up_container -network_check -update_os - -echo -e "${TAB3}${INFO}${YW} Leave empty to use IP-based localhost mode (no Collabora)${CL}" -read -r -p "${TAB3}Enter the hostname of your OpenCloud server (eg cloud.domain.tld): " oc_host - -if [[ -z "$oc_host" ]]; then - # Localhost/IP mode - no TLS, no Collabora - OC_HOST="${LOCAL_IP}" - LOCALHOST_MODE=true - msg_info "Using localhost mode with IP: ${LOCAL_IP}" - msg_warn "Collabora requires TLS and will be skipped in localhost mode" -else - OC_HOST="$oc_host" - LOCALHOST_MODE=false - read -r -p "${TAB3}Enter the hostname of your Collabora server [collabora.${OC_HOST#*.}]: " collabora_host - COLLABORA_HOST="${collabora_host:-collabora.${OC_HOST#*.}}" - read -r -p "${TAB3}Enter the hostname of your WOPI server [wopiserver.${OC_HOST#*.}]: " wopi_host - WOPI_HOST="${wopi_host:-wopiserver.${OC_HOST#*.}}" -fi - -# Collabora Online - only install if not in localhost mode (requires TLS) -if [[ "$LOCALHOST_MODE" != true ]]; then - msg_info "Installing Collabora Online" - curl -fsSL https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg -o /etc/apt/keyrings/collaboraonline-release-keyring.gpg - cat </etc/apt/sources.list.d/collaboraonline.sources -Types: deb -URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb -Suites: ./ -Signed-By: /etc/apt/keyrings/collaboraonline-release-keyring.gpg -EOF - $STD apt-get update - $STD apt-get install -y coolwsd code-brand - systemctl stop coolwsd - mkdir -p /etc/systemd/system/coolwsd.service.d - cat </etc/systemd/system/coolwsd.service.d/override.conf -[Unit] -Before=opencloud-wopi.service -EOF - systemctl daemon-reload - COOLPASS="$(openssl rand 
-base64 36)" - $STD runuser -u cool -- coolconfig set-admin-password --user=admin --password="$COOLPASS" - echo "$COOLPASS" >~/.coolpass - msg_ok "Installed Collabora Online" -fi - -# OpenCloud -fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "v5.0.1" "/usr/bin" "opencloud-*-linux-amd64" - -msg_info "Configuring OpenCloud" -DATA_DIR="/var/lib/opencloud/" -CONFIG_DIR="/etc/opencloud" -ENV_FILE="${CONFIG_DIR}/opencloud.env" -mkdir -p "$DATA_DIR" "$CONFIG_DIR"/assets/apps - -curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/csp.yaml -o "$CONFIG_DIR"/csp.yaml -curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/proxy.yaml -o "$CONFIG_DIR"/proxy.yaml.bak - -if [[ "$LOCALHOST_MODE" == true ]]; then - OC_URL="http://${OC_HOST}:9200" - OC_INSECURE="true" -else - OC_URL="https://${OC_HOST}" - OC_INSECURE="false" -fi - -# Create web config directory and config.json -mkdir -p "$CONFIG_DIR"/web -cat <"$CONFIG_DIR"/web/config.json -{ - "server": "${OC_URL}", - "theme": "https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/web/themes/opencloud/theme.json", - "openIdConnect": { - "metadata_url": "${OC_URL}/.well-known/openid-configuration", - "authority": "${OC_URL}", - "client_id": "web", - "response_type": "code", - "scope": "openid profile email" - } -} -EOF - -cat <"$ENV_FILE" -OC_URL=${OC_URL} -OC_INSECURE=${OC_INSECURE} -IDM_CREATE_DEMO_USERS=false -OC_LOG_LEVEL=warning -OC_CONFIG_DIR=${CONFIG_DIR} -OC_BASE_DATA_PATH=${DATA_DIR} -STORAGE_SYSTEM_OC_ROOT=${DATA_DIR}/storage/metadata - -## Web -WEB_ASSET_CORE_PATH=${CONFIG_DIR}/web/assets -WEB_ASSET_APPS_PATH=${CONFIG_DIR}/web/assets/apps -WEB_UI_CONFIG_FILE=${CONFIG_DIR}/web/config.json -# WEB_ASSET_THEMES_PATH=${CONFIG_DIR}/web/assets/themes -# WEB_UI_THEME_PATH= - -## Frontend -FRONTEND_DISABLE_RADICALE=true 
-FRONTEND_GROUPWARE_ENABLED=false -GRAPH_INCLUDE_OCM_SHAREES=true - -## Proxy -PROXY_TLS=false -PROXY_CSP_CONFIG_FILE_LOCATION=${CONFIG_DIR}/csp.yaml - -## Collaboration - requires VALID TLS (disabled in localhost mode) -# COLLABORA_DOMAIN= -# COLLABORATION_APP_NAME="CollaboraOnline" -# COLLABORATION_APP_PRODUCT="Collabora" -# COLLABORATION_APP_ADDR= -# COLLABORATION_APP_INSECURE=false -# COLLABORATION_HTTP_ADDR=0.0.0.0:9300 -# COLLABORATION_WOPI_SRC= -# COLLABORATION_JWT_SECRET= - -## Notifications - Email settings -# NOTIFICATIONS_SMTP_HOST= -# NOTIFICATIONS_SMTP_PORT= -# NOTIFICATIONS_SMTP_SENDER= -# NOTIFICATIONS_SMTP_USERNAME= -# NOTIFICATIONS_SMTP_PASSWORD= -# NOTIFICATIONS_SMTP_AUTHENTICATION=login -## Encryption method. Possible values are 'starttls', 'ssltls' and 'none' -# NOTIFICATIONS_SMTP_ENCRYPTION=starttls -## Allow insecure connections. Defaults to false. -# NOTIFICATIONS_SMTP_INSECURE=false - -## Start additional services at runtime -## Examples: notifications, antivirus etc. -## Do not uncomment unless configured above. 
-# OC_ADD_RUN_SERVICES="notifications" - -## OpenID - via web browser -## uncomment for OpenID in general -# OC_EXCLUDE_RUN_SERVICES=idp -# OC_OIDC_ISSUER= -# IDP_DOMAIN= -# PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none -# PROXY_OIDC_REWRITE_WELLKNOWN=true -# PROXY_USER_OIDC_CLAIM=preferred_username -# PROXY_USER_CS3_CLAIM=username -## automatically create accounts -# PROXY_AUTOPROVISION_ACCOUNTS=true -# WEB_OIDC_SCOPE=openid profile email groups -# GRAPH_ASSIGN_DEFAULT_USER_ROLE=false -# -## uncomment below if using PocketID -# WEB_OIDC_CLIENT_ID= -# WEB_OIDC_METADATA_URL=/.well-known/openid-configuration - -## Full Text Search - Apache Tika -## Requires a separate install of Tika - see https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika -# SEARCH_EXTRACTOR_TYPE=tika -# FRONTEND_FULL_TEXT_SEARCH_ENABLED=true -# SEARCH_EXTRACTOR_TIKA_TIKA_URL= - -## External storage test - Only NFS v4.2+ is supported -## User files -# STORAGE_USERS_POSIX_ROOT= -EOF - -cat </etc/systemd/system/opencloud.service -[Unit] -Description=OpenCloud server -After=network-online.target - -[Service] -Type=simple -User=opencloud -Group=opencloud -EnvironmentFile=${ENV_FILE} -ExecStart=/usr/bin/opencloud server -Restart=always - -[Install] -WantedBy=multi-user.target -EOF - -if [[ "$LOCALHOST_MODE" != true ]]; then - cat </etc/systemd/system/opencloud-wopi.service -[Unit] -Description=OpenCloud WOPI Server -Wants=coolwsd.service -After=opencloud.service coolwsd.service - -[Service] -Type=simple -User=opencloud -Group=opencloud -EnvironmentFile=${ENV_FILE} -ExecStartPre=/bin/sleep 10 -ExecStart=/usr/bin/opencloud collaboration server -Restart=always -KillSignal=SIGKILL -KillMode=mixed -TimeoutStopSec=10 - -[Install] -WantedBy=multi-user.target -EOF - - # Append active Collabora config to env file - cat <>"$ENV_FILE" - -## Collaboration - active configuration -COLLABORA_DOMAIN=${COLLABORA_HOST} -COLLABORATION_APP_NAME="CollaboraOnline" -COLLABORATION_APP_PRODUCT="Collabora" 
-COLLABORATION_APP_ADDR=https://${COLLABORA_HOST} -COLLABORATION_APP_INSECURE=false -COLLABORATION_HTTP_ADDR=0.0.0.0:9300 -COLLABORATION_WOPI_SRC=https://${WOPI_HOST} -COLLABORATION_JWT_SECRET= -EOF - - $STD runuser -u cool -- coolconfig set ssl.enable false - $STD runuser -u cool -- coolconfig set ssl.termination true - $STD runuser -u cool -- coolconfig set ssl.ssl_verification true - sed -i "s|CSP2\"/>|CSP2\">frame-ancestors https://${OC_HOST}|" /etc/coolwsd/coolwsd.xml -fi - -useradd -r -M -s /usr/sbin/nologin opencloud -chown -R opencloud:opencloud "$CONFIG_DIR" "$DATA_DIR" - -if [[ "$LOCALHOST_MODE" == true ]]; then - $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure yes -else - $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure no -fi - -OPENCLOUD_SECRET="$(sed -n '/jwt/p' "$CONFIG_DIR"/opencloud.yaml | awk '{print $2}')" -if [[ "$LOCALHOST_MODE" != true ]]; then - sed -i "s/COLLABORATION_JWT_SECRET=/&${OPENCLOUD_SECRET//&/\\&}/" "$ENV_FILE" -fi -msg_ok "Configured OpenCloud" - -msg_info "Starting services" -if [[ "$LOCALHOST_MODE" == true ]]; then - systemctl enable -q --now opencloud -else - systemctl enable -q --now coolwsd opencloud - sleep 5 - systemctl enable -q --now opencloud-wopi -fi -msg_ok "Started services" - -motd_ssh -customize -cleanup_lxc diff --git a/install/vaultwarden-install.sh b/install/vaultwarden-install.sh new file mode 100644 index 000000000..4b7f0e6d0 --- /dev/null +++ b/install/vaultwarden-install.sh 
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/dani-garcia/vaultwarden
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+ build-essential \
+ pkgconf \
+ libssl-dev \
+ libmariadb-dev-compat \
+ libpq-dev \
+ argon2 \
+ ssl-cert
+msg_ok "Installed Dependencies"
+
+setup_rust
+fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
+
+msg_info "Building Vaultwarden (Patience)"
+cd /tmp/vaultwarden-src
+$STD cargo build --features "sqlite,mysql,postgresql" --release
+msg_ok "Built Vaultwarden"
+
+$STD addgroup --system vaultwarden
+$STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden
+mkdir -p /opt/vaultwarden/{bin,data}
+cp target/release/vaultwarden /opt/vaultwarden/bin/
+cd ~ && rm -rf /tmp/vaultwarden-src
+
+fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
+
+cat </opt/vaultwarden/.env
+ADMIN_TOKEN=''
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
+DATA_FOLDER=/opt/vaultwarden/data
+DATABASE_MAX_CONNS=10
+WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
+WEB_VAULT_ENABLED=true
+EOF
+
+mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
+mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
+
+msg_info "Creating Service"
+chown -R vaultwarden:vaultwarden /opt/vaultwarden/
+chown root:root /opt/vaultwarden/bin/vaultwarden
+chmod +x /opt/vaultwarden/bin/vaultwarden
+chown -R root:root /opt/vaultwarden/web-vault/
+chmod +r /opt/vaultwarden/.env
+
+cat <<'EOF' >/etc/systemd/system/vaultwarden.service
+[Unit]
+Description=Bitwarden Server (Powered by Vaultwarden)
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target
+
+[Service]
+User=vaultwarden
+Group=vaultwarden
+EnvironmentFile=-/opt/vaultwarden/.env
+ExecStart=/opt/vaultwarden/bin/vaultwarden
+LimitNOFILE=65535
+LimitNPROC=4096
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+DevicePolicy=closed
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+WorkingDirectory=/opt/vaultwarden
+ReadWriteDirectories=/opt/vaultwarden/data
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable --q -now vaultwarden
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc
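Review bot: `systemctl enable --q -now vaultwarden` has the option dashes swapped; `--q` may still be accepted as an abbreviation, but `-now` is read as bundled short options and systemctl's `-n` expects a line count, so the command most likely fails and `catch_errors` aborts the install right after the unit file is written. It should read `systemctl enable -q --now vaultwarden`. Separately, `chmod +r /opt/vaultwarden/.env` makes the env file readable by every account on the container, while the only reader is the `vaultwarden` service user that the preceding `chown -R vaultwarden:vaultwarden /opt/vaultwarden/` already makes its owner; since the file will later hold the ADMIN_TOKEN hash and names the TLS private key, `chmod 600 /opt/vaultwarden/.env` is the safer setting. The `cat </opt/vaultwarden/.env` line appears to have lost its `<<EOF` heredoc delimiter in rendering (the deleted opencloud script shows the same artefact), so it is not flagged as a defect here.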