test

2026-02-02 09:38:12 +01:00 · 2026-02-02 09:38:12 +01:00 · 2b31e79a4b
commit 2b31e79a4b
parent 424776e8ee
3 changed files with 215 additions and 263 deletions
--- a/ct/vaultwarden.sh
+++ b/ct/vaultwarden.sh
@ -0,0 +1,115 @@
 #!/usr/bin/env bash
 source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
 # Copyright (c) 2021-2026 tteck
 # Author: tteck (tteckster)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/dani-garcia/vaultwarden
 APP="Vaultwarden"
 var_tags="${var_tags:-password-manager}"
 var_cpu="${var_cpu:-4}"
 var_ram="${var_ram:-6144}"
 var_disk="${var_disk:-20}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-13}"
 var_unprivileged="${var_unprivileged:-1}"
 header_info "$APP"
 variables
 color
 catch_errors
 function update_script() {
  header_info
  check_container_storage
  check_container_resources
  if [[ ! -f /etc/systemd/system/vaultwarden.service ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
  VAULT=$(get_latest_github_release "dani-garcia/vaultwarden")
  WVRELEASE=$(get_latest_github_release "dani-garcia/bw_web_builds")
  UPD=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "SUPPORT" --radiolist --cancel-button Exit-Script "Spacebar = Select" 11 58 3 \
    "1" "VaultWarden $VAULT" ON \
    "2" "Web-Vault $WVRELEASE" OFF \
    "3" "Set Admin Token" OFF \
    3>&1 1>&2 2>&3)
  if [ "$UPD" == "1" ]; then
    if check_for_gh_release "vaultwarden" "dani-garcia/vaultwarden"; then
      msg_info "Stopping Service"
      systemctl stop vaultwarden
      msg_ok "Stopped Service"
      fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
      msg_info "Updating VaultWarden to $VAULT (Patience)"
      cd /tmp/vaultwarden-src
      $STD cargo build --features "sqlite,mysql,postgresql" --release
      if [[ -f /usr/bin/vaultwarden ]]; then
        cp target/release/vaultwarden /usr/bin/
      else
        cp target/release/vaultwarden /opt/vaultwarden/bin/
      fi
      cd ~ && rm -rf /tmp/vaultwarden-src
      msg_ok "Updated VaultWarden to ${VAULT}"
      msg_info "Starting Service"
      systemctl start vaultwarden
      msg_ok "Started Service"
      msg_ok "Updated successfully!"
    else
      msg_ok "VaultWarden is already up-to-date"
    fi
    exit
  fi
  if [ "$UPD" == "2" ]; then
    if check_for_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds"; then
      msg_info "Stopping Service"
      systemctl stop vaultwarden
      msg_ok "Stopped Service"
      fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
      msg_info "Updating Web-Vault to $WVRELEASE"
      rm -rf /opt/vaultwarden/web-vault
      chown -R root:root /opt/vaultwarden/web-vault/
      msg_ok "Updated Web-Vault to ${WVRELEASE}"
      msg_info "Starting Service"
      systemctl start vaultwarden
      msg_ok "Started Service"
      msg_ok "Updated successfully!"
    else
      msg_ok "Web-Vault is already up-to-date"
    fi
    exit
  fi
  if [ "$UPD" == "3" ]; then
    if NEWTOKEN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --passwordbox "Set the ADMIN_TOKEN" 10 58 3>&1 1>&2 2>&3); then
      if [[ -z "$NEWTOKEN" ]]; then exit; fi
      ensure_dependencies argon2
      TOKEN=$(echo -n "${NEWTOKEN}" | argon2 "$(openssl rand -base64 32)" -t 2 -m 16 -p 4 -l 64 -e)
      sed -i "s|ADMIN_TOKEN=.*|ADMIN_TOKEN='${TOKEN}'|" /opt/vaultwarden/.env
      if [[ -f /opt/vaultwarden/data/config.json ]]; then
        sed -i "s|\"admin_token\":.*|\"admin_token\": \"${TOKEN}\"|" /opt/vaultwarden/data/config.json
      fi
      systemctl restart vaultwarden
      msg_ok "Admin token updated"
    fi
    exit
  fi
 }
 start
 build_container
 description
 msg_ok "Completed successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URL:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:8000${CL}"
--- a/install/opencloud-install.sh.bak
+++ b/install/opencloud-install.sh.bak
@ -1,263 +0,0 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: vhsdream
 # License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
 # Source: https://opencloud.eu
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 echo -e "${TAB3}${INFO}${YW} Leave empty to use IP-based localhost mode (no Collabora)${CL}"
 read -r -p "${TAB3}Enter the hostname of your OpenCloud server (eg cloud.domain.tld): " oc_host
 if [[ -z "$oc_host" ]]; then
  # Localhost/IP mode - no TLS, no Collabora
  OC_HOST="${LOCAL_IP}"
  LOCALHOST_MODE=true
  msg_info "Using localhost mode with IP: ${LOCAL_IP}"
  msg_warn "Collabora requires TLS and will be skipped in localhost mode"
 else
  OC_HOST="$oc_host"
  LOCALHOST_MODE=false
  read -r -p "${TAB3}Enter the hostname of your Collabora server [collabora.${OC_HOST#*.}]: " collabora_host
  COLLABORA_HOST="${collabora_host:-collabora.${OC_HOST#*.}}"
  read -r -p "${TAB3}Enter the hostname of your WOPI server [wopiserver.${OC_HOST#*.}]: " wopi_host
  WOPI_HOST="${wopi_host:-wopiserver.${OC_HOST#*.}}"
 fi
 # Collabora Online - only install if not in localhost mode (requires TLS)
 if [[ "$LOCALHOST_MODE" != true ]]; then
  msg_info "Installing Collabora Online"
  curl -fsSL https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg -o /etc/apt/keyrings/collaboraonline-release-keyring.gpg
  cat <<EOF >/etc/apt/sources.list.d/collaboraonline.sources
 Types: deb
 URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-deb
 Suites: ./
 Signed-By: /etc/apt/keyrings/collaboraonline-release-keyring.gpg
 EOF
  $STD apt-get update
  $STD apt-get install -y coolwsd code-brand
  systemctl stop coolwsd
  mkdir -p /etc/systemd/system/coolwsd.service.d
  cat <<EOF >/etc/systemd/system/coolwsd.service.d/override.conf
 [Unit]
 Before=opencloud-wopi.service
 EOF
  systemctl daemon-reload
  COOLPASS="$(openssl rand -base64 36)"
  $STD runuser -u cool -- coolconfig set-admin-password --user=admin --password="$COOLPASS"
  echo "$COOLPASS" >~/.coolpass
  msg_ok "Installed Collabora Online"
 fi
 # OpenCloud
 fetch_and_deploy_gh_release "opencloud" "opencloud-eu/opencloud" "singlefile" "v5.0.1" "/usr/bin" "opencloud-*-linux-amd64"
 msg_info "Configuring OpenCloud"
 DATA_DIR="/var/lib/opencloud/"
 CONFIG_DIR="/etc/opencloud"
 ENV_FILE="${CONFIG_DIR}/opencloud.env"
 mkdir -p "$DATA_DIR" "$CONFIG_DIR"/assets/apps
 curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/csp.yaml -o "$CONFIG_DIR"/csp.yaml
 curl -fsSL https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/proxy.yaml -o "$CONFIG_DIR"/proxy.yaml.bak
 if [[ "$LOCALHOST_MODE" == true ]]; then
  OC_URL="http://${OC_HOST}:9200"
  OC_INSECURE="true"
 else
  OC_URL="https://${OC_HOST}"
  OC_INSECURE="false"
 fi
 # Create web config directory and config.json
 mkdir -p "$CONFIG_DIR"/web
 cat <<EOF >"$CONFIG_DIR"/web/config.json
 {
  "server": "${OC_URL}",
  "theme": "https://raw.githubusercontent.com/opencloud-eu/opencloud-compose/refs/heads/main/config/opencloud/web/themes/opencloud/theme.json",
  "openIdConnect": {
    "metadata_url": "${OC_URL}/.well-known/openid-configuration",
    "authority": "${OC_URL}",
    "client_id": "web",
    "response_type": "code",
    "scope": "openid profile email"
  }
 }
 EOF
 cat <<EOF >"$ENV_FILE"
 OC_URL=${OC_URL}
 OC_INSECURE=${OC_INSECURE}
 IDM_CREATE_DEMO_USERS=false
 OC_LOG_LEVEL=warning
 OC_CONFIG_DIR=${CONFIG_DIR}
 OC_BASE_DATA_PATH=${DATA_DIR}
 STORAGE_SYSTEM_OC_ROOT=${DATA_DIR}/storage/metadata
 ## Web
 WEB_ASSET_CORE_PATH=${CONFIG_DIR}/web/assets
 WEB_ASSET_APPS_PATH=${CONFIG_DIR}/web/assets/apps
 WEB_UI_CONFIG_FILE=${CONFIG_DIR}/web/config.json
 # WEB_ASSET_THEMES_PATH=${CONFIG_DIR}/web/assets/themes
 # WEB_UI_THEME_PATH=
 ## Frontend
 FRONTEND_DISABLE_RADICALE=true
 FRONTEND_GROUPWARE_ENABLED=false
 GRAPH_INCLUDE_OCM_SHAREES=true
 ## Proxy
 PROXY_TLS=false
 PROXY_CSP_CONFIG_FILE_LOCATION=${CONFIG_DIR}/csp.yaml
 ## Collaboration - requires VALID TLS (disabled in localhost mode)
 # COLLABORA_DOMAIN=
 # COLLABORATION_APP_NAME="CollaboraOnline"
 # COLLABORATION_APP_PRODUCT="Collabora"
 # COLLABORATION_APP_ADDR=
 # COLLABORATION_APP_INSECURE=false
 # COLLABORATION_HTTP_ADDR=0.0.0.0:9300
 # COLLABORATION_WOPI_SRC=
 # COLLABORATION_JWT_SECRET=
 ## Notifications - Email settings
 # NOTIFICATIONS_SMTP_HOST=
 # NOTIFICATIONS_SMTP_PORT=
 # NOTIFICATIONS_SMTP_SENDER=
 # NOTIFICATIONS_SMTP_USERNAME=
 # NOTIFICATIONS_SMTP_PASSWORD=
 # NOTIFICATIONS_SMTP_AUTHENTICATION=login
 ## Encryption method. Possible values are 'starttls', 'ssltls' and 'none'
 # NOTIFICATIONS_SMTP_ENCRYPTION=starttls
 ## Allow insecure connections. Defaults to false.
 # NOTIFICATIONS_SMTP_INSECURE=false
 ## Start additional services at runtime
 ## Examples: notifications, antivirus etc.
 ## Do not uncomment unless configured above.
 # OC_ADD_RUN_SERVICES="notifications"
 ## OpenID - via web browser
 ## uncomment for OpenID in general
 # OC_EXCLUDE_RUN_SERVICES=idp
 # OC_OIDC_ISSUER=<your auth URL>
 # IDP_DOMAIN=<your auth URL>
 # PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
 # PROXY_OIDC_REWRITE_WELLKNOWN=true
 # PROXY_USER_OIDC_CLAIM=preferred_username
 # PROXY_USER_CS3_CLAIM=username
 ## automatically create accounts
 # PROXY_AUTOPROVISION_ACCOUNTS=true
 # WEB_OIDC_SCOPE=openid profile email groups
 # GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
 #
 ## uncomment below if using PocketID
 # WEB_OIDC_CLIENT_ID=<generated in PocketID>
 # WEB_OIDC_METADATA_URL=<your auth URL>/.well-known/openid-configuration
 ## Full Text Search - Apache Tika
 ## Requires a separate install of Tika - see https://community-scripts.github.io/ProxmoxVE/scripts?id=apache-tika
 # SEARCH_EXTRACTOR_TYPE=tika
 # FRONTEND_FULL_TEXT_SEARCH_ENABLED=true
 # SEARCH_EXTRACTOR_TIKA_TIKA_URL=<your-tika-url>
 ## External storage test - Only NFS v4.2+ is supported
 ## User files
 # STORAGE_USERS_POSIX_ROOT=<path-to-your-bind_mount>
 EOF
 cat <<EOF >/etc/systemd/system/opencloud.service
 [Unit]
 Description=OpenCloud server
 After=network-online.target
 [Service]
 Type=simple
 User=opencloud
 Group=opencloud
 EnvironmentFile=${ENV_FILE}
 ExecStart=/usr/bin/opencloud server
 Restart=always
 [Install]
 WantedBy=multi-user.target
 EOF
 if [[ "$LOCALHOST_MODE" != true ]]; then
  cat <<EOF >/etc/systemd/system/opencloud-wopi.service
 [Unit]
 Description=OpenCloud WOPI Server
 Wants=coolwsd.service
 After=opencloud.service coolwsd.service
 [Service]
 Type=simple
 User=opencloud
 Group=opencloud
 EnvironmentFile=${ENV_FILE}
 ExecStartPre=/bin/sleep 10
 ExecStart=/usr/bin/opencloud collaboration server
 Restart=always
 KillSignal=SIGKILL
 KillMode=mixed
 TimeoutStopSec=10
 [Install]
 WantedBy=multi-user.target
 EOF
  # Append active Collabora config to env file
  cat <<EOF >>"$ENV_FILE"
 ## Collaboration - active configuration
 COLLABORA_DOMAIN=${COLLABORA_HOST}
 COLLABORATION_APP_NAME="CollaboraOnline"
 COLLABORATION_APP_PRODUCT="Collabora"
 COLLABORATION_APP_ADDR=https://${COLLABORA_HOST}
 COLLABORATION_APP_INSECURE=false
 COLLABORATION_HTTP_ADDR=0.0.0.0:9300
 COLLABORATION_WOPI_SRC=https://${WOPI_HOST}
 COLLABORATION_JWT_SECRET=
 EOF
  $STD runuser -u cool -- coolconfig set ssl.enable false
  $STD runuser -u cool -- coolconfig set ssl.termination true
  $STD runuser -u cool -- coolconfig set ssl.ssl_verification true
  sed -i "s|CSP2\"/>|CSP2\">frame-ancestors https://${OC_HOST}</content_security_policy>|" /etc/coolwsd/coolwsd.xml
 fi
 useradd -r -M -s /usr/sbin/nologin opencloud
 chown -R opencloud:opencloud "$CONFIG_DIR" "$DATA_DIR"
 if [[ "$LOCALHOST_MODE" == true ]]; then
  $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure yes
 else
  $STD runuser -u opencloud -- opencloud init --config-path "$CONFIG_DIR" --insecure no
 fi
 OPENCLOUD_SECRET="$(sed -n '/jwt/p' "$CONFIG_DIR"/opencloud.yaml | awk '{print $2}')"
 if [[ "$LOCALHOST_MODE" != true ]]; then
  sed -i "s/COLLABORATION_JWT_SECRET=/&${OPENCLOUD_SECRET//&/\\&}/" "$ENV_FILE"
 fi
 msg_ok "Configured OpenCloud"
 msg_info "Starting services"
 if [[ "$LOCALHOST_MODE" == true ]]; then
  systemctl enable -q --now opencloud
 else
  systemctl enable -q --now coolwsd opencloud
  sleep 5
  systemctl enable -q --now opencloud-wopi
 fi
 msg_ok "Started services"
 motd_ssh
 customize
 cleanup_lxc
--- a/install/vaultwarden-install.sh
+++ b/install/vaultwarden-install.sh
@ -0,0 +1,100 @@
 #!/usr/bin/env bash
 # Copyright (c) 2021-2026 tteck
 # Author: tteck (tteckster)
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
 # Source: https://github.com/dani-garcia/vaultwarden
 source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
 color
 verb_ip6
 catch_errors
 setting_up_container
 network_check
 update_os
 msg_info "Installing Dependencies"
 $STD apt install -y \
  build-essential \
  pkgconf \
  libssl-dev \
  libmariadb-dev-compat \
  libpq-dev \
  argon2 \
  ssl-cert
 msg_ok "Installed Dependencies"
 setup_rust
 fetch_and_deploy_gh_release "vaultwarden" "dani-garcia/vaultwarden" "tarball" "latest" "/tmp/vaultwarden-src"
 msg_info "Building Vaultwarden (Patience)"
 cd /tmp/vaultwarden-src
 $STD cargo build --features "sqlite,mysql,postgresql" --release
 msg_ok "Built Vaultwarden"
 $STD addgroup --system vaultwarden
 $STD adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden
 mkdir -p /opt/vaultwarden/{bin,data}
 cp target/release/vaultwarden /opt/vaultwarden/bin/
 cd ~ && rm -rf /tmp/vaultwarden-src
 fetch_and_deploy_gh_release "vaultwarden_webvault" "dani-garcia/bw_web_builds" "prebuild" "latest" "/opt/vaultwarden" "bw_web_*.tar.gz"
 cat <<EOF >/opt/vaultwarden/.env
 ADMIN_TOKEN=''
 ROCKET_ADDRESS=0.0.0.0
 ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
 DATA_FOLDER=/opt/vaultwarden/data
 DATABASE_MAX_CONNS=10
 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
 WEB_VAULT_ENABLED=true
 EOF
 mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
 mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
 msg_info "Creating Service"
 chown -R vaultwarden:vaultwarden /opt/vaultwarden/
 chown root:root /opt/vaultwarden/bin/vaultwarden
 chmod +x /opt/vaultwarden/bin/vaultwarden
 chown -R root:root /opt/vaultwarden/web-vault/
 chmod +r /opt/vaultwarden/.env
 cat <<'EOF' >/etc/systemd/system/vaultwarden.service
 [Unit]
 Description=Bitwarden Server (Powered by Vaultwarden)
 Documentation=https://github.com/dani-garcia/vaultwarden
 After=network.target
 [Service]
 User=vaultwarden
 Group=vaultwarden
 EnvironmentFile=-/opt/vaultwarden/.env
 ExecStart=/opt/vaultwarden/bin/vaultwarden
 LimitNOFILE=65535
 LimitNPROC=4096
 PrivateTmp=true
 PrivateDevices=true
 ProtectHome=true
 ProtectSystem=strict
 DevicePolicy=closed
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictNamespaces=yes
 RestrictRealtime=yes
 MemoryDenyWriteExecute=yes
 LockPersonality=yes
 WorkingDirectory=/opt/vaultwarden
 ReadWriteDirectories=/opt/vaultwarden/data
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
 EOF
 systemctl enable --q -now vaultwarden
 msg_ok "Created Service"
 motd_ssh
 customize
 cleanup_lxc