Update web vault to 2022.12.0

- Put groups support behind a feature flag, and disabled by default.
  The reason is that it has some known issues, but we want to keep
  optimizing this feature. Putting it behind a feature flag could help
  some users, and the developers into optimizing this feature without to
  much trouble.

Further:

- Updates Rust to v1.66.0
- Updated GHA workflows
- Updated Alpine to 3.17
- Updated jquery to v3.6.2
- Moved jdenticon.js to load at the bottom, fixes an issue on chromium
- Added autocomplete attribute to admin login password field
- Added some extra CSP options (Tested this on Safari, Firefox, Chrome, Bitwarden Desktop)
- Moved uppercase convertion from runtime to compile-time using `paste`
  for building the environment variables, lowers heap allocations.

.dockerignore

@@ -3,13 +3,18 @@ target
 
 # Data folder
 data
+
+# Misc
 .env
 .env.template
 .gitattributes
+.gitignore
+rustfmt.toml
 
 # IDE files
 .vscode
 .idea
+.editorconfig
 *.iml
 
 # Documentation
@@ -19,9 +24,17 @@ data
 *.yml
 *.yaml
 
-# Docker folders
+# Docker
 hooks
 tools
+Dockerfile
+.dockerignore
+docker/**
+!docker/healthcheck.sh
+!docker/start.sh
 
 # Web vault
-web-vault
+web-vault
+
+# Vaultwarden Resources
+resources

.env.template

@@ -1,8 +1,14 @@
+# shellcheck disable=SC2034,SC2148
 ## Vaultwarden Configuration File
 ## Uncomment any of the following lines to change the defaults
 ##
 ## Be aware that most of these settings will be overridden if they were changed
 ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
 
 ## Main data folder
 # DATA_FOLDER=data
@@ -24,11 +30,21 @@
 ## Define the size of the connection pool used for connecting to the database.
 # DATABASE_MAX_CONNS=10
 
+## Database connection initialization
+## Allows SQL statements to be run whenever a new database connection is created.
+## This is mainly useful for connection-scoped pragmas.
+## If empty, a database-specific default is used:
+## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
+## - MySQL: ""
+## - PostgreSQL: ""
+# DATABASE_CONN_INIT=""
+
 ## Individual folders, these override %DATA_FOLDER%
 # RSA_KEY_FILENAME=data/rsa_key
 # ICON_CACHE_FOLDER=data/icon_cache
 # ATTACHMENTS_FOLDER=data/attachments
 # SENDS_FOLDER=data/sends
+# TMP_FOLDER=data/tmp
 
 ## Templates data folder, by default uses embedded templates
 ## Check source code to see the format
@@ -56,11 +72,43 @@
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012
 
+## Controls whether users are allowed to create Bitwarden Sends.
+## This setting applies globally to all users.
+## To control this on a per-org basis instead, use the "Disable Send" org policy.
+# SENDS_ALLOWED=true
+
+## Controls whether users can enable emergency access to their accounts.
+## This setting applies globally to all users.
+# EMERGENCY_ACCESS_ALLOWED=true
+
+## Controls whether event logging is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
+# ORG_EVENTS_ENABLED=false
+
+## Number of days to retain events stored in the database.
+## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
+# EVENTS_DAYS_RETAIN=
+
+## BETA FEATURE: Groups
+## Controls whether group support is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default because this is a beta feature, it contains known issues!
+## KNOW WHAT YOU ARE DOING!
+# ORG_GROUPS_ENABLED=false
+
 ## Job scheduler settings
 ##
 ## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
 ## and are always in terms of UTC time (regardless of your local time zone settings).
 ##
+## The schedule format is a bit different from crontab as crontab does not contains seconds.
+## You can test the the format here: https://crontab.guru, but remove the first digit!
+## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK
+## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri"
+## "0   30     *          *            *          *     "
+## "0   30     1          *            *          *     "
+##
 ## How often (in ms) the job scheduler thread checks for jobs that need running.
 ## Set to 0 to globally disable scheduled jobs.
 # JOB_POLL_INTERVAL_MS=30000
@@ -72,6 +120,22 @@
 ## Cron schedule of the job that checks for trashed items to delete permanently.
 ## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
 # TRASH_PURGE_SCHEDULE="0 5 0 * * *"
+##
+## Cron schedule of the job that checks for incomplete 2FA logins.
+## Defaults to once every minute. Set blank to disable this job.
+# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that sends expiration reminders to emergency access grantors.
+## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
+##
+## Cron schedule of the job that grants emergency access requests that have met the required wait time.
+## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
+##
+## Cron schedule of the job that cleans old events from the event table.
+## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
+# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
 
 ## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
@@ -81,12 +145,10 @@
 # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
 
 ## Logging to file
-## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # LOG_FILE=/path/to/log
 
 ## Logging to Syslog
 ## This requires extended logging
-## It's recommended to also set 'ROCKET_CLI_COLORS=off'
 # USE_SYSLOG=false
 
 ## Log level
@@ -99,19 +161,41 @@
 ## Enable WAL for the DB
 ## Set to false to avoid enabling WAL during startup.
 ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
-## this setting only prevents vaultwarden from automatically enabling it on start.
+## this setting only prevents Vaultwarden from automatically enabling it on start.
 ## Please read project wiki page about this setting first before changing the value as it can
-## cause performance degradation or might render  the service unable to start.
+## cause performance degradation or might render the service unable to start.
 # ENABLE_DB_WAL=true
 
 ## Database connection retries
 ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
 # DB_CONNECTION_RETRIES=15
 
+## Icon service
+## The predefined icon services are: internal, bitwarden, duckduckgo, google.
+## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
+## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
+##
+## `internal` refers to Vaultwarden's built-in icon fetching implementation.
+## If an external service is set, an icon request to Vaultwarden will return an HTTP
+## redirect to the corresponding icon at the external service. An external service may
+## be useful if your Vaultwarden instance has no external network connectivity, or if
+## you are concerned that someone may probe your instance to try to detect whether icons
+## for certain sites have been cached.
+# ICON_SERVICE=internal
+
+## Icon redirect code
+## The HTTP status code to use for redirects to an external icon service.
+## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
+## Temporary redirects are useful while testing different icon services, but once a service
+## has been decided on, consider using permanent redirects for cacheability. The legacy codes
+## are currently better supported by the Bitwarden clients.
+# ICON_REDIRECT_CODE=302
+
 ## Disable icon downloading
-## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## Set to true to disable icon downloading in the internal icon service.
-## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
-## otherwise it will delete them and they won't be downloaded again.
+## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
+## will be deleted eventually, but won't be downloaded again.
 # DISABLE_ICON_DOWNLOAD=false
 
 ## Icon download timeout
@@ -142,7 +226,7 @@
 # EMAIL_EXPIRATION_TIME=600
 
 ## Email token size
-## Number of digits in an email token (min: 6, max: 19).
+## Number of digits in an email 2FA token (min: 6, max: 255).
 ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
 # EMAIL_TOKEN_SIZE=6
 
@@ -189,27 +273,49 @@
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
 
-## Per-organization attachment limit (KB)
+## The number of hours after which an organization invite token, emergency access invite token,
-## Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more
+## email verification token and deletion request token will expire (must be at least 1)
+# INVITATION_EXPIRATION_HOURS=120
+
+## Per-organization attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per organization.
+## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
 # ORG_ATTACHMENT_LIMIT=
-## Per-user attachment limit (KB).
+## Per-user attachment storage limit (KB)
-## Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more
+## Max kilobytes of attachment storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further attachments.
 # USER_ATTACHMENT_LIMIT=
 
+## Number of days to wait before auto-deleting a trashed item.
+## If unset (the default), trashed items are not auto-deleted.
+## This setting applies globally, so make sure to inform all users of any changes to this setting.
+# TRASH_AUTO_DELETE_DAYS=
+
+## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
+## resulting in an email notification. An incomplete 2FA login is one where the correct
+## master password was provided but the required 2FA step was not completed, which
+## potentially indicates a master password compromise. Set to 0 to disable this check.
+## This setting applies globally to all users.
+# INCOMPLETE_2FA_TIME_LIMIT=3
 
 ## Controls the PBBKDF password iterations to apply on the server
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
-## Whether password hint should be sent into the error response when the client request it
+## Controls whether users can set password hints. This setting applies globally to all users.
-# SHOW_PASSWORD_HINT=true
+# PASSWORD_HINTS_ALLOWED=true
+
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
 
 ## Domain settings
 ## The domain must match the address from where you access the server
 ## It's recommended to configure this value, otherwise certain functionality might not work,
 ## like attachment downloads, email links and U2F.
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-# DOMAIN=https://bw.domain.tld:8443
+# DOMAIN=https://vw.domain.tld:8443
 
 ## Allowed iframe ancestors (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
@@ -218,6 +324,17 @@
 ## Multiple values must be separated with a whitespace.
 # ALLOWED_IFRAME_ANCESTORS=
 
+## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
+# LOGIN_RATELIMIT_SECONDS=60
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
+# LOGIN_RATELIMIT_MAX_BURST=10
+
+## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
+# ADMIN_RATELIMIT_SECONDS=300
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
+# ADMIN_RATELIMIT_MAX_BURST=3
+
 ## Yubico (Yubikey) Settings
 ## Set your Client ID and Secret Key for Yubikey OTP
 ## You can generate it here: https://upgrade.yubico.com/getapikey/
@@ -247,12 +364,13 @@
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
-# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
 
-## Rocket specific settings, check Rocket documentation to learn more
+## Rocket specific settings
-# ROCKET_ENV=staging
+## See https://rocket.rs/v0.4/guide/configuration/ for more details.
-# ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app
+# ROCKET_ADDRESS=0.0.0.0
-# ROCKET_PORT=8000
+# ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise.
+# ROCKET_WORKERS=10
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
 
 ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
@@ -261,9 +379,8 @@
 # SMTP_HOST=smtp.domain.tld
 # SMTP_FROM=vaultwarden@domain.tld
 # SMTP_FROM_NAME=Vaultwarden
-# SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+# SMTP_SECURITY=starttls # ("starttls", "force_tls", "off") Enable a secure connection. Default is "starttls" (Explicit - ports 587 or 25), "force_tls" (Implicit - port 465) or "off", no encryption (port 25)
-# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+# SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
-# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
 # SMTP_USERNAME=username
 # SMTP_PASSWORD=password
 # SMTP_TIMEOUT=15
@@ -278,6 +395,9 @@
 ## but might need to be changed in case it trips some anti-spam filters
 # HELO_NAME=
 
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=false
+
 ## SMTP debugging
 ## When set to true this will output very detailed SMTP messages.
 ## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!

.github/FUNDING.yml

@@ -1,2 +1,3 @@
 github: dani-garcia
+liberapay: dani-garcia
 custom: ["https://paypal.me/DaniGG"]

.github/ISSUE_TEMPLATE/config.yml

@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Discourse forum for bitwarden_rs
+  - name: Discourse forum for vaultwarden
-    url: https://bitwardenrs.discourse.group/
+    url: https://vaultwarden.discourse.group/
     about: Use this forum to request features or get help with usage/configuration.
   - name: GitHub Discussions for vaultwarden
     url: https://github.com/dani-garcia/vaultwarden/discussions

.github/workflows/build.yml

@@ -2,150 +2,191 @@ name: Build
 
 on:
   push:
+    paths:
+      - ".github/workflows/build.yml"
+      - "src/**"
+      - "migrations/**"
+      - "Cargo.*"
+      - "build.rs"
+      - "rust-toolchain"
   pull_request:
-    # Ignore when there are only changes done too one of these paths
+    paths:
-    paths-ignore:
+      - ".github/workflows/build.yml"
-      - "**.md"
+      - "src/**"
-      - "**.txt"
+      - "migrations/**"
-      - ".dockerignore"
+      - "Cargo.*"
-      - ".env.template"
+      - "build.rs"
-      - ".gitattributes"
+      - "rust-toolchain"
-      - ".gitignore"
-      - "azure-pipelines.yml"
-      - "docker/**"
-      - "hooks/**"
-      - "tools/**"
-      - ".github/FUNDING.yml"
-      - ".github/ISSUE_TEMPLATE/**"
 
 jobs:
   build:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    # Make warnings errors, this is to prevent warnings slipping through.
+    # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
+    env:
+      RUSTFLAGS: "-D warnings"
     strategy:
       fail-fast: false
       matrix:
         channel:
-          - nightly
+          - "rust-toolchain" # The version defined in rust-toolchain
-          # - stable
+          - "msrv" # The supported MSRV
-        target-triple:
-          - x86_64-unknown-linux-gnu
-          # - x86_64-unknown-linux-musl
         include:
-          - target-triple: x86_64-unknown-linux-gnu
+          - channel: "msrv"
-            host-triple: x86_64-unknown-linux-gnu
+            version: "1.60.0"
-            features: "sqlite,mysql,postgresql"
+
-            channel: nightly
+    name: Build and Test ${{ matrix.channel }}
-            os: ubuntu-18.04
-            ext:
-          # - target-triple: x86_64-unknown-linux-gnu
-          #   host-triple: x86_64-unknown-linux-gnu
-          #   features: "sqlite,mysql,postgresql"
-          #   channel: stable
-          #   os: ubuntu-18.04
-          #   ext:
-          # - target-triple: x86_64-unknown-linux-musl
-          #   host-triple: x86_64-unknown-linux-gnu
-          #   features: "sqlite,postgresql"
-          #   channel: nightly
-          #   os: ubuntu-18.04
-          #   ext:
-          # - target-triple: x86_64-unknown-linux-musl
-          #   host-triple: x86_64-unknown-linux-gnu
-          #   features: "sqlite,postgresql"
-          #   channel: stable
-          #   os: ubuntu-18.04
-          #   ext:
 
-    name: Building ${{ matrix.channel }}-${{ matrix.target-triple }}
-    runs-on: ${{ matrix.os }}
     steps:
       # Checkout the repo
-      - name: Checkout
+      - name: "Checkout"
-        uses: actions/checkout@v2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
       # End Checkout the repo
 
-
-      # Install musl-tools when needed
-      - name: Install musl tools
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends musl-dev musl-tools cmake
-        if: matrix.target-triple == 'x86_64-unknown-linux-musl'
-      # End Install musl-tools when needed
-
-
       # Install dependencies
-      - name: Install dependencies Ubuntu
+      - name: "Install dependencies Ubuntu"
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
-        if: startsWith( matrix.os, 'ubuntu' )
       # End Install dependencies
 
-
+      # Determine rust-toolchain version
-      # Enable Rust Caching
+      - name: Init Variables
-      - uses: Swatinem/rust-cache@v1
+        id: toolchain
-      # End Enable Rust Caching
+        shell: bash
-
+        if: ${{ matrix.channel == 'rust-toolchain' }}
+        run: |
+          RUST_TOOLCHAIN="$(cat rust-toolchain)"
+          echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}"
+      # End Determine rust-toolchain version
 
       # Uses the rust-toolchain file to determine version
-      - name: 'Install ${{ matrix.channel }}-${{ matrix.host-triple }} for target: ${{ matrix.target-triple }}'
+      - name: "Install rust-toolchain version"
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@55c7845fad90d0ae8b2e83715cb900e5e861e8cb # master @ 2022-10-25 - 21:40 GMT+2
+        if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
-          profile: minimal
+          toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
-          target: ${{ matrix.target-triple }}
           components: clippy, rustfmt
       # End Uses the rust-toolchain file to determine version
 
 
-      # Run cargo tests (In release mode to speed up future builds)
+      # Install the MSRV channel to be used
-      - name: '`cargo test --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+      - name: "Install MSRV version"
-        uses: actions-rs/cargo@v1
+        uses: dtolnay/rust-toolchain@55c7845fad90d0ae8b2e83715cb900e5e861e8cb # master @ 2022-10-25 - 21:40 GMT+2
+        if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
-          command: test
+          toolchain: ${{ matrix.version }}
-          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+      # End Install the MSRV channel to be used
+
+
+      # Enable Rust Caching
+      - uses: Swatinem/rust-cache@359a70e43a0bb8a13953b04a90f76428b4959bb6 # v2.2.0
+      # End Enable Rust Caching
+
+
+      # Show environment
+      - name: "Show environment"
+        run: |
+          rustc -vV
+          cargo -vV
+      # End Show environment
+
+
+      # Run cargo tests (In release mode to speed up future builds)
+      # First test all features together, afterwards test them separately.
+      - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
+        id: test_sqlite_mysql_postgresql_mimalloc
+        if: $${{ always() }}
+        run: |
+          cargo test --release --features sqlite,mysql,postgresql,enable_mimalloc
+
+      - name: "test features: sqlite,mysql,postgresql"
+        id: test_sqlite_mysql_postgresql
+        if: $${{ always() }}
+        run: |
+          cargo test --release --features sqlite,mysql,postgresql
+
+      - name: "test features: sqlite"
+        id: test_sqlite
+        if: $${{ always() }}
+        run: |
+          cargo test --release --features sqlite
+
+      - name: "test features: mysql"
+        id: test_mysql
+        if: $${{ always() }}
+        run: |
+          cargo test --release --features mysql
+
+      - name: "test features: postgresql"
+        id: test_postgresql
+        if: $${{ always() }}
+        run: |
+          cargo test --release --features postgresql
       # End Run cargo tests
 
 
-      # Run cargo clippy (In release mode to speed up future builds)
+      # Run cargo clippy, and fail on warnings (In release mode to speed up future builds)
-      - name: '`cargo clippy --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+      - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
-        uses: actions-rs/cargo@v1
+        id: clippy
-        with:
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
-          command: clippy
+        run: |
-          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+          cargo clippy --release --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
       # End Run cargo clippy
 
 
-      # Run cargo fmt
+      # Run cargo fmt (Only run on rust-toolchain defined version)
-      - name: '`cargo fmt`'
+      - name: "check formatting"
-        uses: actions-rs/cargo@v1
+        id: formatting
-        with:
+        if: ${{ always() && matrix.channel == 'rust-toolchain' }}
-          command: fmt
+        run: |
-          args: --all -- --check
+          cargo fmt --all -- --check
       # End Run cargo fmt
 
 
-      # Build the binary
+      # Check for any previous failures, if there are stop, else continue.
-      - name: '`cargo build --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}`'
+      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
-        uses: actions-rs/cargo@v1
+      - name: "Some checks failed"
-        with:
+        if: ${{ failure() }}
-          command: build
+        run: |
-          args: --release --features ${{ matrix.features }} --target ${{ matrix.target-triple }}
+          echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY
+          echo "|---|------|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          exit 1
+
+
+      # Check for any previous failures, if there are stop, else continue.
+      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
+      - name: "All checks passed"
+        if: ${{ success() }}
+        run: |
+          echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+
+      # Build the binary to upload to the artifacts
+      - name: "build features: sqlite,mysql,postgresql"
+        if: ${{ matrix.channel == 'rust-toolchain' }}
+        run: |
+          cargo build --release --features sqlite,mysql,postgresql
       # End Build the binary
 
 
       # Upload artifact to Github Actions
-      - name: Upload artifact
+      - name: "Upload artifact"
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
-          name: vaultwarden-${{ matrix.target-triple }}${{ matrix.ext }}
+          name: vaultwarden
-          path: target/${{ matrix.target-triple }}/release/vaultwarden${{ matrix.ext }}
+          path: target/release/vaultwarden
       # End Upload artifact to Github Actions
-
-
-      ## This is not used at the moment
-      ## We could start using this when we can build static binaries
-      # Upload to github actions release
-      # - name: Release
-      #   uses: Shopify/upload-to-release@1
-      #   if: startsWith(github.ref, 'refs/tags/')
-      #   with:
-      #     name: vaultwarden-${{ matrix.target-triple }}${{ matrix.ext }}
-      #     path: target/${{ matrix.target-triple }}/release/vaultwarden${{ matrix.ext }}
-      #     repo-token: ${{ secrets.GITHUB_TOKEN }}
-      # End Upload to github actions release

.github/workflows/hadolint.yml

@@ -1,35 +1,34 @@
 name: Hadolint
 
-on:
+on: [
-  push:
+      push,
-  pull_request:
+      pull_request
-    # Ignore when there are only changes done too one of these paths
+    ]
-    paths:
-      - "docker/**"
 
 jobs:
   hadolint:
     name: Validate Dockerfile syntax
     runs-on: ubuntu-20.04
+    timeout-minutes: 30
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
       # End Checkout the repo
 
 
-      # Download hadolint
+      # Download hadolint - https://github.com/hadolint/hadolint/releases
       - name: Download hadolint
         shell: bash
         run: |
-          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
+          sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
           sudo chmod +x /usr/local/bin/hadolint
         env:
-          HADOLINT_VERSION: 2.0.0
+          HADOLINT_VERSION: 2.12.0
       # End Download hadolint
 
       # Test Dockerfiles
       - name: Run hadolint
         shell: bash
-        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored | xargs hadolint
+        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored --cached | xargs hadolint
       # End Test Dockerfiles

.github/workflows/release.yml

@@ -0,0 +1,118 @@
+name: Release
+
+on:
+  push:
+    paths:
+      - ".github/workflows/release.yml"
+      - "src/**"
+      - "migrations/**"
+      - "hooks/**"
+      - "docker/**"
+      - "Cargo.*"
+      - "build.rs"
+      - "diesel.toml"
+      - "rust-toolchain"
+
+    branches: # Only on paths above
+      - main
+
+    tags: # Always, regardless of paths above
+      - '*'
+
+jobs:
+  # https://github.com/marketplace/actions/skip-duplicate-actions
+  # Some checks to determine if we need to continue with building a new docker.
+  # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
+  skip_check:
+    runs-on: ubuntu-20.04
+    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
+    outputs:
+      should_skip: ${{ steps.skip_check.outputs.should_skip }}
+    steps:
+      - name: Skip Duplicates Actions
+        id: skip_check
+        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
+        with:
+          cancel_others: 'true'
+        # Only run this when not creating a tag
+        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+
+  docker-build:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 120
+    needs: skip_check
+    # Start a local docker registry to be used to generate multi-arch images.
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building!
+      # DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
+      DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }}
+      SOURCE_COMMIT: ${{ github.sha }}
+      SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    strategy:
+      matrix:
+        base_image: ["debian","alpine"]
+
+    steps:
+      # Checkout the repo
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        with:
+          fetch-depth: 0
+
+      # Login to Docker Hub
+      - name: Login to Docker Hub
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # Determine Docker Tag
+      - name: Init Variables
+        id: vars
+        shell: bash
+        run: |
+          # Check which main tag we are going to build determined by github.ref
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            echo "DOCKER_TAG=${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_OUTPUT}"
+          elif [[ "${{ github.ref }}" == refs/heads/* ]]; then
+            echo "DOCKER_TAG=testing" | tee -a "${GITHUB_OUTPUT}"
+          fi
+      # End Determine Docker Tag
+
+      - name: Build Debian based images
+        shell: bash
+        env:
+          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
+        run: |
+          ./hooks/build
+        if: ${{ matrix.base_image == 'debian' }}
+
+      - name: Push Debian based images
+        shell: bash
+        env:
+          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
+        run: |
+          ./hooks/push
+        if: ${{ matrix.base_image == 'debian' }}
+
+      - name: Build Alpine based images
+        shell: bash
+        env:
+          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
+        run: |
+          ./hooks/build
+        if: ${{ matrix.base_image == 'alpine' }}
+
+      - name: Push Alpine based images
+        shell: bash
+        env:
+          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
+        run: |
+          ./hooks/push
+        if: ${{ matrix.base_image == 'alpine' }}

.pre-commit-config.yaml

@@ -0,0 +1,40 @@
+---
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.3.0
+    hooks:
+    - id: check-yaml
+    - id: check-json
+    - id: check-toml
+    - id: end-of-file-fixer
+      exclude: "(.*js$|.*css$)"
+    - id: check-case-conflict
+    - id: check-merge-conflict
+    - id: detect-private-key
+-   repo: local
+    hooks:
+    - id: fmt
+      name: fmt
+      description: Format files with cargo fmt.
+      entry: cargo fmt
+      language: system
+      types: [rust]
+      args: ["--", "--check"]
+    - id: cargo-test
+      name: cargo test
+      description: Test the package for errors.
+      entry: cargo test
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$)
+      pass_filenames: false
+    - id: cargo-clippy
+      name: cargo clippy
+      description: Lint Rust sources
+      entry: cargo clippy
+      language: system
+      args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"]
+      types_or: [rust, file]
+      files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$)
+      pass_filenames: false

Cargo.toml

@@ -2,7 +2,9 @@
 name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
-edition = "2018"
+edition = "2021"
+rust-version = "1.60.0"
+resolver = "2"
 
 repository = "https://github.com/dani-garcia/vaultwarden"
 readme = "README.md"
@@ -11,6 +13,7 @@ publish = false
 build = "build.rs"
 
 [features]
+# default = ["sqlite"]
 # Empty to keep compatibility, prefer to set USE_SYSLOG=true
 enable_syslog = []
 mysql = ["diesel/mysql", "diesel_migrations/mysql"]
@@ -18,131 +21,145 @@ postgresql = ["diesel/postgres", "diesel_migrations/postgres"]
 sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"]
 # Enable to use a vendored and statically linked openssl
 vendored_openssl = ["openssl/vendored"]
+# Enable MiMalloc memory allocator to replace the default malloc
+# This can improve performance for Alpine builds
+enable_mimalloc = ["mimalloc"]
+# This is a development dependency, and should only be used during development!
+# It enables the usage of the diesel_logger crate, which is able to output the generated queries.
+# You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile
+# if you want to turn off the logging for a specific run.
+query_logger = ["diesel_logger"]
 
 # Enable unstable features, requires nightly
 # Currently only used to enable rusts official ip support
 unstable = []
 
 [target."cfg(not(windows))".dependencies]
-syslog = "4.0.1"
+# Logging
+syslog = "6.0.1" # Needs to be v4 until fern is updated
 
 [dependencies]
-# Web framework for nightly with a focus on ease-of-use, expressibility, and speed.
+# Logging
-rocket = { version = "0.5.0-dev", features = ["tls"], default-features = false }
+log = "0.4.17"
-rocket_contrib = "0.5.0-dev"
+fern = { version = "0.6.1", features = ["syslog-6"] }
+tracing = { version = "0.1.37", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 
-# HTTP client
+backtrace = "0.3.67" # Logging panics to logfile instead stderr only
-reqwest = { version = "0.11.3", features = ["blocking", "json", "gzip", "brotli", "socks"] }
 
-# multipart/form-data support
+# A `dotenv` implementation for Rust
-multipart = { version = "0.17.1", features = ["server"], default-features = false }
+dotenvy = { version = "0.15.6", default-features = false }
 
-# WebSockets library
+# Lazy initialization
-ws = { version = "0.10.0", package = "parity-ws" }
+once_cell = "1.16.0"
 
-# MessagePack library
+# Numerical libraries
-rmpv = "0.4.7"
+num-traits = "0.2.15"
+num-derive = "0.3.3"
 
-# Concurrent hashmap implementation
+# Web framework
-chashmap = "2.2.2"
+rocket = { version = "0.5.0-rc.2", features = ["tls", "json"], default-features = false }
+
+# WebSockets libraries
+tokio-tungstenite = "0.18.0"
+rmpv = "1.0.0" # MessagePack library
+dashmap = "5.4.0"
+
+# Async futures
+futures = "0.3.25"
+tokio = { version = "1.23.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.125", features = ["derive"] }
+serde = { version = "1.0.150", features = ["derive"] }
-serde_json = "1.0.64"
+serde_json = "1.0.89"
-
-# Logging
-log = "0.4.14"
-fern = { version = "0.6.0", features = ["syslog-4"] }
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "1.4.6", features = [ "chrono", "r2d2"] }
+diesel = { version = "2.0.2", features = ["chrono", "r2d2"] }
-diesel_migrations = "1.4.0"
+diesel_migrations = "2.0.0"
+diesel_logger = { version = "0.2.0", optional = true }
 
 # Bundled SQLite
-libsqlite3-sys = { version = "0.20.1", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.25.2", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
-rand = "0.8.3"
+rand = { version = "0.8.5", features = ["small_rng"] }
 ring = "0.16.20"
 
 # UUID generation
-uuid = { version = "0.8.2", features = ["v4"] }
+uuid = { version = "1.2.2", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.19", features = ["serde"] }
+chrono = { version = "0.4.23", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.5.3"
+chrono-tz = "0.8.1"
-time = "0.2.26"
+time = "0.3.17"
 
 # Job scheduler
-job_scheduler = "1.2.1"
+job_scheduler_ng = "2.0.3"
 
-# TOTP library
+# Data encoding library Hex/Base32/Base64
-oath = "0.10.2"
+data-encoding = "2.3.3"
-
-# Data encoding library
-data-encoding = "2.3.2"
 
 # JWT library
-jsonwebtoken = "7.2.0"
+jsonwebtoken = "8.2.0"
 
-# U2F library
+# TOTP library
-u2f = "0.2.0"
+totp-lite = "2.0.0"
 
 # Yubico Library
-yubico = { version = "0.10.0", features = ["online-tokio"], default-features = false }
+yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false }
 
-# A `dotenv` implementation for Rust
+# WebAuthn libraries
-dotenv = { version = "0.15.0", default-features = false }
+webauthn-rs = "0.3.2"
 
-# Lazy initialization
+# Handling of URL's for WebAuthn
-once_cell = "1.7.2"
+url = "2.3.1"
 
-# Numerical libraries
+# Email librariese-Base, Update crates and small change.
-num-traits = "0.2.14"
+lettre = { version = "0.10.1", features = ["smtp-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
-num-derive = "0.3.3"
+percent-encoding = "2.2.0" # URL encoding library used for URL's in the emails
-
+email_address = "0.2.4"
-# Email libraries
-tracing = { version = "0.1.25", features = ["log"] } # Needed to have lettre trace logging used when SMTP_DEBUG is enabled.
-lettre = { version = "0.10.0-beta.3", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname", "tracing"], default-features = false }
-newline-converter = "0.2.0"
 
 # Template library
-handlebars = { version = "3.5.4", features = ["dir_source"] }
+handlebars = { version = "4.3.5", features = ["dir_source"] }
+
+# HTTP client
+reqwest = { version = "0.11.13", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] }
 
 # For favicon extraction from main website
-html5ever = "0.25.1"
+html5gum = "0.5.2"
-markup5ever_rcdom = "0.1.0"
+regex = { version = "1.7.0", features = ["std", "perf", "unicode-perl"], default-features = false }
-regex = { version = "1.4.5", features = ["std", "perf"], default-features = false }
+data-url = "0.2.0"
-data-url = "0.1.0"
+bytes = "1.3.0"
+cached = "0.40.0"
+
+# Used for custom short lived cookie jar during favicon extraction
+cookie = "0.16.1"
+cookie_store = "0.19.0"
 
 # Used by U2F, JWT and Postgres
-openssl = "0.10.34"
+openssl = "0.10.44"
-
-# URL encoding library
-percent-encoding = "2.1.0"
-# Punycode conversion
-idna = "0.2.2"
 
 # CLI argument parsing
-pico-args = "0.4.0"
+pico-args = "0.5.0"
-
-# Logging panics to logfile instead stderr only
-backtrace = "0.3.56"
 
 # Macro ident concatenation
-paste = "1.0.5"
+paste = "1.0.10"
+governor = "0.5.1"
+
+# Check client versions for specific features.
+semver = "1.0.14"
+
+# Allow overriding the default memory allocator
+# Mainly used for the musl builds, since the default musl malloc is very slow
+mimalloc = { version = "0.1.32", features = ["secure"], default-features = false, optional = true }
 
 [patch.crates-io]
-# Use newest ring
+# Using a patched version of multer-rs (Used by Rocket) to fix attachment/send file uploads
-rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
+# Issue: https://github.com/dani-garcia/vaultwarden/issues/2644
-rocket_contrib = { git = 'https://github.com/SergioBenitez/Rocket', rev = '263e39b5b429de1913ce7e3036575a7b4d88b6d7' }
+# Patch: https://github.com/BlackDex/multer-rs/commit/477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a
+multer = { git = "https://github.com/BlackDex/multer-rs", rev = "477d16b7fa0f361b5c2a5ba18a5b28bec6d26a8a" }
 
-# For favicon extraction from main website
+# Strip debuginfo from the release builds
-data-url = { git = 'https://github.com/servo/rust-url', package="data-url", rev = '540ede02d0771824c0c80ff9f57fe8eff38b1291' }
+# Also enable thin LTO for some optimizations
-
+[profile.release]
-# The maintainer of the `job_scheduler` crate doesn't seem to have responded
+strip = "debuginfo"
-# to any issues or PRs for almost a year (as of April 2021). This hopefully
+lto = "thin"
-# temporary fork updates Cargo.toml to use more up-to-date dependencies.
-# In particular, `cron` has since implemented parsing of some common syntax
-# that wasn't previously supported (https://github.com/zslayton/cron/pull/64).
-job_scheduler = { git = 'https://github.com/jjlin/job_scheduler', rev = 'ee023418dbba2bfe1e30a5fd7d937f9e33739806' }

README.md

@@ -1,16 +1,18 @@
-### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/#download)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation.
 
 ---
 
-[![Docker Pulls](https://img.shields.io/docker/pulls/bitwardenrs/server.svg)](https://hub.docker.com/r/vaultwarden/server)
+[![Docker Pulls](https://img.shields.io/docker/pulls/vaultwarden/server.svg)](https://hub.docker.com/r/vaultwarden/server)
 [![Dependency Status](https://deps.rs/repo/github/dani-garcia/vaultwarden/status.svg)](https://deps.rs/repo/github/dani-garcia/vaultwarden)
 [![GitHub Release](https://img.shields.io/github/release/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/releases/latest)
-[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/master/LICENSE.txt)
+[![GPL-3.0 Licensed](https://img.shields.io/github/license/dani-garcia/vaultwarden.svg)](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt)
 [![Matrix Chat](https://img.shields.io/matrix/vaultwarden:matrix.org.svg?logo=matrix)](https://matrix.to/#/#vaultwarden:matrix.org)
 
 Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden).
 
-**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.**
+**This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.**
 
 #### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels.
 
@@ -35,7 +37,7 @@ Pull the docker image and mount a volume from the host for persistent storage:
 docker pull vaultwarden/server:latest
 docker run -d --name vaultwarden -v /vw-data/:/data/ -p 80:80 vaultwarden/server:latest
 ```
-This will preserve any persistent data under /bw-data/, you can adapt the path to whatever suits you.
+This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
 
 **IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS. 
 
@@ -56,32 +58,34 @@ If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org]
 ### Sponsors
 Thanks for your contribution to the project!
 
+<!--
 <table>
   <tr>
     <td align="center">
-      <a href="https://github.com/netdadaltd">
+      <a href="https://github.com/username">
-        <img src="https://avatars.githubusercontent.com/u/77323954?s=75&v=4" width="75px;" alt="netdadaltd"/>
+        <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/>
         <br />
-        <sub><b>netDada Ltd.</b></sub>
+        <sub><b>username</b></sub>
       </a>
   </td>
   </tr>
 </table>
 
 <br/>
+-->
 
 <table>
   <tr>
     <td align="center">
-      <a href="https://github.com/ChonoN" style="width: 75px">
+       <a href="https://github.com/themightychris" style="width: 75px">
-        <sub><b>ChonoN</b></sub>
+        <sub><b>Chris Alfano</b></sub>
       </a>
     </td>
   </tr>
   <tr>
     <td align="center">
-       <a href="https://github.com/themightychris">
+      <a href="https://github.com/numberly" style="width: 75px">
-        <sub><b>themightychris</b></sub>
+        <sub><b>Numberly</b></sub>
       </a>
     </td>
   </tr>

Rocket.toml

@@ -1,2 +0,0 @@
-[global.limits]
-json = 10485760 # 10 MiB

SECURITY.md

@@ -0,0 +1,45 @@
+Vaultwarden tries to prevent security issues but there could always slip something through.
+If you believe you've found a security issue in our application, we encourage you to
+notify us. We welcome working with you to resolve the issue promptly. Thanks in advance!
+
+# Disclosure Policy
+
+- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every
+  effort to quickly resolve the issue.
+- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a
+  third-party. We may publicly disclose the issue before resolving it, if appropriate.
+- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or
+  degradation of our service. Only interact with accounts you own or with explicit permission of the
+  account holder.
+
+# In-scope
+
+- Security issues in any current release of Vaultwarden. Source code is available at https://github.com/dani-garcia/vaultwarden. This includes the current `latest` release and `main / testing` release.
+
+# Exclusions
+
+The following bug classes are out-of scope:
+
+- Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues)
+- Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated
+- Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer
+- Attacks requiring physical access to a user's device
+- Issues related to software or protocols not under Vaultwarden's control
+- Vulnerabilities in outdated versions of Vaultwarden
+- Missing security best practices that do not directly lead to a vulnerability (You may still report them as a normal issue)
+- Issues that do not have any impact on the general public
+
+While researching, we'd like to ask you to refrain from:
+
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of Vaultwarden developers, contributors or users
+
+Thank you for helping keep Vaultwarden and our users safe!
+
+# How to contact us
+
+- You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`)
+- You can send an ![security-contact](/.github/security-contact.gif) to report a security issue.
+  - If you want to send an encrypted email you can use the following GPG key:<br>
+    https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index

azure-pipelines.yml

@@ -1,22 +0,0 @@
-pool:
-  vmImage: 'Ubuntu-18.04'
-
-steps:
-- script: |
-    ls -la
-    curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain $(cat rust-toolchain) --profile=minimal
-    echo "##vso[task.prependpath]$HOME/.cargo/bin"
-  displayName: 'Install Rust'
-
-- script: |
-    sudo apt-get update
-    sudo apt-get install -y --no-install-recommends build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf
-  displayName: 'Install build libraries.'
-
-- script: |
-    rustc -Vv
-    cargo -V
-  displayName: Query rust and cargo versions
-
-- script : cargo test --features "sqlite,mysql,postgresql"
-  displayName: 'Test project with sqlite, mysql and postgresql backends'

build.rs

@@ -9,17 +9,25 @@ fn main() {
     println!("cargo:rustc-cfg=mysql");
     #[cfg(feature = "postgresql")]
     println!("cargo:rustc-cfg=postgresql");
+    #[cfg(feature = "query_logger")]
+    println!("cargo:rustc-cfg=query_logger");
 
     #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))]
     compile_error!(
         "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite"
     );
 
-    if let Ok(version) = env::var("BWRS_VERSION") {
+    #[cfg(all(not(debug_assertions), feature = "query_logger"))]
-        println!("cargo:rustc-env=BWRS_VERSION={}", version);
+    compile_error!("Query Logging is only allowed during development, it is not intented for production usage!");
-        println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);
+
-    } else {
+    // Support $BWRS_VERSION for legacy compatibility, but default to $VW_VERSION.
-        read_git_info().ok();
+    // If neither exist, read from git.
+    let maybe_vaultwarden_version =
+        env::var("VW_VERSION").or_else(|_| env::var("BWRS_VERSION")).or_else(|_| version_from_git_info());
+
+    if let Ok(version) = maybe_vaultwarden_version {
+        println!("cargo:rustc-env=VW_VERSION={version}");
+        println!("cargo:rustc-env=CARGO_PKG_VERSION={version}");
     }
 }
 
@@ -33,46 +41,40 @@ fn run(args: &[&str]) -> Result<String, std::io::Error> {
 }
 
 /// This method reads info from Git, namely tags, branch, and revision
-fn read_git_info() -> Result<(), std::io::Error> {
+/// To access these values, use:
+///    - env!("GIT_EXACT_TAG")
+///    - env!("GIT_LAST_TAG")
+///    - env!("GIT_BRANCH")
+///    - env!("GIT_REV")
+///    - env!("VW_VERSION")
+fn version_from_git_info() -> Result<String, std::io::Error> {
     // The exact tag for the current commit, can be empty when
     // the current commit doesn't have an associated tag
     let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok();
     if let Some(ref exact) = exact_tag {
-        println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact);
+        println!("cargo:rustc-env=GIT_EXACT_TAG={exact}");
     }
 
     // The last available tag, equal to exact_tag when
     // the current commit is tagged
     let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?;
-    println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag);
+    println!("cargo:rustc-env=GIT_LAST_TAG={last_tag}");
 
     // The current branch name
     let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?;
-    println!("cargo:rustc-env=GIT_BRANCH={}", branch);
+    println!("cargo:rustc-env=GIT_BRANCH={branch}");
 
     // The current git commit hash
     let rev = run(&["git", "rev-parse", "HEAD"])?;
     let rev_short = rev.get(..8).unwrap_or_default();
-    println!("cargo:rustc-env=GIT_REV={}", rev_short);
+    println!("cargo:rustc-env=GIT_REV={rev_short}");
 
     // Combined version
-    let version = if let Some(exact) = exact_tag {
+    if let Some(exact) = exact_tag {
-        exact
+        Ok(exact)
     } else if &branch != "main" && &branch != "master" {
-        format!("{}-{} ({})", last_tag, rev_short, branch)
+        Ok(format!("{last_tag}-{rev_short} ({branch})"))
     } else {
-        format!("{}-{}", last_tag, rev_short)
+        Ok(format!("{last_tag}-{rev_short}"))
-    };
+    }
-
-    println!("cargo:rustc-env=BWRS_VERSION={}", version);
-    println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version);
-
-    // To access these values, use:
-    //    env!("GIT_EXACT_TAG")
-    //    env!("GIT_LAST_TAG")
-    //    env!("GIT_BRANCH")
-    //    env!("GIT_REV")
-    //    env!("BWRS_VERSION")
-
-    Ok(())
 }

docker/Dockerfile.buildx

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1
 # The cross-built images have the build arch (`amd64`) embedded in the image
 # manifest, rather than the target arch. For example:
 #

docker/Dockerfile.j2

@@ -1,31 +1,41 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
-{% set build_stage_base_image = "rust:1.51" %}
+{% set build_stage_base_image = "rust:1.66-bullseye" %}
 {% if "alpine" in target_file %}
 {%   if "amd64" in target_file %}
-{%     set build_stage_base_image = "clux/muslrust:nightly-2021-04-14" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.66.0" %}
-{%     set runtime_stage_base_image = "alpine:3.13" %}
+{%     set runtime_stage_base_image = "alpine:3.17" %}
 {%     set package_arch_target = "x86_64-unknown-linux-musl" %}
 {%   elif "armv7" in target_file %}
-{%     set build_stage_base_image = "messense/rust-musl-cross:armv7-musleabihf" %}
+{%     set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.66.0" %}
-{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.13" %}
+{%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.17" %}
 {%     set package_arch_target = "armv7-unknown-linux-musleabihf" %}
+{%   elif "armv6" in target_file %}
+{%     set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.66.0" %}
+{%     set runtime_stage_base_image = "balenalib/rpi-alpine:3.17" %}
+{%     set package_arch_target = "arm-unknown-linux-musleabi" %}
+{%   elif "arm64" in target_file %}
+{%     set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.66.0" %}
+{%     set runtime_stage_base_image = "balenalib/aarch64-alpine:3.17" %}
+{%     set package_arch_target = "aarch64-unknown-linux-musl" %}
 {%   endif %}
 {% elif "amd64" in target_file %}
-{%   set runtime_stage_base_image = "debian:buster-slim" %}
+{%   set runtime_stage_base_image = "debian:bullseye-slim" %}
 {% elif "arm64" in target_file %}
-{%   set runtime_stage_base_image = "balenalib/aarch64-debian:buster" %}
+{%   set runtime_stage_base_image = "balenalib/aarch64-debian:bullseye" %}
 {%   set package_arch_name = "arm64" %}
 {%   set package_arch_target = "aarch64-unknown-linux-gnu" %}
 {%   set package_cross_compiler = "aarch64-linux-gnu" %}
 {% elif "armv6" in target_file %}
-{%   set runtime_stage_base_image = "balenalib/rpi-debian:buster" %}
+{%   set runtime_stage_base_image = "balenalib/rpi-debian:bullseye" %}
 {%   set package_arch_name = "armel" %}
 {%   set package_arch_target = "arm-unknown-linux-gnueabi" %}
 {%   set package_cross_compiler = "arm-linux-gnueabi" %}
 {% elif "armv7" in target_file %}
-{%   set runtime_stage_base_image = "balenalib/armv7hf-debian:buster" %}
+{%   set runtime_stage_base_image = "balenalib/armv7hf-debian:bullseye" %}
 {%   set package_arch_name = "armhf" %}
 {%   set package_arch_target = "armv7-unknown-linux-gnueabihf" %}
 {%   set package_cross_compiler = "arm-linux-gnueabihf" %}
@@ -40,12 +50,17 @@
 {% else %}
 {%   set package_arch_target_param = "" %}
 {% endif %}
+{% if "buildx" in target_file %}
+{%   set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %}
+{% else %}
+{%   set mount_rust_cache = "" %}
+{% endif %}
 # Using multistage build:
 # 	https://docs.docker.com/develop/develop-images/multistage-build/
 # 	https://whitfin.io/speeding-up-rust-docker-builds/
 ####################### VAULT BUILD IMAGE  #######################
-{% set vault_version = "2.19.0d" %}
+{% set vault_version = "v2022.12.0" %}
-{% set vault_image_digest = "sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233" %}
+{% set vault_image_digest = "sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e" %}
 # The web-vault digest specifies a particular web-vault build on Docker Hub.
 # Using the digest instead of the tag name provides better security,
 # as the digest of an image is immutable, whereas a tag name can later
@@ -55,82 +70,75 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v{{ vault_version }}
+#     $ docker pull vaultwarden/web-vault:{{ vault_version }}
-#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:v{{ vault_version }}
+#     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:{{ vault_version }}
 #     [vaultwarden/web-vault@{{ vault_image_digest }}]
 #
 # - Conversely, to get the tag name from the digest:
 #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" vaultwarden/web-vault@{{ vault_image_digest }}
-#     [vaultwarden/web-vault:v{{ vault_version }}]
+#     [vaultwarden/web-vault:{{ vault_version }}]
 #
 FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault
 
 ########################## BUILD IMAGE  ##########################
 FROM {{ build_stage_base_image }} as build
 
-{% if "alpine" in target_file %}
+
-{%   if "amd64" in target_file %}
-# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
-ARG DB=sqlite,postgresql
-{%     set features = "sqlite,postgresql" %}
-{%   else %}
-# Alpine-based ARM (musl) only supports sqlite during compile time.
-ARG DB=sqlite
-{%     set features = "sqlite" %}
-{%   endif %}
-{% else %}
-# Debian-based builds support multidb
-ARG DB=sqlite,mysql,postgresql
-{%   set features = "sqlite,mysql,postgresql" %}
-{% endif %}
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
+
-RUN rustup set profile minimal
+# Create CARGO_HOME folder and don't download rust docs
+RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
 
 {% if "alpine" in target_file %}
-ENV USER "root"
+{%   if "armv6" in target_file %}
-ENV RUSTFLAGS='-C link-arg=-s'
+# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
-{%   if "armv7" in target_file %}
+ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a'
-ENV CFLAGS_armv7_unknown_linux_musleabihf="-mfpu=vfpv3-d16"
 {%   endif %}
 {% elif "arm" in target_file %}
+#
 # Install required build libs for {{ package_arch_name }} architecture.
-# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+# hadolint ignore=DL3059
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+RUN dpkg --add-architecture {{ package_arch_name }} \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture {{ package_arch_name }} \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev{{ package_arch_prefix }} \
         libc6-dev{{ package_arch_prefix }} \
         libpq5{{ package_arch_prefix }} \
-        libpq-dev \
+        libpq-dev{{ package_arch_prefix }} \
+        libmariadb3{{ package_arch_prefix }} \
         libmariadb-dev{{ package_arch_prefix }} \
-        libmariadb-dev-compat{{ package_arch_prefix }}
+        libmariadb-dev-compat{{ package_arch_prefix }} \
+        gcc-{{ package_cross_compiler }} \
+    #
+    # Make sure cargo has the right target config
+    && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \
+    && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config"
 
+# Set arm specific environment values
+ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \
+    OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
+
+{% elif "amd64" in target_file %}
+# Install DB packages
 RUN apt-get update \
     && apt-get install -y \
         --no-install-recommends \
-        gcc-{{ package_cross_compiler }} \
+        libmariadb-dev{{ package_arch_prefix }} \
-    && mkdir -p ~/.cargo \
+        libpq-dev{{ package_arch_prefix }} \
-    && echo '[target.{{ package_arch_target }}]' >> ~/.cargo/config \
+    && apt-get clean \
-    && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> ~/.cargo/config \
-    && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> ~/.cargo/config
-
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
-{% endif -%}
-
-{% if "amd64" in target_file and "alpine" not in target_file %}
-# Install DB packages
-RUN apt-get update && apt-get install -y \
-    --no-install-recommends \
-    libmariadb-dev{{ package_arch_prefix }} \
-    libpq-dev{{ package_arch_prefix }} \
     && rm -rf /var/lib/apt/lists/*
 {% endif %}
 
@@ -143,39 +151,23 @@ COPY ./Cargo.* ./
 COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs
 
-{% if "alpine" not in target_file %}
-{%   if "arm" in target_file %}
-# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
-# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
-# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
-# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the {{ package_arch_prefix }} version.
-# What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
-    apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
-    rm -rvf ./libmariadb-dev-compat*.deb
-
-# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
-# The libpq5{{ package_arch_prefix }} package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
-# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
-# Without this specific file the ld command will fail and compilation fails with it.
-RUN ln -sfnr /usr/lib/{{ package_cross_compiler }}/libpq.so.5 /usr/lib/{{ package_cross_compiler }}/libpq.so
-
-ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}"
-ENV OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}"
-{%   endif -%}
-{% endif %}
 {% if package_arch_target is defined %}
-RUN rustup target add {{ package_arch_target }}
+RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }}
+{% endif %}
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+{% if "alpine" in target_file %}
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+{% else %}
+ARG DB=sqlite,mysql,postgresql
 {% endif %}
 
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
+RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -186,60 +178,60 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
-RUN cargo build --features ${DB} --release{{ package_arch_target_param }}
+# hadolint ignore=DL3059
-{% if "alpine" in target_file %}
+RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }}
-{%   if "armv7" in target_file %}
-RUN musl-strip target/{{ package_arch_target }}/release/vaultwarden
-{%   endif %}
-{% endif %}
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
 FROM {{ runtime_stage_base_image }}
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80
-{% if "alpine" in runtime_stage_base_image %}
+{%- if "alpine" in runtime_stage_base_image %} \
-ENV SSL_CERT_DIR=/etc/ssl/certs
+    SSL_CERT_DIR=/etc/ssl/certs
 {% endif %}
 
+
 {% if "amd64" not in target_file %}
+# hadolint ignore=DL3059
 RUN [ "cross-build-start" ]
-
 {% endif %}
-# Install needed libraries
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
 {% if "alpine" in runtime_stage_base_image %}
-RUN apk add --no-cache \
+    && apk add --no-cache \
         openssl \
+        tzdata \
         curl \
-        dumb-init \
-{%   if "mysql" in features %}
-        mariadb-connector-c \
-{%   endif %}
-{%   if "postgresql" in features %}
-        postgresql-libs \
-{%   endif %}
         ca-certificates
 {% else %}
-RUN apt-get update && apt-get install -y \
+    && apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
     curl \
-    dumb-init \
     libmariadb-dev-compat \
     libpq5 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 {% endif %}
 
-RUN mkdir /data
+{% if "armv6" in target_file and "alpine" not in target_file %}
+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
+
+{% endif -%}
+
 {% if "amd64" not in target_file %}
-
+# hadolint ignore=DL3059
 RUN [ "cross-build-end" ]
-
 {% endif %}
+
 VOLUME /data
 EXPOSE 80
 EXPOSE 3012
@@ -247,7 +239,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 {% if package_arch_target is defined %}
 COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden .
@@ -260,6 +251,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/Makefile

@@ -7,3 +7,9 @@ all: $(OBJECTS)
 
 %/Dockerfile.alpine: Dockerfile.j2 render_template
 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+
+%/Dockerfile.buildx: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+
+%/Dockerfile.buildx.alpine: Dockerfile.j2 render_template
+	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"

docker/amd64/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,33 +16,41 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.51 as build
+FROM rust:1.66-bullseye as build
+
 
-# Debian-based builds support multidb
-ARG DB=sqlite,mysql,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
+
-RUN rustup set profile minimal
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
 
 # Install DB packages
-RUN apt-get update && apt-get install -y \
+RUN apt-get update \
-    --no-install-recommends \
+    && apt-get install -y \
-    libmariadb-dev \
+        --no-install-recommends \
-    libpq-dev \
+        libmariadb-dev \
+        libpq-dev \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Creates a dummy project used to grab dependencies
@@ -53,11 +63,14 @@ COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs
 
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release
+RUN cargo build --features ${DB} --release \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -68,29 +81,32 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM debian:buster-slim
+FROM debian:bullseye-slim
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80
 
-# Install needed libraries
+
-RUN apt-get update && apt-get install -y \
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
     curl \
-    dumb-init \
     libmariadb-dev-compat \
     libpq5 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir /data
+
 VOLUME /data
 EXPOSE 80
 EXPOSE 3012
@@ -98,7 +114,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/release/vaultwarden .
 
@@ -107,6 +122,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/amd64/Dockerfile.alpine

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,30 +16,34 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM clux/muslrust:nightly-2021-04-14 as build
+FROM blackdex/rust-musl:x86_64-musl-stable-1.66.0 as build
+
 
-# Alpine-based AMD64 (musl) does not support mysql/mariadb during compile time.
-ARG DB=sqlite,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
-RUN rustup set profile minimal
 
-ENV USER "root"
+# Create CARGO_HOME folder and don't download rust docs
-ENV RUSTFLAGS='-C link-arg=-s'
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -50,11 +56,15 @@ COPY ./build.rs ./build.rs
 
 RUN rustup target add x86_64-unknown-linux-musl
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -65,27 +75,30 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM alpine:3.13
+FROM alpine:3.17
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80 \
-ENV SSL_CERT_DIR=/etc/ssl/certs
+    SSL_CERT_DIR=/etc/ssl/certs
 
-# Install needed libraries
+
-RUN apk add --no-cache \
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
         openssl \
+        tzdata \
         curl \
-        dumb-init \
-        postgresql-libs \
         ca-certificates
 
-RUN mkdir /data
+
 VOLUME /data
 EXPOSE 80
 EXPOSE 3012
@@ -93,7 +106,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
 
@@ -102,6 +114,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/amd64/Dockerfile.buildx

@@ -0,0 +1,125 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.66-bullseye as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# Install DB packages
+RUN apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libmariadb-dev \
+        libpq-dev \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM debian:bullseye-slim
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80
+
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadb-dev-compat \
+    libpq5 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/amd64/Dockerfile.buildx.alpine

@@ -0,0 +1,117 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:x86_64-musl-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/arm64/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,54 +16,61 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.51 as build
+FROM rust:1.66-bullseye as build
+
 
-# Debian-based builds support multidb
-ARG DB=sqlite,mysql,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
-RUN rustup set profile minimal
 
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
 # Install required build libs for arm64 architecture.
-# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+# hadolint ignore=DL3059
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+RUN dpkg --add-architecture arm64 \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture arm64 \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:arm64 \
         libc6-dev:arm64 \
         libpq5:arm64 \
-        libpq-dev \
+        libpq-dev:arm64 \
+        libmariadb3:arm64 \
         libmariadb-dev:arm64 \
-        libmariadb-dev-compat:arm64
+        libmariadb-dev-compat:arm64 \
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
         gcc-aarch64-linux-gnu \
-    && mkdir -p ~/.cargo \
+    #
-    && echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config \
+    # Make sure cargo has the right target config
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config \
+    && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/config
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
+    OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
 
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -72,33 +81,16 @@ COPY ./Cargo.* ./
 COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs
 
-# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
-# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
-# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
-# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :arm64 version.
-# What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
-    apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
-    rm -rvf ./libmariadb-dev-compat*.deb
-
-# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
-# The libpq5:arm64 package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
-# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
-# Without this specific file the ld command will fail and compilation fails with it.
-RUN ln -sfnr /usr/lib/aarch64-linux-gnu/libpq.so.5 /usr/lib/aarch64-linux-gnu/libpq.so
-
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu"
-ENV OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
 RUN rustup target add aarch64-unknown-linux-gnu
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -109,32 +101,34 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/aarch64-debian:buster
+FROM balenalib/aarch64-debian:bullseye
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80
 
+# hadolint ignore=DL3059
 RUN [ "cross-build-start" ]
 
-# Install needed libraries
+# Create data folder and Install needed libraries
-RUN apt-get update && apt-get install -y \
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
     curl \
-    dumb-init \
     libmariadb-dev-compat \
     libpq5 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir /data
+# hadolint ignore=DL3059
-
 RUN [ "cross-build-end" ]
 
 VOLUME /data
@@ -144,7 +138,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
 
@@ -153,6 +146,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/arm64/Dockerfile.alpine

@@ -0,0 +1,121 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:aarch64-musl-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add aarch64-unknown-linux-musl
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/arm64/Dockerfile.buildx

@@ -0,0 +1,149 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.66-bullseye as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
+# Install required build libs for arm64 architecture.
+# hadolint ignore=DL3059
+RUN dpkg --add-architecture arm64 \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:arm64 \
+        libc6-dev:arm64 \
+        libpq5:arm64 \
+        libpq-dev:arm64 \
+        libmariadb3:arm64 \
+        libmariadb-dev:arm64 \
+        libmariadb-dev-compat:arm64 \
+        gcc-aarch64-linux-gnu \
+    #
+    # Make sure cargo has the right target config
+    && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
+    && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
+    OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-debian:bullseye
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadb-dev-compat \
+    libpq5 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/arm64/Dockerfile.buildx.alpine

@@ -0,0 +1,121 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:aarch64-musl-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/aarch64-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/armv6/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,54 +16,61 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.51 as build
+FROM rust:1.66-bullseye as build
+
 
-# Debian-based builds support multidb
-ARG DB=sqlite,mysql,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
-RUN rustup set profile minimal
 
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
 # Install required build libs for armel architecture.
-# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+# hadolint ignore=DL3059
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+RUN dpkg --add-architecture armel \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armel \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:armel \
         libc6-dev:armel \
         libpq5:armel \
-        libpq-dev \
+        libpq-dev:armel \
+        libmariadb3:armel \
         libmariadb-dev:armel \
-        libmariadb-dev-compat:armel
+        libmariadb-dev-compat:armel \
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
         gcc-arm-linux-gnueabi \
-    && mkdir -p ~/.cargo \
+    #
-    && echo '[target.arm-unknown-linux-gnueabi]' >> ~/.cargo/config \
+    # Make sure cargo has the right target config
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> ~/.cargo/config \
+    && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> ~/.cargo/config
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
+    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
 
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -72,33 +81,16 @@ COPY ./Cargo.* ./
 COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs
 
-# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
-# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
-# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
-# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armel version.
-# What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
-    apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
-    rm -rvf ./libmariadb-dev-compat*.deb
-
-# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
-# The libpq5:armel package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
-# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
-# Without this specific file the ld command will fail and compilation fails with it.
-RUN ln -sfnr /usr/lib/arm-linux-gnueabi/libpq.so.5 /usr/lib/arm-linux-gnueabi/libpq.so
-
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
 RUN rustup target add arm-unknown-linux-gnueabi
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -109,32 +101,39 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/rpi-debian:buster
+FROM balenalib/rpi-debian:bullseye
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80
 
+# hadolint ignore=DL3059
 RUN [ "cross-build-start" ]
 
-# Install needed libraries
+# Create data folder and Install needed libraries
-RUN apt-get update && apt-get install -y \
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
     curl \
-    dumb-init \
     libmariadb-dev-compat \
     libpq5 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir /data
+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
 
+# hadolint ignore=DL3059
 RUN [ "cross-build-end" ]
 
 VOLUME /data
@@ -144,7 +143,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
 
@@ -153,6 +151,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/armv6/Dockerfile.alpine

@@ -0,0 +1,123 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:arm-musleabi-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
+ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN rustup target add arm-unknown-linux-musleabi
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/armv6/Dockerfile.buildx

@@ -0,0 +1,154 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.66-bullseye as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
+# Install required build libs for armel architecture.
+# hadolint ignore=DL3059
+RUN dpkg --add-architecture armel \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armel \
+        libc6-dev:armel \
+        libpq5:armel \
+        libpq-dev:armel \
+        libmariadb3:armel \
+        libmariadb-dev:armel \
+        libmariadb-dev-compat:armel \
+        gcc-arm-linux-gnueabi \
+    #
+    # Make sure cargo has the right target config
+    && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
+    && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
+    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-debian:bullseye
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadb-dev-compat \
+    libpq5 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
+# This symlink was there in the buster images, and for some reason this is needed.
+# hadolint ignore=DL3059
+RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/armv6/Dockerfile.buildx.alpine

@@ -0,0 +1,123 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:arm-musleabi-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
+ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/rpi-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/armv7/Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,54 +16,61 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM rust:1.51 as build
+FROM rust:1.66-bullseye as build
+
 
-# Debian-based builds support multidb
-ARG DB=sqlite,mysql,postgresql
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
-RUN rustup set profile minimal
 
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
 # Install required build libs for armhf architecture.
-# To compile both mysql and postgresql we need some extra packages for both host arch and target arch
+# hadolint ignore=DL3059
-RUN sed 's/^deb/deb-src/' /etc/apt/sources.list > \
+RUN dpkg --add-architecture armhf \
-        /etc/apt/sources.list.d/deb-src.list \
-    && dpkg --add-architecture armhf \
     && apt-get update \
     && apt-get install -y \
         --no-install-recommends \
         libssl-dev:armhf \
         libc6-dev:armhf \
         libpq5:armhf \
-        libpq-dev \
+        libpq-dev:armhf \
+        libmariadb3:armhf \
         libmariadb-dev:armhf \
-        libmariadb-dev-compat:armhf
+        libmariadb-dev-compat:armhf \
-
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
         gcc-arm-linux-gnueabihf \
-    && mkdir -p ~/.cargo \
+    #
-    && echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config \
+    # Make sure cargo has the right target config
-    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config \
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
+    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
 
-ENV CARGO_HOME "/root/.cargo"
-ENV USER "root"
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -72,33 +81,16 @@ COPY ./Cargo.* ./
 COPY ./rust-toolchain ./rust-toolchain
 COPY ./build.rs ./build.rs
 
-# NOTE: This should be the last apt-get/dpkg for this stage, since after this it will fail because of broken dependencies.
-# For Diesel-RS migrations_macros to compile with MySQL/MariaDB we need to do some magic.
-# We at least need libmariadb3:amd64 installed for the x86_64 version of libmariadb.so (client)
-# We also need the libmariadb-dev-compat:amd64 but it can not be installed together with the :armhf version.
-# What we can do is a force install, because nothing important is overlapping each other.
-RUN apt-get install -y --no-install-recommends libmariadb3:amd64 && \
-    apt-get download libmariadb-dev-compat:amd64 && \
-    dpkg --force-all -i ./libmariadb-dev-compat*.deb && \
-    rm -rvf ./libmariadb-dev-compat*.deb
-
-# For Diesel-RS migrations_macros to compile with PostgreSQL we need to do some magic.
-# The libpq5:armhf package seems to not provide a symlink to libpq.so.5 with the name libpq.so.
-# This is only provided by the libpq-dev package which can't be installed for both arch at the same time.
-# Without this specific file the ld command will fail and compilation fails with it.
-RUN ln -sfnr /usr/lib/arm-linux-gnueabihf/libpq.so.5 /usr/lib/arm-linux-gnueabihf/libpq.so
-
-ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc"
-ENV CROSS_COMPILE="1"
-ENV OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf"
-ENV OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
 RUN rustup target add armv7-unknown-linux-gnueabihf
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -109,32 +101,34 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-debian:buster
+FROM balenalib/armv7hf-debian:bullseye
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80
 
+# hadolint ignore=DL3059
 RUN [ "cross-build-start" ]
 
-# Install needed libraries
+# Create data folder and Install needed libraries
-RUN apt-get update && apt-get install -y \
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
     --no-install-recommends \
     openssl \
     ca-certificates \
     curl \
-    dumb-init \
     libmariadb-dev-compat \
     libpq5 \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir /data
+# hadolint ignore=DL3059
-
 RUN [ "cross-build-end" ]
 
 VOLUME /data
@@ -144,7 +138,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
 
@@ -153,6 +146,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/armv7/Dockerfile.alpine

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # This file was generated using a Jinja2 template.
 # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
 
@@ -14,31 +16,34 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2.19.0d
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.19.0d
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
-#     [vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233]
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
-#     [vaultwarden/web-vault:v2.19.0d]
+#     [vaultwarden/web-vault:v2022.12.0]
 #
-FROM vaultwarden/web-vault@sha256:a7bd6bc4db33bd45f723c4b1ac90918b7f80204560683cfc8efd9efd03a9b233 as vault
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
 
 ########################## BUILD IMAGE  ##########################
-FROM messense/rust-musl-cross:armv7-musleabihf as build
+FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.0 as build
+
 
-# Alpine-based ARM (musl) only supports sqlite during compile time.
-ARG DB=sqlite
 
 # Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 TZ=UTC TERM=xterm-256color
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
 
-# Don't download rust docs
-RUN rustup set profile minimal
 
-ENV USER "root"
+# Create CARGO_HOME folder and don't download rust docs
-ENV RUSTFLAGS='-C link-arg=-s'
+RUN mkdir -pv "${CARGO_HOME}" \
-ENV CFLAGS_armv7_unknown_linux_musleabihf="-mfpu=vfpv3-d16"
+    && rustup set profile minimal
+
 
 # Creates a dummy project used to grab dependencies
 RUN USER=root cargo new --bin /app
@@ -51,11 +56,15 @@ COPY ./build.rs ./build.rs
 
 RUN rustup target add armv7-unknown-linux-musleabihf
 
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
 # Builds your dependencies and removes the
 # dummy project, except the target folder
 # This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
-RUN find . -not -path "./target*" -delete
+    && find . -not -path "./target*" -delete
 
 # Copies the complete project
 # To avoid copying unneeded files, use .dockerignore
@@ -66,30 +75,32 @@ RUN touch src/main.rs
 
 # Builds again, this time it'll just be
 # your actual source files being built
+# hadolint ignore=DL3059
 RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
-RUN musl-strip target/armv7-unknown-linux-musleabihf/release/vaultwarden
 
 ######################## RUNTIME IMAGE  ########################
 # Create a new stage with a minimal image
 # because we already have a binary built
-FROM balenalib/armv7hf-alpine:3.13
+FROM balenalib/armv7hf-alpine:3.17
 
-ENV ROCKET_ENV "staging"
+ENV ROCKET_PROFILE="release" \
-ENV ROCKET_PORT=80
+    ROCKET_ADDRESS=0.0.0.0 \
-ENV ROCKET_WORKERS=10
+    ROCKET_PORT=80 \
-ENV SSL_CERT_DIR=/etc/ssl/certs
+    SSL_CERT_DIR=/etc/ssl/certs
 
+
+# hadolint ignore=DL3059
 RUN [ "cross-build-start" ]
 
-# Install needed libraries
+# Create data folder and Install needed libraries
-RUN apk add --no-cache \
+RUN mkdir /data \
+    && apk add --no-cache \
         openssl \
+        tzdata \
         curl \
-        dumb-init \
         ca-certificates
 
-RUN mkdir /data
+# hadolint ignore=DL3059
-
 RUN [ "cross-build-end" ]
 
 VOLUME /data
@@ -99,7 +110,6 @@ EXPOSE 3012
 # Copies the files from the context (Rocket.toml file and web-vault)
 # and the binary from the "build" stage to the current stage
 WORKDIR /
-COPY Rocket.toml .
 COPY --from=vault /web-vault ./web-vault
 COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
 
@@ -108,6 +118,4 @@ COPY docker/start.sh /start.sh
 
 HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
 
-# Configures the startup!
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/start.sh"]

docker/armv7/Dockerfile.buildx

@@ -0,0 +1,149 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM rust:1.66-bullseye as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+#
+# Install required build libs for armhf architecture.
+# hadolint ignore=DL3059
+RUN dpkg --add-architecture armhf \
+    && apt-get update \
+    && apt-get install -y \
+        --no-install-recommends \
+        libssl-dev:armhf \
+        libc6-dev:armhf \
+        libpq5:armhf \
+        libpq-dev:armhf \
+        libmariadb3:armhf \
+        libmariadb-dev:armhf \
+        libmariadb-dev-compat:armhf \
+        gcc-arm-linux-gnueabihf \
+    #
+    # Make sure cargo has the right target config
+    && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \
+    && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \
+    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config"
+
+# Set arm specific environment values
+ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \
+    CROSS_COMPILE="1" \
+    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \
+    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf"
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-debian:bullseye
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apt-get update && apt-get install -y \
+    --no-install-recommends \
+    openssl \
+    ca-certificates \
+    curl \
+    libmariadb-dev-compat \
+    libpq5 \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/armv7/Dockerfile.buildx.alpine

@@ -0,0 +1,121 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+####################### VAULT BUILD IMAGE  #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull vaultwarden/web-vault:v2022.12.0
+#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2022.12.0
+#     [vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e
+#     [vaultwarden/web-vault:v2022.12.0]
+#
+FROM vaultwarden/web-vault@sha256:068ac863d52a5626568ae3c7f93a509f87c76b1b15821b101f2707724df9da3e as vault
+
+########################## BUILD IMAGE  ##########################
+FROM blackdex/rust-musl:armv7-musleabihf-stable-1.66.0 as build
+
+
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain ./rust-toolchain
+COPY ./build.rs ./build.rs
+
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \
+    && find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Make sure that we actually build the project
+RUN touch src/main.rs
+
+# Builds again, this time it'll just be
+# your actual source files being built
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+FROM balenalib/armv7hf-alpine:3.17
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-start" ]
+
+# Create data folder and Install needed libraries
+RUN mkdir /data \
+    && apk add --no-cache \
+        openssl \
+        tzdata \
+        curl \
+        ca-certificates
+
+# hadolint ignore=DL3059
+RUN [ "cross-build-end" ]
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden .
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/healthcheck.sh

@@ -2,8 +2,8 @@
 
 # Use the value of the corresponding env var (if present),
 # or a default value otherwise.
-: ${DATA_FOLDER:="data"}
+: "${DATA_FOLDER:="data"}"
-: ${ROCKET_PORT:="80"}
+: "${ROCKET_PORT:="80"}"
 
 CONFIG_FILE="${DATA_FOLDER}"/config.json
 
@@ -45,9 +45,13 @@ if [ -r "${CONFIG_FILE}" ]; then
     fi
 fi
 
+addr="${ROCKET_ADDRESS}"
+if [ -z "${addr}" ] || [ "${addr}" = '0.0.0.0' ] || [ "${addr}" = '::' ]; then
+    addr='localhost'
+fi
 base_path="$(get_base_path "${DOMAIN}")"
 if [ -n "${ROCKET_TLS}" ]; then
     s='s'
 fi
 curl --insecure --fail --silent --show-error \
-     "http${s}://localhost:${ROCKET_PORT}${base_path}/alive" || exit 1
+     "http${s}://${addr}:${ROCKET_PORT}${base_path}/alive" || exit 1

docker/start.sh

@@ -9,15 +9,15 @@ fi
 
 if [ -d /etc/vaultwarden.d ]; then
     for f in /etc/vaultwarden.d/*.sh; do
-        if [ -r $f ]; then
+        if [ -r "${f}" ]; then
-            . $f
+            . "${f}"
         fi
     done
 elif [ -d /etc/bitwarden_rs.d ]; then
     echo "### You are using the old /etc/bitwarden_rs.d script directory, please migrate to /etc/vaultwarden.d ###"
     for f in /etc/bitwarden_rs.d/*.sh; do
-        if [ -r $f ]; then
+        if [ -r "${f}" ]; then
-            . $f
+            . "${f}"
         fi
     done
 fi

hooks/arches.sh

@@ -7,10 +7,5 @@ arches=(
 )
 
 if [[ "${DOCKER_TAG}" == *alpine ]]; then
-    # The Alpine image build currently only works for certain arches.
     distro_suffix=.alpine
-    arches=(
-        amd64
-        armv7
-    )
 fi

hooks/build

@@ -34,12 +34,17 @@ for label in "${LABELS[@]}"; do
     LABEL_ARGS+=(--label "${label}")
 done
 
+# Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildx as template
+if [[ -n "${DOCKER_BUILDKIT}" ]]; then
+    buildx_suffix=.buildx
+fi
+
 set -ex
 
 for arch in "${arches[@]}"; do
     docker build \
            "${LABEL_ARGS[@]}" \
            -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \
-           -f docker/${arch}/Dockerfile${distro_suffix} \
+           -f docker/${arch}/Dockerfile${buildx_suffix}${distro_suffix} \
            .
 done

hooks/push

@@ -10,7 +10,7 @@ join() { local IFS="$1"; shift; echo "$*"; }
 
 set -ex
 
-echo ">>> Starting local Docker registry..."
+echo ">>> Starting local Docker registry when needed..."
 
 # Docker Buildx's `docker-container` driver is needed for multi-platform
 # builds, but it can't access existing images on the Docker host (like the
@@ -25,7 +25,13 @@ echo ">>> Starting local Docker registry..."
 # Use host networking so the buildx container can access the registry via
 # localhost.
 #
-docker run -d --name registry --network host registry:2 # defaults to port 5000
+# First check if there already is a registry container running, else skip it.
+# This will only happen either locally or running it via Github Actions
+#
+if ! timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/5000'; then
+    # defaults to port 5000
+    docker run -d --name registry --network host registry:2
+fi
 
 # Docker Hub sets a `DOCKER_REPO` env var with the format `index.docker.io/user/repo`.
 # Strip the registry portion to construct a local repo path for use in `Dockerfile.buildx`.
@@ -49,7 +55,12 @@ echo ">>> Setting up Docker Buildx..."
 #
 # Ref: https://github.com/docker/buildx/issues/94#issuecomment-534367714
 #
-docker buildx create --name builder --use --driver-opt network=host
+# Check if there already is a builder running, else skip this and use the existing.
+# This will only happen either locally or running it via Github Actions
+#
+if ! docker buildx inspect builder > /dev/null 2>&1 ; then
+    docker buildx create --name builder --use --driver-opt network=host
+fi
 
 echo ">>> Running Docker Buildx..."
 

migrations/mysql/2021-04-30-233251_add_reprompt/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE ciphers
+ADD COLUMN reprompt INTEGER;

migrations/mysql/2021-05-11-205202_add_hide_email/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sends
+ADD COLUMN hide_email BOOLEAN;

migrations/mysql/2021-07-01-203140_add_password_reset_keys/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE organizations
+  ADD COLUMN private_key TEXT;
+
+ALTER TABLE organizations
+  ADD COLUMN public_key TEXT;

migrations/mysql/2021-08-30-193501_create_emergency_access/down.sql

@@ -0,0 +1 @@
+DROP TABLE emergency_access;

migrations/mysql/2021-08-30-193501_create_emergency_access/up.sql

@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+  uuid                      CHAR(36)     NOT NULL PRIMARY KEY,
+  grantor_uuid              CHAR(36)     REFERENCES users (uuid),
+  grantee_uuid              CHAR(36)     REFERENCES users (uuid),
+  email                     VARCHAR(255),
+  key_encrypted             TEXT,
+  atype                     INTEGER  NOT NULL,
+  status                    INTEGER  NOT NULL,
+  wait_time_days            INTEGER  NOT NULL,
+  recovery_initiated_at     DATETIME,
+  last_notification_at      DATETIME,
+  updated_at                DATETIME NOT NULL,
+  created_at                DATETIME NOT NULL
+);

migrations/mysql/2021-10-24-164321_add_2fa_incomplete/down.sql

@@ -0,0 +1 @@
+DROP TABLE twofactor_incomplete;

migrations/mysql/2021-10-24-164321_add_2fa_incomplete/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE twofactor_incomplete (
+  user_uuid   CHAR(36) NOT NULL REFERENCES users(uuid),
+  device_uuid CHAR(36) NOT NULL,
+  device_name TEXT     NOT NULL,
+  login_time  DATETIME NOT NULL,
+  ip_address  TEXT     NOT NULL,
+
+  PRIMARY KEY (user_uuid, device_uuid)
+);

migrations/mysql/2022-01-17-234911_add_api_key/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN api_key VARCHAR(255);

migrations/mysql/2022-03-02-210038_update_devices_primary_key/up.sql

@@ -0,0 +1,4 @@
+-- First remove the previous primary key
+ALTER TABLE devices DROP PRIMARY KEY;
+-- Add a new combined one
+ALTER TABLE devices ADD PRIMARY KEY (uuid, user_uuid);

migrations/mysql/2022-07-27-110000_add_group_support/down.sql

@@ -0,0 +1,3 @@
+DROP TABLE `groups`;
+DROP TABLE groups_users;
+DROP TABLE collections_groups;

migrations/mysql/2022-07-27-110000_add_group_support/up.sql

@@ -0,0 +1,23 @@
+CREATE TABLE `groups` (
+  uuid                              CHAR(36) NOT NULL PRIMARY KEY,
+  organizations_uuid                VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name                              VARCHAR(100) NOT NULL,
+  access_all                        BOOLEAN NOT NULL,
+  external_id                       VARCHAR(300) NULL,
+  creation_date                     DATETIME NOT NULL,
+  revision_date                     DATETIME NOT NULL
+);
+
+CREATE TABLE groups_users (
+  groups_uuid                       CHAR(36) NOT NULL REFERENCES `groups` (uuid),
+  users_organizations_uuid          VARCHAR(36) NOT NULL REFERENCES users_organizations (uuid),
+  UNIQUE (groups_uuid, users_organizations_uuid)
+);
+
+CREATE TABLE collections_groups (
+  collections_uuid                  VARCHAR(40) NOT NULL REFERENCES collections (uuid),
+  groups_uuid                       CHAR(36) NOT NULL REFERENCES `groups` (uuid),
+  read_only                         BOOLEAN NOT NULL,
+  hide_passwords                    BOOLEAN NOT NULL,
+  UNIQUE (collections_uuid, groups_uuid)
+);

migrations/mysql/2022-10-18-170602_add_events/down.sql

@@ -0,0 +1 @@
+DROP TABLE event;

migrations/mysql/2022-10-18-170602_add_events/up.sql

@@ -0,0 +1,19 @@
+CREATE TABLE event (
+  uuid               CHAR(36)    NOT NULL PRIMARY KEY,
+  event_type         INTEGER     NOT NULL,
+  user_uuid          CHAR(36),
+  org_uuid           CHAR(36),
+  cipher_uuid        CHAR(36),
+  collection_uuid    CHAR(36),
+  group_uuid         CHAR(36),
+  org_user_uuid      CHAR(36),
+  act_user_uuid      CHAR(36),
+  device_type        INTEGER,
+  ip_address         TEXT,
+  event_date         DATETIME    NOT NULL,
+  policy_uuid        CHAR(36),
+  provider_uuid      CHAR(36),
+  provider_user_uuid CHAR(36),
+  provider_org_uuid  CHAR(36),
+  UNIQUE (uuid)
+);

migrations/postgresql/2021-04-30-233251_add_reprompt/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE ciphers
+ADD COLUMN reprompt INTEGER;

migrations/postgresql/2021-05-11-205202_add_hide_email/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sends
+ADD COLUMN hide_email BOOLEAN;

migrations/postgresql/2021-07-01-203140_add_password_reset_keys/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE organizations
+  ADD COLUMN private_key TEXT;
+
+ALTER TABLE organizations
+  ADD COLUMN public_key TEXT;

migrations/postgresql/2021-08-30-193501_create_emergency_access/down.sql

@@ -0,0 +1 @@
+DROP TABLE emergency_access;

migrations/postgresql/2021-08-30-193501_create_emergency_access/up.sql

@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+  uuid                      CHAR(36)     NOT NULL PRIMARY KEY,
+  grantor_uuid              CHAR(36)     REFERENCES users (uuid),
+  grantee_uuid              CHAR(36)     REFERENCES users (uuid),
+  email                     VARCHAR(255),
+  key_encrypted             TEXT,
+  atype                     INTEGER  NOT NULL,
+  status                    INTEGER  NOT NULL,
+  wait_time_days            INTEGER  NOT NULL,
+  recovery_initiated_at     TIMESTAMP,
+  last_notification_at      TIMESTAMP,
+  updated_at                TIMESTAMP NOT NULL,
+  created_at                TIMESTAMP NOT NULL
+);

migrations/postgresql/2021-10-24-164321_add_2fa_incomplete/down.sql

@@ -0,0 +1 @@
+DROP TABLE twofactor_incomplete;

migrations/postgresql/2021-10-24-164321_add_2fa_incomplete/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE twofactor_incomplete (
+  user_uuid   VARCHAR(40) NOT NULL REFERENCES users(uuid),
+  device_uuid VARCHAR(40) NOT NULL,
+  device_name TEXT        NOT NULL,
+  login_time  TIMESTAMP   NOT NULL,
+  ip_address  TEXT        NOT NULL,
+
+  PRIMARY KEY (user_uuid, device_uuid)
+);

migrations/postgresql/2022-01-17-234911_add_api_key/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN api_key TEXT;

migrations/postgresql/2022-03-02-210038_update_devices_primary_key/up.sql

@@ -0,0 +1,4 @@
+-- First remove the previous primary key
+ALTER TABLE devices DROP CONSTRAINT devices_pkey;
+-- Add a new combined one
+ALTER TABLE devices ADD PRIMARY KEY (uuid, user_uuid);

migrations/postgresql/2022-07-27-110000_add_group_support/down.sql

@@ -0,0 +1,3 @@
+DROP TABLE groups;
+DROP TABLE groups_users;
+DROP TABLE collections_groups;

migrations/postgresql/2022-07-27-110000_add_group_support/up.sql

@@ -0,0 +1,23 @@
+CREATE TABLE groups (
+  uuid                              CHAR(36) NOT NULL PRIMARY KEY,
+  organizations_uuid                 VARCHAR(40) NOT NULL REFERENCES organizations (uuid),
+  name                              VARCHAR(100) NOT NULL,
+  access_all                        BOOLEAN NOT NULL,
+  external_id                       VARCHAR(300) NULL,
+  creation_date                     TIMESTAMP NOT NULL,
+  revision_date                     TIMESTAMP NOT NULL
+);
+
+CREATE TABLE groups_users (
+  groups_uuid                       CHAR(36) NOT NULL REFERENCES groups (uuid),
+  users_organizations_uuid          VARCHAR(36) NOT NULL REFERENCES users_organizations (uuid),
+  PRIMARY KEY (groups_uuid, users_organizations_uuid)
+);
+
+CREATE TABLE collections_groups (
+  collections_uuid                  VARCHAR(40) NOT NULL REFERENCES collections (uuid),
+  groups_uuid                       CHAR(36) NOT NULL REFERENCES groups (uuid),
+  read_only                         BOOLEAN NOT NULL,
+  hide_passwords                    BOOLEAN NOT NULL,
+  PRIMARY KEY (collections_uuid, groups_uuid)
+);

migrations/postgresql/2022-10-18-170602_add_events/down.sql

@@ -0,0 +1 @@
+DROP TABLE event;

migrations/postgresql/2022-10-18-170602_add_events/up.sql

@@ -0,0 +1,19 @@
+CREATE TABLE event (
+  uuid               CHAR(36)        NOT NULL PRIMARY KEY,
+  event_type         INTEGER     NOT NULL,
+  user_uuid          CHAR(36),
+  org_uuid           CHAR(36),
+  cipher_uuid        CHAR(36),
+  collection_uuid    CHAR(36),
+  group_uuid         CHAR(36),
+  org_user_uuid      CHAR(36),
+  act_user_uuid      CHAR(36),
+  device_type        INTEGER,
+  ip_address         TEXT,
+  event_date         TIMESTAMP    NOT NULL,
+  policy_uuid        CHAR(36),
+  provider_uuid      CHAR(36),
+  provider_user_uuid CHAR(36),
+  provider_org_uuid  CHAR(36),
+  UNIQUE (uuid)
+);

migrations/sqlite/2021-04-30-233251_add_reprompt/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE ciphers
+ADD COLUMN reprompt INTEGER;

migrations/sqlite/2021-05-11-205202_add_hide_email/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sends
+ADD COLUMN hide_email BOOLEAN;

migrations/sqlite/2021-07-01-203140_add_password_reset_keys/up.sql

@@ -0,0 +1,5 @@
+ALTER TABLE organizations
+  ADD COLUMN private_key TEXT;
+
+ALTER TABLE organizations
+  ADD COLUMN public_key TEXT;

migrations/sqlite/2021-08-30-193501_create_emergency_access/down.sql

@@ -0,0 +1 @@
+DROP TABLE emergency_access;

migrations/sqlite/2021-08-30-193501_create_emergency_access/up.sql

@@ -0,0 +1,14 @@
+CREATE TABLE emergency_access (
+  uuid                      TEXT     NOT NULL PRIMARY KEY,
+  grantor_uuid              TEXT     REFERENCES users (uuid),
+  grantee_uuid              TEXT     REFERENCES users (uuid),
+  email                     TEXT,
+  key_encrypted             TEXT,
+  atype                     INTEGER  NOT NULL,
+  status                    INTEGER  NOT NULL,
+  wait_time_days            INTEGER  NOT NULL,
+  recovery_initiated_at     DATETIME,
+  last_notification_at      DATETIME,
+  updated_at                DATETIME NOT NULL,
+  created_at                DATETIME NOT NULL
+);

migrations/sqlite/2021-10-24-164321_add_2fa_incomplete/down.sql

@@ -0,0 +1 @@
+DROP TABLE twofactor_incomplete;

migrations/sqlite/2021-10-24-164321_add_2fa_incomplete/up.sql

@@ -0,0 +1,9 @@
+CREATE TABLE twofactor_incomplete (
+  user_uuid   TEXT     NOT NULL REFERENCES users(uuid),
+  device_uuid TEXT     NOT NULL,
+  device_name TEXT     NOT NULL,
+  login_time  DATETIME NOT NULL,
+  ip_address  TEXT     NOT NULL,
+
+  PRIMARY KEY (user_uuid, device_uuid)
+);

migrations/sqlite/2022-01-17-234911_add_api_key/up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE users
+ADD COLUMN api_key TEXT;

migrations/sqlite/2022-03-02-210038_update_devices_primary_key/up.sql

@@ -0,0 +1,23 @@
+-- Create new devices table with primary keys on both uuid and user_uuid
+CREATE TABLE devices_new (
+	uuid	TEXT NOT NULL,
+	created_at	DATETIME NOT NULL,
+	updated_at	DATETIME NOT NULL,
+	user_uuid	TEXT NOT NULL,
+	name	TEXT NOT NULL,
+	atype	INTEGER NOT NULL,
+	push_token	TEXT,
+	refresh_token	TEXT NOT NULL,
+	twofactor_remember	TEXT,
+	PRIMARY KEY(uuid, user_uuid),
+	FOREIGN KEY(user_uuid) REFERENCES users(uuid)
+);
+
+-- Transfer current data to new table
+INSERT INTO devices_new SELECT * FROM devices;
+
+-- Drop the old table
+DROP TABLE devices;
+
+-- Rename the new table to the original name
+ALTER TABLE devices_new RENAME TO devices;

migrations/sqlite/2022-07-27-110000_add_group_support/down.sql

@@ -0,0 +1,3 @@
+DROP TABLE groups;
+DROP TABLE groups_users;
+DROP TABLE collections_groups;

migrations/sqlite/2022-07-27-110000_add_group_support/up.sql

@@ -0,0 +1,23 @@
+CREATE TABLE groups (
+  uuid                              TEXT NOT NULL PRIMARY KEY,
+  organizations_uuid                TEXT NOT NULL REFERENCES organizations (uuid),
+  name                              TEXT NOT NULL,
+  access_all                        BOOLEAN NOT NULL,
+  external_id                       TEXT NULL,
+  creation_date                     TIMESTAMP NOT NULL,
+  revision_date                     TIMESTAMP NOT NULL
+);
+
+CREATE TABLE groups_users (
+  groups_uuid                       TEXT NOT NULL REFERENCES groups (uuid),
+  users_organizations_uuid          TEXT NOT NULL REFERENCES users_organizations (uuid),
+  UNIQUE (groups_uuid, users_organizations_uuid)
+);
+
+CREATE TABLE collections_groups (
+  collections_uuid                  TEXT NOT NULL REFERENCES collections (uuid),
+  groups_uuid                       TEXT NOT NULL REFERENCES groups (uuid),
+  read_only                         BOOLEAN NOT NULL,
+  hide_passwords                    BOOLEAN NOT NULL,
+  UNIQUE (collections_uuid, groups_uuid)
+);

migrations/sqlite/2022-10-18-170602_add_events/down.sql

@@ -0,0 +1 @@
+DROP TABLE event;

migrations/sqlite/2022-10-18-170602_add_events/up.sql

@@ -0,0 +1,19 @@
+CREATE TABLE event (
+  uuid               TEXT        NOT NULL PRIMARY KEY,
+  event_type         INTEGER     NOT NULL,
+  user_uuid          TEXT,
+  org_uuid           TEXT,
+  cipher_uuid        TEXT,
+  collection_uuid    TEXT,
+  group_uuid         TEXT,
+  org_user_uuid      TEXT,
+  act_user_uuid      TEXT,
+  device_type        INTEGER,
+  ip_address         TEXT,
+  event_date         DATETIME    NOT NULL,
+  policy_uuid        TEXT,
+  provider_uuid      TEXT,
+  provider_user_uuid TEXT,
+  provider_org_uuid  TEXT,
+  UNIQUE (uuid)
+);

resources/404.svg

@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="500"
+   height="222"
+   viewBox="0 0 500 222"
+   version="1.1"
+   id="svg5"
+   xml:space="preserve"
+   inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)"
+   sodipodi:docname="404.svg"
+   inkscape:export-filename="404.png"
+   inkscape:export-xdpi="96"
+   inkscape:export-ydpi="96"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview7"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="px"
+     showgrid="false"
+     inkscape:zoom="1.3791767"
+     inkscape:cx="284.59007"
+     inkscape:cy="214.25826"
+     inkscape:window-width="1916"
+     inkscape:window-height="1038"
+     inkscape:window-x="0"
+     inkscape:window-y="18"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="layer1"
+     showguides="false" /><defs
+     id="defs2"><mask
+       id="holes"><rect
+         x="-60"
+         y="-60"
+         width="120"
+         height="120"
+         fill="#ffffff"
+         id="rect3296" /><circle
+         id="hole"
+         cy="-40"
+         r="3"
+         cx="0" /><use
+         transform="rotate(72)"
+         xlink:href="#hole"
+         id="use3299" /><use
+         transform="rotate(144)"
+         xlink:href="#hole"
+         id="use3301" /><use
+         transform="rotate(-144)"
+         xlink:href="#hole"
+         id="use3303" /><use
+         transform="rotate(-72)"
+         xlink:href="#hole"
+         id="use3305" /></mask></defs><g
+     inkscape:label="Ebene 1"
+     inkscape:groupmode="layer"
+     id="layer1"><rect
+       style="fill:none;fill-opacity:0.5;stroke:none;stroke-width:0.74;stroke-opacity:1"
+       id="rect681"
+       width="666"
+       height="222"
+       x="0"
+       y="0" /><text
+       xml:space="preserve"
+       style="font-size:128px;line-height:1.25;font-family:'Open Sans';-inkscape-font-specification:'Open Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:0.7;stroke-width:1"
+       x="249.9375"
+       y="134.8125"
+       id="text3425"><tspan
+         id="tspan3423"
+         x="249.9375"
+         y="134.8125"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:128px;font-family:'Open Sans';-inkscape-font-specification:'Open Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:0.7;stroke-width:1"
+         sodipodi:role="line">404</tspan></text><text
+       xml:space="preserve"
+       style="font-size:26.6667px;line-height:1.25;font-family:'Open Sans';-inkscape-font-specification:'Open Sans';text-align:center;text-anchor:middle"
+       x="249.04297"
+       y="194.68582"
+       id="text4067"><tspan
+         sodipodi:role="line"
+         id="tspan4065"
+         x="249.04295"
+         y="194.68582"
+         style="font-size:26.6667px;text-align:center;text-anchor:middle;fill:#000000;fill-opacity:0.7">Return to the web vault?</tspan></text></g></svg>

resources/vaultwarden-icon-white.svg

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg version="1.1" viewBox="0 0 256 256" id="svg3917" sodipodi:docname="vaultwarden-icon-white.svg" inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)" width="256" height="256" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs3921" />
+  <sodipodi:namedview id="namedview3919" pagecolor="#000000" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#202020" showgrid="false" inkscape:zoom="3.3359375" inkscape:cx="128" inkscape:cy="128" inkscape:window-width="1874" inkscape:window-height="1056" inkscape:window-x="46" inkscape:window-y="24" inkscape:window-maximized="1" inkscape:current-layer="svg3917" />
+  <title id="title3817">Vaultwarden Icon - White</title>
+  <g id="logo" transform="matrix(2.4381018,0,0,2.4381018,128,128)">
+    <g id="gear" mask="url(#holes)" stroke="#fff">
+      <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" fill="#fff" stroke-width="4.51171" id="path3819" />
+      <circle transform="scale(-1,1)" r="43" fill="none" stroke-width="9" id="circle3821" />
+      <g id="cogs" transform="scale(-1,1)">
+        <polygon id="cog" points="51 0 46 -3 46 3" fill="#fff" stroke="#fff" stroke-linejoin="round" stroke-width="3" />
+        <g fill="#fff" stroke="#fff" id="g3886">
+          <use transform="rotate(11.25)" xlink:href="#cog" id="use3824" />
+          <use transform="rotate(22.5)" xlink:href="#cog" id="use3826" />
+          <use transform="rotate(33.75)" xlink:href="#cog" id="use3828" />
+          <use transform="rotate(45)" xlink:href="#cog" id="use3830" />
+          <use transform="rotate(56.25)" xlink:href="#cog" id="use3832" />
+          <use transform="rotate(67.5)" xlink:href="#cog" id="use3834" />
+          <use transform="rotate(78.75)" xlink:href="#cog" id="use3836" />
+          <use transform="rotate(90)" xlink:href="#cog" id="use3838" />
+          <use transform="rotate(101.25)" xlink:href="#cog" id="use3840" />
+          <use transform="rotate(112.5)" xlink:href="#cog" id="use3842" />
+          <use transform="rotate(123.75)" xlink:href="#cog" id="use3844" />
+          <use transform="rotate(135)" xlink:href="#cog" id="use3846" />
+          <use transform="rotate(146.25)" xlink:href="#cog" id="use3848" />
+          <use transform="rotate(157.5)" xlink:href="#cog" id="use3850" />
+          <use transform="rotate(168.75)" xlink:href="#cog" id="use3852" />
+          <use transform="scale(-1)" xlink:href="#cog" id="use3854" />
+          <use transform="rotate(191.25)" xlink:href="#cog" id="use3856" />
+          <use transform="rotate(202.5)" xlink:href="#cog" id="use3858" />
+          <use transform="rotate(213.75)" xlink:href="#cog" id="use3860" />
+          <use transform="rotate(225)" xlink:href="#cog" id="use3862" />
+          <use transform="rotate(236.25)" xlink:href="#cog" id="use3864" />
+          <use transform="rotate(247.5)" xlink:href="#cog" id="use3866" />
+          <use transform="rotate(258.75)" xlink:href="#cog" id="use3868" />
+          <use transform="rotate(-90)" xlink:href="#cog" id="use3870" />
+          <use transform="rotate(-78.75)" xlink:href="#cog" id="use3872" />
+          <use transform="rotate(-67.5)" xlink:href="#cog" id="use3874" />
+          <use transform="rotate(-56.25)" xlink:href="#cog" id="use3876" />
+          <use transform="rotate(-45)" xlink:href="#cog" id="use3878" />
+          <use transform="rotate(-33.75)" xlink:href="#cog" id="use3880" />
+          <use transform="rotate(-22.5)" xlink:href="#cog" id="use3882" />
+          <use transform="rotate(-11.25)" xlink:href="#cog" id="use3884" />
+        </g>
+      </g>
+      <g id="mounts" transform="scale(-1,1)">
+        <polygon id="mount" points="0 -35 7 -42 -7 -42" fill="#fff" stroke="#fff" stroke-linejoin="round" stroke-width="6" />
+        <g fill="#fff" stroke="#fff" id="g3898">
+          <use transform="rotate(72)" xlink:href="#mount" id="use3890" />
+          <use transform="rotate(144)" xlink:href="#mount" id="use3892" />
+          <use transform="rotate(216)" xlink:href="#mount" id="use3894" />
+          <use transform="rotate(-72)" xlink:href="#mount" id="use3896" />
+        </g>
+      </g>
+    </g>
+    <mask id="holes">
+      <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect3902" />
+      <circle id="hole" cy="-40" r="3" />
+      <use transform="rotate(72)" xlink:href="#hole" id="use3905" />
+      <use transform="rotate(144)" xlink:href="#hole" id="use3907" />
+      <use transform="rotate(216)" xlink:href="#hole" id="use3909" />
+      <use transform="rotate(-72)" xlink:href="#hole" id="use3911" />
+    </mask>
+  </g>
+  <metadata id="metadata3915">
+    <rdf:RDF>
+      <cc:Work rdf:about="">
+        <dc:title>Vaultwarden Icon - White</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Mathijs van Veluw</dc:title>
+          </cc:Agent>
+        </dc:creator>
+        <dc:relation>Rust Logo</dc:relation>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+</svg>

resources/vaultwarden-icon.svg

@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg version="1.1" viewBox="0 0 256 256" id="svg383" sodipodi:docname="vaultwarden-icon.svg" inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)" width="256" height="256" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <defs id="defs387" />
+  <sodipodi:namedview id="namedview385" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" showgrid="false" inkscape:zoom="3.3359375" inkscape:cx="128" inkscape:cy="128" inkscape:window-width="1874" inkscape:window-height="1056" inkscape:window-x="46" inkscape:window-y="24" inkscape:window-maximized="1" inkscape:current-layer="svg383" />
+  <title id="title287">Vaultwarden Icon</title>
+  <g id="logo" transform="matrix(2.4381018,0,0,2.4381018,128,128)">
+    <g id="gear" mask="url(#holes)">
+      <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" stroke="#000" stroke-width="4.51171" id="path289" />
+      <circle transform="scale(-1,1)" r="43" fill="none" stroke="#000" stroke-width="9" id="circle291" />
+      <g id="cogs" transform="scale(-1,1)">
+        <polygon id="cog" points="51 0 46 -3 46 3" stroke="#000" stroke-linejoin="round" stroke-width="3" />
+        <use transform="rotate(11.25)" xlink:href="#cog" id="use294" />
+        <use transform="rotate(22.5)" xlink:href="#cog" id="use296" />
+        <use transform="rotate(33.75)" xlink:href="#cog" id="use298" />
+        <use transform="rotate(45)" xlink:href="#cog" id="use300" />
+        <use transform="rotate(56.25)" xlink:href="#cog" id="use302" />
+        <use transform="rotate(67.5)" xlink:href="#cog" id="use304" />
+        <use transform="rotate(78.75)" xlink:href="#cog" id="use306" />
+        <use transform="rotate(90)" xlink:href="#cog" id="use308" />
+        <use transform="rotate(101.25)" xlink:href="#cog" id="use310" />
+        <use transform="rotate(112.5)" xlink:href="#cog" id="use312" />
+        <use transform="rotate(123.75)" xlink:href="#cog" id="use314" />
+        <use transform="rotate(135)" xlink:href="#cog" id="use316" />
+        <use transform="rotate(146.25)" xlink:href="#cog" id="use318" />
+        <use transform="rotate(157.5)" xlink:href="#cog" id="use320" />
+        <use transform="rotate(168.75)" xlink:href="#cog" id="use322" />
+        <use transform="scale(-1)" xlink:href="#cog" id="use324" />
+        <use transform="rotate(191.25)" xlink:href="#cog" id="use326" />
+        <use transform="rotate(202.5)" xlink:href="#cog" id="use328" />
+        <use transform="rotate(213.75)" xlink:href="#cog" id="use330" />
+        <use transform="rotate(225)" xlink:href="#cog" id="use332" />
+        <use transform="rotate(236.25)" xlink:href="#cog" id="use334" />
+        <use transform="rotate(247.5)" xlink:href="#cog" id="use336" />
+        <use transform="rotate(258.75)" xlink:href="#cog" id="use338" />
+        <use transform="rotate(-90)" xlink:href="#cog" id="use340" />
+        <use transform="rotate(-78.75)" xlink:href="#cog" id="use342" />
+        <use transform="rotate(-67.5)" xlink:href="#cog" id="use344" />
+        <use transform="rotate(-56.25)" xlink:href="#cog" id="use346" />
+        <use transform="rotate(-45)" xlink:href="#cog" id="use348" />
+        <use transform="rotate(-33.75)" xlink:href="#cog" id="use350" />
+        <use transform="rotate(-22.5)" xlink:href="#cog" id="use352" />
+        <use transform="rotate(-11.25)" xlink:href="#cog" id="use354" />
+      </g>
+      <g id="mounts" transform="scale(-1,1)">
+        <polygon id="mount" points="0 -35 7 -42 -7 -42" stroke="#000" stroke-linejoin="round" stroke-width="6" />
+        <use transform="rotate(72)" xlink:href="#mount" id="use358" />
+        <use transform="rotate(144)" xlink:href="#mount" id="use360" />
+        <use transform="rotate(216)" xlink:href="#mount" id="use362" />
+        <use transform="rotate(-72)" xlink:href="#mount" id="use364" />
+      </g>
+    </g>
+    <mask id="holes">
+      <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect368" />
+      <circle id="hole" cy="-40" r="3" />
+      <use transform="rotate(72)" xlink:href="#hole" id="use371" />
+      <use transform="rotate(144)" xlink:href="#hole" id="use373" />
+      <use transform="rotate(216)" xlink:href="#hole" id="use375" />
+      <use transform="rotate(-72)" xlink:href="#hole" id="use377" />
+    </mask>
+  </g>
+  <metadata id="metadata381">
+    <rdf:RDF>
+      <cc:Work rdf:about="">
+        <dc:title>Vaultwarden Icon</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Mathijs van Veluw</dc:title>
+          </cc:Agent>
+        </dc:creator>
+        <dc:relation>Rust Logo</dc:relation>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+</svg>

resources/vaultwarden-logo-white.svg

@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="1365.8256" height="280.48944" version="1.1" viewBox="0 0 1365.8255 280.48944" id="svg3412" sodipodi:docname="vaultwarden-logo.svg" inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <sodipodi:namedview id="namedview3414" pagecolor="#000000" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#202020" showgrid="false" inkscape:zoom="0.95107314" inkscape:cx="683.4385" inkscape:cy="139.84203" inkscape:window-width="1874" inkscape:window-height="1056" inkscape:window-x="46" inkscape:window-y="24" inkscape:window-maximized="1" inkscape:current-layer="svg3412" />
+  <title id="title3292">Vaultwarden Logo - White</title>
+  <defs id="defs3308">
+    <mask id="holes">
+      <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect3296" />
+      <circle id="hole" cy="-40" r="3" />
+      <use transform="rotate(72)" xlink:href="#hole" id="use3299" />
+      <use transform="rotate(144)" xlink:href="#hole" id="use3301" />
+      <use transform="rotate(216)" xlink:href="#hole" id="use3303" />
+      <use transform="rotate(-72)" xlink:href="#hole" id="use3305" />
+    </mask>
+  </defs>
+  <text transform="translate(-10.708266,-9.2965379)" x="286.59244" y="223.43649" fill="#e6e6e6" font-family="'Open Sans'" font-size="200px" style="line-height:1.25" xml:space="preserve" id="text3314"><tspan x="286.59244" y="223.43649" font-family="'Open Sans'" font-size="200px" id="tspan3312"><tspan font-family="'Open Sans'" font-size="200px" font-weight="bold" id="tspan3310">ault</tspan>warden</tspan></text>
+  <g transform="translate(-10.708266,-9.2965379)" id="g3410">
+    <g id="logo" transform="matrix(2.6712834,0,0,2.6712834,150.95027,149.53854)">
+      <g id="gear" mask="url(#holes)">
+        <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" fill="#e6e6e6" stroke="#e6e6e6" stroke-width="4.51171" id="path3316" />
+        <circle transform="scale(-1,1)" r="43" fill="none" stroke="#e6e6e6" stroke-width="9" id="circle3318" />
+        <g id="cogs" transform="scale(-1,1)">
+          <polygon id="cog" points="46 -3 46 3 51 0" fill="#e6e6e6" stroke="#e6e6e6" stroke-linejoin="round" stroke-width="3" />
+          <use transform="rotate(11.25)" xlink:href="#cog" id="use3321" />
+          <use transform="rotate(22.5)" xlink:href="#cog" id="use3323" />
+          <use transform="rotate(33.75)" xlink:href="#cog" id="use3325" />
+          <use transform="rotate(45)" xlink:href="#cog" id="use3327" />
+          <use transform="rotate(56.25)" xlink:href="#cog" id="use3329" />
+          <use transform="rotate(67.5)" xlink:href="#cog" id="use3331" />
+          <use transform="rotate(78.75)" xlink:href="#cog" id="use3333" />
+          <use transform="rotate(90)" xlink:href="#cog" id="use3335" />
+          <use transform="rotate(101.25)" xlink:href="#cog" id="use3337" />
+          <use transform="rotate(112.5)" xlink:href="#cog" id="use3339" />
+          <use transform="rotate(123.75)" xlink:href="#cog" id="use3341" />
+          <use transform="rotate(135)" xlink:href="#cog" id="use3343" />
+          <use transform="rotate(146.25)" xlink:href="#cog" id="use3345" />
+          <use transform="rotate(157.5)" xlink:href="#cog" id="use3347" />
+          <use transform="rotate(168.75)" xlink:href="#cog" id="use3349" />
+          <use transform="scale(-1)" xlink:href="#cog" id="use3351" />
+          <use transform="rotate(191.25)" xlink:href="#cog" id="use3353" />
+          <use transform="rotate(202.5)" xlink:href="#cog" id="use3355" />
+          <use transform="rotate(213.75)" xlink:href="#cog" id="use3357" />
+          <use transform="rotate(225)" xlink:href="#cog" id="use3359" />
+          <use transform="rotate(236.25)" xlink:href="#cog" id="use3361" />
+          <use transform="rotate(247.5)" xlink:href="#cog" id="use3363" />
+          <use transform="rotate(258.75)" xlink:href="#cog" id="use3365" />
+          <use transform="rotate(-90)" xlink:href="#cog" id="use3367" />
+          <use transform="rotate(-78.75)" xlink:href="#cog" id="use3369" />
+          <use transform="rotate(-67.5)" xlink:href="#cog" id="use3371" />
+          <use transform="rotate(-56.25)" xlink:href="#cog" id="use3373" />
+          <use transform="rotate(-45)" xlink:href="#cog" id="use3375" />
+          <use transform="rotate(-33.75)" xlink:href="#cog" id="use3377" />
+          <use transform="rotate(-22.5)" xlink:href="#cog" id="use3379" />
+          <use transform="rotate(-11.25)" xlink:href="#cog" id="use3381" />
+        </g>
+        <g id="mounts" transform="scale(-1,1)">
+          <polygon id="mount" points="7 -42 -7 -42 0 -35" stroke="#e6e6e6" stroke-linejoin="round" stroke-width="6" />
+          <use transform="rotate(72)" xlink:href="#mount" id="use3385" />
+          <use transform="rotate(144)" xlink:href="#mount" id="use3387" />
+          <use transform="rotate(216)" xlink:href="#mount" id="use3389" />
+          <use transform="rotate(-72)" xlink:href="#mount" id="use3391" />
+        </g>
+      </g>
+      <mask id="mask3407">
+        <rect x="-60" y="-60" width="120" height="120" fill="#e6e6e6" id="rect3395" />
+        <circle cy="-40" r="3" id="circle3397" />
+        <use transform="rotate(72)" xlink:href="#hole" id="use3399" />
+        <use transform="rotate(144)" xlink:href="#hole" id="use3401" />
+        <use transform="rotate(216)" xlink:href="#hole" id="use3403" />
+        <use transform="rotate(-72)" xlink:href="#hole" id="use3405" />
+      </mask>
+    </g>
+  </g>
+  <metadata id="metadata3294">
+    <rdf:RDF>
+      <cc:Work rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title>Vaultwarden Logo - White</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Mathijs van Veluw</dc:title>
+          </cc:Agent>
+        </dc:creator>
+        <dc:relation>Rust Logo</dc:relation>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+</svg>

resources/vaultwarden-logo.svg

@@ -0,0 +1,88 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="1365.8256" height="280.48944" version="1.1" viewBox="0 0 1365.8255 280.48944" id="svg3412" sodipodi:docname="vaultwarden-logo.svg" inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)" xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+  <sodipodi:namedview id="namedview3414" pagecolor="#ffffff" bordercolor="#666666" borderopacity="1.0" inkscape:showpageshadow="2" inkscape:pageopacity="0.0" inkscape:pagecheckerboard="0" inkscape:deskcolor="#d1d1d1" showgrid="false" inkscape:zoom="0.95107314" inkscape:cx="683.4385" inkscape:cy="139.84203" inkscape:window-width="1874" inkscape:window-height="1056" inkscape:window-x="46" inkscape:window-y="24" inkscape:window-maximized="1" inkscape:current-layer="svg3412" />
+  <title id="title3292">Vaultwarden Logo</title>
+  <defs id="defs3308">
+    <mask id="holes">
+      <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect3296" />
+      <circle id="hole" cy="-40" r="3" />
+      <use transform="rotate(72)" xlink:href="#hole" id="use3299" />
+      <use transform="rotate(144)" xlink:href="#hole" id="use3301" />
+      <use transform="rotate(216)" xlink:href="#hole" id="use3303" />
+      <use transform="rotate(-72)" xlink:href="#hole" id="use3305" />
+    </mask>
+  </defs>
+  <text transform="translate(-10.708266,-9.2965379)" x="286.59244" y="223.43649" fill="#000000" font-family="'Open Sans'" font-size="200px" style="line-height:1.25" xml:space="preserve" id="text3314"><tspan x="286.59244" y="223.43649" font-family="'Open Sans'" font-size="200px" id="tspan3312"><tspan font-family="'Open Sans'" font-size="200px" font-weight="bold" id="tspan3310">ault</tspan>warden</tspan></text>
+  <g transform="translate(-10.708266,-9.2965379)" id="g3410">
+    <g id="logo" transform="matrix(2.6712834,0,0,2.6712834,150.95027,149.53854)">
+      <g id="gear" mask="url(#holes)">
+        <path d="m-31.1718-33.813208 26.496029 74.188883h9.3515399l26.49603-74.188883h-9.767164l-16.728866 47.588948q-1.662496 4.571864-2.805462 8.624198-1.142966 3.948427-1.870308 7.585137-.72734199-3.63671-1.8703079-7.689043-1.142966-4.052334-2.805462-8.728104l-16.624959-47.381136z" stroke="#000" stroke-width="4.51171" id="path3316" />
+        <circle transform="scale(-1,1)" r="43" fill="none" stroke="#000" stroke-width="9" id="circle3318" />
+        <g id="cogs" transform="scale(-1,1)">
+          <polygon id="cog" points="46 -3 46 3 51 0" stroke="#000" stroke-linejoin="round" stroke-width="3" />
+          <use transform="rotate(11.25)" xlink:href="#cog" id="use3321" />
+          <use transform="rotate(22.5)" xlink:href="#cog" id="use3323" />
+          <use transform="rotate(33.75)" xlink:href="#cog" id="use3325" />
+          <use transform="rotate(45)" xlink:href="#cog" id="use3327" />
+          <use transform="rotate(56.25)" xlink:href="#cog" id="use3329" />
+          <use transform="rotate(67.5)" xlink:href="#cog" id="use3331" />
+          <use transform="rotate(78.75)" xlink:href="#cog" id="use3333" />
+          <use transform="rotate(90)" xlink:href="#cog" id="use3335" />
+          <use transform="rotate(101.25)" xlink:href="#cog" id="use3337" />
+          <use transform="rotate(112.5)" xlink:href="#cog" id="use3339" />
+          <use transform="rotate(123.75)" xlink:href="#cog" id="use3341" />
+          <use transform="rotate(135)" xlink:href="#cog" id="use3343" />
+          <use transform="rotate(146.25)" xlink:href="#cog" id="use3345" />
+          <use transform="rotate(157.5)" xlink:href="#cog" id="use3347" />
+          <use transform="rotate(168.75)" xlink:href="#cog" id="use3349" />
+          <use transform="scale(-1)" xlink:href="#cog" id="use3351" />
+          <use transform="rotate(191.25)" xlink:href="#cog" id="use3353" />
+          <use transform="rotate(202.5)" xlink:href="#cog" id="use3355" />
+          <use transform="rotate(213.75)" xlink:href="#cog" id="use3357" />
+          <use transform="rotate(225)" xlink:href="#cog" id="use3359" />
+          <use transform="rotate(236.25)" xlink:href="#cog" id="use3361" />
+          <use transform="rotate(247.5)" xlink:href="#cog" id="use3363" />
+          <use transform="rotate(258.75)" xlink:href="#cog" id="use3365" />
+          <use transform="rotate(-90)" xlink:href="#cog" id="use3367" />
+          <use transform="rotate(-78.75)" xlink:href="#cog" id="use3369" />
+          <use transform="rotate(-67.5)" xlink:href="#cog" id="use3371" />
+          <use transform="rotate(-56.25)" xlink:href="#cog" id="use3373" />
+          <use transform="rotate(-45)" xlink:href="#cog" id="use3375" />
+          <use transform="rotate(-33.75)" xlink:href="#cog" id="use3377" />
+          <use transform="rotate(-22.5)" xlink:href="#cog" id="use3379" />
+          <use transform="rotate(-11.25)" xlink:href="#cog" id="use3381" />
+        </g>
+        <g id="mounts" transform="scale(-1,1)">
+          <polygon id="mount" points="7 -42 -7 -42 0 -35" stroke="#000" stroke-linejoin="round" stroke-width="6" />
+          <use transform="rotate(72)" xlink:href="#mount" id="use3385" />
+          <use transform="rotate(144)" xlink:href="#mount" id="use3387" />
+          <use transform="rotate(216)" xlink:href="#mount" id="use3389" />
+          <use transform="rotate(-72)" xlink:href="#mount" id="use3391" />
+        </g>
+      </g>
+      <mask id="mask3407">
+        <rect x="-60" y="-60" width="120" height="120" fill="#fff" id="rect3395" />
+        <circle cy="-40" r="3" id="circle3397" />
+        <use transform="rotate(72)" xlink:href="#hole" id="use3399" />
+        <use transform="rotate(144)" xlink:href="#hole" id="use3401" />
+        <use transform="rotate(216)" xlink:href="#hole" id="use3403" />
+        <use transform="rotate(-72)" xlink:href="#hole" id="use3405" />
+      </mask>
+    </g>
+  </g>
+  <metadata id="metadata3294">
+    <rdf:RDF>
+      <cc:Work rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title>Vaultwarden Logo</dc:title>
+        <dc:creator>
+          <cc:Agent>
+            <dc:title>Mathijs van Veluw</dc:title>
+          </cc:Agent>
+        </dc:creator>
+        <dc:relation>Rust Logo</dc:relation>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+</svg>

rust-toolchain

@@ -1 +1 @@
-nightly-2021-04-14
+1.66.0