mirror of
				https://github.com/dani-garcia/vaultwarden.git
				synced 2025-10-26 16:00:02 +02:00 
			
		
		
		
	Compare commits
	
		
			920 Commits
		
	
	
		
			1.25.0
			...
			test_dylin
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | f312e00dfa | ||
|  | 2f20ad86f9 | ||
|  | 33bae5fbe9 | ||
|  | f60502a17e | ||
|  | 13f4b66e62 | ||
|  | c967d0ddc1 | ||
|  | ae6ed0ece8 | ||
|  | b7c254eb30 | ||
|  | a47b484172 | ||
|  | 65629a99f0 | ||
|  | 49c5dec9b6 | ||
|  | cd195ff243 | ||
|  | e3541763fd | ||
|  | f0efec7c96 | ||
|  | 040e2a7bb0 | ||
|  | d184c8f08c | ||
|  | 7d6dec6413 | ||
|  | de01111082 | ||
|  | 0bd8f607cb | ||
|  | 21efc0800d | ||
|  | 1031c2e286 | ||
|  | 1bf85201e7 | ||
|  | 6ceed9284d | ||
|  | 25d99e3506 | ||
|  | dca14285fd | ||
|  | 66baa5e7d8 | ||
|  | 248e561b3f | ||
|  | 55623ad9c6 | ||
|  | e9acd8bd3c | ||
|  | 544b7229e8 | ||
|  | 978f009293 | ||
|  | 92f1530e96 | ||
|  | 2b824e8096 | ||
|  | 059661be48 | ||
|  | 0f3f97cc76 | ||
|  | aa0fe7785a | ||
|  | 65d11a9720 | ||
|  | c722006385 | ||
|  | aaab7f9640 | ||
|  | cbdb5657f1 | ||
|  | 669b9db758 | ||
|  | 3466a8040e | ||
|  | 7d47155d83 | ||
|  | 9e26014b4d | ||
|  | 339612c917 | ||
|  | 9eebbf3b9f | ||
|  | b557c11724 | ||
|  | a1204cc935 | ||
|  | 1ea511cbfc | ||
|  | 2e6a6fa39f | ||
|  | e7d5c17ff7 | ||
|  | a7be8fab9b | ||
|  | 39d4d31080 | ||
|  | c28246cf34 | ||
|  | d7df0ad79e | ||
|  | 7c8ba0c232 | ||
|  | d335187172 | ||
|  | f858523d92 | ||
|  | 529c39c6c5 | ||
|  | b428481ac0 | ||
|  | b4b2701905 | ||
|  | de66e56b6c | ||
|  | ecfebaf3c7 | ||
|  | 0e53f58288 | ||
|  | bc7ceb2ee3 | ||
|  | b27e6e30c9 | ||
|  | 505b30eec2 | ||
|  | 54bfcb8bc3 | ||
|  | 035f694d2f | ||
|  | a4ab014ade | ||
|  | 6fedfceaa9 | ||
|  | 8e8483481f | ||
|  | d04b94b77d | ||
|  | 247d0706ff | ||
|  | 0e8b410798 | ||
|  | fda77afc2a | ||
|  | d9835f530c | ||
|  | bd91964170 | ||
|  | d42b264a93 | ||
|  | a4c7fadbf4 | ||
|  | 8e2a87fd79 | ||
|  | 4233dbf3db | ||
|  | a2bf8def2a | ||
|  | 8f05a90b96 | ||
|  | 9082e7cebb | ||
|  | 55fdee3bf8 | ||
|  | 377969ea67 | ||
|  | f05398a6b3 | ||
|  | 9555ac7bb8 | ||
|  | f01ef40a8e | ||
|  | 8e7b27cc36 | ||
|  | d230ee087c | ||
|  | f8f14727b9 | ||
|  | 753a9e0bae | ||
|  | f5fb69b64f | ||
|  | 3261534438 | ||
|  | 46762d9fde | ||
|  | 6cadb2627a | ||
|  | 0fe93edea6 | ||
|  | e9aa5a545e | ||
|  | 9dcc738f85 | ||
|  | 84a7c7da5d | ||
|  | ca9234ed86 | ||
|  | 27dc67fadd | ||
|  | 2ad33ec97f | ||
|  | e1a8df96db | ||
|  | e42a37c6c1 | ||
|  | 129b835ac7 | ||
|  | 2d98aa3045 | ||
|  | 93636eb3c3 | ||
|  | 1e42755187 | ||
|  | ce8efcc48f | ||
|  | 79ce5b49bc | ||
|  | 7c3cad197c | ||
|  | 000c606029 | ||
|  | 29144b2ce0 | ||
|  | ea04b6f151 | ||
|  | 3427217686 | ||
|  | a1fbd6d729 | ||
|  | 2cbfe6fa5b | ||
|  | d86c4f2c23 | ||
|  | 6d73f30b4f | ||
|  | d0c22b9fc9 | ||
|  | d6b97090fa | ||
|  | 94b077cb2d | ||
|  | bb2412d033 | ||
|  | b9bdc9b8e2 | ||
|  | 897bdf8343 | ||
|  | 569add453d | ||
|  | 77cd5b5954 | ||
|  | 4438da39f9 | ||
|  | 0b2383ab56 | ||
|  | ad1d65bdf8 | ||
|  | 3b283c289e | ||
|  | 4b9384cb2b | ||
|  | 0f39d96518 | ||
|  | edf7484a70 | ||
|  | 8b66e34415 | ||
|  | 1d00e34bbb | ||
|  | 1b801406d6 | ||
|  | 5e46a43306 | ||
|  | 5c77431c2d | ||
|  | 2775c6ce8a | ||
|  | 890e668071 | ||
|  | 596c167312 | ||
|  | ae3a153bdb | ||
|  | 2c36993792 | ||
|  | d672ad3f76 | ||
|  | a641b48884 | ||
|  | 98b2178c7d | ||
|  | 76a3f0f531 | ||
|  | c5665e7b77 | ||
|  | cbdcf8ef9f | ||
|  | 3337594d60 | ||
|  | 2daa8be1f1 | ||
|  | eccb3ab947 | ||
|  | 3246251f29 | ||
|  | 8ab200224e | ||
|  | 34e00e1478 | ||
|  | 0fdda3bc2f | ||
|  | 48836501bf | ||
|  | f863ffb89a | ||
|  | 03c6ed2e07 | ||
|  | efc6eb0073 | ||
|  | cec1e87679 | ||
|  | 512b3b9b7c | ||
|  | 93da5091e6 | ||
|  | 915496c103 | ||
|  | ecb31c85d6 | ||
|  | d722328f05 | ||
|  | cb4b683dcd | ||
|  | 6eaf131922 | ||
|  | 8933ac2ee7 | ||
|  | 6822e445bb | ||
|  | 18fbc1ccf6 | ||
|  | 4861f6decc | ||
|  | b435ee49ad | ||
|  | 193f86e43e | ||
|  | 66a7baa67c | ||
|  | 18d66474e0 | ||
|  | ff8db4fd78 | ||
|  | b2f9af718e | ||
|  | 198fd2fc1d | ||
|  | ec8a9c82df | ||
|  | ef5e0bd4e5 | ||
|  | 30b408eaa9 | ||
|  | e205e3b7db | ||
|  | ca1a9e26d8 | ||
|  | f3a1385aee | ||
|  | 008a2cf298 | ||
|  | f0c9a7fbc3 | ||
|  | 9162b13123 | ||
|  | 480bf9b0c1 | ||
|  | f96c5e8a1e | ||
|  | 3d4be24902 | ||
|  | bf41d74501 | ||
|  | 01e33a4919 | ||
|  | bc26bfa589 | ||
|  | ccc51e7580 | ||
|  | 99a59bc4f3 | ||
|  | a77482575a | ||
|  | bbd630f1ee | ||
|  | d18b793c71 | ||
|  | d3a1d875d5 | ||
|  | d6e0ace192 | ||
|  | 60cbfa59bf | ||
|  | 5ab7010c37 | ||
|  | ad2cfd8b97 | ||
|  | 32543c46da | ||
|  | 66bff73ebf | ||
|  | 83d5432cbf | ||
|  | f579a4154c | ||
|  | f5a19c5f8b | ||
|  | aa9bc1f785 | ||
|  | f162e85e44 | ||
|  | 33ef70c192 | ||
|  | 3d2df6ce11 | ||
|  | 6cdcb3b297 | ||
|  | d1af468700 | ||
|  | ae1c53f4e5 | ||
|  | bc57c4b193 | ||
|  | 61ae4c9cf5 | ||
|  | 8d7b3db33d | ||
|  | e9ec3741ae | ||
|  | dacd50f3f1 | ||
|  | 9412112639 | ||
|  | aaeae16983 | ||
|  | d892880dd2 | ||
|  | 4395e8e888 | ||
|  | 3dbfc484a5 | ||
|  | 4ec2507073 | ||
|  | ab65d7989b | ||
|  | 8707728cdb | ||
|  | 631d022e17 | ||
|  | 211f4492fa | ||
|  | 61f9081827 | ||
|  | a8e5384c4a | ||
|  | 1c7338c7c4 | ||
|  | 08f37b9935 | ||
|  | 4826ddca4c | ||
|  | 2b32b6f78c | ||
|  | a6cfdddfd8 | ||
|  | 814ce9a6ac | ||
|  | 1bee46f64b | ||
|  | 556d945396 | ||
|  | 664b480c71 | ||
|  | 84e901b7d2 | ||
|  | 839b2bc950 | ||
|  | 6050c8dac5 | ||
|  | 0a6b797e6e | ||
|  | fb6f441a4f | ||
|  | 9876aedd67 | ||
|  | 19e671ff25 | ||
|  | 60964c07e6 | ||
|  | e4894524e4 | ||
|  | e7f083dee9 | ||
|  | 1074315a87 | ||
|  | c56bf38079 | ||
|  | 3c0cac623d | ||
|  | 550794b127 | ||
|  | e818a0bf37 | ||
|  | 2aedff50e8 | ||
|  | 84a23008f4 | ||
|  | 44e9e1a58e | ||
|  | e4606431d1 | ||
|  | 5b7d7390b0 | ||
|  | a05187c0ff | ||
|  | 8e34495e73 | ||
|  | 4219249e11 | ||
|  | bd883de70e | ||
|  | 2d66292350 | ||
|  | adf67a8ee8 | ||
|  | f40f5b8399 | ||
|  | 2d6ca0ea95 | ||
|  | 06a10e2c5a | ||
|  | 445680fb84 | ||
|  | 83376544d8 | ||
|  | 04a17dcdef | ||
|  | 0851561392 | ||
|  | 95cd6deda6 | ||
|  | 636f16dc66 | ||
|  | 9e5b049dca | ||
|  | 23aa9088f3 | ||
|  | 4f0ed06b06 | ||
|  | 349c97efaf | ||
|  | 8b05a5d192 | ||
|  | 83bf77d713 | ||
|  | 4d5c047ddc | ||
|  | 147c9c7b50 | ||
|  | 6515a2fcad | ||
|  | 4a2ed553df | ||
|  | ba492c0602 | ||
|  | 1ec049e2b5 | ||
|  | 0fb8563b13 | ||
|  | f906f6230a | ||
|  | 951ba55123 | ||
|  | 18abf226be | ||
|  | 393645617e | ||
|  | 5bf243b675 | ||
|  | cfba8347a3 | ||
|  | 55c1b6e8d5 | ||
|  | 3d7e80a7aa | ||
|  | 5866338de4 | ||
|  | 271e3ae757 | ||
|  | 48cc31a59f | ||
|  | 6a7cee4e7e | ||
|  | f850dbb310 | ||
|  | 07099df41a | ||
|  | 0c0a80720e | ||
|  | ae437f70a3 | ||
|  | 3d11f4cd16 | ||
|  | 3bd4e42fb0 | ||
|  | 89e94b1d91 | ||
|  | 0b28ab3be1 | ||
|  | c5bcc340fa | ||
|  | bff54fbfdb | ||
|  | 867c6ba056 | ||
|  | d1ecf03f44 | ||
|  | fc43608eec | ||
|  | 15dd05c78d | ||
|  | aa6f774f65 | ||
|  | 379f885354 | ||
|  | 39a5f2dbe8 | ||
|  | 0daaa9b175 | ||
|  | 0c085d21ce | ||
|  | dcaaa430f0 | ||
|  | 2cda54ceff | ||
|  | 525e6bb65a | ||
|  | 62cebebd3d | ||
|  | 3646f14042 | ||
|  | 813e889c97 | ||
|  | 8bcd0ab0c6 | ||
|  | 5725d297b4 | ||
|  | a428f05e77 | ||
|  | 467ecfdc99 | ||
|  | ed8091a994 | ||
|  | 56cad93e0f | ||
|  | 3cf67e0b8d | ||
|  | 5800aceb2d | ||
|  | 729b563160 | ||
|  | 6b5618a5fc | ||
|  | 2aa72eb240 | ||
|  | c8655c4f89 | ||
|  | daaa03d1b3 | ||
|  | 9e5b94924f | ||
|  | f21089900e | ||
|  | 0c0e632bc9 | ||
|  | a13a5bd1d8 | ||
|  | 3b34b429f3 | ||
|  | 97ffd17789 | ||
|  | 10c5476d31 | ||
|  | d3626eba2a | ||
|  | de157b2654 | ||
|  | 337cbfaf22 | ||
|  | f88b6d961e | ||
|  | 0426051541 | ||
|  | 4556f668de | ||
|  | da8225a3bd | ||
|  | f10e6b6ac2 | ||
|  | 7ec00d3850 | ||
|  | 8f8d7418ed | ||
|  | af6d17b701 | ||
|  | 61183d001c | ||
|  | 024d12db08 | ||
|  | dc7951efaf | ||
|  | 06e14fea55 | ||
|  | 0f656b4889 | ||
|  | 6fa1dc50be | ||
|  | 2bb41367bc | ||
|  | 20d8886bfa | ||
|  | 59ef82b740 | ||
|  | fc543154c0 | ||
|  | 569b464157 | ||
|  | adf83c698d | ||
|  | 8fcbc58ee2 | ||
|  | 2dcbb2be59 | ||
|  | 7026e004e1 | ||
|  | a3084feaee | ||
|  | e7d36de784 | ||
|  | 54cc47b14e | ||
|  | fac44888cd | ||
|  | 9f056523c9 | ||
|  | 0af1ef387d | ||
|  | f95f40be15 | ||
|  | 5c859e2e6c | ||
|  | 03ff5e6ece | ||
|  | 52d696aa74 | ||
|  | a4e80712dd | ||
|  | a947e434f0 | ||
|  | 2eb4f290a5 | ||
|  | 8ae799a771 | ||
|  | 9a5f3a5015 | ||
|  | 1ca0d6e245 | ||
|  | 7f69eebeb1 | ||
|  | 32bd9b83a3 | ||
|  | 477d60de49 | ||
|  | 1ba8275dcb | ||
|  | a0a4994250 | ||
|  | 32dfa41970 | ||
|  | f92efda0f0 | ||
|  | 3b0f643e9d | ||
|  | 5bcee24f88 | ||
|  | 9e3d7ea44c | ||
|  | 8cc6dac893 | ||
|  | b7c4316c77 | ||
|  | 0c295d5e6e | ||
|  | bc49d1f90d | ||
|  | 6f6d9dee83 | ||
|  | cef5dd4a46 | ||
|  | 79061c0eb5 | ||
|  | 6e2c3fc1cc | ||
|  | e301fe137f | ||
|  | af69c83db2 | ||
|  | 53fa8da5b1 | ||
|  | c58aac585b | ||
|  | 8c1117fcbf | ||
|  | a6dd4f1206 | ||
|  | 5af1799991 | ||
|  | a20a641de3 | ||
|  | 8abd38573b | ||
|  | 78abdf0e9d | ||
|  | dc031d8d86 | ||
|  | de6330b09d | ||
|  | 68bcc7a4b8 | ||
|  | c04a1352cb | ||
|  | 5d1c11ceba | ||
|  | a2aa7c9bc2 | ||
|  | b3a351ccb2 | ||
|  | 679bc7a59b | ||
|  | a72d0b518f | ||
|  | 6741b25907 | ||
|  | 24b5784f02 | ||
|  | eb9b481eba | ||
|  | 64edc49392 | ||
|  | 0d1753ac74 | ||
|  | a6558f5548 | ||
|  | 62dfeb80f2 | ||
|  | 26cd5d9643 | ||
|  | e65fbbfc21 | ||
|  | a2162f4d69 | ||
|  | c9ed9aa733 | ||
|  | 9b20decdc1 | ||
|  | adaefc8628 | ||
|  | c6c45c4c49 | ||
|  | 95494083f2 | ||
|  | 686474f815 | ||
|  | 2c6bd8c9dc | ||
|  | 9366e31452 | ||
|  | 96ff32fb2f | ||
|  | 9342fa5744 | ||
|  | 50fc22966c | ||
|  | 4fab4c74ff | ||
|  | e38e1a5d5f | ||
|  | cc91ac6cc0 | ||
|  | 2d8c8e18f7 | ||
|  | b17e2da2cf | ||
|  | d121cce0d2 | ||
|  | 0eba7a88fa | ||
|  | 34ac16e9d7 | ||
|  | 906d9e2f1a | ||
|  | 623d84aeb5 | ||
|  | f8122cd2ca | ||
|  | 9b7e86efc2 | ||
|  | e7ccfbdd0e | ||
|  | acc1474394 | ||
|  | c90b3031a6 | ||
|  | aaffb2e007 | ||
|  | e0e95e95e4 | ||
|  | fa70b440d0 | ||
|  | 42acb2ebb6 | ||
|  | 174bea8d6e | ||
|  | f68a57950b | ||
|  | f747bf126b | ||
|  | 1ca197fd46 | ||
|  | 63d05d929b | ||
|  | ef5bf5d326 | ||
|  | 9d6e35d803 | ||
|  | 0cccdcab83 | ||
|  | 6607faa390 | ||
|  | 6fcf18ab51 | ||
|  | d122c10573 | ||
|  | ae9553ca1c | ||
|  | ff919039c9 | ||
|  | 80eb15d46a | ||
|  | c36b870c54 | ||
|  | b7cbca590c | ||
|  | 606a1bbfcb | ||
|  | 3e5369c8dd | ||
|  | dd5e4cec73 | ||
|  | a31a040abd | ||
|  | f0125b95c1 | ||
|  | 072f2e24c2 | ||
|  | 36b5350f9b | ||
|  | c7489c9fdf | ||
|  | 3181e4e96e | ||
|  | 2ee0d53c5f | ||
|  | dfa629ecc7 | ||
|  | 92dc48b882 | ||
|  | 367e1ce289 | ||
|  | 7390f34355 | ||
|  | c47d9f6593 | ||
|  | 5399ee8208 | ||
|  | 117045e6d3 | ||
|  | 912ad64555 | ||
|  | 00855ee31d | ||
|  | c18a273b4a | ||
|  | ca24a4adf1 | ||
|  | a263aaa481 | ||
|  | 0a20ba0020 | ||
|  | 6541600af6 | ||
|  | 525979d5d9 | ||
|  | 7dd1959eba | ||
|  | e266b39254 | ||
|  | e935989fee | ||
|  | 25c401f64d | ||
|  | 18b72da657 | ||
|  | e8e6c89927 | ||
|  | fd5f657334 | ||
|  | da9605f2d2 | ||
|  | 7030de32d5 | ||
|  | b67c5b77be | ||
|  | d30878c4ea | ||
|  | 6be26f0a38 | ||
|  | 34a6bfaefa | ||
|  | 1c8749eb4d | ||
|  | 1198c36a2b | ||
|  | 41e6c1a383 | ||
|  | 0042c3e4a7 | ||
|  | 724190f262 | ||
|  | 6867d23ca2 | ||
|  | de26af0c2d | ||
|  | 3f223a7514 | ||
|  | 23f5a62d61 | ||
|  | 81e2054f59 | ||
|  | f9337effa5 | ||
|  | 2972904eb8 | ||
|  | bdd918b4d4 | ||
|  | 88085fe17b | ||
|  | 2020a302d0 | ||
|  | ab2dd0f300 | ||
|  | 8e6fd4b4a1 | ||
|  | 988d24927e | ||
|  | e945d16fcf | ||
|  | f1c0aa4f83 | ||
|  | 68362d06b3 | ||
|  | f65c0e2ac8 | ||
|  | 0f588ced03 | ||
|  | b0f03bb49c | ||
|  | 5063661028 | ||
|  | 7e66ab78ff | ||
|  | 665e275dc5 | ||
|  | a6da728cca | ||
|  | 04e02d7f9f | ||
|  | 7c739dd58e | ||
|  | 05a552910c | ||
|  | c990837066 | ||
|  | 57aec37507 | ||
|  | 0c5b4476ad | ||
|  | 17141147a8 | ||
|  | 193c2fa860 | ||
|  | 6d01aaa80f | ||
|  | ad60eaa0f3 | ||
|  | d878face07 | ||
|  | 8bf8388cd6 | ||
|  | b4db853bcb | ||
|  | 5ee94c0ba9 | ||
|  | f108349547 | ||
|  | d25e1ab94b | ||
|  | 79fee269ee | ||
|  | ffe362f856 | ||
|  | 04bb15a802 | ||
|  | 4d9d649db9 | ||
|  | 2897c24e83 | ||
|  | 5964dc95f0 | ||
|  | 613b2519ed | ||
|  | 996b60e43d | ||
|  | a6d09407b9 | ||
|  | f2e9ddef4e | ||
|  | ca417d3257 | ||
|  | 10dadfca06 | ||
|  | bf73a8235f | ||
|  | 67a584c1d4 | ||
|  | 8e5f03972e | ||
|  | d8abf8f98f | ||
|  | cb348d2e05 | ||
|  | aceb111024 | ||
|  | b60a4a68c7 | ||
|  | 8b6dfe48b7 | ||
|  | 6154e03c05 | ||
|  | d0b53a6a3d | ||
|  | 317aa679cf | ||
|  | 8d1bc2e539 | ||
|  | 50c46f6e9a | ||
|  | 4f1928778a | ||
|  | 5fcba3d7f5 | ||
|  | 4db42b07c4 | ||
|  | cd3e2d7a5a | ||
|  | d139e22042 | ||
|  | 892296e6d5 | ||
|  | 992ef399ed | ||
|  | 5afba46743 | ||
|  | df0aa7949e | ||
|  | 353d2e6e01 | ||
|  | f9375bb215 | ||
|  | 8d04ff66e7 | ||
|  | e649b11511 | ||
|  | bda19bdddf | ||
|  | 99fd92df21 | ||
|  | 1210310063 | ||
|  | b093384385 | ||
|  | cec45ae9bd | ||
|  | e6dd584dd6 | ||
|  | 7cc74dabaf | ||
|  | 2336f102f9 | ||
|  | cebe0f6442 | ||
|  | d9c0c23819 | ||
|  | aa355a96f9 | ||
|  | 4a85dd2480 | ||
|  | 213909baa5 | ||
|  | 6915a60332 | ||
|  | 52a50e9ade | ||
|  | b7c9a346c1 | ||
|  | 2d90c6ac24 | ||
|  | 7f7b5447fd | ||
|  | 142f7bb50d | ||
|  | d209df9e10 | ||
|  | 1b56f4266b | ||
|  | d6dc6070f3 | ||
|  | d66323b742 | ||
|  | 7b09d74b1f | ||
|  | c0e3c2c5e1 | ||
|  | 06189a58fe | ||
|  | f402dd81bb | ||
|  | c885bbc947 | ||
|  | 63fb0e5a57 | ||
|  | 37d0792a7d | ||
|  | c8040d2f63 | ||
|  | dbcad65b68 | ||
|  | 226da67bc0 | ||
|  | fee2b5c3fb | ||
|  | 6bbb3d53ae | ||
|  | 610b183cef | ||
|  | 1b64b9e164 | ||
|  | b022be9ba8 | ||
|  | 7f11363725 | ||
|  | 4aa6dd22bb | ||
|  | 8feed2916f | ||
|  | 59eaa0aa0d | ||
|  | d5e54cb576 | ||
|  | 8837660ba7 | ||
|  | 464a489b44 | ||
|  | 7035700c8d | ||
|  | 23c2921690 | ||
|  | 7d506f3633 | ||
|  | b186813049 | ||
|  | bfa82225da | ||
|  | ffa2044563 | ||
|  | d57b69952d | ||
|  | 5a13efefd3 | ||
|  | 2f9d7060bd | ||
|  | 0aa33a2cb4 | ||
|  | fa7dbedd5d | ||
|  | 2ea9b66943 | ||
|  | f3beaea9e9 | ||
|  | 39ae2f1f76 | ||
|  | 366b1050ec | ||
|  | b3aab7a6ad | ||
|  | aa8d050d6b | ||
|  | 5200f0e98d | ||
|  | 5f4abb1b7f | ||
|  | dfe1e30d1b | ||
|  | e27a5be47a | ||
|  | 56786a18f1 | ||
|  | 0d2399d485 | ||
|  | 5bfc7cfde3 | ||
|  | 723f0cbc1e | ||
|  | b141f789f6 | ||
|  | 7445ee40f8 | ||
|  | 4a9a0f7e64 | ||
|  | 63aad2e5d2 | ||
|  | d0baa23f9a | ||
|  | 7a7673103f | ||
|  | 05d4788d1d | ||
|  | 6f0dea1b56 | ||
|  | 439ef44973 | ||
|  | 2a525b42cb | ||
|  | aee91acfdc | ||
|  | 17388ec43e | ||
|  | bdc1cd13a7 | ||
|  | 42db4b5c77 | ||
|  | 53da073274 | ||
|  | b010dde661 | ||
|  | c9ec389b24 | ||
|  | baa2841b04 | ||
|  | 6af5c86081 | ||
|  | f60a6929a9 | ||
|  | 2aa97fa121 | ||
|  | b59809af46 | ||
|  | ed24d51d3e | ||
|  | 870f0d0932 | ||
|  | 31b77bf178 | ||
|  | b525f9aa4c | ||
|  | 8409b31d6b | ||
|  | b878495d64 | ||
|  | 945b85da2f | ||
|  | d4577d161e | ||
|  | 3c8e1c3ca9 | ||
|  | 88dba8c4dd | ||
|  | 21bc3bfd53 | ||
|  | 4cb5122e90 | ||
|  | 0a2a8be0ff | ||
|  | 720a046610 | ||
|  | 64ae5d4f81 | ||
|  | ff7e22c08a | ||
|  | 0c267d073f | ||
|  | bbc6470f65 | ||
|  | 23f1f8a576 | ||
|  | 0e6f6e612a | ||
|  | 4d1b860dad | ||
|  | 6576914e55 | ||
|  | 12075639f3 | ||
|  | 3b9bfe55d0 | ||
|  | a0c6a7c0de | ||
|  | a2d716aec3 | ||
|  | c1c60e3b68 | ||
|  | ed6e852904 | ||
|  | a54065420c | ||
|  | aa5a05960e | ||
|  | f41ba2a60f | ||
|  | 2215cfefb9 | ||
|  | 4289663a16 | ||
|  | ea19c2250e | ||
|  | 638766b346 | ||
|  | d1ff136552 | ||
|  | 46ec11de12 | ||
|  | 4283a49e0b | ||
|  | 1e32db8c41 | ||
|  | 0f944ec7e2 | ||
|  | 736dbc9553 | ||
|  | b4a38f1f63 | ||
|  | 646186fe38 | ||
|  | c2725916f4 | ||
|  | fd334e2b7d | ||
|  | f9feca1ce4 | ||
|  | 677fd2ff32 | ||
|  | f49eb8eb4d | ||
|  | b0e0d68632 | ||
|  | f3c8c16d79 | ||
|  | 2dd5086916 | ||
|  | 7532072d50 | ||
|  | 382e6107fe | ||
|  | e6c6609e19 | ||
|  | 4cb5918950 | ||
|  | 55030f3687 | ||
|  | ef4072e4ff | ||
|  | c78d383ed1 | ||
|  | 5b96270874 | ||
|  | 2c0742387b | ||
|  | 1704d14f29 | ||
|  | 2d7ffbf378 | ||
|  | dfd63f85c0 | ||
|  | cd0c49eaf6 | ||
|  | 080e38d227 | ||
|  | 1a664fba6a | ||
|  | c915ef815d | ||
|  | adea4ec54d | ||
|  | 387b5eb2dd | ||
|  | 6337af59ed | ||
|  | 475c7b8f16 | ||
|  | ac120be1c6 | ||
|  | b70316e6d3 | ||
|  | 0a0f620d0b | ||
|  | 9132cc4a30 | ||
|  | e50edcadfb | ||
|  | 2685099720 | ||
|  | 6fa6eb18e8 | ||
|  | bb79396f0e | ||
|  | da9fd6b7d0 | ||
|  | 5b8067ef77 | ||
|  | 9eabcd5cae | ||
|  | d6e0d4cbbd | ||
|  | e5e6db2688 | ||
|  | 186fe24484 | ||
|  | 5da96d36e6 | ||
|  | f4b1071e23 | ||
|  | 18291b6533 | ||
|  | 8095cb68bb | ||
|  | 04cd751556 | ||
|  | 7ce2372f51 | ||
|  | aebda93afe | ||
|  | 2b7b1141eb | ||
|  | 1ff4ff72bf | ||
|  | d27e91a9b0 | ||
|  | 7cf063b196 | ||
|  | 642f04d493 | ||
|  | fc6e65e4b0 | ||
|  | db5c98ec3b | ||
|  | 73c64af27e | ||
|  | b3f7db813f | ||
|  | 59660ff087 | ||
|  | 69a69e8e04 | ||
|  | 1094f359c3 | ||
|  | 102ee3f871 | ||
|  | acb5ab08a8 | ||
|  | ae59472d9a | ||
|  | 5a07b193dc | ||
|  | fd2edb9adc | ||
|  | 1d074f7b3f | ||
|  | 81984c4bce | ||
|  | 9c891baad1 | ||
|  | b050c60807 | ||
|  | e47a2fd0f3 | ||
|  | 42b9cc73ac | ||
|  | edca4248aa | ||
|  | b1b6bc9be0 | ||
|  | 818b254cef | ||
|  | ddfac5e34b | ||
|  | 8b5c945bad | ||
|  | 50c5eb9c50 | ||
|  | 94be67eac1 | ||
|  | 5a05139efe | ||
|  | a62dc102fb | ||
|  | 518d74ce21 | ||
|  | 7598997deb | ||
|  | 3c876dc202 | ||
|  | 1722742ab3 | ||
|  | d9c0eb3cfc | ||
|  | 0d990e1dc0 | ||
|  | 60ed5ff99d | ||
|  | 5b98bd66ee | ||
|  | abd20777fe | ||
|  | 7f0d0cf8a4 | ||
|  | 6e23a573fb | ||
|  | ce9d93003c | ||
|  | abfa868423 | ||
|  | 331f6c08fe | ||
|  | c0efd3d419 | ||
|  | 1385d75972 | ||
|  | 9a787dd105 | ||
|  | 0dcc435bb4 | ||
|  | f1a67663d1 | ||
|  | 0f95bdc9bb | ||
|  | a0eab35768 | ||
|  | 027c87dd07 | ||
|  | f2b31352fe | ||
|  | c9376e3126 | ||
|  | 7cbcad0e38 | ||
|  | e167798449 | ||
|  | fc5928772b | ||
|  | 8263bdd21d | ||
|  | 3c1d4254e7 | ||
|  | 55d7c48b1d | ||
|  | bf623eed7f | ||
|  | 84bcac0112 | ||
|  | 31595888ea | ||
|  | 5c38b2c4eb | ||
|  | ebe9162af9 | ||
|  | b64cf27038 | ||
|  | 0c4e79cff6 | ||
|  | 5b9129a086 | ||
|  | 93d4a12834 | ||
|  | bf3e2dc652 | ||
|  | 0d0e98d783 | ||
|  | 5a55cfbb9b | ||
|  | ac93b8a6b9 | ||
|  | 93786d9ebd | ||
|  | a6dbb580c9 | ||
|  | e62678abdb | ||
|  | af50eae604 | ||
|  | cb4f6aa7f6 | ||
|  | 5e13b1a7cb | ||
|  | 60b339f450 | ||
|  | f71c779860 | ||
|  | 221a11de9b | ||
|  | 794483c10d | ||
|  | c9934ccdb7 | ||
|  | 54729f3c1e | ||
|  | f1a86acb98 | ||
|  | 6b6ea3c8bf | ||
|  | bf403fee7d | ||
|  | 5cd920cf6f | ||
|  | 45d3b479bc | ||
|  | c7a752b01d | ||
|  | 099d359628 | ||
|  | 006a2aacbb | ||
|  | b71d9dd53e | ||
|  | 887e320e7f | ||
|  | d7c18fd86e | ||
|  | 7566f3db3e | ||
|  | 5d05ec58be | ||
|  | d9a452f558 | ||
|  | dec03b3dc0 | ||
|  | 85950bdc0b | ||
|  | f95bd3bb04 | ||
|  | e33b8fab34 | ||
|  | b00fbf153e | ||
|  | 0de5919a16 | ||
|  | 699777be9e | ||
|  | 16ff49d712 | ||
|  | 54c78cf06d | ||
|  | 303eaabeea | ||
|  | 6b6f5b8d04 | ||
|  | 0c18a7e306 | ||
|  | a23a38080b | ||
|  | 316ca66a4b | ||
|  | 2f71a01877 | ||
|  | d5cfbfc71d | ||
|  | 12612da75e | ||
|  | 68ec5f2a18 | ||
|  | 00670450df | ||
|  | dbd95e08e9 | ||
|  | 3713f2d134 | ||
|  | a85a250dfd | ||
|  | 5845ed2c92 | ||
|  | 40ed505581 | ||
|  | bf0b8d9968 | ||
|  | d0a7437dbd | ||
|  | 21b433c5d7 | ||
|  | 7c89bc619a | ||
|  | 0d3daa9fc6 | 
| @@ -1,40 +1,15 @@ | |||||||
| # Local build artifacts | // Ignore everything | ||||||
| target | * | ||||||
|  |  | ||||||
| # Data folder | // Allow what is needed | ||||||
| data | !.git | ||||||
|  |  | ||||||
| # Misc |  | ||||||
| .env |  | ||||||
| .env.template |  | ||||||
| .gitattributes |  | ||||||
| .gitignore |  | ||||||
| rustfmt.toml |  | ||||||
|  |  | ||||||
| # IDE files |  | ||||||
| .vscode |  | ||||||
| .idea |  | ||||||
| .editorconfig |  | ||||||
| *.iml |  | ||||||
|  |  | ||||||
| # Documentation |  | ||||||
| .github |  | ||||||
| *.md |  | ||||||
| *.txt |  | ||||||
| *.yml |  | ||||||
| *.yaml |  | ||||||
|  |  | ||||||
| # Docker |  | ||||||
| hooks |  | ||||||
| tools |  | ||||||
| Dockerfile |  | ||||||
| .dockerignore |  | ||||||
| docker/** |  | ||||||
| !docker/healthcheck.sh | !docker/healthcheck.sh | ||||||
| !docker/start.sh | !docker/start.sh | ||||||
|  | !migrations | ||||||
|  | !src | ||||||
|  |  | ||||||
| # Web vault | !build.rs | ||||||
| web-vault | !Cargo.lock | ||||||
|  | !Cargo.toml | ||||||
| # Vaultwarden Resources | !rustfmt.toml | ||||||
| resources | !rust-toolchain.toml | ||||||
|   | |||||||
							
								
								
									
										567
									
								
								.env.template
									
									
									
									
									
								
							
							
						
						
									
										567
									
								
								.env.template
									
									
									
									
									
								
							| @@ -1,30 +1,72 @@ | |||||||
|  | # shellcheck disable=SC2034,SC2148 | ||||||
| ## Vaultwarden Configuration File | ## Vaultwarden Configuration File | ||||||
| ## Uncomment any of the following lines to change the defaults | ## Uncomment any of the following lines to change the defaults | ||||||
| ## | ## | ||||||
| ## Be aware that most of these settings will be overridden if they were changed | ## Be aware that most of these settings will be overridden if they were changed | ||||||
| ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . | ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . | ||||||
| ## | ## | ||||||
| ## By default, vaultwarden expects for this file to be named ".env" and located | ## By default, Vaultwarden expects for this file to be named ".env" and located | ||||||
| ## in the current working directory. If this is not the case, the environment | ## in the current working directory. If this is not the case, the environment | ||||||
| ## variable ENV_FILE can be set to the location of this file prior to starting | ## variable ENV_FILE can be set to the location of this file prior to starting | ||||||
| ## vaultwarden. | ## Vaultwarden. | ||||||
|  |  | ||||||
|  | #################### | ||||||
|  | ### Data folders ### | ||||||
|  | #################### | ||||||
|  |  | ||||||
| ## Main data folder | ## Main data folder | ||||||
| # DATA_FOLDER=data | # DATA_FOLDER=data | ||||||
|  |  | ||||||
|  | ## Individual folders, these override %DATA_FOLDER% | ||||||
|  | # RSA_KEY_FILENAME=data/rsa_key | ||||||
|  | # ICON_CACHE_FOLDER=data/icon_cache | ||||||
|  | # ATTACHMENTS_FOLDER=data/attachments | ||||||
|  | # SENDS_FOLDER=data/sends | ||||||
|  | # TMP_FOLDER=data/tmp | ||||||
|  |  | ||||||
|  | ## Templates data folder, by default uses embedded templates | ||||||
|  | ## Check source code to see the format | ||||||
|  | # TEMPLATES_FOLDER=data/templates | ||||||
|  | ## Automatically reload the templates for every request, slow, use only for development | ||||||
|  | # RELOAD_TEMPLATES=false | ||||||
|  |  | ||||||
|  | ## Web vault settings | ||||||
|  | # WEB_VAULT_FOLDER=web-vault/ | ||||||
|  | # WEB_VAULT_ENABLED=true | ||||||
|  |  | ||||||
|  | ######################### | ||||||
|  | ### Database settings ### | ||||||
|  | ######################### | ||||||
|  |  | ||||||
| ## Database URL | ## Database URL | ||||||
| ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 | ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 | ||||||
| # DATABASE_URL=data/db.sqlite3 | # DATABASE_URL=data/db.sqlite3 | ||||||
| ## When using MySQL, specify an appropriate connection URI. | ## When using MySQL, specify an appropriate connection URI. | ||||||
| ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html | ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html | ||||||
| # DATABASE_URL=mysql://user:password@host[:port]/database_name | # DATABASE_URL=mysql://user:password@host[:port]/database_name | ||||||
| ## When using PostgreSQL, specify an appropriate connection URI (recommended) | ## When using PostgreSQL, specify an appropriate connection URI (recommended) | ||||||
| ## or keyword/value connection string. | ## or keyword/value connection string. | ||||||
| ## Details: | ## Details: | ||||||
| ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html | ## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html | ||||||
| ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING | ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING | ||||||
| # DATABASE_URL=postgresql://user:password@host[:port]/database_name | # DATABASE_URL=postgresql://user:password@host[:port]/database_name | ||||||
|  |  | ||||||
|  | ## Enable WAL for the DB | ||||||
|  | ## Set to false to avoid enabling WAL during startup. | ||||||
|  | ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, | ||||||
|  | ## this setting only prevents Vaultwarden from automatically enabling it on start. | ||||||
|  | ## Please read project wiki page about this setting first before changing the value as it can | ||||||
|  | ## cause performance degradation or might render the service unable to start. | ||||||
|  | # ENABLE_DB_WAL=true | ||||||
|  |  | ||||||
|  | ## Database connection retries | ||||||
|  | ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely | ||||||
|  | # DB_CONNECTION_RETRIES=15 | ||||||
|  |  | ||||||
|  | ## Database timeout | ||||||
|  | ## Timeout when acquiring database connection | ||||||
|  | # DATABASE_TIMEOUT=30 | ||||||
|  |  | ||||||
| ## Database max connections | ## Database max connections | ||||||
| ## Define the size of the connection pool used for connecting to the database. | ## Define the size of the connection pool used for connecting to the database. | ||||||
| # DATABASE_MAX_CONNS=10 | # DATABASE_MAX_CONNS=10 | ||||||
| @@ -38,52 +80,49 @@ | |||||||
| ## - PostgreSQL: "" | ## - PostgreSQL: "" | ||||||
| # DATABASE_CONN_INIT="" | # DATABASE_CONN_INIT="" | ||||||
|  |  | ||||||
| ## Individual folders, these override %DATA_FOLDER% | ################# | ||||||
| # RSA_KEY_FILENAME=data/rsa_key | ### WebSocket ### | ||||||
| # ICON_CACHE_FOLDER=data/icon_cache | ################# | ||||||
| # ATTACHMENTS_FOLDER=data/attachments |  | ||||||
| # SENDS_FOLDER=data/sends |  | ||||||
|  |  | ||||||
| ## Templates data folder, by default uses embedded templates | ## Enable websocket notifications | ||||||
| ## Check source code to see the format | # ENABLE_WEBSOCKET=true | ||||||
| # TEMPLATES_FOLDER=/path/to/templates |  | ||||||
| ## Automatically reload the templates for every request, slow, use only for development |  | ||||||
| # RELOAD_TEMPLATES=false |  | ||||||
|  |  | ||||||
| ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" | ########################## | ||||||
| ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP | ### Push notifications ### | ||||||
| # IP_HEADER=X-Real-IP | ########################## | ||||||
|  |  | ||||||
| ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") | ## Enables push notifications (requires key and id from https://bitwarden.com/host) | ||||||
| # ICON_CACHE_TTL=2592000 | ## Details about mobile client push notification: | ||||||
| ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") | ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification | ||||||
| # ICON_CACHE_NEGTTL=259200 | # PUSH_ENABLED=false | ||||||
|  | # PUSH_INSTALLATION_ID=CHANGEME | ||||||
|  | # PUSH_INSTALLATION_KEY=CHANGEME | ||||||
|  |  | ||||||
| ## Web vault settings | # WARNING: Do not modify the following settings unless you fully understand their implications! | ||||||
| # WEB_VAULT_FOLDER=web-vault/ | # Default Push Relay and Identity URIs | ||||||
| # WEB_VAULT_ENABLED=true | # PUSH_RELAY_URI=https://push.bitwarden.com | ||||||
|  | # PUSH_IDENTITY_URI=https://identity.bitwarden.com | ||||||
|  | # European Union Data Region Settings | ||||||
|  | # If you have selected "European Union" as your data region, use the following URIs instead. | ||||||
|  | # PUSH_RELAY_URI=https://api.bitwarden.eu | ||||||
|  | # PUSH_IDENTITY_URI=https://identity.bitwarden.eu | ||||||
|  |  | ||||||
| ## Enables websocket notifications | ##################### | ||||||
| # WEBSOCKET_ENABLED=false | ### Schedule jobs ### | ||||||
|  | ##################### | ||||||
| ## Controls the WebSocket server address and port |  | ||||||
| # WEBSOCKET_ADDRESS=0.0.0.0 |  | ||||||
| # WEBSOCKET_PORT=3012 |  | ||||||
|  |  | ||||||
| ## Controls whether users are allowed to create Bitwarden Sends. |  | ||||||
| ## This setting applies globally to all users. |  | ||||||
| ## To control this on a per-org basis instead, use the "Disable Send" org policy. |  | ||||||
| # SENDS_ALLOWED=true |  | ||||||
|  |  | ||||||
| ## Controls whether users can enable emergency access to their accounts. |  | ||||||
| ## This setting applies globally to all users. |  | ||||||
| # EMERGENCY_ACCESS_ALLOWED=true |  | ||||||
|  |  | ||||||
| ## Job scheduler settings | ## Job scheduler settings | ||||||
| ## | ## | ||||||
| ## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), | ## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), | ||||||
| ## and are always in terms of UTC time (regardless of your local time zone settings). | ## and are always in terms of UTC time (regardless of your local time zone settings). | ||||||
| ## | ## | ||||||
|  | ## The schedule format is a bit different from crontab as crontab does not contains seconds. | ||||||
|  | ## You can test the the format here: https://crontab.guru, but remove the first digit! | ||||||
|  | ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK | ||||||
|  | ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri" | ||||||
|  | ## "0   30     *          *            *          *     " | ||||||
|  | ## "0   30     1          *            *          *     " | ||||||
|  | ## | ||||||
| ## How often (in ms) the job scheduler thread checks for jobs that need running. | ## How often (in ms) the job scheduler thread checks for jobs that need running. | ||||||
| ## Set to 0 to globally disable scheduled jobs. | ## Set to 0 to globally disable scheduled jobs. | ||||||
| # JOB_POLL_INTERVAL_MS=30000 | # JOB_POLL_INTERVAL_MS=30000 | ||||||
| @@ -101,68 +140,83 @@ | |||||||
| # INCOMPLETE_2FA_SCHEDULE="30 * * * * *" | # INCOMPLETE_2FA_SCHEDULE="30 * * * * *" | ||||||
| ## | ## | ||||||
| ## Cron schedule of the job that sends expiration reminders to emergency access grantors. | ## Cron schedule of the job that sends expiration reminders to emergency access grantors. | ||||||
| ## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. | ## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. | ||||||
| # EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 5 * * * *" | # EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" | ||||||
| ## | ## | ||||||
| ## Cron schedule of the job that grants emergency access requests that have met the required wait time. | ## Cron schedule of the job that grants emergency access requests that have met the required wait time. | ||||||
| ## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. | ## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. | ||||||
| # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 5 * * * *" | # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" | ||||||
|  |  | ||||||
| ## Enable extended logging, which shows timestamps and targets in the logs |  | ||||||
| # EXTENDED_LOGGING=true |  | ||||||
|  |  | ||||||
| ## Timestamp format used in extended logging. |  | ||||||
| ## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime |  | ||||||
| # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" |  | ||||||
|  |  | ||||||
| ## Logging to file |  | ||||||
| ## It's recommended to also set 'ROCKET_CLI_COLORS=off' |  | ||||||
| # LOG_FILE=/path/to/log |  | ||||||
|  |  | ||||||
| ## Logging to Syslog |  | ||||||
| ## This requires extended logging |  | ||||||
| ## It's recommended to also set 'ROCKET_CLI_COLORS=off' |  | ||||||
| # USE_SYSLOG=false |  | ||||||
|  |  | ||||||
| ## Log level |  | ||||||
| ## Change the verbosity of the log output |  | ||||||
| ## Valid values are "trace", "debug", "info", "warn", "error" and "off" |  | ||||||
| ## Setting it to "trace" or "debug" would also show logs for mounted |  | ||||||
| ## routes and static file, websocket and alive requests |  | ||||||
| # LOG_LEVEL=Info |  | ||||||
|  |  | ||||||
| ## Enable WAL for the DB |  | ||||||
| ## Set to false to avoid enabling WAL during startup. |  | ||||||
| ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, |  | ||||||
| ## this setting only prevents vaultwarden from automatically enabling it on start. |  | ||||||
| ## Please read project wiki page about this setting first before changing the value as it can |  | ||||||
| ## cause performance degradation or might render the service unable to start. |  | ||||||
| # ENABLE_DB_WAL=true |  | ||||||
|  |  | ||||||
| ## Database connection retries |  | ||||||
| ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely |  | ||||||
| # DB_CONNECTION_RETRIES=15 |  | ||||||
|  |  | ||||||
| ## Icon service |  | ||||||
| ## The predefined icon services are: internal, bitwarden, duckduckgo, google. |  | ||||||
| ## To specify a custom icon service, set a URL template with exactly one instance of `{}`, |  | ||||||
| ## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. |  | ||||||
| ## | ## | ||||||
| ## `internal` refers to Vaultwarden's built-in icon fetching implementation. | ## Cron schedule of the job that cleans old events from the event table. | ||||||
| ## If an external service is set, an icon request to Vaultwarden will return an HTTP | ## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. | ||||||
| ## redirect to the corresponding icon at the external service. An external service may | # EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" | ||||||
| ## be useful if your Vaultwarden instance has no external network connectivity, or if | ## Number of days to retain events stored in the database. | ||||||
| ## you are concerned that someone may probe your instance to try to detect whether icons | ## If unset (the default), events are kept indefinitely and the scheduled job is disabled! | ||||||
| ## for certain sites have been cached. | # EVENTS_DAYS_RETAIN= | ||||||
| # ICON_SERVICE=internal | ## | ||||||
|  | ## Cron schedule of the job that cleans old auth requests from the auth request. | ||||||
|  | ## Defaults to every minute. Set blank to disable this job. | ||||||
|  | # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" | ||||||
|  | ## | ||||||
|  | ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. | ||||||
|  | ## Defaults to every minute. Set blank to disable this job. | ||||||
|  | # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" | ||||||
|  |  | ||||||
| ## Icon redirect code | ######################## | ||||||
| ## The HTTP status code to use for redirects to an external icon service. | ### General settings ### | ||||||
| ## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). | ######################## | ||||||
| ## Temporary redirects are useful while testing different icon services, but once a service |  | ||||||
| ## has been decided on, consider using permanent redirects for cacheability. The legacy codes | ## Domain settings | ||||||
| ## are currently better supported by the Bitwarden clients. | ## The domain must match the address from where you access the server | ||||||
| # ICON_REDIRECT_CODE=302 | ## It's recommended to configure this value, otherwise certain functionality might not work, | ||||||
|  | ## like attachment downloads, email links and U2F. | ||||||
|  | ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs | ||||||
|  | ## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy | ||||||
|  | ## Details: | ||||||
|  | ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS | ||||||
|  | ## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples | ||||||
|  | ## For development | ||||||
|  | # DOMAIN=http://localhost | ||||||
|  | ## For public server | ||||||
|  | # DOMAIN=https://vw.domain.tld | ||||||
|  | ## For public server (URL with port number) | ||||||
|  | # DOMAIN=https://vw.domain.tld:8443 | ||||||
|  | ## For public server (URL with path) | ||||||
|  | # DOMAIN=https://domain.tld/vw | ||||||
|  |  | ||||||
|  | ## Controls whether users are allowed to create Bitwarden Sends. | ||||||
|  | ## This setting applies globally to all users. | ||||||
|  | ## To control this on a per-org basis instead, use the "Disable Send" org policy. | ||||||
|  | # SENDS_ALLOWED=true | ||||||
|  |  | ||||||
|  | ## HIBP Api Key | ||||||
|  | ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key | ||||||
|  | # HIBP_API_KEY= | ||||||
|  |  | ||||||
|  | ## Per-organization attachment storage limit (KB) | ||||||
|  | ## Max kilobytes of attachment storage allowed per organization. | ||||||
|  | ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. | ||||||
|  | # ORG_ATTACHMENT_LIMIT= | ||||||
|  | ## Per-user attachment storage limit (KB) | ||||||
|  | ## Max kilobytes of attachment storage allowed per user. | ||||||
|  | ## When this limit is reached, the user will not be allowed to upload further attachments. | ||||||
|  | # USER_ATTACHMENT_LIMIT= | ||||||
|  | ## Per-user send storage limit (KB) | ||||||
|  | ## Max kilobytes of send storage allowed per user. | ||||||
|  | ## When this limit is reached, the user will not be allowed to upload further sends. | ||||||
|  | # USER_SEND_LIMIT= | ||||||
|  |  | ||||||
|  | ## Number of days to wait before auto-deleting a trashed item. | ||||||
|  | ## If unset (the default), trashed items are not auto-deleted. | ||||||
|  | ## This setting applies globally, so make sure to inform all users of any changes to this setting. | ||||||
|  | # TRASH_AUTO_DELETE_DAYS= | ||||||
|  |  | ||||||
|  | ## Number of minutes to wait before a 2FA-enabled login is considered incomplete, | ||||||
|  | ## resulting in an email notification. An incomplete 2FA login is one where the correct | ||||||
|  | ## master password was provided but the required 2FA step was not completed, which | ||||||
|  | ## potentially indicates a master password compromise. Set to 0 to disable this check. | ||||||
|  | ## This setting applies globally to all users. | ||||||
|  | # INCOMPLETE_2FA_TIME_LIMIT=3 | ||||||
|  |  | ||||||
| ## Disable icon downloading | ## Disable icon downloading | ||||||
| ## Set to true to disable icon downloading in the internal icon service. | ## Set to true to disable icon downloading in the internal icon service. | ||||||
| @@ -171,38 +225,6 @@ | |||||||
| ## will be deleted eventually, but won't be downloaded again. | ## will be deleted eventually, but won't be downloaded again. | ||||||
| # DISABLE_ICON_DOWNLOAD=false | # DISABLE_ICON_DOWNLOAD=false | ||||||
|  |  | ||||||
| ## Icon download timeout |  | ||||||
| ## Configure the timeout value when downloading the favicons. |  | ||||||
| ## The default is 10 seconds, but this could be to low on slower network connections |  | ||||||
| # ICON_DOWNLOAD_TIMEOUT=10 |  | ||||||
|  |  | ||||||
| ## Icon blacklist Regex |  | ||||||
| ## Any domains or IPs that match this regex won't be fetched by the icon service. |  | ||||||
| ## Useful to hide other servers in the local network. Check the WIKI for more details |  | ||||||
| ## NOTE: Always enclose this regex withing single quotes! |  | ||||||
| # ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' |  | ||||||
|  |  | ||||||
| ## Any IP which is not defined as a global IP will be blacklisted. |  | ||||||
| ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block |  | ||||||
| # ICON_BLACKLIST_NON_GLOBAL_IPS=true |  | ||||||
|  |  | ||||||
| ## Disable 2FA remember |  | ||||||
| ## Enabling this would force the users to use a second factor to login every time. |  | ||||||
| ## Note that the checkbox would still be present, but ignored. |  | ||||||
| # DISABLE_2FA_REMEMBER=false |  | ||||||
|  |  | ||||||
| ## Maximum attempts before an email token is reset and a new email will need to be sent. |  | ||||||
| # EMAIL_ATTEMPTS_LIMIT=3 |  | ||||||
|  |  | ||||||
| ## Token expiration time |  | ||||||
| ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. |  | ||||||
| # EMAIL_EXPIRATION_TIME=600 |  | ||||||
|  |  | ||||||
| ## Email token size |  | ||||||
| ## Number of digits in an email 2FA token (min: 6, max: 255). |  | ||||||
| ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! |  | ||||||
| # EMAIL_TOKEN_SIZE=6 |  | ||||||
|  |  | ||||||
| ## Controls if new users can register | ## Controls if new users can register | ||||||
| # SIGNUPS_ALLOWED=true | # SIGNUPS_ALLOWED=true | ||||||
|  |  | ||||||
| @@ -224,6 +246,11 @@ | |||||||
| ## even if SIGNUPS_ALLOWED is set to false | ## even if SIGNUPS_ALLOWED is set to false | ||||||
| # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org | # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org | ||||||
|  |  | ||||||
|  | ## Controls whether event logging is enabled for organizations | ||||||
|  | ## This setting applies to organizations. | ||||||
|  | ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. | ||||||
|  | # ORG_EVENTS_ENABLED=false | ||||||
|  |  | ||||||
| ## Controls which users can create new orgs. | ## Controls which users can create new orgs. | ||||||
| ## Blank or 'all' means all users can create orgs (this is the default): | ## Blank or 'all' means all users can create orgs (this is the default): | ||||||
| # ORG_CREATION_USERS= | # ORG_CREATION_USERS= | ||||||
| @@ -232,56 +259,146 @@ | |||||||
| ## A comma-separated list means only those users can create orgs: | ## A comma-separated list means only those users can create orgs: | ||||||
| # ORG_CREATION_USERS=admin1@example.com,admin2@example.com | # ORG_CREATION_USERS=admin1@example.com,admin2@example.com | ||||||
|  |  | ||||||
| ## Token for the admin interface, preferably use a long random string |  | ||||||
| ## One option is to use 'openssl rand -base64 48' |  | ||||||
| ## If not set, the admin panel is disabled |  | ||||||
| # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp |  | ||||||
|  |  | ||||||
| ## Enable this to bypass the admin panel security. This option is only |  | ||||||
| ## meant to be used with the use of a separate auth layer in front |  | ||||||
| # DISABLE_ADMIN_TOKEN=false |  | ||||||
|  |  | ||||||
| ## Invitations org admins to invite users, even when signups are disabled | ## Invitations org admins to invite users, even when signups are disabled | ||||||
| # INVITATIONS_ALLOWED=true | # INVITATIONS_ALLOWED=true | ||||||
| ## Name shown in the invitation emails that don't come from a specific organization | ## Name shown in the invitation emails that don't come from a specific organization | ||||||
| # INVITATION_ORG_NAME=Vaultwarden | # INVITATION_ORG_NAME=Vaultwarden | ||||||
|  |  | ||||||
| ## Per-organization attachment storage limit (KB) | ## The number of hours after which an organization invite token, emergency access invite token, | ||||||
| ## Max kilobytes of attachment storage allowed per organization. | ## email verification token and deletion request token will expire (must be at least 1) | ||||||
| ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. | # INVITATION_EXPIRATION_HOURS=120 | ||||||
| # ORG_ATTACHMENT_LIMIT= |  | ||||||
| ## Per-user attachment storage limit (KB) |  | ||||||
| ## Max kilobytes of attachment storage allowed per user. |  | ||||||
| ## When this limit is reached, the user will not be allowed to upload further attachments. |  | ||||||
| # USER_ATTACHMENT_LIMIT= |  | ||||||
|  |  | ||||||
| ## Number of days to wait before auto-deleting a trashed item. | ## Controls whether users can enable emergency access to their accounts. | ||||||
| ## If unset (the default), trashed items are not auto-deleted. |  | ||||||
| ## This setting applies globally, so make sure to inform all users of any changes to this setting. |  | ||||||
| # TRASH_AUTO_DELETE_DAYS= |  | ||||||
|  |  | ||||||
| ## Number of minutes to wait before a 2FA-enabled login is considered incomplete, |  | ||||||
| ## resulting in an email notification. An incomplete 2FA login is one where the correct |  | ||||||
| ## master password was provided but the required 2FA step was not completed, which |  | ||||||
| ## potentially indicates a master password compromise. Set to 0 to disable this check. |  | ||||||
| ## This setting applies globally to all users. | ## This setting applies globally to all users. | ||||||
| # INCOMPLETE_2FA_TIME_LIMIT=3 | # EMERGENCY_ACCESS_ALLOWED=true | ||||||
|  |  | ||||||
| ## Controls the PBBKDF password iterations to apply on the server | ## Controls whether users can change their email. | ||||||
| ## The change only applies when the password is changed | ## This setting applies globally to all users | ||||||
| # PASSWORD_ITERATIONS=100000 | # EMAIL_CHANGE_ALLOWED=true | ||||||
|  |  | ||||||
|  | ## Number of server-side passwords hashing iterations for the password hash. | ||||||
|  | ## The default for new users. If changed, it will be updated during login for existing users. | ||||||
|  | # PASSWORD_ITERATIONS=600000 | ||||||
|  |  | ||||||
|  | ## Controls whether users can set password hints. This setting applies globally to all users. | ||||||
|  | # PASSWORD_HINTS_ALLOWED=true | ||||||
|  |  | ||||||
| ## Controls whether a password hint should be shown directly in the web page if | ## Controls whether a password hint should be shown directly in the web page if | ||||||
| ## SMTP service is not configured. Not recommended for publicly-accessible instances | ## SMTP service is not configured. Not recommended for publicly-accessible instances | ||||||
| ## as this provides unauthenticated access to potentially sensitive data. | ## as this provides unauthenticated access to potentially sensitive data. | ||||||
| # SHOW_PASSWORD_HINT=false | # SHOW_PASSWORD_HINT=false | ||||||
|  |  | ||||||
| ## Domain settings | ######################### | ||||||
| ## The domain must match the address from where you access the server | ### Advanced settings ### | ||||||
| ## It's recommended to configure this value, otherwise certain functionality might not work, | ######################### | ||||||
| ## like attachment downloads, email links and U2F. |  | ||||||
| ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs | ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" | ||||||
| # DOMAIN=https://bw.domain.tld:8443 | ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP | ||||||
|  | # IP_HEADER=X-Real-IP | ||||||
|  |  | ||||||
|  | ## Icon service | ||||||
|  | ## The predefined icon services are: internal, bitwarden, duckduckgo, google. | ||||||
|  | ## To specify a custom icon service, set a URL template with exactly one instance of `{}`, | ||||||
|  | ## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. | ||||||
|  | ## | ||||||
|  | ## `internal` refers to Vaultwarden's built-in icon fetching implementation. | ||||||
|  | ## If an external service is set, an icon request to Vaultwarden will return an HTTP | ||||||
|  | ## redirect to the corresponding icon at the external service. An external service may | ||||||
|  | ## be useful if your Vaultwarden instance has no external network connectivity, or if | ||||||
|  | ## you are concerned that someone may probe your instance to try to detect whether icons | ||||||
|  | ## for certain sites have been cached. | ||||||
|  | # ICON_SERVICE=internal | ||||||
|  |  | ||||||
|  | ## Icon redirect code | ||||||
|  | ## The HTTP status code to use for redirects to an external icon service. | ||||||
|  | ## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). | ||||||
|  | ## Temporary redirects are useful while testing different icon services, but once a service | ||||||
|  | ## has been decided on, consider using permanent redirects for cacheability. The legacy codes | ||||||
|  | ## are currently better supported by the Bitwarden clients. | ||||||
|  | # ICON_REDIRECT_CODE=302 | ||||||
|  |  | ||||||
|  | ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") | ||||||
|  | ## Default: 2592000 (30 days) | ||||||
|  | # ICON_CACHE_TTL=2592000 | ||||||
|  | ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") | ||||||
|  | ## Default: 2592000 (3 days) | ||||||
|  | # ICON_CACHE_NEGTTL=259200 | ||||||
|  |  | ||||||
|  | ## Icon download timeout | ||||||
|  | ## Configure the timeout value when downloading the favicons. | ||||||
|  | ## The default is 10 seconds, but this could be to low on slower network connections | ||||||
|  | # ICON_DOWNLOAD_TIMEOUT=10 | ||||||
|  |  | ||||||
|  | ## Block HTTP domains/IPs by Regex | ||||||
|  | ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. | ||||||
|  | ## Useful to hide other servers in the local network. Check the WIKI for more details | ||||||
|  | ## NOTE: Always enclose this regex withing single quotes! | ||||||
|  | # HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' | ||||||
|  |  | ||||||
|  | ## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. | ||||||
|  | ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block | ||||||
|  | # HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true | ||||||
|  |  | ||||||
|  | ## Client Settings | ||||||
|  | ## Enable experimental feature flags for clients. | ||||||
|  | ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". | ||||||
|  | ## | ||||||
|  | ## The following flags are available: | ||||||
|  | ## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. | ||||||
|  | ## - "autofill-v2": Use the new autofill implementation. | ||||||
|  | ## - "browser-fileless-import": Directly import credentials from other providers without a file. | ||||||
|  | ## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) | ||||||
|  | ## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. | ||||||
|  | # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials | ||||||
|  |  | ||||||
|  | ## Require new device emails. When a user logs in an email is required to be sent. | ||||||
|  | ## If sending the email fails the login attempt will fail!! | ||||||
|  | # REQUIRE_DEVICE_EMAIL=false | ||||||
|  |  | ||||||
|  | ## Enable extended logging, which shows timestamps and targets in the logs | ||||||
|  | # EXTENDED_LOGGING=true | ||||||
|  |  | ||||||
|  | ## Timestamp format used in extended logging. | ||||||
|  | ## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime | ||||||
|  | # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" | ||||||
|  |  | ||||||
|  | ## Logging to Syslog | ||||||
|  | ## This requires extended logging | ||||||
|  | # USE_SYSLOG=false | ||||||
|  |  | ||||||
|  | ## Logging to file | ||||||
|  | # LOG_FILE=/path/to/log | ||||||
|  |  | ||||||
|  | ## Log level | ||||||
|  | ## Change the verbosity of the log output | ||||||
|  | ## Valid values are "trace", "debug", "info", "warn", "error" and "off" | ||||||
|  | ## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests | ||||||
|  | ## For a specific module append a comma separated `path::to::module=log_level` | ||||||
|  | ## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" | ||||||
|  | # LOG_LEVEL=info | ||||||
|  |  | ||||||
|  | ## Token for the admin interface, preferably an Argon2 PCH string | ||||||
|  | ## Vaultwarden has a built-in generator by calling `vaultwarden hash` | ||||||
|  | ## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token | ||||||
|  | ## If not set, the admin panel is disabled | ||||||
|  | ## New Argon2 PHC string | ||||||
|  | ## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` | ||||||
|  | ## Also, use single quotes (') instead of double quotes (") to enclose the string when needed | ||||||
|  | # ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' | ||||||
|  | ## Old plain text string (Will generate warnings in favor of Argon2) | ||||||
|  | # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp | ||||||
|  |  | ||||||
|  | ## Enable this to bypass the admin panel security. This option is only | ||||||
|  | ## meant to be used with the use of a separate auth layer in front | ||||||
|  | # DISABLE_ADMIN_TOKEN=false | ||||||
|  |  | ||||||
|  | ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. | ||||||
|  | # ADMIN_RATELIMIT_SECONDS=300 | ||||||
|  | ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. | ||||||
|  | # ADMIN_RATELIMIT_MAX_BURST=3 | ||||||
|  |  | ||||||
|  | ## Set the lifetime of admin sessions to this value (in minutes). | ||||||
|  | # ADMIN_SESSION_LIFETIME=20 | ||||||
|  |  | ||||||
| ## Allowed iframe ancestors (Know the risks!) | ## Allowed iframe ancestors (Know the risks!) | ||||||
| ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors | ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors | ||||||
| @@ -296,10 +413,28 @@ | |||||||
| ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. | ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. | ||||||
| # LOGIN_RATELIMIT_MAX_BURST=10 | # LOGIN_RATELIMIT_MAX_BURST=10 | ||||||
|  |  | ||||||
| ## Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in. | ## BETA FEATURE: Groups | ||||||
| # ADMIN_RATELIMIT_SECONDS=300 | ## Controls whether group support is enabled for organizations | ||||||
| ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. | ## This setting applies to organizations. | ||||||
| # ADMIN_RATELIMIT_MAX_BURST=3 | ## Disabled by default because this is a beta feature, it contains known issues! | ||||||
|  | ## KNOW WHAT YOU ARE DOING! | ||||||
|  | # ORG_GROUPS_ENABLED=false | ||||||
|  |  | ||||||
|  | ## Increase secure note size limit (Know the risks!) | ||||||
|  | ## Sets the secure note size limit to 100_000 instead of the default 10_000. | ||||||
|  | ## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! | ||||||
|  | ## KNOW WHAT YOU ARE DOING! | ||||||
|  | # INCREASE_NOTE_SIZE_LIMIT=false | ||||||
|  |  | ||||||
|  | ## Enforce Single Org with Reset Password Policy | ||||||
|  | ## Enforce that the Single Org policy is enabled before setting the Reset Password policy | ||||||
|  | ## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available. | ||||||
|  | ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy. | ||||||
|  | # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false | ||||||
|  |  | ||||||
|  | ######################## | ||||||
|  | ### MFA/2FA settings ### | ||||||
|  | ######################## | ||||||
|  |  | ||||||
| ## Yubico (Yubikey) Settings | ## Yubico (Yubikey) Settings | ||||||
| ## Set your Client ID and Secret Key for Yubikey OTP | ## Set your Client ID and Secret Key for Yubikey OTP | ||||||
| @@ -310,16 +445,46 @@ | |||||||
| # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify | # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify | ||||||
|  |  | ||||||
| ## Duo Settings | ## Duo Settings | ||||||
| ## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves | ## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. | ||||||
|  | ## Otherwise users will need to configure it themselves. | ||||||
| ## Create an account and protect an application as mentioned in this link (only the first step, not the rest): | ## Create an account and protect an application as mentioned in this link (only the first step, not the rest): | ||||||
| ## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account | ## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account | ||||||
| ## Then set the following options, based on the values obtained from the last step: | ## Then set the following options, based on the values obtained from the last step: | ||||||
| # DUO_IKEY=<Integration Key> | # DUO_IKEY=<Client ID> | ||||||
| # DUO_SKEY=<Secret Key> | # DUO_SKEY=<Client Secret> | ||||||
| # DUO_HOST=<API Hostname> | # DUO_HOST=<API Hostname> | ||||||
| ## After that, you should be able to follow the rest of the guide linked above, | ## After that, you should be able to follow the rest of the guide linked above, | ||||||
| ## ignoring the fields that ask for the values that you already configured beforehand. | ## ignoring the fields that ask for the values that you already configured beforehand. | ||||||
|  | ## | ||||||
|  | ## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. | ||||||
|  | ## Duo no longer supports this, but it still works for some integrations. | ||||||
|  | ## If you aren't sure, leave this alone. | ||||||
|  | # DUO_USE_IFRAME=false | ||||||
|  |  | ||||||
|  | ## Email 2FA settings | ||||||
|  | ## Email token size | ||||||
|  | ## Number of digits in an email 2FA token (min: 6, max: 255). | ||||||
|  | ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! | ||||||
|  | # EMAIL_TOKEN_SIZE=6 | ||||||
|  | ## | ||||||
|  | ## Token expiration time | ||||||
|  | ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. | ||||||
|  | # EMAIL_EXPIRATION_TIME=600 | ||||||
|  | ## | ||||||
|  | ## Maximum attempts before an email token is reset and a new email will need to be sent. | ||||||
|  | # EMAIL_ATTEMPTS_LIMIT=3 | ||||||
|  | ## | ||||||
|  | ## Setup email 2FA regardless of any organization policy | ||||||
|  | # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false | ||||||
|  | ## Automatically setup email 2FA as fallback provider when needed | ||||||
|  | # EMAIL_2FA_AUTO_FALLBACK=false | ||||||
|  |  | ||||||
|  | ## Other MFA/2FA settings | ||||||
|  | ## Disable 2FA remember | ||||||
|  | ## Enabling this would force the users to use a second factor to login every time. | ||||||
|  | ## Note that the checkbox would still be present, but ignored. | ||||||
|  | # DISABLE_2FA_REMEMBER=false | ||||||
|  | ## | ||||||
| ## Authenticator Settings | ## Authenticator Settings | ||||||
| ## Disable authenticator time drifted codes to be valid. | ## Disable authenticator time drifted codes to be valid. | ||||||
| ## TOTP codes of the previous and next 30 seconds will be invalid | ## TOTP codes of the previous and next 30 seconds will be invalid | ||||||
| @@ -332,57 +497,73 @@ | |||||||
| ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. | ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. | ||||||
| # AUTHENTICATOR_DISABLE_TIME_DRIFT=false | # AUTHENTICATOR_DISABLE_TIME_DRIFT=false | ||||||
|  |  | ||||||
| ## Rocket specific settings | ########################### | ||||||
| ## See https://rocket.rs/v0.4/guide/configuration/ for more details. | ### SMTP Email settings ### | ||||||
| # ROCKET_ADDRESS=0.0.0.0 | ########################### | ||||||
| # ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise. |  | ||||||
| # ROCKET_WORKERS=10 |  | ||||||
| # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} |  | ||||||
|  |  | ||||||
| ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service. | ## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service. | ||||||
| ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. | ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. | ||||||
| ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory | ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory | ||||||
| # SMTP_HOST=smtp.domain.tld | # SMTP_HOST=smtp.domain.tld | ||||||
| # SMTP_FROM=vaultwarden@domain.tld | # SMTP_FROM=vaultwarden@domain.tld | ||||||
| # SMTP_FROM_NAME=Vaultwarden | # SMTP_FROM_NAME=Vaultwarden | ||||||
| # SMTP_SECURITY=starttls # ("starttls", "force_tls", "off") Enable a secure connection. Default is "starttls" (Explicit - ports 587 or 25), "force_tls" (Implicit - port 465) or "off", no encryption (port 25) |  | ||||||
| # SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS. |  | ||||||
| # SMTP_USERNAME=username | # SMTP_USERNAME=username | ||||||
| # SMTP_PASSWORD=password | # SMTP_PASSWORD=password | ||||||
| # SMTP_TIMEOUT=15 | # SMTP_TIMEOUT=15 | ||||||
|  |  | ||||||
|  | ## Choose the type of secure connection for SMTP. The default is "starttls". | ||||||
|  | ## The available options are: | ||||||
|  | ## - "starttls": The default port is 587. | ||||||
|  | ## - "force_tls": The default port is 465. | ||||||
|  | ## - "off": The default port is 25. | ||||||
|  | ## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS). | ||||||
|  | # SMTP_SECURITY=starttls | ||||||
|  | # SMTP_PORT=587 | ||||||
|  |  | ||||||
|  | # Whether to send mail via the `sendmail` command | ||||||
|  | # USE_SENDMAIL=false | ||||||
|  | # Which sendmail command to use. The one found in the $PATH is used if not specified. | ||||||
|  | # SENDMAIL_COMMAND="/path/to/sendmail" | ||||||
|  |  | ||||||
| ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. | ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. | ||||||
| ## Possible values: ["Plain", "Login", "Xoauth2"]. | ## Possible values: ["Plain", "Login", "Xoauth2"]. | ||||||
| ## Multiple options need to be separated by a comma ','. | ## Multiple options need to be separated by a comma ','. | ||||||
| # SMTP_AUTH_MECHANISM="Plain" | # SMTP_AUTH_MECHANISM= | ||||||
|  |  | ||||||
| ## Server name sent during the SMTP HELO | ## Server name sent during the SMTP HELO | ||||||
| ## By default this value should be is on the machine's hostname, | ## By default this value should be is on the machine's hostname, | ||||||
| ## but might need to be changed in case it trips some anti-spam filters | ## but might need to be changed in case it trips some anti-spam filters | ||||||
| # HELO_NAME= | # HELO_NAME= | ||||||
|  |  | ||||||
|  | ## Embed images as email attachments | ||||||
|  | # SMTP_EMBED_IMAGES=true | ||||||
|  |  | ||||||
| ## SMTP debugging | ## SMTP debugging | ||||||
| ## When set to true this will output very detailed SMTP messages. | ## When set to true this will output very detailed SMTP messages. | ||||||
| ## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting! | ## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting! | ||||||
| # SMTP_DEBUG=false | # SMTP_DEBUG=false | ||||||
|  |  | ||||||
| ## Accept Invalid Hostnames |  | ||||||
| ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! |  | ||||||
| ## Only use this as a last resort if you are not able to use a valid certificate. |  | ||||||
| # SMTP_ACCEPT_INVALID_HOSTNAMES=false |  | ||||||
|  |  | ||||||
| ## Accept Invalid Certificates | ## Accept Invalid Certificates | ||||||
| ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ||||||
| ## Only use this as a last resort if you are not able to use a valid certificate. | ## Only use this as a last resort if you are not able to use a valid certificate. | ||||||
| ## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead. | ## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead. | ||||||
| # SMTP_ACCEPT_INVALID_CERTS=false | # SMTP_ACCEPT_INVALID_CERTS=false | ||||||
|  |  | ||||||
| ## Require new device emails. When a user logs in an email is required to be sent. | ## Accept Invalid Hostnames | ||||||
| ## If sending the email fails the login attempt will fail!! | ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ||||||
| # REQUIRE_DEVICE_EMAIL=false | ## Only use this as a last resort if you are not able to use a valid certificate. | ||||||
|  | # SMTP_ACCEPT_INVALID_HOSTNAMES=false | ||||||
|  |  | ||||||
|  | ####################### | ||||||
|  | ### Rocket settings ### | ||||||
|  | ####################### | ||||||
|  |  | ||||||
|  | ## Rocket specific settings | ||||||
|  | ## See https://rocket.rs/v0.5/guide/configuration/ for more details. | ||||||
|  | # ROCKET_ADDRESS=0.0.0.0 | ||||||
|  | ## The default port is 8000, unless running in a Docker container, in which case it is 80. | ||||||
|  | # ROCKET_PORT=8000 | ||||||
|  | # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} | ||||||
|  |  | ||||||
| ## HIBP Api Key |  | ||||||
| ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key |  | ||||||
| # HIBP_API_KEY= |  | ||||||
|  |  | ||||||
| # vim: syntax=ini | # vim: syntax=ini | ||||||
|   | |||||||
							
								
								
									
										3
									
								
								.github/CODEOWNERS
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								.github/CODEOWNERS
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | |||||||
|  | /.github @dani-garcia @BlackDex | ||||||
|  | /.github/CODEOWNERS @dani-garcia @BlackDex | ||||||
|  | /.github/workflows/** @dani-garcia @BlackDex | ||||||
							
								
								
									
										1
									
								
								.github/FUNDING.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										1
									
								
								.github/FUNDING.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,2 +1,3 @@ | |||||||
| github: dani-garcia | github: dani-garcia | ||||||
|  | liberapay: dani-garcia | ||||||
| custom: ["https://paypal.me/DaniGG"] | custom: ["https://paypal.me/DaniGG"] | ||||||
|   | |||||||
							
								
								
									
										66
									
								
								.github/ISSUE_TEMPLATE/bug_report.md
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										66
									
								
								.github/ISSUE_TEMPLATE/bug_report.md
									
									
									
									
										vendored
									
									
								
							| @@ -1,66 +0,0 @@ | |||||||
| --- |  | ||||||
| name: Bug report |  | ||||||
| about: Use this ONLY for bugs in vaultwarden itself. Use the Discourse forum (link below) to request features or get help with usage/configuration. If in doubt, use the forum. |  | ||||||
| title: '' |  | ||||||
| labels: '' |  | ||||||
| assignees: '' |  | ||||||
|  |  | ||||||
| --- |  | ||||||
| <!-- |  | ||||||
|     # ### |  | ||||||
|     NOTE: Please update to the latest version of vaultwarden before reporting an issue! |  | ||||||
|     This saves you and us a lot of time and troubleshooting. |  | ||||||
|     See: |  | ||||||
|     * https://github.com/dani-garcia/vaultwarden/issues/1180 |  | ||||||
|     * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image |  | ||||||
|     # ### |  | ||||||
| --> |  | ||||||
|  |  | ||||||
| <!-- |  | ||||||
| Please fill out the following template to make solving your problem easier and faster for us. |  | ||||||
| This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them. |  | ||||||
|  |  | ||||||
| Remember to hide/redact personal or confidential information, |  | ||||||
| such as passwords, IP addresses, and DNS names as appropriate. |  | ||||||
| --> |  | ||||||
|  |  | ||||||
| ### Subject of the issue |  | ||||||
| <!-- Describe your issue here. --> |  | ||||||
|  |  | ||||||
| ### Deployment environment |  | ||||||
|  |  | ||||||
| <!-- |  | ||||||
|     ========================================================================================= |  | ||||||
|     Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab. |  | ||||||
|     That will auto-generate most of the info requested in this section. |  | ||||||
|     ========================================================================================= |  | ||||||
| --> |  | ||||||
|  |  | ||||||
| <!-- The version number, obtained from the logs (at startup) or the admin diagnostics page --> |  | ||||||
| <!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden --> |  | ||||||
| <!-- Remember to check if your issue exists on the latest version first! --> |  | ||||||
| * vaultwarden version: |  | ||||||
|  |  | ||||||
| <!-- How the server was installed: Docker image, OS package, built from source, etc. --> |  | ||||||
| * Install method: |  | ||||||
|  |  | ||||||
| * Clients used: <!-- web vault, desktop, Android, iOS, etc. (if applicable) --> |  | ||||||
|  |  | ||||||
| * Reverse proxy and version: <!-- if applicable --> |  | ||||||
|  |  | ||||||
| * MySQL/MariaDB or PostgreSQL version: <!-- if applicable --> |  | ||||||
|  |  | ||||||
| * Other relevant details: |  | ||||||
|  |  | ||||||
| ### Steps to reproduce |  | ||||||
| <!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults) |  | ||||||
| and how did you start vaultwarden? --> |  | ||||||
|  |  | ||||||
| ### Expected behaviour |  | ||||||
| <!-- Tell us what you expected to happen --> |  | ||||||
|  |  | ||||||
| ### Actual behaviour |  | ||||||
| <!-- Tell us what actually happened --> |  | ||||||
|  |  | ||||||
| ### Troubleshooting data |  | ||||||
| <!-- Share any log files, screenshots, or other relevant troubleshooting data --> |  | ||||||
							
								
								
									
										167
									
								
								.github/ISSUE_TEMPLATE/bug_report.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										167
									
								
								.github/ISSUE_TEMPLATE/bug_report.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,167 @@ | |||||||
|  | name: Bug Report | ||||||
|  | description: File a bug report | ||||||
|  | labels: ["bug"] | ||||||
|  | body: | ||||||
|  |   # | ||||||
|  |   - type: markdown | ||||||
|  |     attributes: | ||||||
|  |       value: | | ||||||
|  |         Thanks for taking the time to fill out this bug report! | ||||||
|  |  | ||||||
|  |         Please *do not* submit feature requests or ask for help on how to configure Vaultwarden here. | ||||||
|  |  | ||||||
|  |         The [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions/) has sections for Questions and Ideas. | ||||||
|  |  | ||||||
|  |         Also, make sure you are running [](https://github.com/dani-garcia/vaultwarden/releases/latest) of Vaultwarden! | ||||||
|  |         And search for existing open or closed issues or discussions regarding your topic before posting. | ||||||
|  |  | ||||||
|  |         Be sure to check and validate the Vaultwarden Admin Diagnostics (`/admin/diagnostics`) page for any errors! | ||||||
|  |         See here [how to enable the admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page). | ||||||
|  |   # | ||||||
|  |   - id: support-string | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Vaultwarden Support String | ||||||
|  |       description: Output of the **Generate Support String** from the `/admin/diagnostics` page. | ||||||
|  |       placeholder: | | ||||||
|  |         1. Go to the Vaultwarden Admin of your instance https://example.domain.tld/admin/diagnostics | ||||||
|  |         2. Click on `Generate Support String` | ||||||
|  |         3. Click on `Copy To Clipboard` | ||||||
|  |         4. Replace this text by pasting it into this textarea without any modifications | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: version | ||||||
|  |     type: input | ||||||
|  |     attributes: | ||||||
|  |       label: Vaultwarden Build Version | ||||||
|  |       description: What version of Vaultwarden are you running? | ||||||
|  |       placeholder: ex. v1.31.0 or v1.32.0-3466a804 | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: deployment | ||||||
|  |     type: dropdown | ||||||
|  |     attributes: | ||||||
|  |       label: Deployment method | ||||||
|  |       description: How did you deploy Vaultwarden? | ||||||
|  |       multiple: false | ||||||
|  |       options: | ||||||
|  |         - Official Container Image | ||||||
|  |         - Build from source | ||||||
|  |         - OS Package (apt, yum/dnf, pacman, apk, nix, ...) | ||||||
|  |         - Manually Extracted from Container Image | ||||||
|  |         - Downloaded from GitHub Actions Release Workflow | ||||||
|  |         - Other method | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: deployment-other | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Custom deployment method | ||||||
|  |       description: If you deployed Vaultwarden via any other method, please describe how. | ||||||
|  |   # | ||||||
|  |   - id: reverse-proxy | ||||||
|  |     type: input | ||||||
|  |     attributes: | ||||||
|  |       label: Reverse Proxy | ||||||
|  |       description: Are you using a reverse proxy, if so which and what version? | ||||||
|  |       placeholder: ex. nginx 1.26.2, caddy 2.8.4, traefik 3.1.2, haproxy 3.0 | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: os | ||||||
|  |     type: dropdown | ||||||
|  |     attributes: | ||||||
|  |       label: Host/Server Operating System | ||||||
|  |       description: On what operating system are you running the Vaultwarden server? | ||||||
|  |       multiple: false | ||||||
|  |       options: | ||||||
|  |         - Linux | ||||||
|  |         - NAS/SAN | ||||||
|  |         - Cloud | ||||||
|  |         - Windows | ||||||
|  |         - macOS | ||||||
|  |         - Other | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: os-version | ||||||
|  |     type: input | ||||||
|  |     attributes: | ||||||
|  |       label: Operating System Version | ||||||
|  |       description: What version of the operating system(s) are you seeing the problem on? | ||||||
|  |       placeholder: ex. Arch Linux, Ubuntu 24.04, Kubernetes, Synology DSM 7.x, Windows 11 | ||||||
|  |   # | ||||||
|  |   - id: clients | ||||||
|  |     type: dropdown | ||||||
|  |     attributes: | ||||||
|  |       label: Clients | ||||||
|  |       description: What client(s) are you seeing the problem on? | ||||||
|  |       multiple: true | ||||||
|  |       options: | ||||||
|  |         - Web Vault | ||||||
|  |         - Browser Extension | ||||||
|  |         - CLI | ||||||
|  |         - Desktop | ||||||
|  |         - Android | ||||||
|  |         - iOS | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: client-version | ||||||
|  |     type: input | ||||||
|  |     attributes: | ||||||
|  |       label: Client Version | ||||||
|  |       description: What version(s) of the client(s) are you seeing the problem on? | ||||||
|  |       placeholder: ex. CLI v2024.7.2, Firefox 130 - v2024.7.0 | ||||||
|  |   # | ||||||
|  |   - id: reproduce | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Steps To Reproduce | ||||||
|  |       description: How can we reproduce the behavior. | ||||||
|  |       value: | | ||||||
|  |         1. Go to '...' | ||||||
|  |         2. Click on '....' | ||||||
|  |         3. Scroll down to '....' | ||||||
|  |         4. Click on '...' | ||||||
|  |         5. Etc '...' | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: expected | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Expected Result | ||||||
|  |       description: A clear and concise description of what you expected to happen. | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: actual | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Actual Result | ||||||
|  |       description: A clear and concise description of what is happening. | ||||||
|  |     validations: | ||||||
|  |       required: true | ||||||
|  |   # | ||||||
|  |   - id: logs | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Logs | ||||||
|  |       description: Provide the logs generated by Vaultwarden during the time this issue occurs. | ||||||
|  |       render: text | ||||||
|  |   # | ||||||
|  |   - id: screenshots | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Screenshots or Videos | ||||||
|  |       description: If applicable, add screenshots and/or a short video to help explain your problem. | ||||||
|  |   # | ||||||
|  |   - id: additional-context | ||||||
|  |     type: textarea | ||||||
|  |     attributes: | ||||||
|  |       label: Additional Context | ||||||
|  |       description: Add any other context about the problem here. | ||||||
							
								
								
									
										10
									
								
								.github/ISSUE_TEMPLATE/config.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										10
									
								
								.github/ISSUE_TEMPLATE/config.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,8 +1,8 @@ | |||||||
| blank_issues_enabled: false | blank_issues_enabled: false | ||||||
| contact_links: | contact_links: | ||||||
|   - name: Discourse forum for vaultwarden |   - name: GitHub Discussions for Vaultwarden | ||||||
|     url: https://vaultwarden.discourse.group/ |  | ||||||
|     about: Use this forum to request features or get help with usage/configuration. |  | ||||||
|   - name: GitHub Discussions for vaultwarden |  | ||||||
|     url: https://github.com/dani-garcia/vaultwarden/discussions |     url: https://github.com/dani-garcia/vaultwarden/discussions | ||||||
|     about: An alternative to the Discourse forum, if this is easier for you. |     about: Use the discussions to request features or get help with usage/configuration. | ||||||
|  |   - name: Discourse forum for Vaultwarden | ||||||
|  |     url: https://vaultwarden.discourse.group/ | ||||||
|  |     about: An alternative to the GitHub Discussions, if this is easier for you. | ||||||
|   | |||||||
							
								
								
									
										227
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										227
									
								
								.github/workflows/build.yml
									
									
									
									
										vendored
									
									
								
							| @@ -8,8 +8,11 @@ on: | |||||||
|       - "migrations/**" |       - "migrations/**" | ||||||
|       - "Cargo.*" |       - "Cargo.*" | ||||||
|       - "build.rs" |       - "build.rs" | ||||||
|  |       - "rust-toolchain.toml" | ||||||
|  |       - "rustfmt.toml" | ||||||
|       - "diesel.toml" |       - "diesel.toml" | ||||||
|       - "rust-toolchain" |       - "docker/Dockerfile.j2" | ||||||
|  |       - "docker/DockerSettings.yaml" | ||||||
|   pull_request: |   pull_request: | ||||||
|     paths: |     paths: | ||||||
|       - ".github/workflows/build.yml" |       - ".github/workflows/build.yml" | ||||||
| @@ -17,11 +20,17 @@ on: | |||||||
|       - "migrations/**" |       - "migrations/**" | ||||||
|       - "Cargo.*" |       - "Cargo.*" | ||||||
|       - "build.rs" |       - "build.rs" | ||||||
|  |       - "rust-toolchain.toml" | ||||||
|  |       - "rustfmt.toml" | ||||||
|       - "diesel.toml" |       - "diesel.toml" | ||||||
|       - "rust-toolchain" |       - "docker/Dockerfile.j2" | ||||||
|  |       - "docker/DockerSettings.yaml" | ||||||
|  |  | ||||||
| jobs: | jobs: | ||||||
|   build: |   build: | ||||||
|  |     # We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers | ||||||
|  |     runs-on: ubuntu-22.04 | ||||||
|  |     timeout-minutes: 120 | ||||||
|     # Make warnings errors, this is to prevent warnings slipping through. |     # Make warnings errors, this is to prevent warnings slipping through. | ||||||
|     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes. |     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes. | ||||||
|     env: |     env: | ||||||
| @@ -30,118 +39,160 @@ jobs: | |||||||
|       fail-fast: false |       fail-fast: false | ||||||
|       matrix: |       matrix: | ||||||
|         channel: |         channel: | ||||||
|           - stable |           - "rust-toolchain" # The version defined in rust-toolchain | ||||||
|         target-triple: |           - "msrv" # The supported MSRV | ||||||
|           - x86_64-unknown-linux-gnu |  | ||||||
|         include: |     name: Build and Test ${{ matrix.channel }} | ||||||
|           - target-triple: x86_64-unknown-linux-gnu |  | ||||||
|             host-triple: x86_64-unknown-linux-gnu |  | ||||||
|             features: [sqlite,mysql,postgresql,enable_mimalloc] # Remember to update the `cargo test` to match the amount of features |  | ||||||
|             channel: stable |  | ||||||
|             os: ubuntu-20.04 |  | ||||||
|             ext: "" |  | ||||||
|  |  | ||||||
|     name: Building ${{ matrix.channel }}-${{ matrix.target-triple }} |  | ||||||
|     runs-on: ${{ matrix.os }} |  | ||||||
|     steps: |     steps: | ||||||
|       # Checkout the repo |       # Checkout the repo | ||||||
|       - name: Checkout |       - name: "Checkout" | ||||||
|         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 | ||||||
|       # End Checkout the repo |       # End Checkout the repo | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Install musl-tools when needed |  | ||||||
|       - name: Install musl tools |  | ||||||
|         run: sudo apt-get update && sudo apt-get install -y --no-install-recommends musl-dev musl-tools cmake |  | ||||||
|         if: matrix.target-triple == 'x86_64-unknown-linux-musl' |  | ||||||
|       # End Install musl-tools when needed |  | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Install dependencies |       # Install dependencies | ||||||
|       - name: Install dependencies Ubuntu |       - name: "Install dependencies Ubuntu" | ||||||
|         run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf |         run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config | ||||||
|         if: startsWith( matrix.os, 'ubuntu' ) |  | ||||||
|       # End Install dependencies |       # End Install dependencies | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Enable Rust Caching |       # Determine rust-toolchain version | ||||||
|       - uses: Swatinem/rust-cache@842ef286fff290e445b90b4002cc9807c3669641 # v1.3.0 |       - name: Init Variables | ||||||
|       # End Enable Rust Caching |         id: toolchain | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then | ||||||
|  |             RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)" | ||||||
|  |           elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then | ||||||
|  |             RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)" | ||||||
|  |           else | ||||||
|  |             RUST_TOOLCHAIN="${{ matrix.channel }}" | ||||||
|  |           fi | ||||||
|  |           echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}" | ||||||
|  |       # End Determine rust-toolchain version | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Uses the rust-toolchain file to determine version |       # Only install the clippy and rustfmt components on the default rust-toolchain | ||||||
|       - name: 'Install ${{ matrix.channel }}-${{ matrix.host-triple }} for target: ${{ matrix.target-triple }}' |       - name: "Install rust-toolchain version" | ||||||
|         uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 |         uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2 | ||||||
|  |         if: ${{ matrix.channel == 'rust-toolchain' }} | ||||||
|         with: |         with: | ||||||
|           profile: minimal |           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" | ||||||
|           target: ${{ matrix.target-triple }} |  | ||||||
|           components: clippy, rustfmt |           components: clippy, rustfmt | ||||||
|       # End Uses the rust-toolchain file to determine version |       # End Uses the rust-toolchain file to determine version | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Run cargo tests (In release mode to speed up future builds) |       # Install the any other channel to be used for which we do not execute clippy and rustfmt | ||||||
|  |       - name: "Install MSRV version" | ||||||
|  |         uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # master @ Aug 8, 2024, 7:36 PM GMT+2 | ||||||
|  |         if: ${{ matrix.channel != 'rust-toolchain' }} | ||||||
|  |         with: | ||||||
|  |           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" | ||||||
|  |       # End Install the MSRV channel to be used | ||||||
|  |  | ||||||
|  |       # Set the current matrix toolchain version as default | ||||||
|  |       - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default" | ||||||
|  |         run: | | ||||||
|  |           # Remove the rust-toolchain.toml | ||||||
|  |           rm rust-toolchain.toml | ||||||
|  |           # Set the default | ||||||
|  |           rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} | ||||||
|  |  | ||||||
|  |       # Show environment | ||||||
|  |       - name: "Show environment" | ||||||
|  |         run: | | ||||||
|  |           rustc -vV | ||||||
|  |           cargo -vV | ||||||
|  |       # End Show environment | ||||||
|  |  | ||||||
|  |       # Enable Rust Caching | ||||||
|  |       - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | ||||||
|  |         with: | ||||||
|  |           # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes. | ||||||
|  |           # Like changing the build host from Ubuntu 20.04 to 22.04 for example. | ||||||
|  |           # Only update when really needed! Use a <year>.<month>[.<inc>] format. | ||||||
|  |           prefix-key: "v2023.07-rust" | ||||||
|  |       # End Enable Rust Caching | ||||||
|  |  | ||||||
|  |       # Run cargo tests | ||||||
|       # First test all features together, afterwards test them separately. |       # First test all features together, afterwards test them separately. | ||||||
|       - name: "`cargo test --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`" |       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc" | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |         id: test_sqlite_mysql_postgresql_mimalloc | ||||||
|         with: |         if: $${{ always() }} | ||||||
|           command: test |         run: | | ||||||
|           args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }} |           cargo test --features sqlite,mysql,postgresql,enable_mimalloc | ||||||
|       # Test single features |  | ||||||
|       # 0: sqlite |       - name: "test features: sqlite,mysql,postgresql" | ||||||
|       - name: "`cargo test --release --features ${{ matrix.features[0] }} --target ${{ matrix.target-triple }}`" |         id: test_sqlite_mysql_postgresql | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |         if: $${{ always() }} | ||||||
|         with: |         run: | | ||||||
|           command: test |           cargo test --features sqlite,mysql,postgresql | ||||||
|           args: --release --features ${{ matrix.features[0] }} --target ${{ matrix.target-triple }} |  | ||||||
|         if: ${{ matrix.features[0] != '' }} |       - name: "test features: sqlite" | ||||||
|       # 1: mysql |         id: test_sqlite | ||||||
|       - name: "`cargo test --release --features ${{ matrix.features[1] }} --target ${{ matrix.target-triple }}`" |         if: $${{ always() }} | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |         run: | | ||||||
|         with: |           cargo test --features sqlite | ||||||
|           command: test |  | ||||||
|           args: --release --features ${{ matrix.features[1] }} --target ${{ matrix.target-triple }} |       - name: "test features: mysql" | ||||||
|         if: ${{ matrix.features[1] != '' }} |         id: test_mysql | ||||||
|       # 2: postgresql |         if: $${{ always() }} | ||||||
|       - name: "`cargo test --release --features ${{ matrix.features[2] }} --target ${{ matrix.target-triple }}`" |         run: | | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |           cargo test --features mysql | ||||||
|         with: |  | ||||||
|           command: test |       - name: "test features: postgresql" | ||||||
|           args: --release --features ${{ matrix.features[2] }} --target ${{ matrix.target-triple }} |         id: test_postgresql | ||||||
|         if: ${{ matrix.features[2] != '' }} |         if: $${{ always() }} | ||||||
|  |         run: | | ||||||
|  |           cargo test --features postgresql | ||||||
|       # End Run cargo tests |       # End Run cargo tests | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Run cargo clippy, and fail on warnings (In release mode to speed up future builds) |       # Run cargo clippy, and fail on warnings | ||||||
|       - name: "`cargo clippy --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`" |       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc" | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |         id: clippy | ||||||
|         with: |         if: ${{ always() && matrix.channel == 'rust-toolchain' }} | ||||||
|           command: clippy |         run: | | ||||||
|           args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }} -- -D warnings |           cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings | ||||||
|       # End Run cargo clippy |       # End Run cargo clippy | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Run cargo fmt |       # Run cargo fmt (Only run on rust-toolchain defined version) | ||||||
|       - name: '`cargo fmt`' |       - name: "check formatting" | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |         id: formatting | ||||||
|         with: |         if: ${{ always() && matrix.channel == 'rust-toolchain' }} | ||||||
|           command: fmt |         run: | | ||||||
|           args: --all -- --check |           cargo fmt --all -- --check | ||||||
|       # End Run cargo fmt |       # End Run cargo fmt | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Build the binary |       # Check for any previous failures, if there are stop, else continue. | ||||||
|       - name: "`cargo build --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }}`" |       # This is useful so all test/clippy/fmt actions are done, and they can all be addressed | ||||||
|         uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |       - name: "Some checks failed" | ||||||
|         with: |         if: ${{ failure() }} | ||||||
|           command: build |         run: | | ||||||
|           args: --release --features ${{ join(matrix.features, ',') }} --target ${{ matrix.target-triple }} |           echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY | ||||||
|       # End Build the binary |           echo "" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|---|------|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY | ||||||
|  |           echo "" >> $GITHUB_STEP_SUMMARY | ||||||
|  |           exit 1 | ||||||
|  |  | ||||||
|  |  | ||||||
|       # Upload artifact to Github Actions |       # Check for any previous failures, if there are stop, else continue. | ||||||
|       - name: Upload artifact |       # This is useful so all test/clippy/fmt actions are done, and they can all be addressed | ||||||
|         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 |       - name: "All checks passed" | ||||||
|         with: |         if: ${{ success() }} | ||||||
|           name: vaultwarden-${{ matrix.target-triple }}${{ matrix.ext }} |         run: | | ||||||
|           path: target/${{ matrix.target-triple }}/release/vaultwarden${{ matrix.ext }} |           echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY | ||||||
|       # End Upload artifact to Github Actions |           echo "" >> $GITHUB_STEP_SUMMARY | ||||||
|   | |||||||
							
								
								
									
										46
									
								
								.github/workflows/hadolint.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										46
									
								
								.github/workflows/hadolint.yml
									
									
									
									
										vendored
									
									
								
							| @@ -1,24 +1,32 @@ | |||||||
| name: Hadolint | name: Hadolint | ||||||
|  |  | ||||||
| on: | on: [ | ||||||
|   push: |       push, | ||||||
|     paths: |       pull_request | ||||||
|       - "docker/**" |     ] | ||||||
|  |  | ||||||
|   pull_request: |  | ||||||
|     paths: |  | ||||||
|       - "docker/**" |  | ||||||
|  |  | ||||||
| jobs: | jobs: | ||||||
|   hadolint: |   hadolint: | ||||||
|     name: Validate Dockerfile syntax |     name: Validate Dockerfile syntax | ||||||
|     runs-on: ubuntu-20.04 |     runs-on: ubuntu-24.04 | ||||||
|  |     timeout-minutes: 30 | ||||||
|     steps: |     steps: | ||||||
|       # Checkout the repo |       # Checkout the repo | ||||||
|       - name: Checkout |       - name: Checkout | ||||||
|         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 | ||||||
|       # End Checkout the repo |       # End Checkout the repo | ||||||
|  |  | ||||||
|  |       # Start Docker Buildx | ||||||
|  |       - name: Setup Docker Buildx | ||||||
|  |         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | ||||||
|  |         # https://github.com/moby/buildkit/issues/3969 | ||||||
|  |         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills | ||||||
|  |         with: | ||||||
|  |           buildkitd-config-inline: | | ||||||
|  |             [worker.oci] | ||||||
|  |               max-parallelism = 2 | ||||||
|  |           driver-opts: | | ||||||
|  |             network=host | ||||||
|  |  | ||||||
|       # Download hadolint - https://github.com/hadolint/hadolint/releases |       # Download hadolint - https://github.com/hadolint/hadolint/releases | ||||||
|       - name: Download hadolint |       - name: Download hadolint | ||||||
| @@ -27,11 +35,21 @@ jobs: | |||||||
|           sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \ |           sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \ | ||||||
|           sudo chmod +x /usr/local/bin/hadolint |           sudo chmod +x /usr/local/bin/hadolint | ||||||
|         env: |         env: | ||||||
|           HADOLINT_VERSION: 2.10.0 |           HADOLINT_VERSION: 2.12.0 | ||||||
|       # End Download hadolint |       # End Download hadolint | ||||||
|  |  | ||||||
|       # Test Dockerfiles |       # Test Dockerfiles with hadolint | ||||||
|       - name: Run hadolint |       - name: Run hadolint | ||||||
|         shell: bash |         shell: bash | ||||||
|         run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored --cached | xargs hadolint |         run: hadolint docker/Dockerfile.{debian,alpine} | ||||||
|       # End Test Dockerfiles |       # End Test Dockerfiles with hadolint | ||||||
|  |  | ||||||
|  |       # Test Dockerfiles with docker build checks | ||||||
|  |       - name: Run docker build check | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           echo "Checking docker/Dockerfile.debian" | ||||||
|  |           docker build --check . -f docker/Dockerfile.debian | ||||||
|  |           echo "Checking docker/Dockerfile.alpine" | ||||||
|  |           docker build --check . -f docker/Dockerfile.alpine | ||||||
|  |       # End Test Dockerfiles with docker build checks | ||||||
|   | |||||||
							
								
								
									
										257
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										257
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @@ -2,21 +2,10 @@ name: Release | |||||||
|  |  | ||||||
| on: | on: | ||||||
|   push: |   push: | ||||||
|     paths: |     branches: | ||||||
|       - ".github/workflows/release.yml" |  | ||||||
|       - "src/**" |  | ||||||
|       - "migrations/**" |  | ||||||
|       - "hooks/**" |  | ||||||
|       - "docker/**" |  | ||||||
|       - "Cargo.*" |  | ||||||
|       - "build.rs" |  | ||||||
|       - "diesel.toml" |  | ||||||
|       - "rust-toolchain" |  | ||||||
|  |  | ||||||
|     branches: # Only on paths above |  | ||||||
|       - main |       - main | ||||||
|  |  | ||||||
|     tags: # Always, regardless of paths above |     tags: | ||||||
|       - '*' |       - '*' | ||||||
|  |  | ||||||
| jobs: | jobs: | ||||||
| @@ -24,35 +13,44 @@ jobs: | |||||||
|   # Some checks to determine if we need to continue with building a new docker. |   # Some checks to determine if we need to continue with building a new docker. | ||||||
|   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already. |   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already. | ||||||
|   skip_check: |   skip_check: | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-24.04 | ||||||
|     if: ${{ github.repository == 'dani-garcia/vaultwarden' }} |     if: ${{ github.repository == 'dani-garcia/vaultwarden' }} | ||||||
|     outputs: |     outputs: | ||||||
|       should_skip: ${{ steps.skip_check.outputs.should_skip }} |       should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||||||
|     steps: |     steps: | ||||||
|       - name: Skip Duplicates Actions |       - name: Skip Duplicates Actions | ||||||
|         id: skip_check |         id: skip_check | ||||||
|         uses: fkirc/skip-duplicate-actions@9d116fa7e55f295019cfab7e3ab72b478bcf7fdd # v4.0.0 |         uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 | ||||||
|         with: |         with: | ||||||
|           cancel_others: 'true' |           cancel_others: 'true' | ||||||
|         # Only run this when not creating a tag |         # Only run this when not creating a tag | ||||||
|         if: ${{ startsWith(github.ref, 'refs/heads/') }} |         if: ${{ github.ref_type == 'branch' }} | ||||||
|  |  | ||||||
|   docker-build: |   docker-build: | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-24.04 | ||||||
|  |     timeout-minutes: 120 | ||||||
|     needs: skip_check |     needs: skip_check | ||||||
|     # Start a local docker registry to be used to generate multi-arch images. |     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} | ||||||
|  |     # Start a local docker registry to extract the final Alpine static build binaries | ||||||
|     services: |     services: | ||||||
|       registry: |       registry: | ||||||
|         image: registry:2 |         image: registry:2 | ||||||
|         ports: |         ports: | ||||||
|           - 5000:5000 |           - 5000:5000 | ||||||
|     env: |     env: | ||||||
|       DOCKER_BUILDKIT: 1 # Disabled for now, but we should look at this because it will speedup building! |  | ||||||
|       # DOCKER_REPO/secrets.DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>' |  | ||||||
|       DOCKER_REPO: ${{ secrets.DOCKERHUB_REPO }} |  | ||||||
|       SOURCE_COMMIT: ${{ github.sha }} |       SOURCE_COMMIT: ${{ github.sha }} | ||||||
|       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" |       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" | ||||||
|     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} |       # The *_REPO variables need to be configured as repository variables | ||||||
|  |       # Append `/settings/variables/actions` to your repo url | ||||||
|  |       # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>' | ||||||
|  |       # Check for Docker hub credentials in secrets | ||||||
|  |       HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} | ||||||
|  |       # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>' | ||||||
|  |       # Check for Github credentials in secrets | ||||||
|  |       HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} | ||||||
|  |       # QUAY_REPO needs to be 'quay.io/<user>/<repo>' | ||||||
|  |       # Check for Quay.io credentials in secrets | ||||||
|  |       HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }} | ||||||
|     strategy: |     strategy: | ||||||
|       matrix: |       matrix: | ||||||
|         base_image: ["debian","alpine"] |         base_image: ["debian","alpine"] | ||||||
| @@ -60,60 +58,195 @@ jobs: | |||||||
|     steps: |     steps: | ||||||
|       # Checkout the repo |       # Checkout the repo | ||||||
|       - name: Checkout |       - name: Checkout | ||||||
|         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 | ||||||
|         with: |         with: | ||||||
|           fetch-depth: 0 |           fetch-depth: 0 | ||||||
|  |  | ||||||
|  |       - name: Initialize QEMU binfmt support | ||||||
|  |         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | ||||||
|  |         with: | ||||||
|  |           platforms: "arm64,arm" | ||||||
|  |  | ||||||
|  |       # Start Docker Buildx | ||||||
|  |       - name: Setup Docker Buildx | ||||||
|  |         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | ||||||
|  |         # https://github.com/moby/buildkit/issues/3969 | ||||||
|  |         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills | ||||||
|  |         with: | ||||||
|  |           buildkitd-config-inline: | | ||||||
|  |             [worker.oci] | ||||||
|  |               max-parallelism = 2 | ||||||
|  |           driver-opts: | | ||||||
|  |             network=host | ||||||
|  |  | ||||||
|  |       # Determine Base Tags and Source Version | ||||||
|  |       - name: Determine Base Tags and Source Version | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           # Check which main tag we are going to build determined by github.ref_type | ||||||
|  |           if [[ "${{ github.ref_type }}" == "tag" ]]; then | ||||||
|  |             echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" | ||||||
|  |           elif [[ "${{ github.ref_type }}" == "branch" ]]; then | ||||||
|  |             echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" | ||||||
|  |           fi | ||||||
|  |  | ||||||
|  |           # Get the Source Version for this release | ||||||
|  |           GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)" | ||||||
|  |           if [[ -n "${GIT_EXACT_TAG}" ]]; then | ||||||
|  |               echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}" | ||||||
|  |           else | ||||||
|  |               GIT_LAST_TAG="$(git describe --tags --abbrev=0)" | ||||||
|  |               echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" | ||||||
|  |           fi | ||||||
|  |       # End Determine Base Tags | ||||||
|  |  | ||||||
|       # Login to Docker Hub |       # Login to Docker Hub | ||||||
|       - name: Login to Docker Hub |       - name: Login to Docker Hub | ||||||
|         uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 |         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||||||
|         with: |         with: | ||||||
|           username: ${{ secrets.DOCKERHUB_USERNAME }} |           username: ${{ secrets.DOCKERHUB_USERNAME }} | ||||||
|           password: ${{ secrets.DOCKERHUB_TOKEN }} |           password: ${{ secrets.DOCKERHUB_TOKEN }} | ||||||
|  |         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||||
|  |  | ||||||
|       # Determine Docker Tag |       - name: Add registry for DockerHub | ||||||
|       - name: Init Variables |         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||||
|         id: vars |  | ||||||
|         shell: bash |         shell: bash | ||||||
|         run: | |         run: | | ||||||
|           # Check which main tag we are going to build determined by github.ref |           echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" | ||||||
|           if [[ "${{ github.ref }}" == refs/tags/* ]]; then |  | ||||||
|             echo "set-output name=DOCKER_TAG::${GITHUB_REF#refs/*/}" |       # Login to GitHub Container Registry | ||||||
|             echo "::set-output name=DOCKER_TAG::${GITHUB_REF#refs/*/}" |       - name: Login to GitHub Container Registry | ||||||
|           elif [[ "${{ github.ref }}" == refs/heads/* ]]; then |         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||||||
|             echo "set-output name=DOCKER_TAG::testing" |         with: | ||||||
|             echo "::set-output name=DOCKER_TAG::testing" |           registry: ghcr.io | ||||||
|  |           username: ${{ github.repository_owner }} | ||||||
|  |           password: ${{ secrets.GITHUB_TOKEN }} | ||||||
|  |         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | ||||||
|  |  | ||||||
|  |       - name: Add registry for ghcr.io | ||||||
|  |         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" | ||||||
|  |  | ||||||
|  |       # Login to Quay.io | ||||||
|  |       - name: Login to Quay.io | ||||||
|  |         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | ||||||
|  |         with: | ||||||
|  |           registry: quay.io | ||||||
|  |           username: ${{ secrets.QUAY_USERNAME }} | ||||||
|  |           password: ${{ secrets.QUAY_TOKEN }} | ||||||
|  |         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | ||||||
|  |  | ||||||
|  |       - name: Add registry for Quay.io | ||||||
|  |         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" | ||||||
|  |  | ||||||
|  |       - name: Configure build cache from/to | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           # | ||||||
|  |           # Check if there is a GitHub Container Registry Login and use it for caching | ||||||
|  |           if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then | ||||||
|  |             echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}" | ||||||
|  |             echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" | ||||||
|  |           else | ||||||
|  |             echo "BAKE_CACHE_FROM=" | ||||||
|  |             echo "BAKE_CACHE_TO=" | ||||||
|           fi |           fi | ||||||
|       # End Determine Docker Tag |           # | ||||||
|  |  | ||||||
|       - name: Build Debian based images |       - name: Add localhost registry | ||||||
|         shell: bash |  | ||||||
|         env: |  | ||||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" |  | ||||||
|         run: | |  | ||||||
|           ./hooks/build |  | ||||||
|         if: ${{ matrix.base_image == 'debian' }} |  | ||||||
|  |  | ||||||
|       - name: Push Debian based images |  | ||||||
|         shell: bash |  | ||||||
|         env: |  | ||||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}" |  | ||||||
|         run: | |  | ||||||
|           ./hooks/push |  | ||||||
|         if: ${{ matrix.base_image == 'debian' }} |  | ||||||
|  |  | ||||||
|       - name: Build Alpine based images |  | ||||||
|         shell: bash |  | ||||||
|         env: |  | ||||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" |  | ||||||
|         run: | |  | ||||||
|           ./hooks/build |  | ||||||
|         if: ${{ matrix.base_image == 'alpine' }} |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |  | ||||||
|       - name: Push Alpine based images |  | ||||||
|         shell: bash |         shell: bash | ||||||
|         env: |  | ||||||
|           DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine" |  | ||||||
|         run: | |         run: | | ||||||
|           ./hooks/push |           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}" | ||||||
|  |  | ||||||
|  |       - name: Bake ${{ matrix.base_image }} containers | ||||||
|  |         uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0 | ||||||
|  |         env: | ||||||
|  |           BASE_TAGS: "${{ env.BASE_TAGS }}" | ||||||
|  |           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" | ||||||
|  |           SOURCE_VERSION: "${{ env.SOURCE_VERSION }}" | ||||||
|  |           SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}" | ||||||
|  |           CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}" | ||||||
|  |         with: | ||||||
|  |           pull: true | ||||||
|  |           push: true | ||||||
|  |           files: docker/docker-bake.hcl | ||||||
|  |           targets: "${{ matrix.base_image }}-multi" | ||||||
|  |           set: | | ||||||
|  |             *.cache-from=${{ env.BAKE_CACHE_FROM }} | ||||||
|  |             *.cache-to=${{ env.BAKE_CACHE_TO }} | ||||||
|  |  | ||||||
|  |  | ||||||
|  |       # Extract the Alpine binaries from the containers | ||||||
|  |       - name: Extract binaries | ||||||
|         if: ${{ matrix.base_image == 'alpine' }} |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |         shell: bash | ||||||
|  |         run: | | ||||||
|  |           # Check which main tag we are going to build determined by github.ref_type | ||||||
|  |           if [[ "${{ github.ref_type }}" == "tag" ]]; then | ||||||
|  |             EXTRACT_TAG="latest" | ||||||
|  |           elif [[ "${{ github.ref_type }}" == "branch" ]]; then | ||||||
|  |             EXTRACT_TAG="testing" | ||||||
|  |           fi | ||||||
|  |  | ||||||
|  |           # After each extraction the image is removed. | ||||||
|  |           # This is needed because using different platforms doesn't trigger a new pull/download | ||||||
|  |  | ||||||
|  |           # Extract amd64 binary | ||||||
|  |           docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |           docker cp amd64:/vaultwarden vaultwarden-amd64 | ||||||
|  |           docker rm --force amd64 | ||||||
|  |           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |  | ||||||
|  |           # Extract arm64 binary | ||||||
|  |           docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |           docker cp arm64:/vaultwarden vaultwarden-arm64 | ||||||
|  |           docker rm --force arm64 | ||||||
|  |           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |  | ||||||
|  |           # Extract armv7 binary | ||||||
|  |           docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |           docker cp armv7:/vaultwarden vaultwarden-armv7 | ||||||
|  |           docker rm --force armv7 | ||||||
|  |           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |  | ||||||
|  |           # Extract armv6 binary | ||||||
|  |           docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |           docker cp armv6:/vaultwarden vaultwarden-armv6 | ||||||
|  |           docker rm --force armv6 | ||||||
|  |           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" | ||||||
|  |  | ||||||
|  |       # Upload artifacts to Github Actions | ||||||
|  |       - name: "Upload amd64 artifact" | ||||||
|  |         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||||||
|  |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |         with: | ||||||
|  |           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64 | ||||||
|  |           path: vaultwarden-amd64 | ||||||
|  |  | ||||||
|  |       - name: "Upload arm64 artifact" | ||||||
|  |         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||||||
|  |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |         with: | ||||||
|  |           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64 | ||||||
|  |           path: vaultwarden-arm64 | ||||||
|  |  | ||||||
|  |       - name: "Upload armv7 artifact" | ||||||
|  |         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||||||
|  |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |         with: | ||||||
|  |           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7 | ||||||
|  |           path: vaultwarden-armv7 | ||||||
|  |  | ||||||
|  |       - name: "Upload armv6 artifact" | ||||||
|  |         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | ||||||
|  |         if: ${{ matrix.base_image == 'alpine' }} | ||||||
|  |         with: | ||||||
|  |           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6 | ||||||
|  |           path: vaultwarden-armv6 | ||||||
|  |       # End Upload artifacts to Github Actions | ||||||
|   | |||||||
							
								
								
									
										26
									
								
								.github/workflows/releasecache-cleanup.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										26
									
								
								.github/workflows/releasecache-cleanup.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,26 @@ | |||||||
|  | on: | ||||||
|  |   workflow_dispatch: | ||||||
|  |     inputs: | ||||||
|  |       manual_trigger: | ||||||
|  |         description: "Manual trigger buildcache cleanup" | ||||||
|  |         required: false | ||||||
|  |         default: "" | ||||||
|  |  | ||||||
|  |   schedule: | ||||||
|  |     - cron: '0 1 * * FRI' | ||||||
|  |  | ||||||
|  | name: Cleanup | ||||||
|  | jobs: | ||||||
|  |   releasecache-cleanup: | ||||||
|  |     name: Releasecache Cleanup | ||||||
|  |     runs-on: ubuntu-24.04 | ||||||
|  |     continue-on-error: true | ||||||
|  |     timeout-minutes: 30 | ||||||
|  |     steps: | ||||||
|  |       - name: Delete vaultwarden-buildcache containers | ||||||
|  |         uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0 | ||||||
|  |         with: | ||||||
|  |           package-name: 'vaultwarden-buildcache' | ||||||
|  |           package-type: 'container' | ||||||
|  |           min-versions-to-keep: 0 | ||||||
|  |           delete-only-untagged-versions: 'false' | ||||||
							
								
								
									
										45
									
								
								.github/workflows/trivy.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										45
									
								
								.github/workflows/trivy.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1,45 @@ | |||||||
|  | name: trivy | ||||||
|  |  | ||||||
|  | on: | ||||||
|  |   push: | ||||||
|  |     branches: | ||||||
|  |       - main | ||||||
|  |     tags: | ||||||
|  |       - '*' | ||||||
|  |   pull_request: | ||||||
|  |     branches: [ "main" ] | ||||||
|  |   schedule: | ||||||
|  |     - cron: '08 11 * * *' | ||||||
|  |  | ||||||
|  | permissions: | ||||||
|  |   contents: read | ||||||
|  |  | ||||||
|  | jobs: | ||||||
|  |   trivy-scan: | ||||||
|  |     # Only run this in the master repo and not on forks | ||||||
|  |     # When all forks run this at the same time, it is causing `Too Many Requests` issues | ||||||
|  |     if: ${{ github.repository == 'dani-garcia/vaultwarden' }} | ||||||
|  |     name: Check | ||||||
|  |     runs-on: ubuntu-24.04 | ||||||
|  |     timeout-minutes: 30 | ||||||
|  |     permissions: | ||||||
|  |       contents: read | ||||||
|  |       security-events: write | ||||||
|  |       actions: read | ||||||
|  |     steps: | ||||||
|  |       - name: Checkout code | ||||||
|  |         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 | ||||||
|  |  | ||||||
|  |       - name: Run Trivy vulnerability scanner | ||||||
|  |         uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0 | ||||||
|  |         with: | ||||||
|  |           scan-type: repo | ||||||
|  |           ignore-unfixed: true | ||||||
|  |           format: sarif | ||||||
|  |           output: trivy-results.sarif | ||||||
|  |           severity: CRITICAL,HIGH | ||||||
|  |  | ||||||
|  |       - name: Upload Trivy scan results to GitHub Security tab | ||||||
|  |         uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6 | ||||||
|  |         with: | ||||||
|  |           sarif_file: 'trivy-results.sarif' | ||||||
| @@ -1,7 +1,13 @@ | |||||||
| ignored: | ignored: | ||||||
|  |   # To prevent issues and make clear some images only work on linux/amd64, we ignore this | ||||||
|  |   - DL3029 | ||||||
|   # disable explicit version for apt install |   # disable explicit version for apt install | ||||||
|   - DL3008 |   - DL3008 | ||||||
|   # disable explicit version for apk install |   # disable explicit version for apk install | ||||||
|   - DL3018 |   - DL3018 | ||||||
|  |   # Ignore shellcheck info message | ||||||
|  |   - SC1091 | ||||||
| trustedRegistries: | trustedRegistries: | ||||||
|   - docker.io |   - docker.io | ||||||
|  |   - ghcr.io | ||||||
|  |   - quay.io | ||||||
|   | |||||||
| @@ -1,16 +1,20 @@ | |||||||
| --- | --- | ||||||
| repos: | repos: | ||||||
| -   repo: https://github.com/pre-commit/pre-commit-hooks | -   repo: https://github.com/pre-commit/pre-commit-hooks | ||||||
|     rev: v4.2.0 |     rev: v4.6.0 | ||||||
|     hooks: |     hooks: | ||||||
|     - id: check-yaml |     - id: check-yaml | ||||||
|     - id: check-json |     - id: check-json | ||||||
|     - id: check-toml |     - id: check-toml | ||||||
|  |     - id: mixed-line-ending | ||||||
|  |       args: ["--fix=no"] | ||||||
|     - id: end-of-file-fixer |     - id: end-of-file-fixer | ||||||
|       exclude: "(.*js$|.*css$)" |       exclude: "(.*js$|.*css$)" | ||||||
|     - id: check-case-conflict |     - id: check-case-conflict | ||||||
|     - id: check-merge-conflict |     - id: check-merge-conflict | ||||||
|     - id: detect-private-key |     - id: detect-private-key | ||||||
|  |     - id: check-symlinks | ||||||
|  |     - id: forbid-submodules | ||||||
| -   repo: local | -   repo: local | ||||||
|     hooks: |     hooks: | ||||||
|     - id: fmt |     - id: fmt | ||||||
| @@ -26,7 +30,8 @@ repos: | |||||||
|       entry: cargo test |       entry: cargo test | ||||||
|       language: system |       language: system | ||||||
|       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"] |       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"] | ||||||
|       types: [rust] |       types_or: [rust, file] | ||||||
|  |       files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$) | ||||||
|       pass_filenames: false |       pass_filenames: false | ||||||
|     - id: cargo-clippy |     - id: cargo-clippy | ||||||
|       name: cargo clippy |       name: cargo clippy | ||||||
| @@ -34,5 +39,6 @@ repos: | |||||||
|       entry: cargo clippy |       entry: cargo clippy | ||||||
|       language: system |       language: system | ||||||
|       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"] |       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"] | ||||||
|       types: [rust] |       types_or: [rust, file] | ||||||
|  |       files: (Cargo.toml|Cargo.lock|rust-toolchain|clippy.toml|.*\.rs$) | ||||||
|       pass_filenames: false |       pass_filenames: false | ||||||
|   | |||||||
							
								
								
									
										3985
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
										3985
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										244
									
								
								Cargo.toml
									
									
									
									
									
								
							
							
						
						
									
										244
									
								
								Cargo.toml
									
									
									
									
									
								
							| @@ -3,12 +3,12 @@ name = "vaultwarden" | |||||||
| version = "1.0.0" | version = "1.0.0" | ||||||
| authors = ["Daniel García <dani-garcia@users.noreply.github.com>"] | authors = ["Daniel García <dani-garcia@users.noreply.github.com>"] | ||||||
| edition = "2021" | edition = "2021" | ||||||
| rust-version = "1.60" | rust-version = "1.80.0" | ||||||
| resolver = "2" | resolver = "2" | ||||||
|  |  | ||||||
| repository = "https://github.com/dani-garcia/vaultwarden" | repository = "https://github.com/dani-garcia/vaultwarden" | ||||||
| readme = "README.md" | readme = "README.md" | ||||||
| license = "GPL-3.0-only" | license = "AGPL-3.0-only" | ||||||
| publish = false | publish = false | ||||||
| build = "build.rs" | build = "build.rs" | ||||||
|  |  | ||||||
| @@ -18,85 +18,92 @@ build = "build.rs" | |||||||
| enable_syslog = [] | enable_syslog = [] | ||||||
| mysql = ["diesel/mysql", "diesel_migrations/mysql"] | mysql = ["diesel/mysql", "diesel_migrations/mysql"] | ||||||
| postgresql = ["diesel/postgres", "diesel_migrations/postgres"] | postgresql = ["diesel/postgres", "diesel_migrations/postgres"] | ||||||
| sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"] | sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "dep:libsqlite3-sys"] | ||||||
| # Enable to use a vendored and statically linked openssl | # Enable to use a vendored and statically linked openssl | ||||||
| vendored_openssl = ["openssl/vendored"] | vendored_openssl = ["openssl/vendored"] | ||||||
| # Enable MiMalloc memory allocator to replace the default malloc | # Enable MiMalloc memory allocator to replace the default malloc | ||||||
| # This can improve performance for Alpine builds | # This can improve performance for Alpine builds | ||||||
| enable_mimalloc = ["mimalloc"] | enable_mimalloc = ["dep:mimalloc"] | ||||||
|  | # This is a development dependency, and should only be used during development! | ||||||
|  | # It enables the usage of the diesel_logger crate, which is able to output the generated queries. | ||||||
|  | # You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile | ||||||
|  | # if you want to turn off the logging for a specific run. | ||||||
|  | query_logger = ["dep:diesel_logger"] | ||||||
|  |  | ||||||
| # Enable unstable features, requires nightly | # Enable unstable features, requires nightly | ||||||
| # Currently only used to enable rusts official ip support | # Currently only used to enable rusts official ip support | ||||||
| unstable = [] | unstable = [] | ||||||
|  |  | ||||||
| [target."cfg(not(windows))".dependencies] | [target."cfg(unix)".dependencies] | ||||||
| # Logging | # Logging | ||||||
| syslog = "6.0.1" # Needs to be v4 until fern is updated | syslog = "6.1.1" | ||||||
|  |  | ||||||
| [dependencies] | [dependencies] | ||||||
| # Logging | # Logging | ||||||
| log = "0.4.17" | log = "0.4.22" | ||||||
| fern = { version = "0.6.1", features = ["syslog-6"] } | fern = { version = "0.7.0", features = ["syslog-6", "reopen-1"] } | ||||||
| tracing = { version = "0.1.34", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | ||||||
|  |  | ||||||
| backtrace = "0.3.65" # Logging panics to logfile instead stderr only |  | ||||||
|  |  | ||||||
| # A `dotenv` implementation for Rust | # A `dotenv` implementation for Rust | ||||||
| dotenvy = { version = "0.15.1", default-features = false } | dotenvy = { version = "0.15.7", default-features = false } | ||||||
|  |  | ||||||
| # Lazy initialization | # Lazy initialization | ||||||
| once_cell = "1.10.0" | once_cell = "1.20.2" | ||||||
|  |  | ||||||
| # Numerical libraries | # Numerical libraries | ||||||
| num-traits = "0.2.15" | num-traits = "0.2.19" | ||||||
| num-derive = "0.3.3" | num-derive = "0.4.2" | ||||||
|  | bigdecimal = "0.4.5" | ||||||
|  |  | ||||||
| # Web framework | # Web framework | ||||||
| rocket = { version = "0.5.0-rc.2", features = ["tls", "json"], default-features = false } | rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false } | ||||||
|  | rocket_ws = { version ="0.1.1" } | ||||||
|  |  | ||||||
| # WebSockets libraries | # WebSockets libraries | ||||||
| ws = { version = "0.11.1", package = "parity-ws" } | rmpv = "1.3.0" # MessagePack library | ||||||
| rmpv = "1.0.0" # MessagePack library |  | ||||||
| chashmap = "2.2.2" # Concurrent hashmap implementation | # Concurrent HashMap used for WebSocket messaging and favicons | ||||||
|  | dashmap = "6.1.0" | ||||||
|  |  | ||||||
| # Async futures | # Async futures | ||||||
| futures = "0.3.21" | futures = "0.3.31" | ||||||
| tokio = { version = "1.18.2", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time"] } | tokio = { version = "1.41.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] } | ||||||
|  |  | ||||||
| # A generic serialization/deserialization framework | # A generic serialization/deserialization framework | ||||||
| serde = { version = "1.0.137", features = ["derive"] } | serde = { version = "1.0.213", features = ["derive"] } | ||||||
| serde_json = "1.0.81" | serde_json = "1.0.132" | ||||||
|  |  | ||||||
| # A safe, extensible ORM and Query builder | # A safe, extensible ORM and Query builder | ||||||
| diesel = { version = "1.4.8", features = ["chrono", "r2d2"] } | diesel = { version = "2.2.4", features = ["chrono", "r2d2", "numeric"] } | ||||||
| diesel_migrations = "1.4.0" | diesel_migrations = "2.2.0" | ||||||
|  | diesel_logger = { version = "0.3.0", optional = true } | ||||||
|  |  | ||||||
| # Bundled SQLite | # Bundled/Static SQLite | ||||||
| libsqlite3-sys = { version = "0.22.2", features = ["bundled"], optional = true } | libsqlite3-sys = { version = "0.30.1", features = ["bundled"], optional = true } | ||||||
|  |  | ||||||
| # Crypto-related libraries | # Crypto-related libraries | ||||||
| rand = "0.8.5" | rand = { version = "0.8.5", features = ["small_rng"] } | ||||||
| ring = "0.16.20" | ring = "0.17.8" | ||||||
|  |  | ||||||
| # UUID generation | # UUID generation | ||||||
| uuid = { version = "1.0.0", features = ["v4"] } | uuid = { version = "1.11.0", features = ["v4"] } | ||||||
|  |  | ||||||
| # Date and time libraries | # Date and time libraries | ||||||
| chrono = { version = "0.4.19", features = ["clock", "serde"], default-features = false } | chrono = { version = "0.4.38", features = ["clock", "serde"], default-features = false } | ||||||
| chrono-tz = "0.6.1" | chrono-tz = "0.10.0" | ||||||
| time = "0.3.9" | time = "0.3.36" | ||||||
|  |  | ||||||
| # Job scheduler | # Job scheduler | ||||||
| job_scheduler = "1.2.1" | job_scheduler_ng = "2.0.5" | ||||||
|  |  | ||||||
| # Data encoding library Hex/Base32/Base64 | # Data encoding library Hex/Base32/Base64 | ||||||
| data-encoding = "2.3.2" | data-encoding = "2.6.0" | ||||||
|  |  | ||||||
| # JWT library | # JWT library | ||||||
| jsonwebtoken = "8.1.0" | jsonwebtoken = "9.3.0" | ||||||
|  |  | ||||||
| # TOTP library | # TOTP library | ||||||
| totp-lite = "1.0.3" | totp-lite = "2.0.1" | ||||||
|  |  | ||||||
| # Yubico Library | # Yubico Library | ||||||
| yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false } | yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false } | ||||||
| @@ -104,59 +111,154 @@ yubico = { version = "0.11.0", features = ["online-tokio"], default-features = f | |||||||
| # WebAuthn libraries | # WebAuthn libraries | ||||||
| webauthn-rs = "0.3.2" | webauthn-rs = "0.3.2" | ||||||
|  |  | ||||||
| # Handling of URL's for WebAuthn | # Handling of URL's for WebAuthn and favicons | ||||||
| url = "2.2.2" | url = "2.5.2" | ||||||
|  |  | ||||||
| # Email libraries | # Email libraries | ||||||
| idna = "0.2.3" # Punycode conversion | lettre = { version = "0.11.10", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false } | ||||||
| lettre = { version = "0.10.0-rc.6", features = ["smtp-transport", "builder", "serde", "native-tls", "hostname", "tracing"], default-features = false } | percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails | ||||||
| percent-encoding = "2.1.0" # URL encoding library used for URL's in the emails | email_address = "0.2.9" | ||||||
|  |  | ||||||
| # Template library | # HTML Template library | ||||||
| handlebars = { version = "4.2.2", features = ["dir_source"] } | handlebars = { version = "6.1.0", features = ["dir_source"] } | ||||||
|  |  | ||||||
| # HTTP client | # HTTP client (Used for favicons, version check, DUO and HIBP API) | ||||||
| reqwest = { version = "0.11.10", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] } | reqwest = { version = "0.12.8", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] } | ||||||
|  | hickory-resolver = "0.24.1" | ||||||
|  |  | ||||||
| # For favicon extraction from main website | # Favicon extraction libraries | ||||||
| html5gum = "0.4.0" | html5gum = "0.5.7" | ||||||
| regex = { version = "1.5.5", features = ["std", "perf", "unicode-perl"], default-features = false } | regex = { version = "1.11.0", features = ["std", "perf", "unicode-perl"], default-features = false } | ||||||
| data-url = "0.1.1" | data-url = "0.3.1" | ||||||
| bytes = "1.1.0" | bytes = "1.8.0" | ||||||
| cached = "0.34.0" |  | ||||||
|  | # Cache function results (Used for version check and favicon fetching) | ||||||
|  | cached = { version = "0.53.1", features = ["async"] } | ||||||
|  |  | ||||||
| # Used for custom short lived cookie jar during favicon extraction | # Used for custom short lived cookie jar during favicon extraction | ||||||
| cookie = "0.16.0" | cookie = "0.18.1" | ||||||
| cookie_store = "0.16.0" | cookie_store = "0.21.0" | ||||||
|  |  | ||||||
| # Used by U2F, JWT and Postgres | # Used by U2F, JWT and PostgreSQL | ||||||
| openssl = "0.10.40" | openssl = "0.10.68" | ||||||
|  |  | ||||||
| # CLI argument parsing | # CLI argument parsing | ||||||
| pico-args = "0.4.2" | pico-args = "0.5.0" | ||||||
|  |  | ||||||
| # Macro ident concatenation | # Macro ident concatenation | ||||||
| paste = "1.0.7" | paste = "1.0.15" | ||||||
| governor = "0.4.2" | governor = "0.7.0" | ||||||
|  |  | ||||||
| # Capture CTRL+C | # Check client versions for specific features. | ||||||
| ctrlc = { version = "3.2.2", features = ["termination"] } | semver = "1.0.23" | ||||||
|  |  | ||||||
| # Allow overriding the default memory allocator | # Allow overriding the default memory allocator | ||||||
| # Mainly used for the musl builds, since the default musl malloc is very slow | # Mainly used for the musl builds, since the default musl malloc is very slow | ||||||
| mimalloc = { version = "0.1.29", features = ["secure"], default-features = false, optional = true } | mimalloc = { version = "0.1.43", features = ["secure"], default-features = false, optional = true } | ||||||
|  | which = "6.0.3" | ||||||
|  |  | ||||||
| [patch.crates-io] | # Argon2 library with support for the PHC format | ||||||
| # The maintainer of the `job_scheduler` crate doesn't seem to have responded | argon2 = "0.5.3" | ||||||
| # to any issues or PRs for almost a year (as of April 2021). This hopefully |  | ||||||
| # temporary fork updates Cargo.toml to use more up-to-date dependencies. | # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN | ||||||
| # In particular, `cron` has since implemented parsing of some common syntax | rpassword = "7.3.1" | ||||||
| # that wasn't previously supported (https://github.com/zslayton/cron/pull/64). |  | ||||||
| # 2022-05-04: Forked/Updated the job_scheduler again use the latest dependencies and some fixes. |  | ||||||
| job_scheduler = { git = 'https://github.com/BlackDex/job_scheduler', rev = '9100fc596a083fd9c0b560f8f11f108e0a19d07e' } |  | ||||||
|  |  | ||||||
| # Strip debuginfo from the release builds | # Strip debuginfo from the release builds | ||||||
| # Also enable thin LTO for some optimizations | # The symbols are the provide better panic traces | ||||||
|  | # Also enable fat LTO and use 1 codegen unit for optimizations | ||||||
| [profile.release] | [profile.release] | ||||||
| strip = "debuginfo" | strip = "debuginfo" | ||||||
|  | lto = "fat" | ||||||
|  | codegen-units = 1 | ||||||
|  |  | ||||||
|  | # A little bit of a speedup | ||||||
|  | [profile.dev] | ||||||
|  | split-debuginfo = "unpacked" | ||||||
|  |  | ||||||
|  | # Always build argon2 using opt-level 3 | ||||||
|  | # This is a huge speed improvement during testing | ||||||
|  | [profile.dev.package.argon2] | ||||||
|  | opt-level = 3 | ||||||
|  |  | ||||||
|  | # Optimize for size | ||||||
|  | [profile.release-micro] | ||||||
|  | inherits = "release" | ||||||
|  | opt-level = "z" | ||||||
|  | strip = "symbols" | ||||||
|  | lto = "fat" | ||||||
|  | codegen-units = 1 | ||||||
|  | panic = "abort" | ||||||
|  |  | ||||||
|  | # Profile for systems with low resources | ||||||
|  | # It will use less resources during build | ||||||
|  | [profile.release-low] | ||||||
|  | inherits = "release" | ||||||
|  | strip = "symbols" | ||||||
| lto = "thin" | lto = "thin" | ||||||
|  | codegen-units = 16 | ||||||
|  |  | ||||||
|  | # Linting config | ||||||
|  | # https://doc.rust-lang.org/rustc/lints/groups.html | ||||||
|  | [lints.rust] | ||||||
|  | # Forbid | ||||||
|  | unsafe_code = "forbid" | ||||||
|  | non_ascii_idents = "forbid" | ||||||
|  |  | ||||||
|  | # Deny | ||||||
|  | deprecated_in_future = "deny" | ||||||
|  | future_incompatible = { level = "deny", priority = -1 } | ||||||
|  | keyword_idents = { level = "deny", priority = -1 } | ||||||
|  | let_underscore = { level = "deny", priority = -1 } | ||||||
|  | noop_method_call = "deny" | ||||||
|  | refining_impl_trait = { level = "deny", priority = -1 } | ||||||
|  | rust_2018_idioms = { level = "deny", priority = -1 } | ||||||
|  | rust_2021_compatibility = { level = "deny", priority = -1 } | ||||||
|  | # rust_2024_compatibility = { level = "deny", priority = -1 } # Enable once we are at MSRV 1.81.0 | ||||||
|  | single_use_lifetimes = "deny" | ||||||
|  | trivial_casts = "deny" | ||||||
|  | trivial_numeric_casts = "deny" | ||||||
|  | unused = { level = "deny", priority = -1 } | ||||||
|  | unused_import_braces = "deny" | ||||||
|  | unused_lifetimes = "deny" | ||||||
|  | unused_qualifications = "deny" | ||||||
|  | variant_size_differences = "deny" | ||||||
|  | # The lints below are part of the rust_2024_compatibility group | ||||||
|  | static-mut-refs = "deny" | ||||||
|  | unsafe-op-in-unsafe-fn = "deny" | ||||||
|  |  | ||||||
|  | # https://rust-lang.github.io/rust-clippy/stable/index.html | ||||||
|  | [lints.clippy] | ||||||
|  | # Warn | ||||||
|  | dbg_macro = "warn" | ||||||
|  | todo = "warn" | ||||||
|  |  | ||||||
|  | # Deny | ||||||
|  | case_sensitive_file_extension_comparisons = "deny" | ||||||
|  | cast_lossless = "deny" | ||||||
|  | clone_on_ref_ptr = "deny" | ||||||
|  | equatable_if_let = "deny" | ||||||
|  | filter_map_next = "deny" | ||||||
|  | float_cmp_const = "deny" | ||||||
|  | inefficient_to_string = "deny" | ||||||
|  | iter_on_empty_collections = "deny" | ||||||
|  | iter_on_single_items = "deny" | ||||||
|  | linkedlist = "deny" | ||||||
|  | macro_use_imports = "deny" | ||||||
|  | manual_assert = "deny" | ||||||
|  | manual_instant_elapsed = "deny" | ||||||
|  | manual_string_new = "deny" | ||||||
|  | match_on_vec_items = "deny" | ||||||
|  | match_wildcard_for_single_variants = "deny" | ||||||
|  | mem_forget = "deny" | ||||||
|  | needless_continue = "deny" | ||||||
|  | needless_lifetimes = "deny" | ||||||
|  | option_option = "deny" | ||||||
|  | string_add_assign = "deny" | ||||||
|  | string_to_string = "deny" | ||||||
|  | unnecessary_join = "deny" | ||||||
|  | unnecessary_self_imports = "deny" | ||||||
|  | unnested_or_patterns = "deny" | ||||||
|  | unused_async = "deny" | ||||||
|  | unused_self = "deny" | ||||||
|  | verbose_file_reads = "deny" | ||||||
|  | zero_sized_map_values = "deny" | ||||||
|   | |||||||
| @@ -1 +1 @@ | |||||||
| docker/amd64/Dockerfile | docker/Dockerfile.debian | ||||||
							
								
								
									
										143
									
								
								LICENSE.txt
									
									
									
									
									
								
							
							
						
						
									
										143
									
								
								LICENSE.txt
									
									
									
									
									
								
							| @@ -1,5 +1,5 @@ | |||||||
|                     GNU GENERAL PUBLIC LICENSE |                     GNU AFFERO GENERAL PUBLIC LICENSE | ||||||
|                        Version 3, 29 June 2007 |                        Version 3, 19 November 2007 | ||||||
|  |  | ||||||
|  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/> | ||||||
|  Everyone is permitted to copy and distribute verbatim copies |  Everyone is permitted to copy and distribute verbatim copies | ||||||
| @@ -7,17 +7,15 @@ | |||||||
|  |  | ||||||
|                             Preamble |                             Preamble | ||||||
|  |  | ||||||
|   The GNU General Public License is a free, copyleft license for |   The GNU Affero General Public License is a free, copyleft license for | ||||||
| software and other kinds of works. | software and other kinds of works, specifically designed to ensure | ||||||
|  | cooperation with the community in the case of network server software. | ||||||
|  |  | ||||||
|   The licenses for most software and other practical works are designed |   The licenses for most software and other practical works are designed | ||||||
| to take away your freedom to share and change the works.  By contrast, | to take away your freedom to share and change the works.  By contrast, | ||||||
| the GNU General Public License is intended to guarantee your freedom to | our General Public Licenses are intended to guarantee your freedom to | ||||||
| share and change all versions of a program--to make sure it remains free | share and change all versions of a program--to make sure it remains free | ||||||
| software for all its users.  We, the Free Software Foundation, use the | software for all its users. | ||||||
| GNU General Public License for most of our software; it applies also to |  | ||||||
| any other work released this way by its authors.  You can apply it to |  | ||||||
| your programs, too. |  | ||||||
|  |  | ||||||
|   When we speak of free software, we are referring to freedom, not |   When we speak of free software, we are referring to freedom, not | ||||||
| price.  Our General Public Licenses are designed to make sure that you | price.  Our General Public Licenses are designed to make sure that you | ||||||
| @@ -26,44 +24,34 @@ them if you wish), that you receive source code or can get it if you | |||||||
| want it, that you can change the software or use pieces of it in new | want it, that you can change the software or use pieces of it in new | ||||||
| free programs, and that you know you can do these things. | free programs, and that you know you can do these things. | ||||||
|  |  | ||||||
|   To protect your rights, we need to prevent others from denying you |   Developers that use our General Public Licenses protect your rights | ||||||
| these rights or asking you to surrender the rights.  Therefore, you have | with two steps: (1) assert copyright on the software, and (2) offer | ||||||
| certain responsibilities if you distribute copies of the software, or if | you this License which gives you legal permission to copy, distribute | ||||||
| you modify it: responsibilities to respect the freedom of others. | and/or modify the software. | ||||||
|  |  | ||||||
|   For example, if you distribute copies of such a program, whether |   A secondary benefit of defending all users' freedom is that | ||||||
| gratis or for a fee, you must pass on to the recipients the same | improvements made in alternate versions of the program, if they | ||||||
| freedoms that you received.  You must make sure that they, too, receive | receive widespread use, become available for other developers to | ||||||
| or can get the source code.  And you must show them these terms so they | incorporate.  Many developers of free software are heartened and | ||||||
| know their rights. | encouraged by the resulting cooperation.  However, in the case of | ||||||
|  | software used on network servers, this result may fail to come about. | ||||||
|  | The GNU General Public License permits making a modified version and | ||||||
|  | letting the public access it on a server without ever releasing its | ||||||
|  | source code to the public. | ||||||
|  |  | ||||||
|   Developers that use the GNU GPL protect your rights with two steps: |   The GNU Affero General Public License is designed specifically to | ||||||
| (1) assert copyright on the software, and (2) offer you this License | ensure that, in such cases, the modified source code becomes available | ||||||
| giving you legal permission to copy, distribute and/or modify it. | to the community.  It requires the operator of a network server to | ||||||
|  | provide the source code of the modified version running there to the | ||||||
|  | users of that server.  Therefore, public use of a modified version, on | ||||||
|  | a publicly accessible server, gives the public access to the source | ||||||
|  | code of the modified version. | ||||||
|  |  | ||||||
|   For the developers' and authors' protection, the GPL clearly explains |   An older license, called the Affero General Public License and | ||||||
| that there is no warranty for this free software.  For both users' and | published by Affero, was designed to accomplish similar goals.  This is | ||||||
| authors' sake, the GPL requires that modified versions be marked as | a different license, not a version of the Affero GPL, but Affero has | ||||||
| changed, so that their problems will not be attributed erroneously to | released a new version of the Affero GPL which permits relicensing under | ||||||
| authors of previous versions. | this license. | ||||||
|  |  | ||||||
|   Some devices are designed to deny users access to install or run |  | ||||||
| modified versions of the software inside them, although the manufacturer |  | ||||||
| can do so.  This is fundamentally incompatible with the aim of |  | ||||||
| protecting users' freedom to change the software.  The systematic |  | ||||||
| pattern of such abuse occurs in the area of products for individuals to |  | ||||||
| use, which is precisely where it is most unacceptable.  Therefore, we |  | ||||||
| have designed this version of the GPL to prohibit the practice for those |  | ||||||
| products.  If such problems arise substantially in other domains, we |  | ||||||
| stand ready to extend this provision to those domains in future versions |  | ||||||
| of the GPL, as needed to protect the freedom of users. |  | ||||||
|  |  | ||||||
|   Finally, every program is threatened constantly by software patents. |  | ||||||
| States should not allow patents to restrict development and use of |  | ||||||
| software on general-purpose computers, but in those that do, we wish to |  | ||||||
| avoid the special danger that patents applied to a free program could |  | ||||||
| make it effectively proprietary.  To prevent this, the GPL assures that |  | ||||||
| patents cannot be used to render the program non-free. |  | ||||||
|  |  | ||||||
|   The precise terms and conditions for copying, distribution and |   The precise terms and conditions for copying, distribution and | ||||||
| modification follow. | modification follow. | ||||||
| @@ -72,7 +60,7 @@ modification follow. | |||||||
|  |  | ||||||
|   0. Definitions. |   0. Definitions. | ||||||
|  |  | ||||||
|   "This License" refers to version 3 of the GNU General Public License. |   "This License" refers to version 3 of the GNU Affero General Public License. | ||||||
|  |  | ||||||
|   "Copyright" also means copyright-like laws that apply to other kinds of |   "Copyright" also means copyright-like laws that apply to other kinds of | ||||||
| works, such as semiconductor masks. | works, such as semiconductor masks. | ||||||
| @@ -549,35 +537,45 @@ to collect a royalty for further conveying from those to whom you convey | |||||||
| the Program, the only way you could satisfy both those terms and this | the Program, the only way you could satisfy both those terms and this | ||||||
| License would be to refrain entirely from conveying the Program. | License would be to refrain entirely from conveying the Program. | ||||||
|  |  | ||||||
|   13. Use with the GNU Affero General Public License. |   13. Remote Network Interaction; Use with the GNU General Public License. | ||||||
|  |  | ||||||
|  |   Notwithstanding any other provision of this License, if you modify the | ||||||
|  | Program, your modified version must prominently offer all users | ||||||
|  | interacting with it remotely through a computer network (if your version | ||||||
|  | supports such interaction) an opportunity to receive the Corresponding | ||||||
|  | Source of your version by providing access to the Corresponding Source | ||||||
|  | from a network server at no charge, through some standard or customary | ||||||
|  | means of facilitating copying of software.  This Corresponding Source | ||||||
|  | shall include the Corresponding Source for any work covered by version 3 | ||||||
|  | of the GNU General Public License that is incorporated pursuant to the | ||||||
|  | following paragraph. | ||||||
|  |  | ||||||
|   Notwithstanding any other provision of this License, you have |   Notwithstanding any other provision of this License, you have | ||||||
| permission to link or combine any covered work with a work licensed | permission to link or combine any covered work with a work licensed | ||||||
| under version 3 of the GNU Affero General Public License into a single | under version 3 of the GNU General Public License into a single | ||||||
| combined work, and to convey the resulting work.  The terms of this | combined work, and to convey the resulting work.  The terms of this | ||||||
| License will continue to apply to the part which is the covered work, | License will continue to apply to the part which is the covered work, | ||||||
| but the special requirements of the GNU Affero General Public License, | but the work with which it is combined will remain governed by version | ||||||
| section 13, concerning interaction through a network will apply to the | 3 of the GNU General Public License. | ||||||
| combination as such. |  | ||||||
|  |  | ||||||
|   14. Revised Versions of this License. |   14. Revised Versions of this License. | ||||||
|  |  | ||||||
|   The Free Software Foundation may publish revised and/or new versions of |   The Free Software Foundation may publish revised and/or new versions of | ||||||
| the GNU General Public License from time to time.  Such new versions will | the GNU Affero General Public License from time to time.  Such new versions | ||||||
| be similar in spirit to the present version, but may differ in detail to | will be similar in spirit to the present version, but may differ in detail to | ||||||
| address new problems or concerns. | address new problems or concerns. | ||||||
|  |  | ||||||
|   Each version is given a distinguishing version number.  If the |   Each version is given a distinguishing version number.  If the | ||||||
| Program specifies that a certain numbered version of the GNU General | Program specifies that a certain numbered version of the GNU Affero General | ||||||
| Public License "or any later version" applies to it, you have the | Public License "or any later version" applies to it, you have the | ||||||
| option of following the terms and conditions either of that numbered | option of following the terms and conditions either of that numbered | ||||||
| version or of any later version published by the Free Software | version or of any later version published by the Free Software | ||||||
| Foundation.  If the Program does not specify a version number of the | Foundation.  If the Program does not specify a version number of the | ||||||
| GNU General Public License, you may choose any version ever published | GNU Affero General Public License, you may choose any version ever published | ||||||
| by the Free Software Foundation. | by the Free Software Foundation. | ||||||
|  |  | ||||||
|   If the Program specifies that a proxy can decide which future |   If the Program specifies that a proxy can decide which future | ||||||
| versions of the GNU General Public License can be used, that proxy's | versions of the GNU Affero General Public License can be used, that proxy's | ||||||
| public statement of acceptance of a version permanently authorizes you | public statement of acceptance of a version permanently authorizes you | ||||||
| to choose that version for the Program. | to choose that version for the Program. | ||||||
|  |  | ||||||
| @@ -635,40 +633,29 @@ the "copyright" line and a pointer to where the full notice is found. | |||||||
|     Copyright (C) <year>  <name of author> |     Copyright (C) <year>  <name of author> | ||||||
|  |  | ||||||
|     This program is free software: you can redistribute it and/or modify |     This program is free software: you can redistribute it and/or modify | ||||||
|     it under the terms of the GNU General Public License as published by |     it under the terms of the GNU Affero General Public License as published | ||||||
|     the Free Software Foundation, either version 3 of the License, or |     by the Free Software Foundation, either version 3 of the License, or | ||||||
|     (at your option) any later version. |     (at your option) any later version. | ||||||
|  |  | ||||||
|     This program is distributed in the hope that it will be useful, |     This program is distributed in the hope that it will be useful, | ||||||
|     but WITHOUT ANY WARRANTY; without even the implied warranty of |     but WITHOUT ANY WARRANTY; without even the implied warranty of | ||||||
|     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | ||||||
|     GNU General Public License for more details. |     GNU Affero General Public License for more details. | ||||||
|  |  | ||||||
|     You should have received a copy of the GNU General Public License |     You should have received a copy of the GNU Affero General Public License | ||||||
|     along with this program.  If not, see <https://www.gnu.org/licenses/>. |     along with this program.  If not, see <https://www.gnu.org/licenses/>. | ||||||
|  |  | ||||||
| Also add information on how to contact you by electronic and paper mail. | Also add information on how to contact you by electronic and paper mail. | ||||||
|  |  | ||||||
|   If the program does terminal interaction, make it output a short |   If your software can interact with users remotely through a computer | ||||||
| notice like this when it starts in an interactive mode: | network, you should also make sure that it provides a way for users to | ||||||
|  | get its source.  For example, if your program is a web application, its | ||||||
|     <program>  Copyright (C) <year>  <name of author> | interface could display a "Source" link that leads users to an archive | ||||||
|     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. | of the code.  There are many ways you could offer source, and different | ||||||
|     This is free software, and you are welcome to redistribute it | solutions will be better for different programs; see section 13 for the | ||||||
|     under certain conditions; type `show c' for details. | specific requirements. | ||||||
|  |  | ||||||
| The hypothetical commands `show w' and `show c' should show the appropriate |  | ||||||
| parts of the General Public License.  Of course, your program's commands |  | ||||||
| might be different; for a GUI interface, you would use an "about box". |  | ||||||
|  |  | ||||||
|   You should also get your employer (if you work as a programmer) or school, |   You should also get your employer (if you work as a programmer) or school, | ||||||
| if any, to sign a "copyright disclaimer" for the program, if necessary. | if any, to sign a "copyright disclaimer" for the program, if necessary. | ||||||
| For more information on this, and how to apply and follow the GNU GPL, see | For more information on this, and how to apply and follow the GNU AGPL, see | ||||||
| <https://www.gnu.org/licenses/>. | <https://www.gnu.org/licenses/>. | ||||||
|  |  | ||||||
|   The GNU General Public License does not permit incorporating your program |  | ||||||
| into proprietary programs.  If your program is a subroutine library, you |  | ||||||
| may consider it more useful to permit linking proprietary applications with |  | ||||||
| the library.  If this is what you want to do, use the GNU Lesser General |  | ||||||
| Public License instead of this License.  But first, please read |  | ||||||
| <https://www.gnu.org/licenses/why-not-lgpl.html>. |  | ||||||
|   | |||||||
							
								
								
									
										190
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										190
									
								
								README.md
									
									
									
									
									
								
							| @@ -1,90 +1,144 @@ | |||||||
| ### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. |  | ||||||
|  |  | ||||||
| 📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation. | An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with [official Bitwarden clients](https://bitwarden.com/download/) [[disclaimer](#disclaimer)], perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. | ||||||
|  |  | ||||||
| --- | --- | ||||||
|  |  | ||||||
| [](https://hub.docker.com/r/vaultwarden/server) | [](https://github.com/dani-garcia/vaultwarden/releases/latest) | ||||||
| [](https://deps.rs/repo/github/dani-garcia/vaultwarden) | [](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden) | ||||||
| [](https://github.com/dani-garcia/vaultwarden/releases/latest) | [](https://hub.docker.com/r/vaultwarden/server) | ||||||
| [](https://github.com/dani-garcia/vaultwarden/blob/master/LICENSE.txt) | [](https://quay.io/repository/vaultwarden/server) <br> | ||||||
| [](https://matrix.to/#/#vaultwarden:matrix.org) | [](https://github.com/dani-garcia/vaultwarden/graphs/contributors) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/network/members) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/stargazers) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/issues) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue+is%3Aclosed) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) <br> | ||||||
|  | [%3D'svg'%5D%2F*%5Blocal-name()%3D'g'%5D%5B2%5D%2F*%5Blocal-name()%3D'text'%5D%5B4%5D&style=flat-square&logo=rust&label=dependencies&color=005AA4)](https://deps.rs/repo/github/dani-garcia/vaultwarden) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/actions/workflows/release.yml) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) <br> | ||||||
|  | [](https://matrix.to/#/#vaultwarden:matrix.org) | ||||||
|  | [](https://github.com/dani-garcia/vaultwarden/discussions) | ||||||
|  | [](https://vaultwarden.discourse.group/) | ||||||
|  |  | ||||||
| Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden). | > [!IMPORTANT] | ||||||
|  | > **When using this server, please report any bugs or suggestions directly to us (see [Get in touch](#get-in-touch)), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official Bitwarden support channels.** | ||||||
|  |  | ||||||
| **This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor 8bit Solutions LLC.** | <br> | ||||||
|  |  | ||||||
| #### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels. |  | ||||||
|  |  | ||||||
| --- |  | ||||||
|  |  | ||||||
| ## Features | ## Features | ||||||
|  |  | ||||||
| Basically full implementation of Bitwarden API is provided including: | A nearly complete implementation of the Bitwarden Client API is provided, including: | ||||||
|  |  | ||||||
|  * Organizations support |  * [Personal Vault](https://bitwarden.com/help/managing-items/) | ||||||
|  * Attachments |  * [Send](https://bitwarden.com/help/about-send/) | ||||||
|  * Vault API support |  * [Attachments](https://bitwarden.com/help/attachments/) | ||||||
|  * Serving the static files for Vault interface |  * [Website icons](https://bitwarden.com/help/website-icons/) | ||||||
|  * Website icons API |  * [Personal API Key](https://bitwarden.com/help/personal-api-key/) | ||||||
|  * Authenticator and U2F support |  * [Organizations](https://bitwarden.com/help/getting-started-organizations/) | ||||||
|  * YubiKey and Duo support |    - [Collections](https://bitwarden.com/help/about-collections/), | ||||||
|  |      [Password Sharing](https://bitwarden.com/help/sharing/), | ||||||
|  |      [Member Roles](https://bitwarden.com/help/user-types-access-control/), | ||||||
|  |      [Groups](https://bitwarden.com/help/about-groups/), | ||||||
|  |      [Event Logs](https://bitwarden.com/help/event-logs/), | ||||||
|  |      [Admin Password Reset](https://bitwarden.com/help/admin-reset/), | ||||||
|  |      [Directory Connector](https://bitwarden.com/help/directory-sync/), | ||||||
|  |      [Policies](https://bitwarden.com/help/policies/) | ||||||
|  |  * [Multi/Two Factor Authentication](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/) | ||||||
|  |    - [Authenticator](https://bitwarden.com/help/setup-two-step-login-authenticator/), | ||||||
|  |      [Email](https://bitwarden.com/help/setup-two-step-login-email/), | ||||||
|  |      [FIDO2 WebAuthn](https://bitwarden.com/help/setup-two-step-login-fido/), | ||||||
|  |      [YubiKey](https://bitwarden.com/help/setup-two-step-login-yubikey/), | ||||||
|  |      [Duo](https://bitwarden.com/help/setup-two-step-login-duo/) | ||||||
|  |  * [Emergency Access](https://bitwarden.com/help/emergency-access/) | ||||||
|  |  * [Vaultwarden Admin Backend](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | ||||||
|  |  * [Modified Web Vault client](https://github.com/dani-garcia/bw_web_builds) (Bundled within our containers) | ||||||
|  |  | ||||||
| ## Installation | <br> | ||||||
| Pull the docker image and mount a volume from the host for persistent storage: |  | ||||||
|  |  | ||||||
| ```sh |  | ||||||
| docker pull vaultwarden/server:latest |  | ||||||
| docker run -d --name vaultwarden -v /vw-data/:/data/ -p 80:80 vaultwarden/server:latest |  | ||||||
| ``` |  | ||||||
| This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you. |  | ||||||
|  |  | ||||||
| **IMPORTANT**: Some web browsers, like Chrome, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault from HTTPS.  |  | ||||||
|  |  | ||||||
| This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). |  | ||||||
|  |  | ||||||
| If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above). |  | ||||||
|  |  | ||||||
| ## Usage | ## Usage | ||||||
| See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server. |  | ||||||
|  | > [!IMPORTANT] | ||||||
|  | > Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost. | ||||||
|  | > | ||||||
|  | >This can be configured in [Vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). | ||||||
|  | > | ||||||
|  | >If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy or Traefik (see examples linked above). | ||||||
|  |  | ||||||
|  | > [!TIP] | ||||||
|  | >**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).** | ||||||
|  |  | ||||||
|  | The main way to use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server). | ||||||
|  |  | ||||||
|  | There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki). | ||||||
|  |  | ||||||
|  | ### Docker/Podman CLI | ||||||
|  |  | ||||||
|  | Pull the container image and mount a volume from the host for persistent storage.<br> | ||||||
|  | You can replace `docker` with `podman` if you prefer to use podman. | ||||||
|  |  | ||||||
|  | ```shell | ||||||
|  | docker pull vaultwarden/server:latest | ||||||
|  | docker run --detach --name vaultwarden \ | ||||||
|  |   --env DOMAIN="https://vw.domain.tld" \ | ||||||
|  |   --volume /vw-data/:/data/ \ | ||||||
|  |   --restart unless-stopped \ | ||||||
|  |   --publish 80:80 \ | ||||||
|  |   vaultwarden/server:latest | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | This will preserve any persistent data under `/vw-data/`, you can adapt the path to whatever suits you. | ||||||
|  |  | ||||||
|  | ### Docker Compose | ||||||
|  |  | ||||||
|  | To use Docker compose you need to create a `compose.yaml` which will hold the configuration to run the Vaultwarden container. | ||||||
|  |  | ||||||
|  | ```yaml | ||||||
|  | services: | ||||||
|  |   vaultwarden: | ||||||
|  |     image: vaultwarden/server:latest | ||||||
|  |     container_name: vaultwarden | ||||||
|  |     restart: unless-stopped | ||||||
|  |     environment: | ||||||
|  |       DOMAIN: "https://vw.domain.tld" | ||||||
|  |     volumes: | ||||||
|  |       - ./vw-data/:/data/ | ||||||
|  |     ports: | ||||||
|  |       - 80:80 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | <br> | ||||||
|  |  | ||||||
| ## Get in touch | ## Get in touch | ||||||
| To ask a question, offer suggestions or new features or to get help configuring or installing the software, please [use the forum](https://vaultwarden.discourse.group/). |  | ||||||
|  |  | ||||||
| If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure there aren't any similar issues open, though! | Have a question, suggestion or need help? Join our community on [Matrix](https://matrix.to/#/#vaultwarden:matrix.org), [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [Discourse Forums](https://vaultwarden.discourse.group/). | ||||||
|  |  | ||||||
| If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us! | Encountered a bug or crash? Please search our issue tracker and discussions to see if it's already been reported. If not, please [start a new discussion](https://github.com/dani-garcia/vaultwarden/discussions) or [create a new issue](https://github.com/dani-garcia/vaultwarden/issues/). Ensure you're using the latest version of Vaultwarden and there aren't any similar issues open or closed! | ||||||
|  |  | ||||||
|  | <br> | ||||||
|  |  | ||||||
|  | ## Contributors | ||||||
|  |  | ||||||
| ### Sponsors |  | ||||||
| Thanks for your contribution to the project! | Thanks for your contribution to the project! | ||||||
|  |  | ||||||
| <table> | [](https://github.com/dani-garcia/vaultwarden/graphs/contributors)<br> | ||||||
|   <tr> | [](https://github.com/dani-garcia/vaultwarden/graphs/contributors) | ||||||
|     <td align="center"> |  | ||||||
|       <a href="https://github.com/netdadaltd"> |  | ||||||
|         <img src="https://avatars.githubusercontent.com/u/77323954?s=75&v=4" width="75px;" alt="netdadaltd"/> |  | ||||||
|         <br /> |  | ||||||
|         <sub><b>netDada Ltd.</b></sub> |  | ||||||
|       </a> |  | ||||||
|   </td> |  | ||||||
|   </tr> |  | ||||||
| </table> |  | ||||||
|  |  | ||||||
| <br/> | <br> | ||||||
|  |  | ||||||
| <table> | ## Disclaimer | ||||||
|   <tr> |  | ||||||
|     <td align="center"> | **This project is not associated with [Bitwarden](https://bitwarden.com/) or Bitwarden, Inc.** | ||||||
|       <a href="https://github.com/Gyarbij" style="width: 75px"> |  | ||||||
|         <sub><b>Chono N</b></sub> | However, one of the active maintainers for Vaultwarden is employed by Bitwarden and is allowed to contribute to the project on their own time. These contributions are independent of Bitwarden and are reviewed by other maintainers. | ||||||
|       </a> |  | ||||||
|     </td> | The maintainers work together to set the direction for the project, focusing on serving the self-hosting community, including individuals, families, and small organizations, while ensuring the project's sustainability. | ||||||
|   </tr> |  | ||||||
|   <tr> | **Please note:** We cannot be held liable for any data loss that may occur while using Vaultwarden. This includes passwords, attachments, and other information handled by the application. We highly recommend performing regular backups of your files and database. However, should you experience data loss, we encourage you to contact us immediately. | ||||||
|     <td align="center"> |  | ||||||
|        <a href="https://github.com/themightychris"> | <br> | ||||||
|         <sub><b>Chris Alfano</b></sub> |  | ||||||
|       </a> | ## Bitwarden_RS | ||||||
|     </td> |  | ||||||
|   </tr> | This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues.<br> | ||||||
| </table> | Please see [#1642 - v1.21.0 release and project rename to Vaultwarden](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation. | ||||||
|   | |||||||
							
								
								
									
										12
									
								
								SECURITY.md
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								SECURITY.md
									
									
									
									
									
								
							| @@ -39,7 +39,11 @@ Thank you for helping keep Vaultwarden and our users safe! | |||||||
|  |  | ||||||
| # How to contact us | # How to contact us | ||||||
|  |  | ||||||
| - You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`) | - You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (users: `@danig:matrix.org` and/or `@blackdex:matrix.org`) | ||||||
| - You can send an  to report a security issue. | - You can send an  to report a security issue.<br> | ||||||
|   - If you want to send an encrypted email you can use the following GPG key:<br> |   If you want to send an encrypted email you can use the following GPG key: 13BB3A34C9E380258CE43D595CB150B31F6426BC<br> | ||||||
|     https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index |   It can be found on several public GPG key servers.<br> | ||||||
|  |     * https://keys.openpgp.org/search?q=security%40vaultwarden.org | ||||||
|  |     * https://keys.mailvelope.com/pks/lookup?op=get&search=security%40vaultwarden.org | ||||||
|  |     * https://pgpkeys.eu/pks/lookup?search=security%40vaultwarden.org&fingerprint=on&op=index | ||||||
|  |     * https://keyserver.ubuntu.com/pks/lookup?search=security%40vaultwarden.org&fingerprint=on&op=index | ||||||
|   | |||||||
							
								
								
									
										47
									
								
								build.rs
									
									
									
									
									
								
							
							
						
						
									
										47
									
								
								build.rs
									
									
									
									
									
								
							| @@ -9,20 +9,39 @@ fn main() { | |||||||
|     println!("cargo:rustc-cfg=mysql"); |     println!("cargo:rustc-cfg=mysql"); | ||||||
|     #[cfg(feature = "postgresql")] |     #[cfg(feature = "postgresql")] | ||||||
|     println!("cargo:rustc-cfg=postgresql"); |     println!("cargo:rustc-cfg=postgresql"); | ||||||
|  |     #[cfg(feature = "query_logger")] | ||||||
|  |     println!("cargo:rustc-cfg=query_logger"); | ||||||
|  |  | ||||||
|     #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))] |     #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))] | ||||||
|     compile_error!( |     compile_error!( | ||||||
|         "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite" |         "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite" | ||||||
|     ); |     ); | ||||||
|  |  | ||||||
|  |     // Use check-cfg to let cargo know which cfg's we define, | ||||||
|  |     // and avoid warnings when they are used in the code. | ||||||
|  |     println!("cargo::rustc-check-cfg=cfg(sqlite)"); | ||||||
|  |     println!("cargo::rustc-check-cfg=cfg(mysql)"); | ||||||
|  |     println!("cargo::rustc-check-cfg=cfg(postgresql)"); | ||||||
|  |     println!("cargo::rustc-check-cfg=cfg(query_logger)"); | ||||||
|  |  | ||||||
|  |     // Rerun when these paths are changed. | ||||||
|  |     // Someone could have checked-out a tag or specific commit, but no other files changed. | ||||||
|  |     println!("cargo:rerun-if-changed=.git"); | ||||||
|  |     println!("cargo:rerun-if-changed=.git/HEAD"); | ||||||
|  |     println!("cargo:rerun-if-changed=.git/index"); | ||||||
|  |     println!("cargo:rerun-if-changed=.git/refs/tags"); | ||||||
|  |  | ||||||
|  |     #[cfg(all(not(debug_assertions), feature = "query_logger"))] | ||||||
|  |     compile_error!("Query Logging is only allowed during development, it is not intended for production usage!"); | ||||||
|  |  | ||||||
|     // Support $BWRS_VERSION for legacy compatibility, but default to $VW_VERSION. |     // Support $BWRS_VERSION for legacy compatibility, but default to $VW_VERSION. | ||||||
|     // If neither exist, read from git. |     // If neither exist, read from git. | ||||||
|     let maybe_vaultwarden_version = |     let maybe_vaultwarden_version = | ||||||
|         env::var("VW_VERSION").or_else(|_| env::var("BWRS_VERSION")).or_else(|_| version_from_git_info()); |         env::var("VW_VERSION").or_else(|_| env::var("BWRS_VERSION")).or_else(|_| version_from_git_info()); | ||||||
|  |  | ||||||
|     if let Ok(version) = maybe_vaultwarden_version { |     if let Ok(version) = maybe_vaultwarden_version { | ||||||
|         println!("cargo:rustc-env=VW_VERSION={}", version); |         println!("cargo:rustc-env=VW_VERSION={version}"); | ||||||
|         println!("cargo:rustc-env=CARGO_PKG_VERSION={}", version); |         println!("cargo:rustc-env=CARGO_PKG_VERSION={version}"); | ||||||
|     } |     } | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -37,39 +56,39 @@ fn run(args: &[&str]) -> Result<String, std::io::Error> { | |||||||
|  |  | ||||||
| /// This method reads info from Git, namely tags, branch, and revision | /// This method reads info from Git, namely tags, branch, and revision | ||||||
| /// To access these values, use: | /// To access these values, use: | ||||||
| ///    - env!("GIT_EXACT_TAG") | ///    - `env!("GIT_EXACT_TAG")` | ||||||
| ///    - env!("GIT_LAST_TAG") | ///    - `env!("GIT_LAST_TAG")` | ||||||
| ///    - env!("GIT_BRANCH") | ///    - `env!("GIT_BRANCH")` | ||||||
| ///    - env!("GIT_REV") | ///    - `env!("GIT_REV")` | ||||||
| ///    - env!("VW_VERSION") | ///    - `env!("VW_VERSION")` | ||||||
| fn version_from_git_info() -> Result<String, std::io::Error> { | fn version_from_git_info() -> Result<String, std::io::Error> { | ||||||
|     // The exact tag for the current commit, can be empty when |     // The exact tag for the current commit, can be empty when | ||||||
|     // the current commit doesn't have an associated tag |     // the current commit doesn't have an associated tag | ||||||
|     let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok(); |     let exact_tag = run(&["git", "describe", "--abbrev=0", "--tags", "--exact-match"]).ok(); | ||||||
|     if let Some(ref exact) = exact_tag { |     if let Some(ref exact) = exact_tag { | ||||||
|         println!("cargo:rustc-env=GIT_EXACT_TAG={}", exact); |         println!("cargo:rustc-env=GIT_EXACT_TAG={exact}"); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     // The last available tag, equal to exact_tag when |     // The last available tag, equal to exact_tag when | ||||||
|     // the current commit is tagged |     // the current commit is tagged | ||||||
|     let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?; |     let last_tag = run(&["git", "describe", "--abbrev=0", "--tags"])?; | ||||||
|     println!("cargo:rustc-env=GIT_LAST_TAG={}", last_tag); |     println!("cargo:rustc-env=GIT_LAST_TAG={last_tag}"); | ||||||
|  |  | ||||||
|     // The current branch name |     // The current branch name | ||||||
|     let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?; |     let branch = run(&["git", "rev-parse", "--abbrev-ref", "HEAD"])?; | ||||||
|     println!("cargo:rustc-env=GIT_BRANCH={}", branch); |     println!("cargo:rustc-env=GIT_BRANCH={branch}"); | ||||||
|  |  | ||||||
|     // The current git commit hash |     // The current git commit hash | ||||||
|     let rev = run(&["git", "rev-parse", "HEAD"])?; |     let rev = run(&["git", "rev-parse", "HEAD"])?; | ||||||
|     let rev_short = rev.get(..8).unwrap_or_default(); |     let rev_short = rev.get(..8).unwrap_or_default(); | ||||||
|     println!("cargo:rustc-env=GIT_REV={}", rev_short); |     println!("cargo:rustc-env=GIT_REV={rev_short}"); | ||||||
|  |  | ||||||
|     // Combined version |     // Combined version | ||||||
|     if let Some(exact) = exact_tag { |     if let Some(exact) = exact_tag { | ||||||
|         Ok(exact) |         Ok(exact) | ||||||
|     } else if &branch != "main" && &branch != "master" { |     } else if &branch != "main" && &branch != "master" && &branch != "HEAD" { | ||||||
|         Ok(format!("{}-{} ({})", last_tag, rev_short, branch)) |         Ok(format!("{last_tag}-{rev_short} ({branch})")) | ||||||
|     } else { |     } else { | ||||||
|         Ok(format!("{}-{}", last_tag, rev_short)) |         Ok(format!("{last_tag}-{rev_short}")) | ||||||
|     } |     } | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										29
									
								
								docker/DockerSettings.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										29
									
								
								docker/DockerSettings.yaml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,29 @@ | |||||||
|  | --- | ||||||
|  | vault_version: "v2024.6.2c" | ||||||
|  | vault_image_digest: "sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b" | ||||||
|  | # Cross Compile Docker Helper Scripts v1.5.0 | ||||||
|  | # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts | ||||||
|  | # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags | ||||||
|  | xx_image_digest: "sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa" | ||||||
|  | rust_version: 1.82.0 # Rust version to be used | ||||||
|  | debian_version: bookworm # Debian release name to be used | ||||||
|  | alpine_version: "3.20" # Alpine version to be used | ||||||
|  | # For which platforms/architectures will we try to build images | ||||||
|  | platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] | ||||||
|  | # Determine the build images per OS/Arch | ||||||
|  | build_stage_image: | ||||||
|  |   debian: | ||||||
|  |     image: "docker.io/library/rust:{{rust_version}}-slim-{{debian_version}}" | ||||||
|  |     platform: "$BUILDPLATFORM" | ||||||
|  |   alpine: | ||||||
|  |     image: "build_${TARGETARCH}${TARGETVARIANT}" | ||||||
|  |     platform: "linux/amd64" # The Alpine build images only have linux/amd64 images | ||||||
|  |     arch_image: | ||||||
|  |       amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}" | ||||||
|  |       arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}" | ||||||
|  |       armv7: "ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-{{rust_version}}" | ||||||
|  |       armv6: "ghcr.io/blackdex/rust-musl:arm-musleabi-stable-{{rust_version}}" | ||||||
|  | # The final image which will be used to distribute the container images | ||||||
|  | runtime_stage_image: | ||||||
|  |   debian: "docker.io/library/debian:{{debian_version}}-slim" | ||||||
|  |   alpine: "docker.io/library/alpine:{{alpine_version}}" | ||||||
							
								
								
									
										158
									
								
								docker/Dockerfile.alpine
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										158
									
								
								docker/Dockerfile.alpine
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,158 @@ | |||||||
|  | # syntax=docker/dockerfile:1 | ||||||
|  | # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||||
|  |  | ||||||
|  | # This file was generated using a Jinja2 template. | ||||||
|  | # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||||
|  | # This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` | ||||||
|  |  | ||||||
|  | # Using multistage build: | ||||||
|  | # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||||
|  | # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||||
|  |  | ||||||
|  | ####################### VAULT BUILD IMAGE ####################### | ||||||
|  | # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||||
|  | # Using the digest instead of the tag name provides better security, | ||||||
|  | # as the digest of an image is immutable, whereas a tag name can later | ||||||
|  | # be changed to point to a malicious image. | ||||||
|  | # | ||||||
|  | # To verify the current digest for a given tag name: | ||||||
|  | # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||||
|  | #   click the tag name to view the digest of the image it currently points to. | ||||||
|  | # - From the command line: | ||||||
|  | #     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c | ||||||
|  | #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c | ||||||
|  | #     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b] | ||||||
|  | # | ||||||
|  | # - Conversely, to get the tag name from the digest: | ||||||
|  | #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b | ||||||
|  | #     [docker.io/vaultwarden/web-vault:v2024.6.2c] | ||||||
|  | # | ||||||
|  | FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault | ||||||
|  |  | ||||||
|  | ########################## ALPINE BUILD IMAGES ########################## | ||||||
|  | ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 | ||||||
|  | ## And for Alpine we define all build images here, they will only be loaded when actually used | ||||||
|  | FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.82.0 AS build_amd64 | ||||||
|  | FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.82.0 AS build_arm64 | ||||||
|  | FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.82.0 AS build_armv7 | ||||||
|  | FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.82.0 AS build_armv6 | ||||||
|  |  | ||||||
|  | ########################## BUILD IMAGE ########################## | ||||||
|  | # hadolint ignore=DL3006 | ||||||
|  | FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build | ||||||
|  | ARG TARGETARCH | ||||||
|  | ARG TARGETVARIANT | ||||||
|  | ARG TARGETPLATFORM | ||||||
|  |  | ||||||
|  | SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||||||
|  |  | ||||||
|  | # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||||
|  | ENV DEBIAN_FRONTEND=noninteractive \ | ||||||
|  |     LANG=C.UTF-8 \ | ||||||
|  |     TZ=UTC \ | ||||||
|  |     TERM=xterm-256color \ | ||||||
|  |     CARGO_HOME="/root/.cargo" \ | ||||||
|  |     USER="root" \ | ||||||
|  |     # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||||
|  |     # Debian Bookworm already contains libpq v15 | ||||||
|  |     PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||||
|  |  | ||||||
|  |  | ||||||
|  | # Create CARGO_HOME folder and don't download rust docs | ||||||
|  | RUN mkdir -pv "${CARGO_HOME}" && \ | ||||||
|  |     rustup set profile minimal | ||||||
|  |  | ||||||
|  | # Creates a dummy project used to grab dependencies | ||||||
|  | RUN USER=root cargo new --bin /app | ||||||
|  | WORKDIR /app | ||||||
|  |  | ||||||
|  | # Environment variables for Cargo on Alpine based builds | ||||||
|  | RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ | ||||||
|  |     # Output the current contents of the file | ||||||
|  |     cat /env-cargo | ||||||
|  |  | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     rustup target add "${CARGO_TARGET}" | ||||||
|  |  | ||||||
|  | # Copies over *only* your manifests and build files | ||||||
|  | COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||||
|  |  | ||||||
|  | ARG CARGO_PROFILE=release | ||||||
|  |  | ||||||
|  | # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||||
|  | # Enable MiMalloc to improve performance on Alpine builds | ||||||
|  | ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||||
|  |  | ||||||
|  | # Builds your dependencies and removes the | ||||||
|  | # dummy project, except the target folder | ||||||
|  | # This folder contains the compiled dependencies | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     find . -not -path "./target*" -delete | ||||||
|  |  | ||||||
|  | # Copies the complete project | ||||||
|  | # To avoid copying unneeded files, use .dockerignore | ||||||
|  | COPY . . | ||||||
|  |  | ||||||
|  | ARG VW_VERSION | ||||||
|  |  | ||||||
|  | # Builds again, this time it will be the actual source files being build | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||||
|  |     # Also do this for build.rs to ensure the version is rechecked | ||||||
|  |     touch build.rs src/main.rs && \ | ||||||
|  |     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||||
|  |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ | ||||||
|  |     else \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ | ||||||
|  |     fi | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ######################## RUNTIME IMAGE  ######################## | ||||||
|  | # Create a new stage with a minimal image | ||||||
|  | # because we already have a binary built | ||||||
|  | # | ||||||
|  | # To build these images you need to have qemu binfmt support. | ||||||
|  | # See the following pages to help install these tools locally | ||||||
|  | # Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation | ||||||
|  | # Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 | ||||||
|  | # | ||||||
|  | # Or use a Docker image which modifies your host system to support this. | ||||||
|  | # The GitHub Actions Workflow uses the same image as used below. | ||||||
|  | # See: https://github.com/tonistiigi/binfmt | ||||||
|  | # Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||||
|  | # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||||
|  | # | ||||||
|  | # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 | ||||||
|  | FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.20 | ||||||
|  |  | ||||||
|  | ENV ROCKET_PROFILE="release" \ | ||||||
|  |     ROCKET_ADDRESS=0.0.0.0 \ | ||||||
|  |     ROCKET_PORT=80 \ | ||||||
|  |     SSL_CERT_DIR=/etc/ssl/certs | ||||||
|  |  | ||||||
|  | # Create data folder and Install needed libraries | ||||||
|  | RUN mkdir /data && \ | ||||||
|  |     apk --no-cache add \ | ||||||
|  |         ca-certificates \ | ||||||
|  |         curl \ | ||||||
|  |         openssl \ | ||||||
|  |         tzdata | ||||||
|  |  | ||||||
|  | VOLUME /data | ||||||
|  | EXPOSE 80 | ||||||
|  |  | ||||||
|  | # Copies the files from the context (Rocket.toml file and web-vault) | ||||||
|  | # and the binary from the "build" stage to the current stage | ||||||
|  | WORKDIR / | ||||||
|  |  | ||||||
|  | COPY docker/healthcheck.sh docker/start.sh / | ||||||
|  |  | ||||||
|  | COPY --from=vault /web-vault ./web-vault | ||||||
|  | COPY --from=build /app/target/final/vaultwarden . | ||||||
|  |  | ||||||
|  | HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||||
|  |  | ||||||
|  | CMD ["/start.sh"] | ||||||
| @@ -1,34 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
| # The cross-built images have the build arch (`amd64`) embedded in the image |  | ||||||
| # manifest, rather than the target arch. For example: |  | ||||||
| # |  | ||||||
| #   $ docker inspect vaultwarden/server:latest-armv7 | jq -r '.[]|.Architecture' |  | ||||||
| #   amd64 |  | ||||||
| # |  | ||||||
| # Recent versions of Docker have started printing a warning when the image's |  | ||||||
| # claimed arch doesn't match the host arch. For example: |  | ||||||
| # |  | ||||||
| #   WARNING: The requested image's platform (linux/amd64) does not match the |  | ||||||
| #   detected host platform (linux/arm/v7) and no specific platform was requested |  | ||||||
| # |  | ||||||
| # The image still works fine, but the spurious warning creates confusion. |  | ||||||
| # |  | ||||||
| # Docker doesn't seem to provide a way to directly set the arch of an image |  | ||||||
| # at build time. To resolve the build vs. target arch discrepancy, we use |  | ||||||
| # Docker Buildx to build a new set of images with the correct target arch. |  | ||||||
| # |  | ||||||
| # Docker Buildx uses this Dockerfile to build an image for each requested |  | ||||||
| # platform. Since the Dockerfile basically consists of a single `FROM` |  | ||||||
| # instruction, we're effectively telling Buildx to build a platform-specific |  | ||||||
| # image by simply copying the existing cross-built image and setting the |  | ||||||
| # correct target arch as a side effect. |  | ||||||
| # |  | ||||||
| # References: |  | ||||||
| # |  | ||||||
| # - https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images |  | ||||||
| # - https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope |  | ||||||
| # - https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact |  | ||||||
| # |  | ||||||
| ARG LOCAL_REPO |  | ||||||
| ARG DOCKER_TAG |  | ||||||
| FROM ${LOCAL_REPO}:${DOCKER_TAG}-${TARGETARCH}${TARGETVARIANT} |  | ||||||
							
								
								
									
										201
									
								
								docker/Dockerfile.debian
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										201
									
								
								docker/Dockerfile.debian
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,201 @@ | |||||||
|  | # syntax=docker/dockerfile:1 | ||||||
|  | # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||||
|  |  | ||||||
|  | # This file was generated using a Jinja2 template. | ||||||
|  | # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||||
|  | # This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` | ||||||
|  |  | ||||||
|  | # Using multistage build: | ||||||
|  | # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||||
|  | # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||||
|  |  | ||||||
|  | ####################### VAULT BUILD IMAGE ####################### | ||||||
|  | # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||||
|  | # Using the digest instead of the tag name provides better security, | ||||||
|  | # as the digest of an image is immutable, whereas a tag name can later | ||||||
|  | # be changed to point to a malicious image. | ||||||
|  | # | ||||||
|  | # To verify the current digest for a given tag name: | ||||||
|  | # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||||
|  | #   click the tag name to view the digest of the image it currently points to. | ||||||
|  | # - From the command line: | ||||||
|  | #     $ docker pull docker.io/vaultwarden/web-vault:v2024.6.2c | ||||||
|  | #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.6.2c | ||||||
|  | #     [docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b] | ||||||
|  | # | ||||||
|  | # - Conversely, to get the tag name from the digest: | ||||||
|  | #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b | ||||||
|  | #     [docker.io/vaultwarden/web-vault:v2024.6.2c] | ||||||
|  | # | ||||||
|  | FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:409ab328ca931439cb916b388a4bb784bd44220717aaf74cf71620c23e34fc2b AS vault | ||||||
|  |  | ||||||
|  | ########################## Cross Compile Docker Helper Scripts ########################## | ||||||
|  | ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts | ||||||
|  | ## And these bash scripts do not have any significant difference if at all | ||||||
|  | FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:1978e7a58a1777cb0ef0dde76bad60b7914b21da57cfa88047875e4f364297aa AS xx | ||||||
|  |  | ||||||
|  | ########################## BUILD IMAGE ########################## | ||||||
|  | # hadolint ignore=DL3006 | ||||||
|  | FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.82.0-slim-bookworm AS build | ||||||
|  | COPY --from=xx / / | ||||||
|  | ARG TARGETARCH | ||||||
|  | ARG TARGETVARIANT | ||||||
|  | ARG TARGETPLATFORM | ||||||
|  |  | ||||||
|  | SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||||||
|  |  | ||||||
|  | # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||||
|  | ENV DEBIAN_FRONTEND=noninteractive \ | ||||||
|  |     LANG=C.UTF-8 \ | ||||||
|  |     TZ=UTC \ | ||||||
|  |     TERM=xterm-256color \ | ||||||
|  |     CARGO_HOME="/root/.cargo" \ | ||||||
|  |     USER="root" | ||||||
|  |  | ||||||
|  | # Install clang to get `xx-cargo` working | ||||||
|  | # Install pkg-config to allow amd64 builds to find all libraries | ||||||
|  | # Install git so build.rs can determine the correct version | ||||||
|  | # Install the libc cross packages based upon the debian-arch | ||||||
|  | RUN apt-get update && \ | ||||||
|  |     apt-get install -y \ | ||||||
|  |         --no-install-recommends \ | ||||||
|  |         clang \ | ||||||
|  |         pkg-config \ | ||||||
|  |         git \ | ||||||
|  |         "libc6-$(xx-info debian-arch)-cross" \ | ||||||
|  |         "libc6-dev-$(xx-info debian-arch)-cross" \ | ||||||
|  |         "linux-libc-dev-$(xx-info debian-arch)-cross" && \ | ||||||
|  |     xx-apt-get install -y \ | ||||||
|  |         --no-install-recommends \ | ||||||
|  |         gcc \ | ||||||
|  |         libmariadb3 \ | ||||||
|  |         libpq-dev \ | ||||||
|  |         libpq5 \ | ||||||
|  |         libssl-dev \ | ||||||
|  |         zlib1g-dev && \ | ||||||
|  |     # Force install arch dependend mariadb dev packages | ||||||
|  |     # Installing them the normal way breaks several other packages (again) | ||||||
|  |     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ | ||||||
|  |     dpkg --force-all -i ./libmariadb-dev*.deb && \ | ||||||
|  |     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||||
|  |     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||||
|  |  | ||||||
|  | # Create CARGO_HOME folder and don't download rust docs | ||||||
|  | RUN mkdir -pv "${CARGO_HOME}" && \ | ||||||
|  |     rustup set profile minimal | ||||||
|  |  | ||||||
|  | # Creates a dummy project used to grab dependencies | ||||||
|  | RUN USER=root cargo new --bin /app | ||||||
|  | WORKDIR /app | ||||||
|  |  | ||||||
|  | # Environment variables for Cargo on Debian based builds | ||||||
|  | ARG ARCH_OPENSSL_LIB_DIR \ | ||||||
|  |     ARCH_OPENSSL_INCLUDE_DIR | ||||||
|  |  | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     if xx-info is-cross ; then \ | ||||||
|  |         # Some special variables if needed to override some build paths | ||||||
|  |         if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \ | ||||||
|  |             echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \ | ||||||
|  |             echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \ | ||||||
|  |         fi && \ | ||||||
|  |         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. | ||||||
|  |         # Because of this we generate the needed environment variables here which we can load in the needed steps. | ||||||
|  |         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||||
|  |         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||||
|  |         echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ | ||||||
|  |         echo "export CROSS_COMPILE=1" >> /env-cargo && \ | ||||||
|  |         echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ | ||||||
|  |         echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ | ||||||
|  |     fi && \ | ||||||
|  |     # Output the current contents of the file | ||||||
|  |     cat /env-cargo | ||||||
|  |  | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     rustup target add "${CARGO_TARGET}" | ||||||
|  |  | ||||||
|  | # Copies over *only* your manifests and build files | ||||||
|  | COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||||
|  |  | ||||||
|  | ARG CARGO_PROFILE=release | ||||||
|  |  | ||||||
|  | # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||||
|  | ARG DB=sqlite,mysql,postgresql | ||||||
|  |  | ||||||
|  | # Builds your dependencies and removes the | ||||||
|  | # dummy project, except the target folder | ||||||
|  | # This folder contains the compiled dependencies | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     find . -not -path "./target*" -delete | ||||||
|  |  | ||||||
|  | # Copies the complete project | ||||||
|  | # To avoid copying unneeded files, use .dockerignore | ||||||
|  | COPY . . | ||||||
|  |  | ||||||
|  | ARG VW_VERSION | ||||||
|  |  | ||||||
|  | # Builds again, this time it will be the actual source files being build | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||||
|  |     # Also do this for build.rs to ensure the version is rechecked | ||||||
|  |     touch build.rs src/main.rs && \ | ||||||
|  |     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||||
|  |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ | ||||||
|  |     else \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ | ||||||
|  |     fi | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ######################## RUNTIME IMAGE  ######################## | ||||||
|  | # Create a new stage with a minimal image | ||||||
|  | # because we already have a binary built | ||||||
|  | # | ||||||
|  | # To build these images you need to have qemu binfmt support. | ||||||
|  | # See the following pages to help install these tools locally | ||||||
|  | # Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation | ||||||
|  | # Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 | ||||||
|  | # | ||||||
|  | # Or use a Docker image which modifies your host system to support this. | ||||||
|  | # The GitHub Actions Workflow uses the same image as used below. | ||||||
|  | # See: https://github.com/tonistiigi/binfmt | ||||||
|  | # Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||||
|  | # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||||
|  | # | ||||||
|  | # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 | ||||||
|  | FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim | ||||||
|  |  | ||||||
|  | ENV ROCKET_PROFILE="release" \ | ||||||
|  |     ROCKET_ADDRESS=0.0.0.0 \ | ||||||
|  |     ROCKET_PORT=80 \ | ||||||
|  |     DEBIAN_FRONTEND=noninteractive | ||||||
|  |  | ||||||
|  | # Create data folder and Install needed libraries | ||||||
|  | RUN mkdir /data && \ | ||||||
|  |     apt-get update && apt-get install -y \ | ||||||
|  |         --no-install-recommends \ | ||||||
|  |         ca-certificates \ | ||||||
|  |         curl \ | ||||||
|  |         libmariadb-dev-compat \ | ||||||
|  |         libpq5 \ | ||||||
|  |         openssl && \ | ||||||
|  |     apt-get clean && \ | ||||||
|  |     rm -rf /var/lib/apt/lists/* | ||||||
|  |  | ||||||
|  | VOLUME /data | ||||||
|  | EXPOSE 80 | ||||||
|  |  | ||||||
|  | # Copies the files from the context (Rocket.toml file and web-vault) | ||||||
|  | # and the binary from the "build" stage to the current stage | ||||||
|  | WORKDIR / | ||||||
|  |  | ||||||
|  | COPY docker/healthcheck.sh docker/start.sh / | ||||||
|  |  | ||||||
|  | COPY --from=vault /web-vault ./web-vault | ||||||
|  | COPY --from=build /app/target/final/vaultwarden . | ||||||
|  |  | ||||||
|  | HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||||
|  |  | ||||||
|  | CMD ["/start.sh"] | ||||||
| @@ -1,66 +1,15 @@ | |||||||
| # syntax=docker/dockerfile:1 | # syntax=docker/dockerfile:1 | ||||||
|  | # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. | # This file was generated using a Jinja2 template. | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. | # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||||
|  | # This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine` | ||||||
|  |  | ||||||
| {% set build_stage_base_image = "rust:1.61-bullseye" %} |  | ||||||
| {% if "alpine" in target_file %} |  | ||||||
| {%   if "amd64" in target_file %} |  | ||||||
| {%     set build_stage_base_image = "blackdex/rust-musl:x86_64-musl-stable-1.61.0" %} |  | ||||||
| {%     set runtime_stage_base_image = "alpine:3.15" %} |  | ||||||
| {%     set package_arch_target = "x86_64-unknown-linux-musl" %} |  | ||||||
| {%   elif "armv7" in target_file %} |  | ||||||
| {%     set build_stage_base_image = "blackdex/rust-musl:armv7-musleabihf-stable-1.61.0" %} |  | ||||||
| {%     set runtime_stage_base_image = "balenalib/armv7hf-alpine:3.15" %} |  | ||||||
| {%     set package_arch_target = "armv7-unknown-linux-musleabihf" %} |  | ||||||
| {%   elif "armv6" in target_file %} |  | ||||||
| {%     set build_stage_base_image = "blackdex/rust-musl:arm-musleabi-stable-1.61.0" %} |  | ||||||
| {%     set runtime_stage_base_image = "balenalib/rpi-alpine:3.15" %} |  | ||||||
| {%     set package_arch_target = "arm-unknown-linux-musleabi" %} |  | ||||||
| {%   elif "arm64" in target_file %} |  | ||||||
| {%     set build_stage_base_image = "blackdex/rust-musl:aarch64-musl-stable-1.61.0" %} |  | ||||||
| {%     set runtime_stage_base_image = "balenalib/aarch64-alpine:3.15" %} |  | ||||||
| {%     set package_arch_target = "aarch64-unknown-linux-musl" %} |  | ||||||
| {%   endif %} |  | ||||||
| {% elif "amd64" in target_file %} |  | ||||||
| {%   set runtime_stage_base_image = "debian:bullseye-slim" %} |  | ||||||
| {% elif "arm64" in target_file %} |  | ||||||
| {%   set runtime_stage_base_image = "balenalib/aarch64-debian:bullseye" %} |  | ||||||
| {%   set package_arch_name = "arm64" %} |  | ||||||
| {%   set package_arch_target = "aarch64-unknown-linux-gnu" %} |  | ||||||
| {%   set package_cross_compiler = "aarch64-linux-gnu" %} |  | ||||||
| {% elif "armv6" in target_file %} |  | ||||||
| {%   set runtime_stage_base_image = "balenalib/rpi-debian:bullseye" %} |  | ||||||
| {%   set package_arch_name = "armel" %} |  | ||||||
| {%   set package_arch_target = "arm-unknown-linux-gnueabi" %} |  | ||||||
| {%   set package_cross_compiler = "arm-linux-gnueabi" %} |  | ||||||
| {% elif "armv7" in target_file %} |  | ||||||
| {%   set runtime_stage_base_image = "balenalib/armv7hf-debian:bullseye" %} |  | ||||||
| {%   set package_arch_name = "armhf" %} |  | ||||||
| {%   set package_arch_target = "armv7-unknown-linux-gnueabihf" %} |  | ||||||
| {%   set package_cross_compiler = "arm-linux-gnueabihf" %} |  | ||||||
| {% endif %} |  | ||||||
| {% if package_arch_name is defined %} |  | ||||||
| {%   set package_arch_prefix = ":" + package_arch_name %} |  | ||||||
| {% else %} |  | ||||||
| {%   set package_arch_prefix = "" %} |  | ||||||
| {% endif %} |  | ||||||
| {% if package_arch_target is defined %} |  | ||||||
| {%   set package_arch_target_param = " --target=" + package_arch_target %} |  | ||||||
| {% else %} |  | ||||||
| {%   set package_arch_target_param = "" %} |  | ||||||
| {% endif %} |  | ||||||
| {% if "buildx" in target_file %} |  | ||||||
| {%   set mount_rust_cache = "--mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry " %} |  | ||||||
| {% else %} |  | ||||||
| {%   set mount_rust_cache = "" %} |  | ||||||
| {% endif %} |  | ||||||
| # Using multistage build: | # Using multistage build: | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ | # 	https://docs.docker.com/develop/develop-images/multistage-build/ | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ | # 	https://whitfin.io/speeding-up-rust-docker-builds/ | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| {% set vault_version = "2.28.1" %} | ####################### VAULT BUILD IMAGE ####################### | ||||||
| {% set vault_image_digest = "sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5" %} |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. | # The web-vault digest specifies a particular web-vault build on Docker Hub. | ||||||
| # Using the digest instead of the tag name provides better security, | # Using the digest instead of the tag name provides better security, | ||||||
| # as the digest of an image is immutable, whereas a tag name can later | # as the digest of an image is immutable, whereas a tag name can later | ||||||
| @@ -70,20 +19,41 @@ | |||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||||
| #   click the tag name to view the digest of the image it currently points to. | #   click the tag name to view the digest of the image it currently points to. | ||||||
| # - From the command line: | # - From the command line: | ||||||
| #     $ docker pull vaultwarden/web-vault:v{{ vault_version }} | #     $ docker pull docker.io/vaultwarden/web-vault:{{ vault_version }} | ||||||
| #     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" vaultwarden/web-vault:v{{ vault_version }} | #     $ docker image inspect --format "{{ '{{' }}.RepoDigests}}" docker.io/vaultwarden/web-vault:{{ vault_version }} | ||||||
| #     [vaultwarden/web-vault@{{ vault_image_digest }}] | #     [docker.io/vaultwarden/web-vault@{{ vault_image_digest }}] | ||||||
| # | # | ||||||
| # - Conversely, to get the tag name from the digest: | # - Conversely, to get the tag name from the digest: | ||||||
| #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" vaultwarden/web-vault@{{ vault_image_digest }} | #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }} | ||||||
| #     [vaultwarden/web-vault:v{{ vault_version }}] | #     [docker.io/vaultwarden/web-vault:{{ vault_version }}] | ||||||
| # | # | ||||||
| FROM vaultwarden/web-vault@{{ vault_image_digest }} as vault | FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## | {% if base == "debian" %} | ||||||
| FROM {{ build_stage_base_image }} as build | ########################## Cross Compile Docker Helper Scripts ########################## | ||||||
|  | ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts | ||||||
|  | ## And these bash scripts do not have any significant difference if at all | ||||||
|  | FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx | ||||||
|  | {% elif base == "alpine" %} | ||||||
|  | ########################## ALPINE BUILD IMAGES ########################## | ||||||
|  | ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 | ||||||
|  | ## And for Alpine we define all build images here, they will only be loaded when actually used | ||||||
|  | {% for arch in build_stage_image[base].arch_image %} | ||||||
|  | FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }} | ||||||
|  | {% endfor %} | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
|  | ########################## BUILD IMAGE ########################## | ||||||
|  | # hadolint ignore=DL3006 | ||||||
|  | FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} AS build | ||||||
|  | {% if base == "debian" %} | ||||||
|  | COPY --from=xx / / | ||||||
|  | {% endif %} | ||||||
|  | ARG TARGETARCH | ||||||
|  | ARG TARGETVARIANT | ||||||
|  | ARG TARGETPLATFORM | ||||||
|  |  | ||||||
|  | SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. | # Build time options to avoid dpkg warnings and help with reproducible builds. | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ | ENV DEBIAN_FRONTEND=noninteractive \ | ||||||
| @@ -92,169 +62,184 @@ ENV DEBIAN_FRONTEND=noninteractive \ | |||||||
|     TERM=xterm-256color \ |     TERM=xterm-256color \ | ||||||
|     CARGO_HOME="/root/.cargo" \ |     CARGO_HOME="/root/.cargo" \ | ||||||
|     USER="root" |     USER="root" | ||||||
|  | {%- if base == "alpine" %} \ | ||||||
|  |     # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11 | ||||||
|  |     # Debian Bookworm already contains libpq v15 | ||||||
|  |     PQ_LIB_DIR="/usr/local/musl/pq15/lib" | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
| {# {% if "alpine" not in target_file and "buildx" in target_file %} | {% if base == "debian" %} | ||||||
| # Debian based Buildx builds can use some special apt caching to speedup building. |  | ||||||
| # By default Debian based images have some rules to keep docker builds clean, we need to remove this. | # Install clang to get `xx-cargo` working | ||||||
| # See: https://hub.docker.com/r/docker/dockerfile | # Install pkg-config to allow amd64 builds to find all libraries | ||||||
| RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache | # Install git so build.rs can determine the correct version | ||||||
| {% endif %} #} | # Install the libc cross packages based upon the debian-arch | ||||||
|  | RUN apt-get update && \ | ||||||
|  |     apt-get install -y \ | ||||||
|  |         --no-install-recommends \ | ||||||
|  |         clang \ | ||||||
|  |         pkg-config \ | ||||||
|  |         git \ | ||||||
|  |         "libc6-$(xx-info debian-arch)-cross" \ | ||||||
|  |         "libc6-dev-$(xx-info debian-arch)-cross" \ | ||||||
|  |         "linux-libc-dev-$(xx-info debian-arch)-cross" && \ | ||||||
|  |     xx-apt-get install -y \ | ||||||
|  |         --no-install-recommends \ | ||||||
|  |         gcc \ | ||||||
|  |         libmariadb3 \ | ||||||
|  |         libpq-dev \ | ||||||
|  |         libpq5 \ | ||||||
|  |         libssl-dev \ | ||||||
|  |         zlib1g-dev && \ | ||||||
|  |     # Force install arch dependend mariadb dev packages | ||||||
|  |     # Installing them the normal way breaks several other packages (again) | ||||||
|  |     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ | ||||||
|  |     dpkg --force-all -i ./libmariadb-dev*.deb && \ | ||||||
|  |     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||||
|  |     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||||
|  | {% endif %} | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs | # Create CARGO_HOME folder and don't download rust docs | ||||||
| RUN {{ mount_rust_cache -}} mkdir -pv "${CARGO_HOME}" \ | RUN mkdir -pv "${CARGO_HOME}" && \ | ||||||
|     && rustup set profile minimal |     rustup set profile minimal | ||||||
|  |  | ||||||
| {% if "alpine" in target_file %} |  | ||||||
| {%   if "armv6" in target_file %} |  | ||||||
| # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location |  | ||||||
| ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/{{ package_arch_target }}/lib/libatomic.a' |  | ||||||
| {%   endif %} |  | ||||||
| {% elif "arm" in target_file %} |  | ||||||
| # |  | ||||||
| # Install required build libs for {{ package_arch_name }} architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture {{ package_arch_name }} \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev{{ package_arch_prefix }} \ |  | ||||||
|         libc6-dev{{ package_arch_prefix }} \ |  | ||||||
|         libpq5{{ package_arch_prefix }} \ |  | ||||||
|         libpq-dev{{ package_arch_prefix }} \ |  | ||||||
|         libmariadb3{{ package_arch_prefix }} \ |  | ||||||
|         libmariadb-dev{{ package_arch_prefix }} \ |  | ||||||
|         libmariadb-dev-compat{{ package_arch_prefix }} \ |  | ||||||
|         gcc-{{ package_cross_compiler }} \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.{{ package_arch_target }}]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "{{ package_cross_compiler }}-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/{{ package_cross_compiler }}"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_{{ package_arch_target | replace("-", "_") }}="/usr/bin/{{ package_cross_compiler }}-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/{{ package_cross_compiler }}" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/{{ package_cross_compiler }}" |  | ||||||
|  |  | ||||||
| {% elif "amd64" in target_file %} |  | ||||||
| # Install DB packages |  | ||||||
| RUN apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libmariadb-dev{{ package_arch_prefix }} \ |  | ||||||
|         libpq-dev{{ package_arch_prefix }} \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
| {% endif %} |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies | # Creates a dummy project used to grab dependencies | ||||||
| RUN USER=root cargo new --bin /app | RUN USER=root cargo new --bin /app | ||||||
| WORKDIR /app | WORKDIR /app | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files | {% if base == "debian" %} | ||||||
| COPY ./Cargo.* ./ | # Environment variables for Cargo on Debian based builds | ||||||
| COPY ./rust-toolchain ./rust-toolchain | ARG ARCH_OPENSSL_LIB_DIR \ | ||||||
| COPY ./build.rs ./build.rs |     ARCH_OPENSSL_INCLUDE_DIR | ||||||
|  |  | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     if xx-info is-cross ; then \ | ||||||
|  |         # Some special variables if needed to override some build paths | ||||||
|  |         if [[ -n "${ARCH_OPENSSL_LIB_DIR}" && -n "${ARCH_OPENSSL_INCLUDE_DIR}" ]]; then \ | ||||||
|  |             echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_LIB_DIR=${ARCH_OPENSSL_LIB_DIR}" >> /env-cargo && \ | ||||||
|  |             echo "export $(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_OPENSSL_INCLUDE_DIR=${ARCH_OPENSSL_INCLUDE_DIR}" >> /env-cargo ; \ | ||||||
|  |         fi && \ | ||||||
|  |         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. | ||||||
|  |         # Because of this we generate the needed environment variables here which we can load in the needed steps. | ||||||
|  |         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||||
|  |         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||||
|  |         echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ | ||||||
|  |         echo "export CROSS_COMPILE=1" >> /env-cargo && \ | ||||||
|  |         echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ | ||||||
|  |         echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ | ||||||
|  |     fi && \ | ||||||
|  |     # Output the current contents of the file | ||||||
|  |     cat /env-cargo | ||||||
|  |  | ||||||
|  | {% elif base == "alpine" %} | ||||||
|  | # Environment variables for Cargo on Alpine based builds | ||||||
|  | RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ | ||||||
|  |     # Output the current contents of the file | ||||||
|  |     cat /env-cargo | ||||||
|  |  | ||||||
| {% if package_arch_target is defined %} |  | ||||||
| RUN {{ mount_rust_cache -}} rustup target add {{ package_arch_target }} |  | ||||||
| {% endif %} | {% endif %} | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     rustup target add "${CARGO_TARGET}" | ||||||
|  |  | ||||||
|  | # Copies over *only* your manifests and build files | ||||||
|  | COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||||
|  |  | ||||||
|  | ARG CARGO_PROFILE=release | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||||
| {% if "alpine" in target_file %} | {% if base == "debian" %} | ||||||
|  | ARG DB=sqlite,mysql,postgresql | ||||||
|  | {% elif base == "alpine" %} | ||||||
| # Enable MiMalloc to improve performance on Alpine builds | # Enable MiMalloc to improve performance on Alpine builds | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||||
| {% else %} |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
| {% endif %} | {% endif %} | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the | # Builds your dependencies and removes the | ||||||
| # dummy project, except the target folder | # dummy project, except the target folder | ||||||
| # This folder contains the compiled dependencies | # This folder contains the compiled dependencies | ||||||
| RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} \ | RUN source /env-cargo && \ | ||||||
|     && find . -not -path "./target*" -delete |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     find . -not -path "./target*" -delete | ||||||
|  |  | ||||||
| # Copies the complete project | # Copies the complete project | ||||||
| # To avoid copying unneeded files, use .dockerignore | # To avoid copying unneeded files, use .dockerignore | ||||||
| COPY . . | COPY . . | ||||||
|  |  | ||||||
| # Make sure that we actually build the project | ARG VW_VERSION | ||||||
| RUN touch src/main.rs |  | ||||||
|  | # Builds again, this time it will be the actual source files being build | ||||||
|  | RUN source /env-cargo && \ | ||||||
|  |     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||||
|  |     # Also do this for build.rs to ensure the version is rechecked | ||||||
|  |     touch build.rs src/main.rs && \ | ||||||
|  |     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||||
|  |     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||||
|  |     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \ | ||||||
|  |     else \ | ||||||
|  |         ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \ | ||||||
|  |     fi | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN {{ mount_rust_cache -}} cargo build --features ${DB} --release{{ package_arch_target_param }} |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## | ######################## RUNTIME IMAGE  ######################## | ||||||
| # Create a new stage with a minimal image | # Create a new stage with a minimal image | ||||||
| # because we already have a binary built | # because we already have a binary built | ||||||
| FROM {{ runtime_stage_base_image }} | # | ||||||
|  | # To build these images you need to have qemu binfmt support. | ||||||
|  | # See the following pages to help install these tools locally | ||||||
|  | # Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation | ||||||
|  | # Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64 | ||||||
|  | # | ||||||
|  | # Or use a Docker image which modifies your host system to support this. | ||||||
|  | # The GitHub Actions Workflow uses the same image as used below. | ||||||
|  | # See: https://github.com/tonistiigi/binfmt | ||||||
|  | # Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||||
|  | # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||||
|  | # | ||||||
|  | # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 | ||||||
|  | FROM --platform=$TARGETPLATFORM {{ runtime_stage_image[base] }} | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ | ENV ROCKET_PROFILE="release" \ | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |     ROCKET_ADDRESS=0.0.0.0 \ | ||||||
|     ROCKET_PORT=80 |     ROCKET_PORT=80 | ||||||
| {%- if "alpine" in runtime_stage_base_image %} \ | {%- if base == "debian" %} \ | ||||||
|  |     DEBIAN_FRONTEND=noninteractive | ||||||
|  | {% elif base == "alpine" %} \ | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |     SSL_CERT_DIR=/etc/ssl/certs | ||||||
| {% endif %} | {% endif %} | ||||||
|  |  | ||||||
|  |  | ||||||
| {% if "amd64" not in target_file %} |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
| {% endif %} |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries | # Create data folder and Install needed libraries | ||||||
| RUN mkdir /data \ | RUN mkdir /data && \ | ||||||
| {% if "alpine" in runtime_stage_base_image %} | {% if base == "debian" %} | ||||||
|     && apk add --no-cache \ |     apt-get update && apt-get install -y \ | ||||||
|         openssl \ |         --no-install-recommends \ | ||||||
|         tzdata \ |         ca-certificates \ | ||||||
|         curl \ |         curl \ | ||||||
|         dumb-init \ |         libmariadb-dev-compat \ | ||||||
|         ca-certificates |         libpq5 \ | ||||||
| {% else %} |         openssl && \ | ||||||
|     && apt-get update && apt-get install -y \ |     apt-get clean && \ | ||||||
|     --no-install-recommends \ |     rm -rf /var/lib/apt/lists/* | ||||||
|     openssl \ | {% elif base == "alpine" %} | ||||||
|     ca-certificates \ |     apk --no-cache add \ | ||||||
|     curl \ |         ca-certificates \ | ||||||
|     dumb-init \ |         curl \ | ||||||
|     libmariadb-dev-compat \ |         openssl \ | ||||||
|     libpq5 \ |         tzdata | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
| {% endif %} |  | ||||||
|  |  | ||||||
| {% if "amd64" not in target_file %} |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
| {% endif %} | {% endif %} | ||||||
|  |  | ||||||
| VOLUME /data | VOLUME /data | ||||||
| EXPOSE 80 | EXPOSE 80 | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) | # Copies the files from the context (Rocket.toml file and web-vault) | ||||||
| # and the binary from the "build" stage to the current stage | # and the binary from the "build" stage to the current stage | ||||||
| WORKDIR / | WORKDIR / | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| {% if package_arch_target is defined %} |  | ||||||
| COPY --from=build /app/target/{{ package_arch_target }}/release/vaultwarden . |  | ||||||
| {% else %} |  | ||||||
| COPY --from=build /app/target/release/vaultwarden . |  | ||||||
| {% endif %} |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh | COPY docker/healthcheck.sh docker/start.sh / | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  | COPY --from=vault /web-vault ./web-vault | ||||||
|  | COPY --from=build /app/target/final/vaultwarden . | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] | CMD ["/start.sh"] | ||||||
|   | |||||||
| @@ -1,15 +1,4 @@ | |||||||
| OBJECTS := $(shell find ./ -mindepth 2 -name 'Dockerfile*') | all: | ||||||
|  | 	./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian | ||||||
| all: $(OBJECTS) | 	./render_template Dockerfile.j2 '{"base": "alpine"}' > Dockerfile.alpine | ||||||
|  | .PHONY: all | ||||||
| %/Dockerfile: Dockerfile.j2 render_template |  | ||||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" |  | ||||||
|  |  | ||||||
| %/Dockerfile.alpine: Dockerfile.j2 render_template |  | ||||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" |  | ||||||
|  |  | ||||||
| %/Dockerfile.buildx: Dockerfile.j2 render_template |  | ||||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" |  | ||||||
|  |  | ||||||
| %/Dockerfile.buildx.alpine: Dockerfile.j2 render_template |  | ||||||
| 	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@" |  | ||||||
|   | |||||||
							
								
								
									
										189
									
								
								docker/README.md
									
									
									
									
									
								
							
							
						
						
									
										189
									
								
								docker/README.md
									
									
									
									
									
								
							| @@ -1,3 +1,188 @@ | |||||||
| The arch-specific directory names follow the arch identifiers used by the Docker official images: | # Vaultwarden Container Building | ||||||
|  |  | ||||||
| https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64 | To build and release new testing and stable releases of Vaultwarden we use `docker buildx bake`.<br> | ||||||
|  | This can be used locally by running the command yourself, but it is also used by GitHub Actions. | ||||||
|  |  | ||||||
|  | This makes it easier for us to test and maintain the different architectures we provide.<br> | ||||||
|  | We also just have two Dockerfile's one for Debian and one for Alpine based images.<br> | ||||||
|  | With just these two files we can build both Debian and Alpine images for the following platforms: | ||||||
|  |  - amd64 (linux/amd64) | ||||||
|  |  - arm64 (linux/arm64) | ||||||
|  |  - armv7 (linux/arm/v7) | ||||||
|  |  - armv6 (linux/arm/v6) | ||||||
|  |  | ||||||
|  | Some unsupported platforms for Debian based images. These are not built and tested by default and are only provided to make it easier for users to build for these architectures. | ||||||
|  | - 386     (linux/386) | ||||||
|  | - ppc64le (linux/ppc64le) | ||||||
|  | - s390x   (linux/s390x) | ||||||
|  |  | ||||||
|  | To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br> | ||||||
|  | This ensures the container build process can run binaries from other architectures.<br> | ||||||
|  |  | ||||||
|  | **NOTE**: Run all the examples below from the root of the repo.<br> | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## How to install QEMU binfmt support | ||||||
|  |  | ||||||
|  | This is different per host OS, but most support this in some way.<br> | ||||||
|  |  | ||||||
|  | ### Ubuntu/Debian | ||||||
|  | ```bash | ||||||
|  | apt install binfmt-support qemu-user-static | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### Arch Linux (others based upon it) | ||||||
|  | ```bash | ||||||
|  | pacman -S qemu-user-static qemu-user-static-binfmt | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### Fedora | ||||||
|  | ```bash | ||||||
|  | dnf install qemu-user-static | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### Others | ||||||
|  | There also is an option to use an other docker container to provide support for this. | ||||||
|  | ```bash | ||||||
|  | # To install and activate | ||||||
|  | docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||||
|  | # To unistall | ||||||
|  | docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## Single architecture container building | ||||||
|  |  | ||||||
|  | You can build a container per supported architecture as long as you have QEMU binfmt support installed on your system.<br> | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | # Default bake triggers a Debian build using the hosts architecture | ||||||
|  | docker buildx bake --file docker/docker-bake.hcl | ||||||
|  |  | ||||||
|  | # Bake Debian ARM64 using a debug build | ||||||
|  | CARGO_PROFILE=dev \ | ||||||
|  | SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||||
|  | docker buildx bake --file docker/docker-bake.hcl debian-arm64 | ||||||
|  |  | ||||||
|  | # Bake Alpine ARMv6 as a release build | ||||||
|  | SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||||
|  | docker buildx bake --file docker/docker-bake.hcl alpine-armv6 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## Local Multi Architecture container building | ||||||
|  |  | ||||||
|  | Start the initialization, this only needs to be done once. | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | # Create and use a new buildx builder instance which connects to the host network | ||||||
|  | docker buildx create --name vaultwarden --use --driver-opt network=host | ||||||
|  |  | ||||||
|  | # Validate it runs | ||||||
|  | docker buildx inspect --bootstrap | ||||||
|  |  | ||||||
|  | # Create a local container registry directly reachable on the localhost | ||||||
|  | docker run -d --name registry --network host registry:2 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | After that is done, you should be able to build and push to the local registry.<br> | ||||||
|  | Use the following command with the modified variables to bake the Alpine images.<br> | ||||||
|  | Replace `alpine` with `debian` if you want to build the debian multi arch images. | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | # Start a buildx bake using a debug build | ||||||
|  | CARGO_PROFILE=dev \ | ||||||
|  | SOURCE_COMMIT="$(git rev-parse HEAD)" \ | ||||||
|  | CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ | ||||||
|  | docker buildx bake --file docker/docker-bake.hcl alpine-multi | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## Using the `bake.sh` script | ||||||
|  |  | ||||||
|  | To make it a bit more easier to trigger a build, there also is a `bake.sh` script.<br> | ||||||
|  | This script calls `docker buildx bake` with all the right parameters and also generates the `SOURCE_COMMIT` and `SOURCE_VERSION` variables.<br> | ||||||
|  | This script can be called from both the repo root or within the docker directory. | ||||||
|  |  | ||||||
|  | So, if you want to build a Multi Arch Alpine container pushing to your localhost registry you can run this from within the docker directory. (Just make sure you executed the initialization steps above first) | ||||||
|  | ```bash | ||||||
|  | CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ | ||||||
|  | ./bake.sh alpine-multi | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | Or if you want to just build a Debian container from the repo root, you can run this. | ||||||
|  | ```bash | ||||||
|  | docker/bake.sh | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br> | ||||||
|  | This will also append those values to the tag so you can see the builded container when running `docker images`. | ||||||
|  |  | ||||||
|  | You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use. | ||||||
|  | ```bash | ||||||
|  | docker/bake.sh alpine-all --print | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | ### Testing baked images | ||||||
|  |  | ||||||
|  | To test these images you can run these images by using the correct tag and provide the platform.<br> | ||||||
|  | For example, after you have build an arm64 image via `./bake.sh debian-arm64` you can run: | ||||||
|  | ```bash | ||||||
|  | docker run --rm -it \ | ||||||
|  |   -e DISABLE_ADMIN_TOKEN=true \ | ||||||
|  |   -e I_REALLY_WANT_VOLATILE_STORAGE=true \ | ||||||
|  |   -p8080:80 --platform=linux/arm64 \ | ||||||
|  |   vaultwarden/server:testing-arm64 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## Using the `podman-bake.sh` script | ||||||
|  |  | ||||||
|  | To also make building easier using podman, there is a `podman-bake.sh` script.<br> | ||||||
|  | This script calls `podman buildx build` with the needed parameters and the same as `bake.sh`, it will generate some variables automatically.<br> | ||||||
|  | This script can be called from both the repo root or within the docker directory. | ||||||
|  |  | ||||||
|  | **NOTE:** Unlike the `bake.sh` script, this only supports a single `CONTAINER_REGISTRIES`, and a single `BASE_TAGS` value, no comma separated values. It also only supports building separate architectures, no Multi Arch containers. | ||||||
|  |  | ||||||
|  | To build an Alpine arm64 image with only sqlite support and mimalloc, run this: | ||||||
|  | ```bash | ||||||
|  | DB="sqlite,enable_mimalloc" \ | ||||||
|  | ./podman-bake.sh alpine-arm64 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | Or if you want to just build a Debian container from the repo root, you can run this. | ||||||
|  | ```bash | ||||||
|  | docker/podman-bake.sh | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | You can append extra arguments after the target if you want. This can be useful for example to disable cache like this. | ||||||
|  | ```bash | ||||||
|  | ./podman-bake.sh alpine-arm64 --no-cache | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  | For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br> | ||||||
|  |  | ||||||
|  | ### Testing podman builded images | ||||||
|  |  | ||||||
|  | The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that. | ||||||
|  |  | ||||||
|  | ```bash | ||||||
|  | podman run --rm -it \ | ||||||
|  |   -e DISABLE_ADMIN_TOKEN=true \ | ||||||
|  |   -e I_REALLY_WANT_VOLATILE_STORAGE=true \ | ||||||
|  |   -p8080:80 --platform=linux/arm64 \ | ||||||
|  |   localhost/vaultwarden/server:testing-arm64 | ||||||
|  | ``` | ||||||
|  |  | ||||||
|  |  | ||||||
|  | ## Variables supported | ||||||
|  | | Variable              | default | description | | ||||||
|  | | --------------------- | ------------------ | ----------- | | ||||||
|  | | CARGO_PROFILE         | null               | Which cargo profile to use. `null` means what is defined in the Dockerfile                                         | | ||||||
|  | | DB                    | null               | Which `features` to build. `null` means what is defined in the Dockerfile                                          | | ||||||
|  | | SOURCE_REPOSITORY_URL | null               | The source repository form where this build is triggered                                                           | | ||||||
|  | | SOURCE_COMMIT         | null               | The commit hash of the current commit for this build                                                               | | ||||||
|  | | SOURCE_VERSION        | null               | The current exact tag of this commit, else the last tag and the first 8 chars of the source commit                 | | ||||||
|  | | BASE_TAGS             | testing            | Tags to be used. Can be a comma separated value like "latest,1.29.2"                                               | | ||||||
|  | | CONTAINER_REGISTRIES  | vaultwarden/server | Comma separated value of container registries. Like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` | | ||||||
|  | | VW_VERSION            | null               | To override the `SOURCE_VERSION` value. This is also used by the `build.rs` code for example                       | | ||||||
|   | |||||||
| @@ -1,132 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # Install DB packages |  | ||||||
| RUN apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libmariadb-dev \ |  | ||||||
|         libpq-dev \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM debian:bullseye-slim |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,124 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:x86_64-musl-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add x86_64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,132 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # Install DB packages |  | ||||||
| RUN apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libmariadb-dev \ |  | ||||||
|         libpq-dev \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM debian:bullseye-slim |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,124 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:x86_64-musl-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for arm64 architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture arm64 \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:arm64 \ |  | ||||||
|         libc6-dev:arm64 \ |  | ||||||
|         libpq5:arm64 \ |  | ||||||
|         libpq-dev:arm64 \ |  | ||||||
|         libmariadb3:arm64 \ |  | ||||||
|         libmariadb-dev:arm64 \ |  | ||||||
|         libmariadb-dev-compat:arm64 \ |  | ||||||
|         gcc-aarch64-linux-gnu \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add aarch64-unknown-linux-gnu |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/aarch64-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,128 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:aarch64-musl-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add aarch64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/aarch64-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for arm64 architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture arm64 \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:arm64 \ |  | ||||||
|         libc6-dev:arm64 \ |  | ||||||
|         libpq5:arm64 \ |  | ||||||
|         libpq-dev:arm64 \ |  | ||||||
|         libmariadb3:arm64 \ |  | ||||||
|         libmariadb-dev:arm64 \ |  | ||||||
|         libmariadb-dev-compat:arm64 \ |  | ||||||
|         gcc-aarch64-linux-gnu \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/aarch64-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,128 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:aarch64-musl-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/aarch64-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for armel architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture armel \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:armel \ |  | ||||||
|         libc6-dev:armel \ |  | ||||||
|         libpq5:armel \ |  | ||||||
|         libpq-dev:armel \ |  | ||||||
|         libmariadb3:armel \ |  | ||||||
|         libmariadb-dev:armel \ |  | ||||||
|         libmariadb-dev-compat:armel \ |  | ||||||
|         gcc-arm-linux-gnueabi \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add arm-unknown-linux-gnueabi |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/rpi-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,130 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:arm-musleabi-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location |  | ||||||
| ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a' |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add arm-unknown-linux-musleabi |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/rpi-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for armel architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture armel \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:armel \ |  | ||||||
|         libc6-dev:armel \ |  | ||||||
|         libpq5:armel \ |  | ||||||
|         libpq-dev:armel \ |  | ||||||
|         libmariadb3:armel \ |  | ||||||
|         libmariadb-dev:armel \ |  | ||||||
|         libmariadb-dev-compat:armel \ |  | ||||||
|         gcc-arm-linux-gnueabi \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/rpi-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,130 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:arm-musleabi-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location |  | ||||||
| ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a' |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-musleabi |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/rpi-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for armhf architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture armhf \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:armhf \ |  | ||||||
|         libc6-dev:armhf \ |  | ||||||
|         libpq5:armhf \ |  | ||||||
|         libpq-dev:armhf \ |  | ||||||
|         libmariadb3:armhf \ |  | ||||||
|         libmariadb-dev:armhf \ |  | ||||||
|         libmariadb-dev-compat:armhf \ |  | ||||||
|         gcc-arm-linux-gnueabihf \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add armv7-unknown-linux-gnueabihf |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/armv7hf-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,128 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:armv7-musleabihf-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN rustup target add armv7-unknown-linux-musleabihf |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/armv7hf-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,156 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM rust:1.61-bullseye as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
| # |  | ||||||
| # Install required build libs for armhf architecture. |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN dpkg --add-architecture armhf \ |  | ||||||
|     && apt-get update \ |  | ||||||
|     && apt-get install -y \ |  | ||||||
|         --no-install-recommends \ |  | ||||||
|         libssl-dev:armhf \ |  | ||||||
|         libc6-dev:armhf \ |  | ||||||
|         libpq5:armhf \ |  | ||||||
|         libpq-dev:armhf \ |  | ||||||
|         libmariadb3:armhf \ |  | ||||||
|         libmariadb-dev:armhf \ |  | ||||||
|         libmariadb-dev-compat:armhf \ |  | ||||||
|         gcc-arm-linux-gnueabihf \ |  | ||||||
|     # |  | ||||||
|     # Make sure cargo has the right target config |  | ||||||
|     && echo '[target.armv7-unknown-linux-gnueabihf]' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'linker = "arm-linux-gnueabihf-gcc"' >> "${CARGO_HOME}/config" \ |  | ||||||
|     && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> "${CARGO_HOME}/config" |  | ||||||
|  |  | ||||||
| # Set arm specific environment values |  | ||||||
| ENV CC_armv7_unknown_linux_gnueabihf="/usr/bin/arm-linux-gnueabihf-gcc" \ |  | ||||||
|     CROSS_COMPILE="1" \ |  | ||||||
|     OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabihf" \ |  | ||||||
|     OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabihf" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-gnueabihf |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| ARG DB=sqlite,mysql,postgresql |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-gnueabihf |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/armv7hf-debian:bullseye |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apt-get update && apt-get install -y \ |  | ||||||
|     --no-install-recommends \ |  | ||||||
|     openssl \ |  | ||||||
|     ca-certificates \ |  | ||||||
|     curl \ |  | ||||||
|     dumb-init \ |  | ||||||
|     libmariadb-dev-compat \ |  | ||||||
|     libpq5 \ |  | ||||||
|     && apt-get clean \ |  | ||||||
|     && rm -rf /var/lib/apt/lists/* |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/armv7-unknown-linux-gnueabihf/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
| @@ -1,128 +0,0 @@ | |||||||
| # syntax=docker/dockerfile:1 |  | ||||||
|  |  | ||||||
| # This file was generated using a Jinja2 template. |  | ||||||
| # Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles. |  | ||||||
|  |  | ||||||
| # Using multistage build: |  | ||||||
| # 	https://docs.docker.com/develop/develop-images/multistage-build/ |  | ||||||
| # 	https://whitfin.io/speeding-up-rust-docker-builds/ |  | ||||||
| ####################### VAULT BUILD IMAGE  ####################### |  | ||||||
| # The web-vault digest specifies a particular web-vault build on Docker Hub. |  | ||||||
| # Using the digest instead of the tag name provides better security, |  | ||||||
| # as the digest of an image is immutable, whereas a tag name can later |  | ||||||
| # be changed to point to a malicious image. |  | ||||||
| # |  | ||||||
| # To verify the current digest for a given tag name: |  | ||||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, |  | ||||||
| #   click the tag name to view the digest of the image it currently points to. |  | ||||||
| # - From the command line: |  | ||||||
| #     $ docker pull vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2.28.1 |  | ||||||
| #     [vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5] |  | ||||||
| # |  | ||||||
| # - Conversely, to get the tag name from the digest: |  | ||||||
| #     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 |  | ||||||
| #     [vaultwarden/web-vault:v2.28.1] |  | ||||||
| # |  | ||||||
| FROM vaultwarden/web-vault@sha256:df7f12b1e22bf0dfc1b6b6f46921b4e9e649561931ba65357c1eb1963514b3b5 as vault |  | ||||||
|  |  | ||||||
| ########################## BUILD IMAGE  ########################## |  | ||||||
| FROM blackdex/rust-musl:armv7-musleabihf-stable-1.61.0 as build |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Build time options to avoid dpkg warnings and help with reproducible builds. |  | ||||||
| ENV DEBIAN_FRONTEND=noninteractive \ |  | ||||||
|     LANG=C.UTF-8 \ |  | ||||||
|     TZ=UTC \ |  | ||||||
|     TERM=xterm-256color \ |  | ||||||
|     CARGO_HOME="/root/.cargo" \ |  | ||||||
|     USER="root" |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Create CARGO_HOME folder and don't download rust docs |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \ |  | ||||||
|     && rustup set profile minimal |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # Creates a dummy project used to grab dependencies |  | ||||||
| RUN USER=root cargo new --bin /app |  | ||||||
| WORKDIR /app |  | ||||||
|  |  | ||||||
| # Copies over *only* your manifests and build files |  | ||||||
| COPY ./Cargo.* ./ |  | ||||||
| COPY ./rust-toolchain ./rust-toolchain |  | ||||||
| COPY ./build.rs ./build.rs |  | ||||||
|  |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add armv7-unknown-linux-musleabihf |  | ||||||
|  |  | ||||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above |  | ||||||
| # Enable MiMalloc to improve performance on Alpine builds |  | ||||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc |  | ||||||
|  |  | ||||||
| # Builds your dependencies and removes the |  | ||||||
| # dummy project, except the target folder |  | ||||||
| # This folder contains the compiled dependencies |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf \ |  | ||||||
|     && find . -not -path "./target*" -delete |  | ||||||
|  |  | ||||||
| # Copies the complete project |  | ||||||
| # To avoid copying unneeded files, use .dockerignore |  | ||||||
| COPY . . |  | ||||||
|  |  | ||||||
| # Make sure that we actually build the project |  | ||||||
| RUN touch src/main.rs |  | ||||||
|  |  | ||||||
| # Builds again, this time it'll just be |  | ||||||
| # your actual source files being built |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=armv7-unknown-linux-musleabihf |  | ||||||
|  |  | ||||||
| ######################## RUNTIME IMAGE  ######################## |  | ||||||
| # Create a new stage with a minimal image |  | ||||||
| # because we already have a binary built |  | ||||||
| FROM balenalib/armv7hf-alpine:3.15 |  | ||||||
|  |  | ||||||
| ENV ROCKET_PROFILE="release" \ |  | ||||||
|     ROCKET_ADDRESS=0.0.0.0 \ |  | ||||||
|     ROCKET_PORT=80 \ |  | ||||||
|     SSL_CERT_DIR=/etc/ssl/certs |  | ||||||
|  |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-start" ] |  | ||||||
|  |  | ||||||
| # Create data folder and Install needed libraries |  | ||||||
| RUN mkdir /data \ |  | ||||||
|     && apk add --no-cache \ |  | ||||||
|         openssl \ |  | ||||||
|         tzdata \ |  | ||||||
|         curl \ |  | ||||||
|         dumb-init \ |  | ||||||
|         ca-certificates |  | ||||||
|  |  | ||||||
| # hadolint ignore=DL3059 |  | ||||||
| RUN [ "cross-build-end" ] |  | ||||||
|  |  | ||||||
| VOLUME /data |  | ||||||
| EXPOSE 80 |  | ||||||
| EXPOSE 3012 |  | ||||||
|  |  | ||||||
| # Copies the files from the context (Rocket.toml file and web-vault) |  | ||||||
| # and the binary from the "build" stage to the current stage |  | ||||||
| WORKDIR / |  | ||||||
| COPY --from=vault /web-vault ./web-vault |  | ||||||
| COPY --from=build /app/target/armv7-unknown-linux-musleabihf/release/vaultwarden . |  | ||||||
|  |  | ||||||
| COPY docker/healthcheck.sh /healthcheck.sh |  | ||||||
| COPY docker/start.sh /start.sh |  | ||||||
|  |  | ||||||
| HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"] |  | ||||||
|  |  | ||||||
| # Configures the startup! |  | ||||||
| # We should be able to remove the dumb-init now with Rocket 0.5 |  | ||||||
| # But the balenalib images have some issues with there entry.sh |  | ||||||
| # See: https://github.com/balena-io-library/base-images/issues/735 |  | ||||||
| # Lets keep using dumb-init for now, since that is working fine. |  | ||||||
| ENTRYPOINT ["/usr/bin/dumb-init", "--"] |  | ||||||
| CMD ["/start.sh"] |  | ||||||
							
								
								
									
										15
									
								
								docker/bake.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										15
									
								
								docker/bake.sh
									
									
									
									
									
										Executable file
									
								
							| @@ -0,0 +1,15 @@ | |||||||
|  | #!/usr/bin/env bash | ||||||
|  |  | ||||||
|  | # Determine the basedir of this script. | ||||||
|  | # It should be located in the same directory as the docker-bake.hcl | ||||||
|  | # This ensures you can run this script from both inside and outside of the docker directory | ||||||
|  | BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")") | ||||||
|  |  | ||||||
|  | # Load build env's | ||||||
|  | source "${BASEDIR}/bake_env.sh" | ||||||
|  |  | ||||||
|  | # Be verbose on what is being executed | ||||||
|  | set -x | ||||||
|  |  | ||||||
|  | # Make sure we set the context to `..` so it will go up one directory | ||||||
|  | docker buildx bake --progress plain --set "*.context=${BASEDIR}/.." -f "${BASEDIR}/docker-bake.hcl" "$@" | ||||||
							
								
								
									
										33
									
								
								docker/bake_env.sh
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										33
									
								
								docker/bake_env.sh
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,33 @@ | |||||||
|  | #!/usr/bin/env bash | ||||||
|  |  | ||||||
|  | # If SOURCE_COMMIT is provided via env skip this | ||||||
|  | if [ -z "${SOURCE_COMMIT+x}" ]; then | ||||||
|  |     SOURCE_COMMIT="$(git rev-parse HEAD)" | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # If VW_VERSION is provided via env use it as SOURCE_VERSION | ||||||
|  | # Else define it using git | ||||||
|  | if [[ -n "${VW_VERSION}" ]]; then | ||||||
|  |     SOURCE_VERSION="${VW_VERSION}" | ||||||
|  | else | ||||||
|  |     GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)" | ||||||
|  |     if [[ -n "${GIT_EXACT_TAG}" ]]; then | ||||||
|  |         SOURCE_VERSION="${GIT_EXACT_TAG}" | ||||||
|  |     else | ||||||
|  |         GIT_LAST_TAG="$(git describe --tags --abbrev=0)" | ||||||
|  |         SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | ||||||
|  |         GIT_BRANCH="$(git rev-parse --abbrev-ref HEAD)" | ||||||
|  |         case "${GIT_BRANCH}" in | ||||||
|  |             main|master|HEAD) | ||||||
|  |                 # Do not add the branch name for these branches | ||||||
|  |                 ;; | ||||||
|  |             *) | ||||||
|  |                 SOURCE_VERSION="${SOURCE_VERSION} (${GIT_BRANCH})" | ||||||
|  |                 ;; | ||||||
|  |         esac | ||||||
|  |     fi | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # Export the rendered variables above so bake will use them | ||||||
|  | export SOURCE_COMMIT | ||||||
|  | export SOURCE_VERSION | ||||||
							
								
								
									
										269
									
								
								docker/docker-bake.hcl
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										269
									
								
								docker/docker-bake.hcl
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,269 @@ | |||||||
|  | // ==== Baking Variables ==== | ||||||
|  |  | ||||||
|  | // Set which cargo profile to use, dev or release for example | ||||||
|  | // Use the value provided in the Dockerfile as default | ||||||
|  | variable "CARGO_PROFILE" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Set which DB's (features) to enable | ||||||
|  | // Use the value provided in the Dockerfile as default | ||||||
|  | variable "DB" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // The repository this build was triggered from | ||||||
|  | variable "SOURCE_REPOSITORY_URL" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // The commit hash of of the current commit this build was triggered on | ||||||
|  | variable "SOURCE_COMMIT" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // The version of this build | ||||||
|  | // Typically the current exact tag of this commit, | ||||||
|  | // else the last tag and the first 8 characters of the source commit | ||||||
|  | variable "SOURCE_VERSION" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // This can be used to overwrite SOURCE_VERSION | ||||||
|  | // It will be used during the build.rs building stage | ||||||
|  | variable "VW_VERSION" { | ||||||
|  |   default = null | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // The base tag(s) to use | ||||||
|  | // This can be a comma separated value like "testing,1.29.2" | ||||||
|  | variable "BASE_TAGS" { | ||||||
|  |   default = "testing" | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Which container registries should be used for the tagging | ||||||
|  | // This can be a comma separated value | ||||||
|  | // Use a full URI like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` | ||||||
|  | variable "CONTAINER_REGISTRIES" { | ||||||
|  |   default = "vaultwarden/server" | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Baking Groups ==== | ||||||
|  |  | ||||||
|  | group "default" { | ||||||
|  |   targets = ["debian"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Shared Baking ==== | ||||||
|  | function "labels" { | ||||||
|  |   params = [] | ||||||
|  |   result = { | ||||||
|  |     "org.opencontainers.image.description" = "Unofficial Bitwarden compatible server written in Rust - ${SOURCE_VERSION}" | ||||||
|  |     "org.opencontainers.image.licenses" = "AGPL-3.0-only" | ||||||
|  |     "org.opencontainers.image.documentation" = "https://github.com/dani-garcia/vaultwarden/wiki" | ||||||
|  |     "org.opencontainers.image.url" = "https://github.com/dani-garcia/vaultwarden" | ||||||
|  |     "org.opencontainers.image.created" =  "${formatdate("YYYY-MM-DD'T'hh:mm:ssZZZZZ", timestamp())}" | ||||||
|  |     "org.opencontainers.image.source" = "${SOURCE_REPOSITORY_URL}" | ||||||
|  |     "org.opencontainers.image.revision" = "${SOURCE_COMMIT}" | ||||||
|  |     "org.opencontainers.image.version" = "${SOURCE_VERSION}" | ||||||
|  |   } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "_default_attributes" { | ||||||
|  |   labels = labels() | ||||||
|  |   args = { | ||||||
|  |     DB = "${DB}" | ||||||
|  |     CARGO_PROFILE = "${CARGO_PROFILE}" | ||||||
|  |     VW_VERSION = "${VW_VERSION}" | ||||||
|  |   } | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Debian Baking ==== | ||||||
|  |  | ||||||
|  | // Default Debian target, will build a container using the hosts platform architecture | ||||||
|  | target "debian" { | ||||||
|  |   inherits = ["_default_attributes"] | ||||||
|  |   dockerfile = "docker/Dockerfile.debian" | ||||||
|  |   tags = generate_tags("", platform_tag()) | ||||||
|  |   output = ["type=docker"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Multi Platform target, will build one tagged manifest with all supported architectures | ||||||
|  | // This is mainly used by GitHub Actions to build and push new containers | ||||||
|  | target "debian-multi" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] | ||||||
|  |   tags = generate_tags("", "") | ||||||
|  |   output = [join(",", flatten([["type=registry"], image_index_annotations()]))] | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Per platform targets, to individually test building per platform locally | ||||||
|  | target "debian-amd64" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/amd64"] | ||||||
|  |   tags = generate_tags("", "-amd64") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "debian-arm64" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/arm64"] | ||||||
|  |   tags = generate_tags("", "-arm64") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "debian-armv7" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/arm/v7"] | ||||||
|  |   tags = generate_tags("", "-armv7") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "debian-armv6" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/arm/v6"] | ||||||
|  |   tags = generate_tags("", "-armv6") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // ==== Start of unsupported Debian architecture targets === | ||||||
|  | // These are provided just to help users build for these rare platforms | ||||||
|  | // They will not be built by default | ||||||
|  | target "debian-386" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/386"] | ||||||
|  |   tags = generate_tags("", "-386") | ||||||
|  |   args = { | ||||||
|  |     ARCH_OPENSSL_LIB_DIR = "/usr/lib/i386-linux-gnu" | ||||||
|  |     ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/i386-linux-gnu" | ||||||
|  |   } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "debian-ppc64le" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/ppc64le"] | ||||||
|  |   tags = generate_tags("", "-ppc64le") | ||||||
|  |   args = { | ||||||
|  |     ARCH_OPENSSL_LIB_DIR = "/usr/lib/powerpc64le-linux-gnu" | ||||||
|  |     ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/powerpc64le-linux-gnu" | ||||||
|  |   } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "debian-s390x" { | ||||||
|  |   inherits = ["debian"] | ||||||
|  |   platforms = ["linux/s390x"] | ||||||
|  |   tags = generate_tags("", "-s390x") | ||||||
|  |   args = { | ||||||
|  |     ARCH_OPENSSL_LIB_DIR = "/usr/lib/s390x-linux-gnu" | ||||||
|  |     ARCH_OPENSSL_INCLUDE_DIR = "/usr/include/s390x-linux-gnu" | ||||||
|  |   } | ||||||
|  | } | ||||||
|  | // ==== End of unsupported Debian architecture targets === | ||||||
|  |  | ||||||
|  | // A Group to build all platforms individually for local testing | ||||||
|  | group "debian-all" { | ||||||
|  |   targets = ["debian-amd64", "debian-arm64", "debian-armv7", "debian-armv6"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Alpine Baking ==== | ||||||
|  |  | ||||||
|  | // Default Alpine target, will build a container using the hosts platform architecture | ||||||
|  | target "alpine" { | ||||||
|  |   inherits = ["_default_attributes"] | ||||||
|  |   dockerfile = "docker/Dockerfile.alpine" | ||||||
|  |   tags = generate_tags("-alpine", platform_tag()) | ||||||
|  |   output = ["type=docker"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Multi Platform target, will build one tagged manifest with all supported architectures | ||||||
|  | // This is mainly used by GitHub Actions to build and push new containers | ||||||
|  | target "alpine-multi" { | ||||||
|  |   inherits = ["alpine"] | ||||||
|  |   platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] | ||||||
|  |   tags = generate_tags("-alpine", "") | ||||||
|  |   output = [join(",", flatten([["type=registry"], image_index_annotations()]))] | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Per platform targets, to individually test building per platform locally | ||||||
|  | target "alpine-amd64" { | ||||||
|  |   inherits = ["alpine"] | ||||||
|  |   platforms = ["linux/amd64"] | ||||||
|  |   tags = generate_tags("-alpine", "-amd64") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "alpine-arm64" { | ||||||
|  |   inherits = ["alpine"] | ||||||
|  |   platforms = ["linux/arm64"] | ||||||
|  |   tags = generate_tags("-alpine", "-arm64") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "alpine-armv7" { | ||||||
|  |   inherits = ["alpine"] | ||||||
|  |   platforms = ["linux/arm/v7"] | ||||||
|  |   tags = generate_tags("-alpine", "-armv7") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | target "alpine-armv6" { | ||||||
|  |   inherits = ["alpine"] | ||||||
|  |   platforms = ["linux/arm/v6"] | ||||||
|  |   tags = generate_tags("-alpine", "-armv6") | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // A Group to build all platforms individually for local testing | ||||||
|  | group "alpine-all" { | ||||||
|  |   targets = ["alpine-amd64", "alpine-arm64", "alpine-armv7", "alpine-armv6"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Bake everything locally ==== | ||||||
|  |  | ||||||
|  | group "all" { | ||||||
|  |   targets = ["debian-all", "alpine-all"] | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | // ==== Baking functions ==== | ||||||
|  |  | ||||||
|  | // This will return the local platform as amd64, arm64 or armv7 for example | ||||||
|  | // It can be used for creating a local image tag | ||||||
|  | function "platform_tag" { | ||||||
|  |   params = [] | ||||||
|  |   result = "-${replace(replace(BAKE_LOCAL_PLATFORM, "linux/", ""), "/", "")}" | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | function "get_container_registries" { | ||||||
|  |   params = [] | ||||||
|  |   result = flatten(split(",", CONTAINER_REGISTRIES)) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | function "get_base_tags" { | ||||||
|  |   params = [] | ||||||
|  |   result = flatten(split(",", BASE_TAGS)) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | function "generate_tags" { | ||||||
|  |   params = [ | ||||||
|  |     suffix,   // What to append to the BASE_TAG when needed, like `-alpine` for example | ||||||
|  |     platform  // the platform we are building for if needed | ||||||
|  |   ] | ||||||
|  |   result = flatten([ | ||||||
|  |     for registry in get_container_registries() : | ||||||
|  |       [for base_tag in get_base_tags() : | ||||||
|  |         concat( | ||||||
|  |           # If the base_tag contains latest, and the suffix contains `-alpine` add a `:alpine` tag too | ||||||
|  |           base_tag == "latest" ? suffix == "-alpine" ? ["${registry}:alpine${platform}"] : [] : [], | ||||||
|  |           # The default tagging strategy | ||||||
|  |           ["${registry}:${base_tag}${suffix}${platform}"] | ||||||
|  |         ) | ||||||
|  |       ] | ||||||
|  |   ]) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | function "image_index_annotations" { | ||||||
|  |   params = [] | ||||||
|  |   result = flatten([ | ||||||
|  |     for key, value in labels() : | ||||||
|  |       value != null ? formatlist("annotation-index.%s=%s", "${key}", "${value}") : [] | ||||||
|  |   ]) | ||||||
|  | } | ||||||
| @@ -1,16 +1,24 @@ | |||||||
| #!/bin/sh | #!/usr/bin/env sh | ||||||
|  |  | ||||||
| # Use the value of the corresponding env var (if present), | # Use the value of the corresponding env var (if present), | ||||||
| # or a default value otherwise. | # or a default value otherwise. | ||||||
| : ${DATA_FOLDER:="data"} | : "${DATA_FOLDER:="/data"}" | ||||||
| : ${ROCKET_PORT:="80"} | : "${ROCKET_PORT:="80"}" | ||||||
|  | : "${ENV_FILE:="/.env"}" | ||||||
|  |  | ||||||
| CONFIG_FILE="${DATA_FOLDER}"/config.json | CONFIG_FILE="${DATA_FOLDER}"/config.json | ||||||
|  |  | ||||||
|  | # Check if the $ENV_FILE file exist and is readable | ||||||
|  | # If that is the case, load it into the environment before running any check | ||||||
|  | if [ -r "${ENV_FILE}" ]; then | ||||||
|  |     # shellcheck disable=SC1090 | ||||||
|  |     . "${ENV_FILE}" | ||||||
|  | fi | ||||||
|  |  | ||||||
| # Given a config key, return the corresponding config value from the | # Given a config key, return the corresponding config value from the | ||||||
| # config file. If the key doesn't exist, return an empty string. | # config file. If the key doesn't exist, return an empty string. | ||||||
| get_config_val() { | get_config_val() { | ||||||
|     local key="$1" |     key="$1" | ||||||
|     # Extract a line of the form: |     # Extract a line of the form: | ||||||
|     #   "domain": "https://bw.example.com/path", |     #   "domain": "https://bw.example.com/path", | ||||||
|     grep "\"${key}\":" "${CONFIG_FILE}" | |     grep "\"${key}\":" "${CONFIG_FILE}" | | ||||||
| @@ -45,9 +53,13 @@ if [ -r "${CONFIG_FILE}" ]; then | |||||||
|     fi |     fi | ||||||
| fi | fi | ||||||
|  |  | ||||||
|  | addr="${ROCKET_ADDRESS}" | ||||||
|  | if [ -z "${addr}" ] || [ "${addr}" = '0.0.0.0' ] || [ "${addr}" = '::' ]; then | ||||||
|  |     addr='localhost' | ||||||
|  | fi | ||||||
| base_path="$(get_base_path "${DOMAIN}")" | base_path="$(get_base_path "${DOMAIN}")" | ||||||
| if [ -n "${ROCKET_TLS}" ]; then | if [ -n "${ROCKET_TLS}" ]; then | ||||||
|     s='s' |     s='s' | ||||||
| fi | fi | ||||||
| curl --insecure --fail --silent --show-error \ | curl --insecure --fail --silent --show-error \ | ||||||
|      "http${s}://localhost:${ROCKET_PORT}${base_path}/alive" || exit 1 |      "http${s}://${addr}:${ROCKET_PORT}${base_path}/alive" || exit 1 | ||||||
|   | |||||||
							
								
								
									
										105
									
								
								docker/podman-bake.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
										105
									
								
								docker/podman-bake.sh
									
									
									
									
									
										Executable file
									
								
							| @@ -0,0 +1,105 @@ | |||||||
|  | #!/usr/bin/env bash | ||||||
|  |  | ||||||
|  | # Determine the basedir of this script. | ||||||
|  | # It should be located in the same directory as the docker-bake.hcl | ||||||
|  | # This ensures you can run this script from both inside and outside of the docker directory | ||||||
|  | BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")" || exit; pwd)/$(basename "${SP}")") | ||||||
|  |  | ||||||
|  | # Load build env's | ||||||
|  | source "${BASEDIR}/bake_env.sh" | ||||||
|  |  | ||||||
|  | # Check if a target is given as first argument | ||||||
|  | # If not we assume the defaults and pass the given arguments to the podman command | ||||||
|  | case "${1}" in | ||||||
|  |     alpine*|debian*) | ||||||
|  |         TARGET="${1}" | ||||||
|  |         # Now shift the $@ array so we only have the rest of the arguments | ||||||
|  |         # This allows us too append these as extra arguments too the podman buildx build command | ||||||
|  |         shift | ||||||
|  |     ;; | ||||||
|  | esac | ||||||
|  |  | ||||||
|  | LABEL_ARGS=( | ||||||
|  |     --label org.opencontainers.image.description="Unofficial Bitwarden compatible server written in Rust" | ||||||
|  |     --label org.opencontainers.image.licenses="AGPL-3.0-only" | ||||||
|  |     --label org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki" | ||||||
|  |     --label org.opencontainers.image.url="https://github.com/dani-garcia/vaultwarden" | ||||||
|  |     --label org.opencontainers.image.created="$(date --utc --iso-8601=seconds)" | ||||||
|  | ) | ||||||
|  | if [[ -n "${SOURCE_REPOSITORY_URL}" ]]; then | ||||||
|  |     LABEL_ARGS+=(--label org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}") | ||||||
|  | fi | ||||||
|  | if [[ -n "${SOURCE_COMMIT}" ]]; then | ||||||
|  |     LABEL_ARGS+=(--label org.opencontainers.image.revision="${SOURCE_COMMIT}") | ||||||
|  | fi | ||||||
|  | if [[ -n "${SOURCE_VERSION}" ]]; then | ||||||
|  |     LABEL_ARGS+=(--label org.opencontainers.image.version="${SOURCE_VERSION}") | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # Check if and which --build-arg arguments we need to configure | ||||||
|  | BUILD_ARGS=() | ||||||
|  | if [[ -n "${DB}" ]]; then | ||||||
|  |     BUILD_ARGS+=(--build-arg DB="${DB}") | ||||||
|  | fi | ||||||
|  | if [[ -n "${CARGO_PROFILE}" ]]; then | ||||||
|  |     BUILD_ARGS+=(--build-arg CARGO_PROFILE="${CARGO_PROFILE}") | ||||||
|  | fi | ||||||
|  | if [[ -n "${VW_VERSION}" ]]; then | ||||||
|  |     BUILD_ARGS+=(--build-arg VW_VERSION="${VW_VERSION}") | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # Set the default BASE_TAGS if non are provided | ||||||
|  | if [[ -z "${BASE_TAGS}" ]]; then | ||||||
|  |     BASE_TAGS="testing" | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # Set the default CONTAINER_REGISTRIES if non are provided | ||||||
|  | if [[ -z "${CONTAINER_REGISTRIES}" ]]; then | ||||||
|  |     CONTAINER_REGISTRIES="vaultwarden/server" | ||||||
|  | fi | ||||||
|  |  | ||||||
|  | # Check which Dockerfile we need to use, default is debian | ||||||
|  | case "${TARGET}" in | ||||||
|  |     alpine*) | ||||||
|  |         BASE_TAGS="${BASE_TAGS}-alpine" | ||||||
|  |         DOCKERFILE="Dockerfile.alpine" | ||||||
|  |         ;; | ||||||
|  |     *) | ||||||
|  |         DOCKERFILE="Dockerfile.debian" | ||||||
|  |         ;; | ||||||
|  | esac | ||||||
|  |  | ||||||
|  | # Check which platform we need to build and append the BASE_TAGS with the architecture | ||||||
|  | case "${TARGET}" in | ||||||
|  |     *-arm64) | ||||||
|  |         BASE_TAGS="${BASE_TAGS}-arm64" | ||||||
|  |         PLATFORM="linux/arm64" | ||||||
|  |         ;; | ||||||
|  |     *-armv7) | ||||||
|  |         BASE_TAGS="${BASE_TAGS}-armv7" | ||||||
|  |         PLATFORM="linux/arm/v7" | ||||||
|  |         ;; | ||||||
|  |     *-armv6) | ||||||
|  |         BASE_TAGS="${BASE_TAGS}-armv6" | ||||||
|  |         PLATFORM="linux/arm/v6" | ||||||
|  |         ;; | ||||||
|  |     *) | ||||||
|  |         BASE_TAGS="${BASE_TAGS}-amd64" | ||||||
|  |         PLATFORM="linux/amd64" | ||||||
|  |         ;; | ||||||
|  | esac | ||||||
|  |  | ||||||
|  | # Be verbose on what is being executed | ||||||
|  | set -x | ||||||
|  |  | ||||||
|  | # Build the image with podman | ||||||
|  | # We use the docker format here since we are using `SHELL`, which is not supported by OCI | ||||||
|  | # shellcheck disable=SC2086 | ||||||
|  | podman buildx build \ | ||||||
|  |   --platform="${PLATFORM}" \ | ||||||
|  |   --tag="${CONTAINER_REGISTRIES}:${BASE_TAGS}" \ | ||||||
|  |   --format=docker \ | ||||||
|  |   "${LABEL_ARGS[@]}" \ | ||||||
|  |   "${BUILD_ARGS[@]}" \ | ||||||
|  |   --file="${BASEDIR}/${DOCKERFILE}" "$@" \ | ||||||
|  |   "${BASEDIR}/.." | ||||||
| @@ -1,17 +1,31 @@ | |||||||
| #!/usr/bin/env python3 | #!/usr/bin/env python3 | ||||||
|  |  | ||||||
| import os, argparse, json | import os | ||||||
|  | import argparse | ||||||
|  | import json | ||||||
|  | import yaml | ||||||
| import jinja2 | import jinja2 | ||||||
|  |  | ||||||
|  | # Load settings file | ||||||
|  | with open("DockerSettings.yaml", 'r') as yaml_file: | ||||||
|  | 	yaml_data = yaml.safe_load(yaml_file) | ||||||
|  |  | ||||||
|  | settings_env = jinja2.Environment( | ||||||
|  | 	loader=jinja2.FileSystemLoader(os.getcwd()), | ||||||
|  | ) | ||||||
|  | settings_yaml = yaml.safe_load(settings_env.get_template("DockerSettings.yaml").render(yaml_data)) | ||||||
|  |  | ||||||
| args_parser = argparse.ArgumentParser() | args_parser = argparse.ArgumentParser() | ||||||
| args_parser.add_argument('template_file', help='Jinja2 template file to render.') | args_parser.add_argument('template_file', help='Jinja2 template file to render.') | ||||||
| args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.') | args_parser.add_argument('render_vars', help='JSON-encoded data to pass to the templating engine.') | ||||||
| cli_args = args_parser.parse_args() | cli_args = args_parser.parse_args() | ||||||
|  |  | ||||||
|  | # Merge the default config yaml with the json arguments given. | ||||||
| render_vars = json.loads(cli_args.render_vars) | render_vars = json.loads(cli_args.render_vars) | ||||||
|  | settings_yaml.update(render_vars) | ||||||
|  |  | ||||||
| environment = jinja2.Environment( | environment = jinja2.Environment( | ||||||
| 	loader=jinja2.FileSystemLoader(os.getcwd()), | 	loader=jinja2.FileSystemLoader(os.getcwd()), | ||||||
| 	trim_blocks=True, | 	trim_blocks=True, | ||||||
| ) | ) | ||||||
| print(environment.get_template(cli_args.template_file).render(render_vars)) | print(environment.get_template(cli_args.template_file).render(settings_yaml)) | ||||||
|   | |||||||
| @@ -1,5 +1,9 @@ | |||||||
| #!/bin/sh | #!/bin/sh | ||||||
|  |  | ||||||
|  | if [ -n "${UMASK}" ]; then | ||||||
|  |     umask "${UMASK}" | ||||||
|  | fi | ||||||
|  |  | ||||||
| if [ -r /etc/vaultwarden.sh ]; then | if [ -r /etc/vaultwarden.sh ]; then | ||||||
|     . /etc/vaultwarden.sh |     . /etc/vaultwarden.sh | ||||||
| elif [ -r /etc/bitwarden_rs.sh ]; then | elif [ -r /etc/bitwarden_rs.sh ]; then | ||||||
| @@ -9,15 +13,15 @@ fi | |||||||
|  |  | ||||||
| if [ -d /etc/vaultwarden.d ]; then | if [ -d /etc/vaultwarden.d ]; then | ||||||
|     for f in /etc/vaultwarden.d/*.sh; do |     for f in /etc/vaultwarden.d/*.sh; do | ||||||
|         if [ -r $f ]; then |         if [ -r "${f}" ]; then | ||||||
|             . $f |             . "${f}" | ||||||
|         fi |         fi | ||||||
|     done |     done | ||||||
| elif [ -d /etc/bitwarden_rs.d ]; then | elif [ -d /etc/bitwarden_rs.d ]; then | ||||||
|     echo "### You are using the old /etc/bitwarden_rs.d script directory, please migrate to /etc/vaultwarden.d ###" |     echo "### You are using the old /etc/bitwarden_rs.d script directory, please migrate to /etc/vaultwarden.d ###" | ||||||
|     for f in /etc/bitwarden_rs.d/*.sh; do |     for f in /etc/bitwarden_rs.d/*.sh; do | ||||||
|         if [ -r $f ]; then |         if [ -r "${f}" ]; then | ||||||
|             . $f |             . "${f}" | ||||||
|         fi |         fi | ||||||
|     done |     done | ||||||
| fi | fi | ||||||
|   | |||||||
							
								
								
									
										2
									
								
								dylint.toml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								dylint.toml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | [workspace.metadata.dylint] | ||||||
|  | libraries = [{ path = "dylints/*" }] | ||||||
							
								
								
									
										7
									
								
								dylints/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										7
									
								
								dylints/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,7 @@ | |||||||
|  | # How to run Lints | ||||||
|  |  | ||||||
|  | ```sh | ||||||
|  | cargo install cargo-dylint dylint-link | ||||||
|  |  | ||||||
|  | RUSTFLAGS="-Aunreachable_patterns" cargo dylint --all -- --features sqlite | ||||||
|  | ``` | ||||||
							
								
								
									
										2
									
								
								dylints/non_authenticated_routes/.cargo/config.toml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								dylints/non_authenticated_routes/.cargo/config.toml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | [target.'cfg(all())'] | ||||||
|  | linker = "dylint-link" | ||||||
							
								
								
									
										1
									
								
								dylints/non_authenticated_routes/.gitignore
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								dylints/non_authenticated_routes/.gitignore
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | |||||||
|  | /target | ||||||
							
								
								
									
										1659
									
								
								dylints/non_authenticated_routes/Cargo.lock
									
									
									
										generated
									
									
									
										Normal file
									
								
							
							
						
						
									
										1659
									
								
								dylints/non_authenticated_routes/Cargo.lock
									
									
									
										generated
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										20
									
								
								dylints/non_authenticated_routes/Cargo.toml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										20
									
								
								dylints/non_authenticated_routes/Cargo.toml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,20 @@ | |||||||
|  | [package] | ||||||
|  | name = "non_authenticated_routes" | ||||||
|  | version = "0.1.0" | ||||||
|  | authors = ["authors go here"] | ||||||
|  | description = "description goes here" | ||||||
|  | edition = "2021" | ||||||
|  | publish = false | ||||||
|  |  | ||||||
|  | [lib] | ||||||
|  | crate-type = ["cdylib"] | ||||||
|  |  | ||||||
|  | [dependencies] | ||||||
|  | clippy_utils = { git = "https://github.com/rust-lang/rust-clippy", rev = "4f0e46b74dbc8441daf084b6f141a7fe414672a2" } | ||||||
|  | dylint_linting = "3.2.1" | ||||||
|  |  | ||||||
|  | [dev-dependencies] | ||||||
|  | dylint_testing = "3.2.1" | ||||||
|  |  | ||||||
|  | [package.metadata.rust-analyzer] | ||||||
|  | rustc_private = true | ||||||
							
								
								
									
										3
									
								
								dylints/non_authenticated_routes/rust-toolchain
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										3
									
								
								dylints/non_authenticated_routes/rust-toolchain
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,3 @@ | |||||||
|  | [toolchain] | ||||||
|  | channel = "nightly-2024-11-09" | ||||||
|  | components = ["llvm-tools-preview", "rustc-dev"] | ||||||
							
								
								
									
										167
									
								
								dylints/non_authenticated_routes/src/lib.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										167
									
								
								dylints/non_authenticated_routes/src/lib.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,167 @@ | |||||||
|  | #![feature(rustc_private)] | ||||||
|  | #![feature(let_chains)] | ||||||
|  |  | ||||||
|  | extern crate rustc_arena; | ||||||
|  | extern crate rustc_ast; | ||||||
|  | extern crate rustc_ast_pretty; | ||||||
|  | extern crate rustc_attr; | ||||||
|  | extern crate rustc_data_structures; | ||||||
|  | extern crate rustc_errors; | ||||||
|  | extern crate rustc_hir; | ||||||
|  | extern crate rustc_hir_pretty; | ||||||
|  | extern crate rustc_index; | ||||||
|  | extern crate rustc_infer; | ||||||
|  | extern crate rustc_lexer; | ||||||
|  | extern crate rustc_middle; | ||||||
|  | extern crate rustc_mir_dataflow; | ||||||
|  | extern crate rustc_parse; | ||||||
|  | extern crate rustc_span; | ||||||
|  | extern crate rustc_target; | ||||||
|  | extern crate rustc_trait_selection; | ||||||
|  |  | ||||||
|  | use clippy_utils::diagnostics::span_lint; | ||||||
|  | use rustc_hir::{def_id::DefId, Item, ItemKind, QPath, TyKind}; | ||||||
|  | use rustc_lint::{LateContext, LateLintPass}; | ||||||
|  | use rustc_span::{symbol::Ident, Span, Symbol}; | ||||||
|  |  | ||||||
|  | dylint_linting::impl_late_lint! { | ||||||
|  |     /// ### What it does | ||||||
|  |     /// | ||||||
|  |     /// ### Why is this bad? | ||||||
|  |     /// | ||||||
|  |     /// ### Known problems | ||||||
|  |     /// Remove if none. | ||||||
|  |     /// | ||||||
|  |     /// ### Example | ||||||
|  |     /// ```rust | ||||||
|  |     /// // example code where a warning is issued | ||||||
|  |     /// ``` | ||||||
|  |     /// Use instead: | ||||||
|  |     /// ```rust | ||||||
|  |     /// // example code that does not raise a warning | ||||||
|  |     /// ``` | ||||||
|  |     pub NON_AUTHENTICATED_ROUTES, | ||||||
|  |     Warn, | ||||||
|  |     "description goes here", | ||||||
|  |     NonAuthenticatedRoutes::default() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | #[derive(Default)] | ||||||
|  | pub struct NonAuthenticatedRoutes { | ||||||
|  |     last_function_item: Option<(Ident, Span, bool)>, | ||||||
|  | } | ||||||
|  |  | ||||||
|  | // Collect all the attribute macros that are applied to the given span | ||||||
|  | fn attr_def_ids(mut span: rustc_span::Span) -> Vec<(DefId, Symbol, Option<DefId>)> { | ||||||
|  |     use rustc_span::hygiene::{walk_chain, ExpnKind, MacroKind}; | ||||||
|  |     use rustc_span::{ExpnData, SyntaxContext}; | ||||||
|  |  | ||||||
|  |     let mut def_ids = Vec::new(); | ||||||
|  |     while span.ctxt() != SyntaxContext::root() { | ||||||
|  |         if let ExpnData { | ||||||
|  |             kind: ExpnKind::Macro(MacroKind::Attr, macro_symbol), | ||||||
|  |             macro_def_id: Some(def_id), | ||||||
|  |             parent_module, | ||||||
|  |             .. | ||||||
|  |         } = span.ctxt().outer_expn_data() | ||||||
|  |         { | ||||||
|  |             def_ids.push((def_id, macro_symbol, parent_module)); | ||||||
|  |         } | ||||||
|  |         span = walk_chain(span, SyntaxContext::root()); | ||||||
|  |     } | ||||||
|  |     def_ids | ||||||
|  | } | ||||||
|  |  | ||||||
|  | const ROCKET_MACRO_EXCEPTIONS: [(&str, &str); 1] = [("rocket::catch", "catch")]; | ||||||
|  |  | ||||||
|  | const VALID_AUTH_HEADERS: [&str; 6] = [ | ||||||
|  |     "auth::Headers", | ||||||
|  |     "auth::OrgHeaders", | ||||||
|  |     "auth::AdminHeaders", | ||||||
|  |     "auth::ManagerHeaders", | ||||||
|  |     "auth::ManagerHeadersLoose", | ||||||
|  |     "auth::OwnerHeaders", | ||||||
|  | ]; | ||||||
|  |  | ||||||
|  | impl<'tcx> LateLintPass<'tcx> for NonAuthenticatedRoutes { | ||||||
|  |     fn check_item(&mut self, cx: &LateContext<'tcx>, item: &'tcx Item) { | ||||||
|  |         if let ItemKind::Fn(sig, ..) = item.kind { | ||||||
|  |             let mut has_auth_headers = false; | ||||||
|  |  | ||||||
|  |             for input in sig.decl.inputs { | ||||||
|  |                 let TyKind::Path(QPath::Resolved(_, path)) = input.kind else { | ||||||
|  |                     continue; | ||||||
|  |                 }; | ||||||
|  |  | ||||||
|  |                 for seg in path.segments { | ||||||
|  |                     if let Some(def_id) = seg.res.opt_def_id() { | ||||||
|  |                         let def = cx.tcx.def_path_str(def_id); | ||||||
|  |                         if VALID_AUTH_HEADERS.contains(&def.as_str()) { | ||||||
|  |                             has_auth_headers = true; | ||||||
|  |                         } | ||||||
|  |                     } | ||||||
|  |                 } | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             self.last_function_item = Some((item.ident, sig.span, has_auth_headers)); | ||||||
|  |             return; | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         let ItemKind::Struct(_data, _generics) = item.kind else { | ||||||
|  |             return; | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         let def_ids = attr_def_ids(item.span); | ||||||
|  |  | ||||||
|  |         let mut is_rocket_route = false; | ||||||
|  |  | ||||||
|  |         for (def_id, sym, parent) in &def_ids { | ||||||
|  |             let def_id = cx.tcx.def_path_str(*def_id); | ||||||
|  |             let sym = sym.as_str(); | ||||||
|  |             let parent = parent.map(|parent| cx.tcx.def_path_str(parent)); | ||||||
|  |  | ||||||
|  |             if ROCKET_MACRO_EXCEPTIONS.contains(&(&def_id, sym)) { | ||||||
|  |                 is_rocket_route = false; | ||||||
|  |                 break; | ||||||
|  |             } | ||||||
|  |  | ||||||
|  |             if def_id.starts_with("rocket::") || parent.as_deref() == Some("rocket_codegen") { | ||||||
|  |                 is_rocket_route = true; | ||||||
|  |                 break; | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         if !is_rocket_route { | ||||||
|  |             return; | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         let Some((func_ident, func_span, has_auth_headers)) = self.last_function_item.take() else { | ||||||
|  |             span_lint(cx, NON_AUTHENTICATED_ROUTES, item.span, "No function found before the expanded route"); | ||||||
|  |             return; | ||||||
|  |         }; | ||||||
|  |  | ||||||
|  |         if func_ident != item.ident { | ||||||
|  |             span_lint( | ||||||
|  |                 cx, | ||||||
|  |                 NON_AUTHENTICATED_ROUTES, | ||||||
|  |                 item.span, | ||||||
|  |                 "The function before the expanded route does not match the route", | ||||||
|  |             ); | ||||||
|  |             return; | ||||||
|  |         } | ||||||
|  |  | ||||||
|  |         if !has_auth_headers { | ||||||
|  |             span_lint( | ||||||
|  |                 cx, | ||||||
|  |                 NON_AUTHENTICATED_ROUTES, | ||||||
|  |                 func_span, | ||||||
|  |                 "This Rocket route does not have any authentication headers", | ||||||
|  |             ); | ||||||
|  |         } | ||||||
|  |     } | ||||||
|  | } | ||||||
|  |  | ||||||
|  | #[test] | ||||||
|  | fn ui() { | ||||||
|  |     dylint_testing::ui_test(env!("CARGO_PKG_NAME"), "ui"); | ||||||
|  | } | ||||||
							
								
								
									
										1
									
								
								dylints/non_authenticated_routes/ui/main.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								dylints/non_authenticated_routes/ui/main.rs
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | |||||||
|  | fn main() {} | ||||||
							
								
								
									
										0
									
								
								dylints/non_authenticated_routes/ui/main.stderr
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										0
									
								
								dylints/non_authenticated_routes/ui/main.stderr
									
									
									
									
									
										Normal file
									
								
							| @@ -1,20 +0,0 @@ | |||||||
| The hooks in this directory are used to create multi-arch images using Docker Hub automated builds. |  | ||||||
|  |  | ||||||
| Docker Hub hooks provide these predefined [environment variables](https://docs.docker.com/docker-hub/builds/advanced/#environment-variables-for-building-and-testing): |  | ||||||
|  |  | ||||||
| * `SOURCE_BRANCH`: the name of the branch or the tag that is currently being tested. |  | ||||||
| * `SOURCE_COMMIT`: the SHA1 hash of the commit being tested. |  | ||||||
| * `COMMIT_MSG`: the message from the commit being tested and built. |  | ||||||
| * `DOCKER_REPO`: the name of the Docker repository being built. |  | ||||||
| * `DOCKERFILE_PATH`: the dockerfile currently being built. |  | ||||||
| * `DOCKER_TAG`: the Docker repository tag being built. |  | ||||||
| * `IMAGE_NAME`: the name and tag of the Docker repository being built. (This variable is a combination of `DOCKER_REPO:DOCKER_TAG`.) |  | ||||||
|  |  | ||||||
| The current multi-arch image build relies on the original vaultwarden Dockerfiles, which use cross-compilation for architectures other than `amd64`, and don't yet support all arch/distro combinations. However, cross-compilation is much faster than QEMU-based builds (e.g., using `docker buildx`). This situation may need to be revisited at some point. |  | ||||||
|  |  | ||||||
| ## References |  | ||||||
|  |  | ||||||
| * https://docs.docker.com/docker-hub/builds/advanced/ |  | ||||||
| * https://docs.docker.com/engine/reference/commandline/manifest/ |  | ||||||
| * https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/ |  | ||||||
| * https://success.docker.com/article/how-do-i-authenticate-with-the-v2-api |  | ||||||
| @@ -1,11 +0,0 @@ | |||||||
| # The default Debian-based images support these arches for all database backends. |  | ||||||
| arches=( |  | ||||||
|     amd64 |  | ||||||
|     armv6 |  | ||||||
|     armv7 |  | ||||||
|     arm64 |  | ||||||
| ) |  | ||||||
|  |  | ||||||
| if [[ "${DOCKER_TAG}" == *alpine ]]; then |  | ||||||
|     distro_suffix=.alpine |  | ||||||
| fi |  | ||||||
							
								
								
									
										50
									
								
								hooks/build
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								hooks/build
									
									
									
									
									
								
							| @@ -1,50 +0,0 @@ | |||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| echo ">>> Building images..." |  | ||||||
|  |  | ||||||
| source ./hooks/arches.sh |  | ||||||
|  |  | ||||||
| if [[ -z "${SOURCE_COMMIT}" ]]; then |  | ||||||
|     # This var is typically predefined by Docker Hub, but it won't be |  | ||||||
|     # when testing locally. |  | ||||||
|     SOURCE_COMMIT="$(git rev-parse HEAD)" |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| # Construct a version string in the style of `build.rs`. |  | ||||||
| GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null)" |  | ||||||
| if [[ -n "${GIT_EXACT_TAG}" ]]; then |  | ||||||
|     SOURCE_VERSION="${GIT_EXACT_TAG}" |  | ||||||
| else |  | ||||||
|     GIT_LAST_TAG="$(git describe --tags --abbrev=0)" |  | ||||||
|     SOURCE_VERSION="${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| LABELS=( |  | ||||||
|     # https://github.com/opencontainers/image-spec/blob/master/annotations.md |  | ||||||
|     org.opencontainers.image.created="$(date --utc --iso-8601=seconds)" |  | ||||||
|     org.opencontainers.image.documentation="https://github.com/dani-garcia/vaultwarden/wiki" |  | ||||||
|     org.opencontainers.image.licenses="GPL-3.0-only" |  | ||||||
|     org.opencontainers.image.revision="${SOURCE_COMMIT}" |  | ||||||
|     org.opencontainers.image.source="${SOURCE_REPOSITORY_URL}" |  | ||||||
|     org.opencontainers.image.url="https://hub.docker.com/r/${DOCKER_REPO#*/}" |  | ||||||
|     org.opencontainers.image.version="${SOURCE_VERSION}" |  | ||||||
| ) |  | ||||||
| LABEL_ARGS=() |  | ||||||
| for label in "${LABELS[@]}"; do |  | ||||||
|     LABEL_ARGS+=(--label "${label}") |  | ||||||
| done |  | ||||||
|  |  | ||||||
| # Check if DOCKER_BUILDKIT is set, if so, use the Dockerfile.buildx as template |  | ||||||
| if [[ -n "${DOCKER_BUILDKIT}" ]]; then |  | ||||||
|     buildx_suffix=.buildx |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| set -ex |  | ||||||
|  |  | ||||||
| for arch in "${arches[@]}"; do |  | ||||||
|     docker build \ |  | ||||||
|            "${LABEL_ARGS[@]}" \ |  | ||||||
|            -t "${DOCKER_REPO}:${DOCKER_TAG}-${arch}" \ |  | ||||||
|            -f docker/${arch}/Dockerfile${buildx_suffix}${distro_suffix} \ |  | ||||||
|            . |  | ||||||
| done |  | ||||||
| @@ -1,28 +0,0 @@ | |||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| set -ex |  | ||||||
|  |  | ||||||
| # If requested, print some environment info for troubleshooting. |  | ||||||
| if [[ -n "${DOCKER_HUB_DEBUG}" ]]; then |  | ||||||
|     id |  | ||||||
|     pwd |  | ||||||
|     df -h |  | ||||||
|     env |  | ||||||
|     docker info |  | ||||||
|     docker version |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| # Install build dependencies. |  | ||||||
| deps=( |  | ||||||
|     jq |  | ||||||
| ) |  | ||||||
| apt-get update |  | ||||||
| apt-get install -y "${deps[@]}" |  | ||||||
|  |  | ||||||
| # Docker Hub uses a shallow clone and doesn't fetch tags, which breaks some |  | ||||||
| # Git operations that we perform later, so fetch the complete history and |  | ||||||
| # tags first. Note that if the build is cached, the clone may have been |  | ||||||
| # unshallowed already; if so, unshallowing will fail, so skip it. |  | ||||||
| if [[ -f .git/shallow ]]; then |  | ||||||
|     git fetch --unshallow --tags |  | ||||||
| fi |  | ||||||
							
								
								
									
										149
									
								
								hooks/push
									
									
									
									
									
								
							
							
						
						
									
										149
									
								
								hooks/push
									
									
									
									
									
								
							| @@ -1,149 +0,0 @@ | |||||||
| #!/bin/bash |  | ||||||
|  |  | ||||||
| source ./hooks/arches.sh |  | ||||||
|  |  | ||||||
| export DOCKER_CLI_EXPERIMENTAL=enabled |  | ||||||
|  |  | ||||||
| # Join a list of args with a single char. |  | ||||||
| # Ref: https://stackoverflow.com/a/17841619 |  | ||||||
| join() { local IFS="$1"; shift; echo "$*"; } |  | ||||||
|  |  | ||||||
| set -ex |  | ||||||
|  |  | ||||||
| echo ">>> Starting local Docker registry when needed..." |  | ||||||
|  |  | ||||||
| # Docker Buildx's `docker-container` driver is needed for multi-platform |  | ||||||
| # builds, but it can't access existing images on the Docker host (like the |  | ||||||
| # cross-compiled ones we just built). Those images first need to be pushed to |  | ||||||
| # a registry -- Docker Hub could be used, but since it's not trivial to clean |  | ||||||
| # up those intermediate images on Docker Hub, it's easier to just run a local |  | ||||||
| # Docker registry, which gets cleaned up automatically once the build job ends. |  | ||||||
| # |  | ||||||
| # https://docs.docker.com/registry/deploying/ |  | ||||||
| # https://hub.docker.com/_/registry |  | ||||||
| # |  | ||||||
| # Use host networking so the buildx container can access the registry via |  | ||||||
| # localhost. |  | ||||||
| # |  | ||||||
| # First check if there already is a registry container running, else skip it. |  | ||||||
| # This will only happen either locally or running it via Github Actions |  | ||||||
| # |  | ||||||
| if ! timeout 5 bash -c 'cat < /dev/null > /dev/tcp/localhost/5000'; then |  | ||||||
|     # defaults to port 5000 |  | ||||||
|     docker run -d --name registry --network host registry:2 |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| # Docker Hub sets a `DOCKER_REPO` env var with the format `index.docker.io/user/repo`. |  | ||||||
| # Strip the registry portion to construct a local repo path for use in `Dockerfile.buildx`. |  | ||||||
| LOCAL_REGISTRY="localhost:5000" |  | ||||||
| REPO="${DOCKER_REPO#*/}" |  | ||||||
| LOCAL_REPO="${LOCAL_REGISTRY}/${REPO}" |  | ||||||
|  |  | ||||||
| echo ">>> Pushing images to local registry..." |  | ||||||
|  |  | ||||||
| for arch in ${arches[@]}; do |  | ||||||
|     docker_image="${DOCKER_REPO}:${DOCKER_TAG}-${arch}" |  | ||||||
|     local_image="${LOCAL_REPO}:${DOCKER_TAG}-${arch}" |  | ||||||
|     docker tag "${docker_image}" "${local_image}" |  | ||||||
|     docker push "${local_image}" |  | ||||||
| done |  | ||||||
|  |  | ||||||
| echo ">>> Setting up Docker Buildx..." |  | ||||||
|  |  | ||||||
| # Same as earlier, use host networking so the buildx container can access the |  | ||||||
| # registry via localhost. |  | ||||||
| # |  | ||||||
| # Ref: https://github.com/docker/buildx/issues/94#issuecomment-534367714 |  | ||||||
| # |  | ||||||
| # Check if there already is a builder running, else skip this and use the existing. |  | ||||||
| # This will only happen either locally or running it via Github Actions |  | ||||||
| # |  | ||||||
| if ! docker buildx inspect builder > /dev/null 2>&1 ; then |  | ||||||
|     docker buildx create --name builder --use --driver-opt network=host |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| echo ">>> Running Docker Buildx..." |  | ||||||
|  |  | ||||||
| tags=("${DOCKER_REPO}:${DOCKER_TAG}") |  | ||||||
|  |  | ||||||
| # If the Docker tag starts with a version number, assume the latest release |  | ||||||
| # is being pushed. Add an extra tag (`latest` or `alpine`, as appropriate) |  | ||||||
| # to make it easier for users to track the latest release. |  | ||||||
| if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then |  | ||||||
|     if [[ "${DOCKER_TAG}" == *alpine ]]; then |  | ||||||
|         tags+=(${DOCKER_REPO}:alpine) |  | ||||||
|     else |  | ||||||
|         tags+=(${DOCKER_REPO}:latest) |  | ||||||
|     fi |  | ||||||
| fi |  | ||||||
|  |  | ||||||
| tag_args=() |  | ||||||
| for tag in "${tags[@]}"; do |  | ||||||
|     tag_args+=(--tag "${tag}") |  | ||||||
| done |  | ||||||
|  |  | ||||||
| # Docker Buildx takes a list of target platforms (OS/arch/variant), so map |  | ||||||
| # the arch list to a platform list (assuming the OS is always `linux`). |  | ||||||
| declare -A arch_to_platform=( |  | ||||||
|     [amd64]="linux/amd64" |  | ||||||
|     [armv6]="linux/arm/v6" |  | ||||||
|     [armv7]="linux/arm/v7" |  | ||||||
|     [arm64]="linux/arm64" |  | ||||||
| ) |  | ||||||
| platforms=() |  | ||||||
| for arch in ${arches[@]}; do |  | ||||||
|     platforms+=("${arch_to_platform[$arch]}") |  | ||||||
| done |  | ||||||
| platforms="$(join "," "${platforms[@]}")" |  | ||||||
|  |  | ||||||
| # Run the build, pushing the resulting images and multi-arch manifest list to |  | ||||||
| # Docker Hub. The Dockerfile is read from stdin to avoid sending any build |  | ||||||
| # context, which isn't needed here since the actual cross-compiled images |  | ||||||
| # have already been built. |  | ||||||
| docker buildx build \ |  | ||||||
|        --network host \ |  | ||||||
|        --build-arg LOCAL_REPO="${LOCAL_REPO}" \ |  | ||||||
|        --build-arg DOCKER_TAG="${DOCKER_TAG}" \ |  | ||||||
|        --platform "${platforms}" \ |  | ||||||
|        "${tag_args[@]}" \ |  | ||||||
|        --push \ |  | ||||||
|        - < ./docker/Dockerfile.buildx |  | ||||||
|  |  | ||||||
| # Add an extra arch-specific tag for `arm32v6`; Docker can't seem to properly |  | ||||||
| # auto-select that image on ARMv6 platforms like Raspberry Pi 1 and Zero |  | ||||||
| # (https://github.com/moby/moby/issues/41017). |  | ||||||
| # |  | ||||||
| # Note that we use `arm32v6` instead of `armv6` to be consistent with the |  | ||||||
| # existing vaultwarden tags, which adhere to the naming conventions of the |  | ||||||
| # Docker per-architecture repos (e.g., https://hub.docker.com/u/arm32v6). |  | ||||||
| # Unfortunately, these per-arch repo names aren't always consistent with the |  | ||||||
| # corresponding platform (OS/arch/variant) IDs, particularly in the case of |  | ||||||
| # 32-bit ARM arches (e.g., `linux/arm/v6` is used, not `linux/arm32/v6`). |  | ||||||
| # |  | ||||||
| # TODO: It looks like this issue should be fixed starting in Docker 20.10.0, |  | ||||||
| # so this step can be removed once fixed versions are in wider distribution. |  | ||||||
| # |  | ||||||
| # Tags: |  | ||||||
| # |  | ||||||
| #   testing        => testing-arm32v6 |  | ||||||
| #   testing-alpine => <ignored> |  | ||||||
| #   x.y.z          => x.y.z-arm32v6, latest-arm32v6 |  | ||||||
| #   x.y.z-alpine   => <ignored> |  | ||||||
| # |  | ||||||
| if [[ "${DOCKER_TAG}" != *alpine ]]; then |  | ||||||
|     image="${DOCKER_REPO}":"${DOCKER_TAG}" |  | ||||||
|  |  | ||||||
|     # Fetch the multi-arch manifest list and find the digest of the armv6 image. |  | ||||||
|     filter='.manifests|.[]|select(.platform.architecture=="arm" and .platform.variant=="v6")|.digest' |  | ||||||
|     digest="$(docker manifest inspect "${image}" | jq -r "${filter}")" |  | ||||||
|  |  | ||||||
|     # Pull the armv6 image by digest, retag it, and repush it. |  | ||||||
|     docker pull "${DOCKER_REPO}"@"${digest}" |  | ||||||
|     docker tag "${DOCKER_REPO}"@"${digest}" "${image}"-arm32v6 |  | ||||||
|     docker push "${image}"-arm32v6 |  | ||||||
|  |  | ||||||
|     if [[ "${DOCKER_TAG}" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]; then |  | ||||||
|         docker tag "${image}"-arm32v6 "${DOCKER_REPO}:latest"-arm32v6 |  | ||||||
|         docker push "${DOCKER_REPO}:latest"-arm32v6 |  | ||||||
|     fi |  | ||||||
| fi |  | ||||||
| @@ -0,0 +1,3 @@ | |||||||
|  | DROP TABLE `groups`; | ||||||
|  | DROP TABLE groups_users; | ||||||
|  | DROP TABLE collections_groups; | ||||||
							
								
								
									
										23
									
								
								migrations/mysql/2022-07-27-110000_add_group_support/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										23
									
								
								migrations/mysql/2022-07-27-110000_add_group_support/up.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,23 @@ | |||||||
|  | CREATE TABLE `groups` ( | ||||||
|  |   uuid                              CHAR(36) NOT NULL PRIMARY KEY, | ||||||
|  |   organizations_uuid                VARCHAR(40) NOT NULL REFERENCES organizations (uuid), | ||||||
|  |   name                              VARCHAR(100) NOT NULL, | ||||||
|  |   access_all                        BOOLEAN NOT NULL, | ||||||
|  |   external_id                       VARCHAR(300) NULL, | ||||||
|  |   creation_date                     DATETIME NOT NULL, | ||||||
|  |   revision_date                     DATETIME NOT NULL | ||||||
|  | ); | ||||||
|  |  | ||||||
|  | CREATE TABLE groups_users ( | ||||||
|  |   groups_uuid                       CHAR(36) NOT NULL REFERENCES `groups` (uuid), | ||||||
|  |   users_organizations_uuid          VARCHAR(36) NOT NULL REFERENCES users_organizations (uuid), | ||||||
|  |   UNIQUE (groups_uuid, users_organizations_uuid) | ||||||
|  | ); | ||||||
|  |  | ||||||
|  | CREATE TABLE collections_groups ( | ||||||
|  |   collections_uuid                  VARCHAR(40) NOT NULL REFERENCES collections (uuid), | ||||||
|  |   groups_uuid                       CHAR(36) NOT NULL REFERENCES `groups` (uuid), | ||||||
|  |   read_only                         BOOLEAN NOT NULL, | ||||||
|  |   hide_passwords                    BOOLEAN NOT NULL, | ||||||
|  |   UNIQUE (collections_uuid, groups_uuid) | ||||||
|  | ); | ||||||
							
								
								
									
										1
									
								
								migrations/mysql/2022-10-18-170602_add_events/down.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1
									
								
								migrations/mysql/2022-10-18-170602_add_events/down.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1 @@ | |||||||
|  | DROP TABLE event; | ||||||
							
								
								
									
										19
									
								
								migrations/mysql/2022-10-18-170602_add_events/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								migrations/mysql/2022-10-18-170602_add_events/up.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | |||||||
|  | CREATE TABLE event ( | ||||||
|  |   uuid               CHAR(36)    NOT NULL PRIMARY KEY, | ||||||
|  |   event_type         INTEGER     NOT NULL, | ||||||
|  |   user_uuid          CHAR(36), | ||||||
|  |   org_uuid           CHAR(36), | ||||||
|  |   cipher_uuid        CHAR(36), | ||||||
|  |   collection_uuid    CHAR(36), | ||||||
|  |   group_uuid         CHAR(36), | ||||||
|  |   org_user_uuid      CHAR(36), | ||||||
|  |   act_user_uuid      CHAR(36), | ||||||
|  |   device_type        INTEGER, | ||||||
|  |   ip_address         TEXT, | ||||||
|  |   event_date         DATETIME    NOT NULL, | ||||||
|  |   policy_uuid        CHAR(36), | ||||||
|  |   provider_uuid      CHAR(36), | ||||||
|  |   provider_user_uuid CHAR(36), | ||||||
|  |   provider_org_uuid  CHAR(36), | ||||||
|  |   UNIQUE (uuid) | ||||||
|  | ); | ||||||
| @@ -0,0 +1,2 @@ | |||||||
|  | ALTER TABLE users_organizations | ||||||
|  | ADD COLUMN reset_password_key TEXT; | ||||||
| @@ -0,0 +1,2 @@ | |||||||
|  | ALTER TABLE users | ||||||
|  | ADD COLUMN avatar_color VARCHAR(7); | ||||||
							
								
								
									
										7
									
								
								migrations/mysql/2023-01-31-222222_add_argon2/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										7
									
								
								migrations/mysql/2023-01-31-222222_add_argon2/up.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,7 @@ | |||||||
|  | ALTER TABLE users | ||||||
|  |     ADD COLUMN | ||||||
|  |     client_kdf_memory INTEGER DEFAULT NULL; | ||||||
|  |  | ||||||
|  | ALTER TABLE users | ||||||
|  |     ADD COLUMN | ||||||
|  |     client_kdf_parallelism INTEGER DEFAULT NULL; | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE devices ADD COLUMN push_uuid TEXT; | ||||||
| @@ -0,0 +1,10 @@ | |||||||
|  | CREATE TABLE organization_api_key ( | ||||||
|  | 	uuid			CHAR(36) NOT NULL, | ||||||
|  | 	org_uuid		CHAR(36) NOT NULL REFERENCES organizations(uuid), | ||||||
|  | 	atype			INTEGER NOT NULL, | ||||||
|  | 	api_key			VARCHAR(255) NOT NULL, | ||||||
|  | 	revision_date	DATETIME NOT NULL, | ||||||
|  | 	PRIMARY KEY(uuid, org_uuid) | ||||||
|  | ); | ||||||
|  |  | ||||||
|  | ALTER TABLE users ADD COLUMN external_id TEXT; | ||||||
| @@ -0,0 +1,19 @@ | |||||||
|  | CREATE TABLE auth_requests ( | ||||||
|  | 	uuid            CHAR(36) NOT NULL PRIMARY KEY, | ||||||
|  | 	user_uuid	    CHAR(36) NOT NULL, | ||||||
|  | 	organization_uuid           CHAR(36), | ||||||
|  | 	request_device_identifier         CHAR(36) NOT NULL, | ||||||
|  | 	device_type         INTEGER NOT NULL, | ||||||
|  | 	request_ip         TEXT NOT NULL, | ||||||
|  | 	response_device_id         CHAR(36), | ||||||
|  | 	access_code         TEXT NOT NULL, | ||||||
|  | 	public_key         TEXT NOT NULL, | ||||||
|  | 	enc_key         TEXT NOT NULL, | ||||||
|  | 	master_password_hash         TEXT NOT NULL, | ||||||
|  | 	approved         BOOLEAN, | ||||||
|  | 	creation_date         DATETIME NOT NULL, | ||||||
|  | 	response_date         DATETIME, | ||||||
|  | 	authentication_date         DATETIME, | ||||||
|  | 	FOREIGN KEY(user_uuid) REFERENCES users(uuid), | ||||||
|  | 	FOREIGN KEY(organization_uuid) REFERENCES organizations(uuid) | ||||||
|  | ); | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE collections ADD COLUMN external_id TEXT; | ||||||
| @@ -0,0 +1,5 @@ | |||||||
|  | ALTER TABLE auth_requests | ||||||
|  | MODIFY master_password_hash TEXT; | ||||||
|  |  | ||||||
|  | ALTER TABLE auth_requests | ||||||
|  | MODIFY enc_key TEXT; | ||||||
| @@ -0,0 +1,2 @@ | |||||||
|  | ALTER TABLE users_organizations | ||||||
|  | ADD COLUMN external_id TEXT; | ||||||
							
								
								
									
										2
									
								
								migrations/mysql/2023-10-21-221242_add_cipher_key/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										2
									
								
								migrations/mysql/2023-10-21-221242_add_cipher_key/up.sql
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,2 @@ | |||||||
|  | ALTER TABLE ciphers | ||||||
|  | ADD COLUMN `key` TEXT; | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE attachments MODIFY file_size BIGINT NOT NULL; | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE twofactor MODIFY last_used BIGINT NOT NULL; | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | DROP TABLE twofactor_duo_ctx; | ||||||
| @@ -0,0 +1,8 @@ | |||||||
|  | CREATE TABLE twofactor_duo_ctx ( | ||||||
|  |     state      VARCHAR(64)  NOT NULL, | ||||||
|  |     user_email VARCHAR(255) NOT NULL, | ||||||
|  |     nonce      VARCHAR(64)  NOT NULL, | ||||||
|  |     exp        BIGINT       NOT NULL, | ||||||
|  |  | ||||||
|  |     PRIMARY KEY (state) | ||||||
|  | ); | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE `twofactor_incomplete` DROP COLUMN `device_type`; | ||||||
| @@ -0,0 +1 @@ | |||||||
|  | ALTER TABLE twofactor_incomplete ADD COLUMN device_type INTEGER NOT NULL DEFAULT 14; -- 14 = Unknown Browser | ||||||
| @@ -0,0 +1,3 @@ | |||||||
|  | DROP TABLE groups; | ||||||
|  | DROP TABLE groups_users; | ||||||
|  | DROP TABLE collections_groups; | ||||||
| @@ -0,0 +1,23 @@ | |||||||
|  | CREATE TABLE groups ( | ||||||
|  |   uuid                              CHAR(36) NOT NULL PRIMARY KEY, | ||||||
|  |   organizations_uuid                 VARCHAR(40) NOT NULL REFERENCES organizations (uuid), | ||||||
|  |   name                              VARCHAR(100) NOT NULL, | ||||||
|  |   access_all                        BOOLEAN NOT NULL, | ||||||
|  |   external_id                       VARCHAR(300) NULL, | ||||||
|  |   creation_date                     TIMESTAMP NOT NULL, | ||||||
|  |   revision_date                     TIMESTAMP NOT NULL | ||||||
|  | ); | ||||||
|  |  | ||||||
|  | CREATE TABLE groups_users ( | ||||||
|  |   groups_uuid                       CHAR(36) NOT NULL REFERENCES groups (uuid), | ||||||
|  |   users_organizations_uuid          VARCHAR(36) NOT NULL REFERENCES users_organizations (uuid), | ||||||
|  |   PRIMARY KEY (groups_uuid, users_organizations_uuid) | ||||||
|  | ); | ||||||
|  |  | ||||||
|  | CREATE TABLE collections_groups ( | ||||||
|  |   collections_uuid                  VARCHAR(40) NOT NULL REFERENCES collections (uuid), | ||||||
|  |   groups_uuid                       CHAR(36) NOT NULL REFERENCES groups (uuid), | ||||||
|  |   read_only                         BOOLEAN NOT NULL, | ||||||
|  |   hide_passwords                    BOOLEAN NOT NULL, | ||||||
|  |   PRIMARY KEY (collections_uuid, groups_uuid) | ||||||
|  | ); | ||||||
Some files were not shown because too many files have changed in this diff Show More
		Reference in New Issue
	
	Block a user