	Compare commits
	
		
			300 Commits
		
	
	
		
			1.30.1
			...
			8e7eeab293
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | 8e7eeab293 | ||
|  | e35c6f8705 | ||
|  | ae7b725c0f | ||
|  | 2a5489a4b2 | ||
|  | 8fd0ee4211 | ||
|  | 4a5516e150 | ||
|  | 7fc94516ce | ||
|  | 5ea0779d6b | ||
|  | a133d4e90c | ||
|  | 49eff787de | ||
|  | cff6c2b3af | ||
|  | a0c76284fd | ||
|  | 318653b0e5 | ||
|  | 5d84f17600 | ||
|  | 0db4b00007 | ||
|  | a0198d8d7c | ||
|  | dfad931dca | ||
|  | 25865efd79 | ||
|  | bcf627930e | ||
|  | ce70cd2cf4 | ||
|  | 2ac589d4b4 | ||
|  | b2e2aef7de | ||
|  | 0755bb19c0 | ||
|  | fee0c1c711 | ||
|  | f58539f0b4 | ||
|  | e718afb441 | ||
|  | 55945ad793 | ||
|  | 4fd22d8e3b | ||
|  | d6a8fb8e48 | ||
|  | 3b48e6e903 | ||
|  | 6b9333b33e | ||
|  | a545636ee5 | ||
|  | f125d5f1a1 | ||
|  | ad75ce281e | ||
|  | 9059437c35 | ||
|  | c84db0daca | ||
|  | 72adc239f5 | ||
|  | 34ebeeca76 | ||
|  | 0469d9ba4c | ||
|  | eaa6ad06ed | ||
|  | 0d3f283c37 | ||
|  | 51a1d641c5 | ||
|  | 90f7e5ff80 | ||
|  | 200999c94e | ||
|  | d363e647e9 | ||
|  | 53f58b14d5 | ||
|  | ef7835d1b0 | ||
|  | 3a44dc963b | ||
|  | a039e227c7 | ||
|  | 602b18fdd6 | ||
|  | bf04c64759 | ||
|  | 2f1d86b7f1 | ||
|  | ff97bcfdda | ||
|  | 73f2441d1a | ||
|  | ad8484a2d5 | ||
|  | 9813e480c0 | ||
|  | bfe172702a | ||
|  | df42b6d6b0 | ||
|  | 2697fe8aba | ||
|  | 674e444d67 | ||
|  | 0d16da440d | ||
|  | 66cf179bca | ||
|  | 025bb90f8f | ||
|  | d5039d9c17 | ||
|  | e7c796a660 | ||
|  | bbbd2f6d15 | ||
|  | a2d7895586 | ||
|  | 8a0cb1137e | ||
|  | f960bf59bb | ||
|  | 3a1f1bae00 | ||
|  | 8dfe805954 | ||
|  | 07b869b3ef | ||
|  | 2a18665288 | ||
|  | 71952a4ab5 | ||
|  | 994d157064 | ||
|  | 1dae6093c9 | ||
|  | 6edceb5f7a | ||
|  | 359a4a088a | ||
|  | 3baffeee9a | ||
|  | d5c353427d | ||
|  | 1f868b8d22 | ||
|  | 8d1df08b81 | ||
|  | 3b6bccde97 | ||
|  | d2b36642a6 | ||
|  | a02fb0fd24 | ||
|  | 1109293992 | ||
|  | 3c29f82974 | ||
|  | 663f88e717 | ||
|  | a3dccee243 | ||
|  | c0ebe0d982 | ||
|  | 1b46c80389 | ||
|  | 2c549984c0 | ||
|  | ecab7a50ea | ||
|  | 2903a3a13a | ||
|  | 952992c85b | ||
|  | c0be36a17f | ||
|  | d1dee04615 | ||
|  | ef2695de0c | ||
|  | 29f2b433f0 | ||
|  | 07f80346b4 | ||
|  | 4f68eafa3e | ||
|  | 327d369188 | ||
|  | ca7483df85 | ||
|  | 16b6d2a71e | ||
|  | 871a3f214a | ||
|  | 10d12676cf | ||
|  | dec3a9603a | ||
|  | 86aaf27659 | ||
|  | bc913d1156 | ||
|  | ef4bff09eb | ||
|  | 4816f77fd7 | ||
|  | dfd9e65396 | ||
|  | b1481c7c1a | ||
|  | d9e0d68f20 | ||
|  | 08183fc999 | ||
|  | d9b043d32c | ||
|  | ed4ad67e73 | ||
|  | a523c82f5f | ||
|  | 4d6d3443ae | ||
|  | 9cd400db6c | ||
|  | fd51230044 | ||
|  | 45e5f06b86 | ||
|  | 620ad92331 | ||
|  | c9860af11c | ||
|  | d7adce97df | ||
|  | 71b3d3c818 | ||
|  | da3701c0cf | ||
|  | 96813b1317 | ||
|  | b0b953f348 | ||
|  | cdfdc6ff4f | ||
|  | 2393c3f3c0 | ||
|  | 0d16b38a68 | ||
|  | ff33534c07 | ||
|  | adb21d5c1a | ||
|  | e927b8aa5e | ||
|  | ba48ca68fc | ||
|  | 294b429436 | ||
|  | 37c14c3c69 | ||
|  | d0581da638 | ||
|  | 38aad4f7be | ||
|  | 20d9e885bf | ||
|  | 2f20ad86f9 | ||
|  | 33bae5fbe9 | ||
|  | f60502a17e | ||
|  | 13f4b66e62 | ||
|  | c967d0ddc1 | ||
|  | ae6ed0ece8 | ||
|  | b7c254eb30 | ||
|  | a47b484172 | ||
|  | 65629a99f0 | ||
|  | 49c5dec9b6 | ||
|  | cd195ff243 | ||
|  | e3541763fd | ||
|  | f0efec7c96 | ||
|  | 040e2a7bb0 | ||
|  | d184c8f08c | ||
|  | 7d6dec6413 | ||
|  | de01111082 | ||
|  | 0bd8f607cb | ||
|  | 21efc0800d | ||
|  | 1031c2e286 | ||
|  | 1bf85201e7 | ||
|  | 6ceed9284d | ||
|  | 25d99e3506 | ||
|  | dca14285fd | ||
|  | 66baa5e7d8 | ||
|  | 248e561b3f | ||
|  | 55623ad9c6 | ||
|  | e9acd8bd3c | ||
|  | 544b7229e8 | ||
|  | 978f009293 | ||
|  | 92f1530e96 | ||
|  | 2b824e8096 | ||
|  | 059661be48 | ||
|  | 0f3f97cc76 | ||
|  | aa0fe7785a | ||
|  | 65d11a9720 | ||
|  | c722006385 | ||
|  | aaab7f9640 | ||
|  | cbdb5657f1 | ||
|  | 669b9db758 | ||
|  | 3466a8040e | ||
|  | 7d47155d83 | ||
|  | 9e26014b4d | ||
|  | 339612c917 | ||
|  | 9eebbf3b9f | ||
|  | b557c11724 | ||
|  | a1204cc935 | ||
|  | 1ea511cbfc | ||
|  | 2e6a6fa39f | ||
|  | e7d5c17ff7 | ||
|  | a7be8fab9b | ||
|  | 39d4d31080 | ||
|  | c28246cf34 | ||
|  | d7df0ad79e | ||
|  | 7c8ba0c232 | ||
|  | d335187172 | ||
|  | f858523d92 | ||
|  | 529c39c6c5 | ||
|  | b428481ac0 | ||
|  | b4b2701905 | ||
|  | de66e56b6c | ||
|  | ecfebaf3c7 | ||
|  | 0e53f58288 | ||
|  | bc7ceb2ee3 | ||
|  | b27e6e30c9 | ||
|  | 505b30eec2 | ||
|  | 54bfcb8bc3 | ||
|  | 035f694d2f | ||
|  | a4ab014ade | ||
|  | 6fedfceaa9 | ||
|  | 8e8483481f | ||
|  | d04b94b77d | ||
|  | 247d0706ff | ||
|  | 0e8b410798 | ||
|  | fda77afc2a | ||
|  | d9835f530c | ||
|  | bd91964170 | ||
|  | d42b264a93 | ||
|  | a4c7fadbf4 | ||
|  | 8e2a87fd79 | ||
|  | 4233dbf3db | ||
|  | a2bf8def2a | ||
|  | 8f05a90b96 | ||
|  | 9082e7cebb | ||
|  | 55fdee3bf8 | ||
|  | 377969ea67 | ||
|  | f05398a6b3 | ||
|  | 9555ac7bb8 | ||
|  | f01ef40a8e | ||
|  | 8e7b27cc36 | ||
|  | d230ee087c | ||
|  | f8f14727b9 | ||
|  | 753a9e0bae | ||
|  | f5fb69b64f | ||
|  | 3261534438 | ||
|  | 46762d9fde | ||
|  | 6cadb2627a | ||
|  | 0fe93edea6 | ||
|  | e9aa5a545e | ||
|  | 9dcc738f85 | ||
|  | 84a7c7da5d | ||
|  | ca9234ed86 | ||
|  | 27dc67fadd | ||
|  | 2ad33ec97f | ||
|  | e1a8df96db | ||
|  | e42a37c6c1 | ||
|  | 129b835ac7 | ||
|  | 2d98aa3045 | ||
|  | 93636eb3c3 | ||
|  | 1e42755187 | ||
|  | ce8efcc48f | ||
|  | 79ce5b49bc | ||
|  | 7c3cad197c | ||
|  | 000c606029 | ||
|  | 29144b2ce0 | ||
|  | ea04b6f151 | ||
|  | 3427217686 | ||
|  | a1fbd6d729 | ||
|  | 2cbfe6fa5b | ||
|  | d86c4f2c23 | ||
|  | 6d73f30b4f | ||
|  | d0c22b9fc9 | ||
|  | d6b97090fa | ||
|  | 94b077cb2d | ||
|  | bb2412d033 | ||
|  | b9bdc9b8e2 | ||
|  | 897bdf8343 | ||
|  | 569add453d | ||
|  | 77cd5b5954 | ||
|  | 4438da39f9 | ||
|  | 0b2383ab56 | ||
|  | ad1d65bdf8 | ||
|  | 3b283c289e | ||
|  | 4b9384cb2b | ||
|  | 0f39d96518 | ||
|  | edf7484a70 | ||
|  | 8b66e34415 | ||
|  | 1d00e34bbb | ||
|  | 1b801406d6 | ||
|  | 5e46a43306 | ||
|  | 5c77431c2d | ||
|  | 2775c6ce8a | ||
|  | 890e668071 | ||
|  | 596c167312 | ||
|  | ae3a153bdb | ||
|  | 2c36993792 | ||
|  | d672ad3f76 | ||
|  | a641b48884 | ||
|  | 98b2178c7d | ||
|  | 76a3f0f531 | ||
|  | c5665e7b77 | ||
|  | cbdcf8ef9f | ||
|  | 3337594d60 | ||
|  | 2daa8be1f1 | ||
|  | eccb3ab947 | ||
|  | 3246251f29 | ||
|  | 8ab200224e | ||
|  | 34e00e1478 | ||
|  | 0fdda3bc2f | 
| @@ -1,40 +1,16 @@ | ||||
| # Local build artifacts | ||||
| target | ||||
| // Ignore everything | ||||
| * | ||||
|  | ||||
| # Data folder | ||||
| data | ||||
|  | ||||
| # Misc | ||||
| .env | ||||
| .env.template | ||||
| .gitattributes | ||||
| .gitignore | ||||
| rustfmt.toml | ||||
|  | ||||
| # IDE files | ||||
| .vscode | ||||
| .idea | ||||
| .editorconfig | ||||
| *.iml | ||||
|  | ||||
| # Documentation | ||||
| .github | ||||
| *.md | ||||
| *.txt | ||||
| *.yml | ||||
| *.yaml | ||||
|  | ||||
| # Docker | ||||
| hooks | ||||
| tools | ||||
| Dockerfile | ||||
| .dockerignore | ||||
| docker/** | ||||
| // Allow what is needed | ||||
| !.git | ||||
| !docker/healthcheck.sh | ||||
| !docker/start.sh | ||||
| !macros | ||||
| !migrations | ||||
| !src | ||||
|  | ||||
| # Web vault | ||||
| web-vault | ||||
|  | ||||
| # Vaultwarden Resources | ||||
| resources | ||||
| !build.rs | ||||
| !Cargo.lock | ||||
| !Cargo.toml | ||||
| !rustfmt.toml | ||||
| !rust-toolchain.toml | ||||
|   | ||||
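Review bot: A `.dockerignore` only treats lines beginning with `#` as comments, so the `// Ignore everything` and `// Allow what is needed` lines in the new allowlist-style version are parsed as exclusion patterns rather than comments; they happen to match nothing, which makes them harmless by accident, and the older block on this same page uses `#` for every comment. Replace them with `# Ignore everything` and `# Allow what is needed`. The file header for this section is not shown on the page, so the file being `.dockerignore` is inferred from its contents. Separately, `!.git` re-admits the full repository history into the build context; that is reasonable if the build only reads version metadata from it, but any stage that copies the context wholesale into the final image would carry `.git` along, so it is worth confirming the Dockerfile copies only the specific paths it needs.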
							
								
								
									
										641
									
								
								.env.template
									
									
									
									
									
								
							
							
						
						
									
							| @@ -10,30 +10,80 @@ | ||||
| ## variable ENV_FILE can be set to the location of this file prior to starting | ||||
| ## Vaultwarden. | ||||
|  | ||||
| #################### | ||||
| ### Data folders ### | ||||
| #################### | ||||
|  | ||||
| ## Main data folder | ||||
| ## This can be a path to local folder or a path to an external location | ||||
| ## depending on features enabled at build time. Possible external locations: | ||||
| ## | ||||
| ## - AWS S3 Bucket (via `s3` feature): s3://bucket-name/path/to/folder | ||||
| ## | ||||
| ## When using an external location, make sure to set TMP_FOLDER, | ||||
| ## TEMPLATES_FOLDER, and DATABASE_URL to local paths and/or a remote database | ||||
| ## location. | ||||
| # DATA_FOLDER=data | ||||
|  | ||||
| ## Individual folders, these override %DATA_FOLDER% | ||||
| # RSA_KEY_FILENAME=data/rsa_key | ||||
| # ICON_CACHE_FOLDER=data/icon_cache | ||||
| # ATTACHMENTS_FOLDER=data/attachments | ||||
| # SENDS_FOLDER=data/sends | ||||
|  | ||||
| ## Temporary folder used for storing temporary file uploads | ||||
| ## Must be a local path. | ||||
| # TMP_FOLDER=data/tmp | ||||
|  | ||||
| ## HTML template overrides data folder | ||||
| ## Must be a local path. | ||||
| # TEMPLATES_FOLDER=data/templates | ||||
| ## Automatically reload the templates for every request, slow, use only for development | ||||
| # RELOAD_TEMPLATES=false | ||||
|  | ||||
| ## Web vault settings | ||||
| # WEB_VAULT_FOLDER=web-vault/ | ||||
| # WEB_VAULT_ENABLED=true | ||||
|  | ||||
| ######################### | ||||
| ### Database settings ### | ||||
| ######################### | ||||
|  | ||||
| ## Database URL | ||||
| ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 | ||||
| ## When using SQLite, this is the path to the DB file, and it defaults to | ||||
| ## %DATA_FOLDER%/db.sqlite3. If DATA_FOLDER is set to an external location, this | ||||
| ## must be set to a local sqlite3 file path. | ||||
| # DATABASE_URL=data/db.sqlite3 | ||||
| ## When using MySQL, specify an appropriate connection URI. | ||||
| ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html | ||||
| ## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html | ||||
| # DATABASE_URL=mysql://user:password@host[:port]/database_name | ||||
| ## When using PostgreSQL, specify an appropriate connection URI (recommended) | ||||
| ## or keyword/value connection string. | ||||
| ## Details: | ||||
| ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html | ||||
| ## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html | ||||
| ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING | ||||
| # DATABASE_URL=postgresql://user:password@host[:port]/database_name | ||||
|  | ||||
| ## Database max connections | ||||
| ## Define the size of the connection pool used for connecting to the database. | ||||
| # DATABASE_MAX_CONNS=10 | ||||
| ## Enable WAL for the DB | ||||
| ## Set to false to avoid enabling WAL during startup. | ||||
| ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, | ||||
| ## this setting only prevents Vaultwarden from automatically enabling it on start. | ||||
| ## Please read project wiki page about this setting first before changing the value as it can | ||||
| ## cause performance degradation or might render the service unable to start. | ||||
| # ENABLE_DB_WAL=true | ||||
|  | ||||
| ## Database connection retries | ||||
| ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely | ||||
| # DB_CONNECTION_RETRIES=15 | ||||
|  | ||||
| ## Database timeout | ||||
| ## Timeout when acquiring database connection | ||||
| # DATABASE_TIMEOUT=30 | ||||
|  | ||||
| ## Database max connections | ||||
| ## Define the size of the connection pool used for connecting to the database. | ||||
| # DATABASE_MAX_CONNS=10 | ||||
|  | ||||
| ## Database connection initialization | ||||
| ## Allows SQL statements to be run whenever a new database connection is created. | ||||
| ## This is mainly useful for connection-scoped pragmas. | ||||
| @@ -43,74 +93,36 @@ | ||||
| ## - PostgreSQL: "" | ||||
| # DATABASE_CONN_INIT="" | ||||
|  | ||||
| ## Individual folders, these override %DATA_FOLDER% | ||||
| # RSA_KEY_FILENAME=data/rsa_key | ||||
| # ICON_CACHE_FOLDER=data/icon_cache | ||||
| # ATTACHMENTS_FOLDER=data/attachments | ||||
| # SENDS_FOLDER=data/sends | ||||
| # TMP_FOLDER=data/tmp | ||||
| ################# | ||||
| ### WebSocket ### | ||||
| ################# | ||||
|  | ||||
| ## Templates data folder, by default uses embedded templates | ||||
| ## Check source code to see the format | ||||
| # TEMPLATES_FOLDER=/path/to/templates | ||||
| ## Automatically reload the templates for every request, slow, use only for development | ||||
| # RELOAD_TEMPLATES=false | ||||
| ## Enable websocket notifications | ||||
| # ENABLE_WEBSOCKET=true | ||||
|  | ||||
| ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" | ||||
| ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP | ||||
| # IP_HEADER=X-Real-IP | ||||
|  | ||||
| ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") | ||||
| # ICON_CACHE_TTL=2592000 | ||||
| ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") | ||||
| # ICON_CACHE_NEGTTL=259200 | ||||
|  | ||||
| ## Web vault settings | ||||
| # WEB_VAULT_FOLDER=web-vault/ | ||||
| # WEB_VAULT_ENABLED=true | ||||
|  | ||||
| ## Enables websocket notifications | ||||
| # WEBSOCKET_ENABLED=false | ||||
|  | ||||
| ## Controls the WebSocket server address and port | ||||
| # WEBSOCKET_ADDRESS=0.0.0.0 | ||||
| # WEBSOCKET_PORT=3012 | ||||
| ########################## | ||||
| ### Push notifications ### | ||||
| ########################## | ||||
|  | ||||
| ## Enables push notifications (requires key and id from https://bitwarden.com/host) | ||||
| # PUSH_ENABLED=true | ||||
| ## Details about mobile client push notification: | ||||
| ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification | ||||
| # PUSH_ENABLED=false | ||||
| # PUSH_INSTALLATION_ID=CHANGEME | ||||
| # PUSH_INSTALLATION_KEY=CHANGEME | ||||
| ## Don't change this unless you know what you're doing. | ||||
|  | ||||
| # WARNING: Do not modify the following settings unless you fully understand their implications! | ||||
| # Default Push Relay and Identity URIs | ||||
| # PUSH_RELAY_URI=https://push.bitwarden.com | ||||
| # PUSH_IDENTITY_URI=https://identity.bitwarden.com | ||||
| # European Union Data Region Settings | ||||
| # If you have selected "European Union" as your data region, use the following URIs instead. | ||||
| # PUSH_RELAY_URI=https://api.bitwarden.eu | ||||
| # PUSH_IDENTITY_URI=https://identity.bitwarden.eu | ||||
|  | ||||
| ## Controls whether users are allowed to create Bitwarden Sends. | ||||
| ## This setting applies globally to all users. | ||||
| ## To control this on a per-org basis instead, use the "Disable Send" org policy. | ||||
| # SENDS_ALLOWED=true | ||||
|  | ||||
| ## Controls whether users can enable emergency access to their accounts. | ||||
| ## This setting applies globally to all users. | ||||
| # EMERGENCY_ACCESS_ALLOWED=true | ||||
|  | ||||
| ## Controls whether event logging is enabled for organizations | ||||
| ## This setting applies to organizations. | ||||
| ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. | ||||
| # ORG_EVENTS_ENABLED=false | ||||
|  | ||||
| ## Controls whether users can change their email. | ||||
| ## This setting applies globally to all users | ||||
| # EMAIL_CHANGE_ALLOWED=true | ||||
|  | ||||
| ## Number of days to retain events stored in the database. | ||||
| ## If unset (the default), events are kept indefinitely and the scheduled job is disabled! | ||||
| # EVENTS_DAYS_RETAIN= | ||||
|  | ||||
| ## BETA FEATURE: Groups | ||||
| ## Controls whether group support is enabled for organizations | ||||
| ## This setting applies to organizations. | ||||
| ## Disabled by default because this is a beta feature, it contains known issues! | ||||
| ## KNOW WHAT YOU ARE DOING! | ||||
| # ORG_GROUPS_ENABLED=false | ||||
| ##################### | ||||
| ### Schedule jobs ### | ||||
| ##################### | ||||
|  | ||||
| ## Job scheduler settings | ||||
| ## | ||||
| @@ -118,7 +130,7 @@ | ||||
| ## and are always in terms of UTC time (regardless of your local time zone settings). | ||||
| ## | ||||
| ## The schedule format is a bit different from crontab as crontab does not contains seconds. | ||||
| ## You can test the the format here: https://crontab.guru, but remove the first digit! | ||||
| ## You can test the format here: https://crontab.guru, but remove the first digit! | ||||
| ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK | ||||
| ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri" | ||||
| ## "0   30     *          *            *          *     " | ||||
| @@ -151,39 +163,157 @@ | ||||
| ## Cron schedule of the job that cleans old events from the event table. | ||||
| ## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. | ||||
| # EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" | ||||
| ## Number of days to retain events stored in the database. | ||||
| ## If unset (the default), events are kept indefinitely and the scheduled job is disabled! | ||||
| # EVENTS_DAYS_RETAIN= | ||||
| ## | ||||
| ## Cron schedule of the job that cleans old auth requests from the auth request. | ||||
| ## Defaults to every minute. Set blank to disable this job. | ||||
| # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" | ||||
| ## | ||||
| ## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. | ||||
| ## Defaults to every minute. Set blank to disable this job. | ||||
| # DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" | ||||
| # | ||||
| ## Cron schedule of the job that cleans sso nonce from incomplete flow | ||||
| ## Defaults to daily (20 minutes after midnight). Set blank to disable this job. | ||||
| # PURGE_INCOMPLETE_SSO_NONCE="0 20 0 * * *" | ||||
|  | ||||
| ## Enable extended logging, which shows timestamps and targets in the logs | ||||
| # EXTENDED_LOGGING=true | ||||
| ######################## | ||||
| ### General settings ### | ||||
| ######################## | ||||
|  | ||||
| ## Timestamp format used in extended logging. | ||||
| ## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime | ||||
| # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" | ||||
| ## Domain settings | ||||
| ## The domain must match the address from where you access the server | ||||
| ## It's recommended to configure this value, otherwise certain functionality might not work, | ||||
| ## like attachment downloads, email links and U2F. | ||||
| ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs | ||||
| ## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy | ||||
| ## Details: | ||||
| ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS | ||||
| ## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples | ||||
| ## For development | ||||
| # DOMAIN=http://localhost | ||||
| ## For public server | ||||
| # DOMAIN=https://vw.domain.tld | ||||
| ## For public server (URL with port number) | ||||
| # DOMAIN=https://vw.domain.tld:8443 | ||||
| ## For public server (URL with path) | ||||
| # DOMAIN=https://domain.tld/vw | ||||
|  | ||||
| ## Logging to file | ||||
| # LOG_FILE=/path/to/log | ||||
| ## Controls whether users are allowed to create Bitwarden Sends. | ||||
| ## This setting applies globally to all users. | ||||
| ## To control this on a per-org basis instead, use the "Disable Send" org policy. | ||||
| # SENDS_ALLOWED=true | ||||
|  | ||||
| ## Logging to Syslog | ||||
| ## This requires extended logging | ||||
| # USE_SYSLOG=false | ||||
| ## HIBP Api Key | ||||
| ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key | ||||
| # HIBP_API_KEY= | ||||
|  | ||||
| ## Log level | ||||
| ## Change the verbosity of the log output | ||||
| ## Valid values are "trace", "debug", "info", "warn", "error" and "off" | ||||
| ## Setting it to "trace" or "debug" would also show logs for mounted | ||||
| ## routes and static file, websocket and alive requests | ||||
| # LOG_LEVEL=Info | ||||
| ## Per-organization attachment storage limit (KB) | ||||
| ## Max kilobytes of attachment storage allowed per organization. | ||||
| ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. | ||||
| # ORG_ATTACHMENT_LIMIT= | ||||
| ## Per-user attachment storage limit (KB) | ||||
| ## Max kilobytes of attachment storage allowed per user. | ||||
| ## When this limit is reached, the user will not be allowed to upload further attachments. | ||||
| # USER_ATTACHMENT_LIMIT= | ||||
| ## Per-user send storage limit (KB) | ||||
| ## Max kilobytes of send storage allowed per user. | ||||
| ## When this limit is reached, the user will not be allowed to upload further sends. | ||||
| # USER_SEND_LIMIT= | ||||
|  | ||||
| ## Enable WAL for the DB | ||||
| ## Set to false to avoid enabling WAL during startup. | ||||
| ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, | ||||
| ## this setting only prevents Vaultwarden from automatically enabling it on start. | ||||
| ## Please read project wiki page about this setting first before changing the value as it can | ||||
| ## cause performance degradation or might render the service unable to start. | ||||
| # ENABLE_DB_WAL=true | ||||
| ## Number of days to wait before auto-deleting a trashed item. | ||||
| ## If unset (the default), trashed items are not auto-deleted. | ||||
| ## This setting applies globally, so make sure to inform all users of any changes to this setting. | ||||
| # TRASH_AUTO_DELETE_DAYS= | ||||
|  | ||||
| ## Database connection retries | ||||
| ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely | ||||
| # DB_CONNECTION_RETRIES=15 | ||||
| ## Number of minutes to wait before a 2FA-enabled login is considered incomplete, | ||||
| ## resulting in an email notification. An incomplete 2FA login is one where the correct | ||||
| ## master password was provided but the required 2FA step was not completed, which | ||||
| ## potentially indicates a master password compromise. Set to 0 to disable this check. | ||||
| ## This setting applies globally to all users. | ||||
| # INCOMPLETE_2FA_TIME_LIMIT=3 | ||||
|  | ||||
| ## Disable icon downloading | ||||
| ## Set to true to disable icon downloading in the internal icon service. | ||||
| ## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external | ||||
| ## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons | ||||
| ## will be deleted eventually, but won't be downloaded again. | ||||
| # DISABLE_ICON_DOWNLOAD=false | ||||
|  | ||||
| ## Controls if new users can register | ||||
| # SIGNUPS_ALLOWED=true | ||||
|  | ||||
| ## Controls if new users need to verify their email address upon registration | ||||
| ## On new client versions, this will require the user to verify their email at signup time. | ||||
| ## On older clients, it will require the user to verify their email before they can log in. | ||||
| ## The welcome email will include a verification link, and login attempts will periodically | ||||
| ## trigger another verification email to be sent. | ||||
| # SIGNUPS_VERIFY=false | ||||
|  | ||||
| ## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time | ||||
| ## an email verification link has been sent another verification email will be sent | ||||
| # SIGNUPS_VERIFY_RESEND_TIME=3600 | ||||
|  | ||||
| ## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification | ||||
| ## email will be re-sent upon an attempted login. | ||||
| # SIGNUPS_VERIFY_RESEND_LIMIT=6 | ||||
|  | ||||
| ## Controls if new users from a list of comma-separated domains can register | ||||
| ## even if SIGNUPS_ALLOWED is set to false | ||||
| # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org | ||||
|  | ||||
| ## Controls whether event logging is enabled for organizations | ||||
| ## This setting applies to organizations. | ||||
| ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. | ||||
| # ORG_EVENTS_ENABLED=false | ||||
|  | ||||
| ## Controls which users can create new orgs. | ||||
| ## Blank or 'all' means all users can create orgs (this is the default): | ||||
| # ORG_CREATION_USERS= | ||||
| ## 'none' means no users can create orgs: | ||||
| # ORG_CREATION_USERS=none | ||||
| ## A comma-separated list means only those users can create orgs: | ||||
| # ORG_CREATION_USERS=admin1@example.com,admin2@example.com | ||||
|  | ||||
| ## Allows org admins to invite users, even when signups are disabled | ||||
| # INVITATIONS_ALLOWED=true | ||||
| ## Name shown in the invitation emails that don't come from a specific organization | ||||
| # INVITATION_ORG_NAME=Vaultwarden | ||||
|  | ||||
| ## The number of hours after which an organization invite token, emergency access invite token, | ||||
| ## email verification token and deletion request token will expire (must be at least 1) | ||||
| # INVITATION_EXPIRATION_HOURS=120 | ||||
|  | ||||
| ## Controls whether users can enable emergency access to their accounts. | ||||
| ## This setting applies globally to all users. | ||||
| # EMERGENCY_ACCESS_ALLOWED=true | ||||
|  | ||||
| ## Controls whether users can change their email. | ||||
| ## This setting applies globally to all users | ||||
| # EMAIL_CHANGE_ALLOWED=true | ||||
|  | ||||
| ## Number of server-side passwords hashing iterations for the password hash. | ||||
| ## The default for new users. If changed, it will be updated during login for existing users. | ||||
| # PASSWORD_ITERATIONS=600000 | ||||
|  | ||||
| ## Controls whether users can set or show password hints. This setting applies globally to all users. | ||||
| # PASSWORD_HINTS_ALLOWED=true | ||||
|  | ||||
| ## Controls whether a password hint should be shown directly in the web page if | ||||
| ## SMTP service is not configured and password hints are allowed. | ||||
| ## Not recommended for publicly-accessible instances because this provides | ||||
| ## unauthenticated access to potentially sensitive data. | ||||
| # SHOW_PASSWORD_HINT=false | ||||
|  | ||||
| ######################### | ||||
| ### Advanced settings ### | ||||
| ######################### | ||||
|  | ||||
| ## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" | ||||
| ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP | ||||
| # IP_HEADER=X-Real-IP | ||||
|  | ||||
| ## Icon service | ||||
| ## The predefined icon services are: internal, bitwarden, duckduckgo, google. | ||||
| @@ -206,73 +336,69 @@ | ||||
| ## are currently better supported by the Bitwarden clients. | ||||
| # ICON_REDIRECT_CODE=302 | ||||
|  | ||||
| ## Disable icon downloading | ||||
| ## Set to true to disable icon downloading in the internal icon service. | ||||
| ## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external | ||||
| ## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons | ||||
| ## will be deleted eventually, but won't be downloaded again. | ||||
| # DISABLE_ICON_DOWNLOAD=false | ||||
| ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") | ||||
| ## Default: 2592000 (30 days) | ||||
| # ICON_CACHE_TTL=2592000 | ||||
| ## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") | ||||
| ## Default: 2592000 (3 days) | ||||
| # ICON_CACHE_NEGTTL=259200 | ||||
|  | ||||
| ## Icon download timeout | ||||
| ## Configure the timeout value when downloading the favicons. | ||||
| ## The default is 10 seconds, but this could be to low on slower network connections | ||||
| ## The default is 10 seconds, but this could be too low on slower network connections | ||||
| # ICON_DOWNLOAD_TIMEOUT=10 | ||||
|  | ||||
| ## Icon blacklist Regex | ||||
| ## Any domains or IPs that match this regex won't be fetched by the icon service. | ||||
| ## Block HTTP domains/IPs by Regex | ||||
| ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. | ||||
| ## Useful to hide other servers in the local network. Check the WIKI for more details | ||||
| ## NOTE: Always enclose this regex withing single quotes! | ||||
| # ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' | ||||
| ## NOTE: Always enclose this regex within single quotes! | ||||
| # HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' | ||||
|  | ||||
| ## Any IP which is not defined as a global IP will be blacklisted. | ||||
| ## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address. | ||||
| ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block | ||||
| # ICON_BLACKLIST_NON_GLOBAL_IPS=true | ||||
| # HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true | ||||
|  | ||||
| ## Disable 2FA remember | ||||
| ## Enabling this would force the users to use a second factor to login every time. | ||||
| ## Note that the checkbox would still be present, but ignored. | ||||
| # DISABLE_2FA_REMEMBER=false | ||||
| ## Client Settings | ||||
| ## Enable experimental feature flags for clients. | ||||
| ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". | ||||
| ## Note that clients cache the /api/config endpoint for about 1 hour and it could take some time before they are enabled or disabled! | ||||
| ## | ||||
| ## The following flags are available: | ||||
| ## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. | ||||
| ## - "inline-menu-totp": Enable the use of inline menu TOTP codes in the browser extension. | ||||
| ## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) | ||||
| ## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) | ||||
| ## - "export-attachments": Enable support for exporting attachments (Clients >=2025.4.0) | ||||
| ## - "anon-addy-self-host-alias": Enable configuring self-hosted Anon Addy alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0) | ||||
| ## - "simple-login-self-host-alias": Enable configuring self-hosted Simple Login alias generator. (Needs Android >=2025.3.0, iOS >=2025.4.0) | ||||
| ## - "mutual-tls": Enable the use of mutual TLS on Android (Client >= 2025.2.0) | ||||
| # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials | ||||
|  | ||||
| ## Maximum attempts before an email token is reset and a new email will need to be sent. | ||||
| # EMAIL_ATTEMPTS_LIMIT=3 | ||||
| ## Require new device emails. When a user logs in an email is required to be sent. | ||||
| ## If sending the email fails the login attempt will fail!! | ||||
| # REQUIRE_DEVICE_EMAIL=false | ||||
|  | ||||
| ## Token expiration time | ||||
| ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. | ||||
| # EMAIL_EXPIRATION_TIME=600 | ||||
| ## Enable extended logging, which shows timestamps and targets in the logs | ||||
| # EXTENDED_LOGGING=true | ||||
|  | ||||
| ## Email token size | ||||
| ## Number of digits in an email 2FA token (min: 6, max: 255). | ||||
| ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! | ||||
| # EMAIL_TOKEN_SIZE=6 | ||||
| ## Timestamp format used in extended logging. | ||||
| ## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime | ||||
| # LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" | ||||
|  | ||||
| ## Controls if new users can register | ||||
| # SIGNUPS_ALLOWED=true | ||||
| ## Logging to Syslog | ||||
| ## This requires extended logging | ||||
| # USE_SYSLOG=false | ||||
|  | ||||
| ## Controls if new users need to verify their email address upon registration | ||||
| ## Note that setting this option to true prevents logins until the email address has been verified! | ||||
| ## The welcome email will include a verification link, and login attempts will periodically | ||||
| ## trigger another verification email to be sent. | ||||
| # SIGNUPS_VERIFY=false | ||||
| ## Logging to file | ||||
| # LOG_FILE=/path/to/log | ||||
|  | ||||
| ## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time | ||||
| ## an email verification link has been sent another verification email will be sent | ||||
| # SIGNUPS_VERIFY_RESEND_TIME=3600 | ||||
|  | ||||
| ## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification | ||||
| ## email will be re-sent upon an attempted login. | ||||
| # SIGNUPS_VERIFY_RESEND_LIMIT=6 | ||||
|  | ||||
| ## Controls if new users from a list of comma-separated domains can register | ||||
| ## even if SIGNUPS_ALLOWED is set to false | ||||
| # SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org | ||||
|  | ||||
| ## Controls which users can create new orgs. | ||||
| ## Blank or 'all' means all users can create orgs (this is the default): | ||||
| # ORG_CREATION_USERS= | ||||
| ## 'none' means no users can create orgs: | ||||
| # ORG_CREATION_USERS=none | ||||
| ## A comma-separated list means only those users can create orgs: | ||||
| # ORG_CREATION_USERS=admin1@example.com,admin2@example.com | ||||
| ## Log level | ||||
| ## Change the verbosity of the log output | ||||
| ## Valid values are "trace", "debug", "info", "warn", "error" and "off" | ||||
| ## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests | ||||
| ## For a specific module append a comma separated `path::to::module=log_level` | ||||
| ## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" | ||||
| # LOG_LEVEL=info | ||||
|  | ||||
| ## Token for the admin interface, preferably an Argon2 PCH string | ||||
| ## Vaultwarden has a built-in generator by calling `vaultwarden hash` | ||||
| @@ -289,54 +415,13 @@ | ||||
| ## meant to be used with the use of a separate auth layer in front | ||||
| # DISABLE_ADMIN_TOKEN=false | ||||
|  | ||||
| ## Invitations org admins to invite users, even when signups are disabled | ||||
| # INVITATIONS_ALLOWED=true | ||||
| ## Name shown in the invitation emails that don't come from a specific organization | ||||
| # INVITATION_ORG_NAME=Vaultwarden | ||||
| ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. | ||||
| # ADMIN_RATELIMIT_SECONDS=300 | ||||
| ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. | ||||
| # ADMIN_RATELIMIT_MAX_BURST=3 | ||||
|  | ||||
| ## The number of hours after which an organization invite token, emergency access invite token, | ||||
| ## email verification token and deletion request token will expire (must be at least 1) | ||||
| # INVITATION_EXPIRATION_HOURS=120 | ||||
|  | ||||
| ## Per-organization attachment storage limit (KB) | ||||
| ## Max kilobytes of attachment storage allowed per organization. | ||||
| ## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. | ||||
| # ORG_ATTACHMENT_LIMIT= | ||||
| ## Per-user attachment storage limit (KB) | ||||
| ## Max kilobytes of attachment storage allowed per user. | ||||
| ## When this limit is reached, the user will not be allowed to upload further attachments. | ||||
| # USER_ATTACHMENT_LIMIT= | ||||
|  | ||||
| ## Number of days to wait before auto-deleting a trashed item. | ||||
| ## If unset (the default), trashed items are not auto-deleted. | ||||
| ## This setting applies globally, so make sure to inform all users of any changes to this setting. | ||||
| # TRASH_AUTO_DELETE_DAYS= | ||||
|  | ||||
| ## Number of minutes to wait before a 2FA-enabled login is considered incomplete, | ||||
| ## resulting in an email notification. An incomplete 2FA login is one where the correct | ||||
| ## master password was provided but the required 2FA step was not completed, which | ||||
| ## potentially indicates a master password compromise. Set to 0 to disable this check. | ||||
| ## This setting applies globally to all users. | ||||
| # INCOMPLETE_2FA_TIME_LIMIT=3 | ||||
|  | ||||
| ## Number of server-side passwords hashing iterations for the password hash. | ||||
| ## The default for new users. If changed, it will be updated during login for existing users. | ||||
| # PASSWORD_ITERATIONS=350000 | ||||
|  | ||||
| ## Controls whether users can set password hints. This setting applies globally to all users. | ||||
| # PASSWORD_HINTS_ALLOWED=true | ||||
|  | ||||
| ## Controls whether a password hint should be shown directly in the web page if | ||||
| ## SMTP service is not configured. Not recommended for publicly-accessible instances | ||||
| ## as this provides unauthenticated access to potentially sensitive data. | ||||
| # SHOW_PASSWORD_HINT=false | ||||
|  | ||||
| ## Domain settings | ||||
| ## The domain must match the address from where you access the server | ||||
| ## It's recommended to configure this value, otherwise certain functionality might not work, | ||||
| ## like attachment downloads, email links and U2F. | ||||
| ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs | ||||
| # DOMAIN=https://vw.domain.tld:8443 | ||||
| ## Set the lifetime of admin sessions to this value (in minutes). | ||||
| # ADMIN_SESSION_LIFETIME=20 | ||||
|  | ||||
| ## Allowed iframe ancestors (Know the risks!) | ||||
| ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors | ||||
| @@ -345,19 +430,91 @@ | ||||
| ## Multiple values must be separated with a whitespace. | ||||
| # ALLOWED_IFRAME_ANCESTORS= | ||||
|  | ||||
| ## Allowed connect-src (Know the risks!) | ||||
| ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src | ||||
| ## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature | ||||
| ## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value. | ||||
| ## Multiple values must be separated with a whitespace. And only HTTPS values are allowed. | ||||
| ## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld" | ||||
| # ALLOWED_CONNECT_SRC="" | ||||
|  | ||||
| ## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. | ||||
| # LOGIN_RATELIMIT_SECONDS=60 | ||||
| ## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. | ||||
| ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. | ||||
| # LOGIN_RATELIMIT_MAX_BURST=10 | ||||
|  | ||||
| ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. | ||||
| # ADMIN_RATELIMIT_SECONDS=300 | ||||
| ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. | ||||
| # ADMIN_RATELIMIT_MAX_BURST=3 | ||||
| ## BETA FEATURE: Groups | ||||
| ## Controls whether group support is enabled for organizations | ||||
| ## This setting applies to organizations. | ||||
| ## Disabled by default because this is a beta feature, it contains known issues! | ||||
| ## KNOW WHAT YOU ARE DOING! | ||||
| # ORG_GROUPS_ENABLED=false | ||||
|  | ||||
| ## Set the lifetime of admin sessions to this value (in minutes). | ||||
| # ADMIN_SESSION_LIFETIME=20 | ||||
| ## Increase secure note size limit (Know the risks!) | ||||
| ## Sets the secure note size limit to 100_000 instead of the default 10_000. | ||||
| ## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! | ||||
| ## KNOW WHAT YOU ARE DOING! | ||||
| # INCREASE_NOTE_SIZE_LIMIT=false | ||||
|  | ||||
| ## Enforce Single Org with Reset Password Policy | ||||
| ## Enforce that the Single Org policy is enabled before setting the Reset Password policy | ||||
| ## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available. | ||||
| ## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy. | ||||
| # ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false | ||||
|  | ||||
| ##################################### | ||||
| ### SSO settings (OpenID Connect) ### | ||||
| ##################################### | ||||
|  | ||||
| ## Controls whether users can login using an OpenID Connect identity provider | ||||
| # SSO_ENABLED=false | ||||
|  | ||||
| ## Prevent users from logging in directly without going through SSO | ||||
| # SSO_ONLY=false | ||||
|  | ||||
| ## On SSO Signup if a user with a matching email already exists make the association | ||||
| # SSO_SIGNUPS_MATCH_EMAIL=true | ||||
|  | ||||
| ## Allow unknown email verification status. Allowing this with `SSO_SIGNUPS_MATCH_EMAIL=true` open potential account takeover. | ||||
| # SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=false | ||||
|  | ||||
| ## Base URL of the OIDC server (auto-discovery is used) | ||||
| ##  - Should not include the `/.well-known/openid-configuration` part and no trailing `/` | ||||
| ##  - ${SSO_AUTHORITY}/.well-known/openid-configuration should return a json document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse | ||||
| # SSO_AUTHORITY=https://auth.example.com | ||||
|  | ||||
| ## Authorization request scopes. Optional SSO scopes, override if email and profile are not enough (`openid` is implicit). | ||||
| # SSO_SCOPES="email profile" | ||||
|  | ||||
| ## Additional authorization url parameters (ex: to obtain a `refresh_token` with Google Auth). | ||||
| # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent" | ||||
|  | ||||
| ## Activate PKCE for the Auth Code flow. | ||||
| # SSO_PKCE=true | ||||
|  | ||||
| ## Regex for additional trusted Id token audience (by default only the client_id is trusted). | ||||
| # SSO_AUDIENCE_TRUSTED='^$' | ||||
|  | ||||
| ## Set your Client ID and Client Key | ||||
| # SSO_CLIENT_ID=11111 | ||||
| # SSO_CLIENT_SECRET=AAAAAAAAAAAAAAAAAAAAAAAA | ||||
|  | ||||
| ## Optional Master password policy (minComplexity=[0-4]), `enforceOnLogin` is not supported at the moment. | ||||
| # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}' | ||||
|  | ||||
| ## Use sso only for authentication not the session lifecycle | ||||
| # SSO_AUTH_ONLY_NOT_SESSION=false | ||||
|  | ||||
| ## Client cache for discovery endpoint. Duration in seconds (0 to disable). | ||||
| # SSO_CLIENT_CACHE_EXPIRATION=0 | ||||
|  | ||||
| ## Log all the tokens, LOG_LEVEL=debug is required | ||||
| # SSO_DEBUG_TOKENS=false | ||||
|  | ||||
| ######################## | ||||
| ### MFA/2FA settings ### | ||||
| ######################## | ||||
|  | ||||
| ## Yubico (Yubikey) Settings | ||||
| ## Set your Client ID and Secret Key for Yubikey OTP | ||||
| @@ -368,34 +525,61 @@ | ||||
| # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify | ||||
|  | ||||
| ## Duo Settings | ||||
| ## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves | ||||
| ## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. | ||||
| ## Otherwise users will need to configure it themselves. | ||||
| ## Create an account and protect an application as mentioned in this link (only the first step, not the rest): | ||||
| ## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account | ||||
| ## Then set the following options, based on the values obtained from the last step: | ||||
| # DUO_IKEY=<Integration Key> | ||||
| # DUO_SKEY=<Secret Key> | ||||
| # DUO_IKEY=<Client ID> | ||||
| # DUO_SKEY=<Client Secret> | ||||
| # DUO_HOST=<API Hostname> | ||||
| ## After that, you should be able to follow the rest of the guide linked above, | ||||
| ## ignoring the fields that ask for the values that you already configured beforehand. | ||||
| ## | ||||
| ## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. | ||||
| ## Duo no longer supports this, but it still works for some integrations. | ||||
| ## If you aren't sure, leave this alone. | ||||
| # DUO_USE_IFRAME=false | ||||
|  | ||||
| ## Email 2FA settings | ||||
| ## Email token size | ||||
| ## Number of digits in an email 2FA token (min: 6, max: 255). | ||||
| ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! | ||||
| # EMAIL_TOKEN_SIZE=6 | ||||
| ## | ||||
| ## Token expiration time | ||||
| ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. | ||||
| # EMAIL_EXPIRATION_TIME=600 | ||||
| ## | ||||
| ## Maximum attempts before an email token is reset and a new email will need to be sent. | ||||
| # EMAIL_ATTEMPTS_LIMIT=3 | ||||
| ## | ||||
| ## Setup email 2FA on registration regardless of any organization policy | ||||
| # EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false | ||||
| ## Automatically setup email 2FA as fallback provider when needed | ||||
| # EMAIL_2FA_AUTO_FALLBACK=false | ||||
|  | ||||
| ## Other MFA/2FA settings | ||||
| ## Disable 2FA remember | ||||
| ## Enabling this would force the users to use a second factor to login every time. | ||||
| ## Note that the checkbox would still be present, but ignored. | ||||
| # DISABLE_2FA_REMEMBER=false | ||||
| ## | ||||
| ## Authenticator Settings | ||||
| ## Disable authenticator time drifted codes to be valid. | ||||
| ## TOTP codes of the previous and next 30 seconds will be invalid | ||||
| ## | ||||
| ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), | ||||
| ## we allow by default the TOTP code which was valid one step back and one in the future. | ||||
| ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. | ||||
| ## This can however allow attackers to be a bit more lucky with their attempts because there are 3 valid codes. | ||||
| ## You can disable this, so that only the current TOTP Code is allowed. | ||||
| ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid. | ||||
| ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. | ||||
| # AUTHENTICATOR_DISABLE_TIME_DRIFT=false | ||||
|  | ||||
| ## Rocket specific settings | ||||
| ## See https://rocket.rs/v0.4/guide/configuration/ for more details. | ||||
| # ROCKET_ADDRESS=0.0.0.0 | ||||
| # ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise. | ||||
| # ROCKET_WORKERS=10 | ||||
| # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} | ||||
| ########################### | ||||
| ### SMTP Email settings ### | ||||
| ########################### | ||||
|  | ||||
| ## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service. | ||||
| ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. | ||||
| @@ -403,12 +587,19 @@ | ||||
| # SMTP_HOST=smtp.domain.tld | ||||
| # SMTP_FROM=vaultwarden@domain.tld | ||||
| # SMTP_FROM_NAME=Vaultwarden | ||||
| # SMTP_SECURITY=starttls # ("starttls", "force_tls", "off") Enable a secure connection. Default is "starttls" (Explicit - ports 587 or 25), "force_tls" (Implicit - port 465) or "off", no encryption (port 25) | ||||
| # SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS). | ||||
| # SMTP_USERNAME=username | ||||
| # SMTP_PASSWORD=password | ||||
| # SMTP_TIMEOUT=15 | ||||
|  | ||||
| ## Choose the type of secure connection for SMTP. The default is "starttls". | ||||
| ## The available options are: | ||||
| ## - "starttls": The default port is 587. | ||||
| ## - "force_tls": The default port is 465. | ||||
| ## - "off": The default port is 25. | ||||
| ## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS). | ||||
| # SMTP_SECURITY=starttls | ||||
| # SMTP_PORT=587 | ||||
|  | ||||
| # Whether to send mail via the `sendmail` command | ||||
| # USE_SENDMAIL=false | ||||
| # Which sendmail command to use. The one found in the $PATH is used if not specified. | ||||
| @@ -417,7 +608,7 @@ | ||||
| ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. | ||||
| ## Possible values: ["Plain", "Login", "Xoauth2"]. | ||||
| ## Multiple options need to be separated by a comma ','. | ||||
| # SMTP_AUTH_MECHANISM="Plain" | ||||
| # SMTP_AUTH_MECHANISM= | ||||
|  | ||||
| ## Server name sent during the SMTP HELO | ||||
| ## By default this value should be is on the machine's hostname, | ||||
| @@ -425,30 +616,34 @@ | ||||
| # HELO_NAME= | ||||
|  | ||||
| ## Embed images as email attachments | ||||
| # SMTP_EMBED_IMAGES=false | ||||
| # SMTP_EMBED_IMAGES=true | ||||
|  | ||||
| ## SMTP debugging | ||||
| ## When set to true this will output very detailed SMTP messages. | ||||
| ## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting! | ||||
| # SMTP_DEBUG=false | ||||
|  | ||||
| ## Accept Invalid Hostnames | ||||
| ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ||||
| ## Only use this as a last resort if you are not able to use a valid certificate. | ||||
| # SMTP_ACCEPT_INVALID_HOSTNAMES=false | ||||
|  | ||||
| ## Accept Invalid Certificates | ||||
| ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ||||
| ## Only use this as a last resort if you are not able to use a valid certificate. | ||||
| ## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead. | ||||
| # SMTP_ACCEPT_INVALID_CERTS=false | ||||
|  | ||||
| ## Require new device emails. When a user logs in an email is required to be sent. | ||||
| ## If sending the email fails the login attempt will fail!! | ||||
| # REQUIRE_DEVICE_EMAIL=false | ||||
| ## Accept Invalid Hostnames | ||||
| ## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! | ||||
| ## Only use this as a last resort if you are not able to use a valid certificate. | ||||
| # SMTP_ACCEPT_INVALID_HOSTNAMES=false | ||||
|  | ||||
| ####################### | ||||
| ### Rocket settings ### | ||||
| ####################### | ||||
|  | ||||
| ## Rocket specific settings | ||||
| ## See https://rocket.rs/v0.5/guide/configuration/ for more details. | ||||
| # ROCKET_ADDRESS=0.0.0.0 | ||||
| ## The default port is 8000, unless running in a Docker container, in which case it is 80. | ||||
| # ROCKET_PORT=8000 | ||||
| # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} | ||||
|  | ||||
| ## HIBP Api Key | ||||
| ## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key | ||||
| # HIBP_API_KEY= | ||||
|  | ||||
| # vim: syntax=ini | ||||
|   | ||||
							
								
								
									
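--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,6 @@
+/.github @dani-garcia @BlackDex
+/.github/** @dani-garcia @BlackDex
+/.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/ISSUE_TEMPLATE/** @dani-garcia @BlackDex
+/.github/workflows/** @dani-garcia @BlackDex
+/SECURITY.md @dani-garcia @BlackDex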
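Review bot: A CODEOWNERS file only gates merges when the default branch's protection rule or ruleset has "Require review from Code Owners" enabled; without that it is merely a reviewer-suggestion hint, so that setting should be confirmed alongside this commit and recorded at the top of the file, e.g. `# Enforced via branch protection: code-owner review is required on the default branch`. The `/.github`, `/.github/CODEOWNERS`, `/.github/ISSUE_TEMPLATE/**` and `/.github/workflows/**` entries appear to be fully covered by `/.github/**` with the same owners, so the file could be reduced to `/.github/** @dani-garcia @BlackDex` and `/SECURITY.md @dani-garcia @BlackDex` unless the narrower patterns are kept deliberately for readability. Note also that the listed accounts must have write access to the repository for the owner assignment to take effect.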
							
								
								
									
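--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,66 +0,0 @@
----
-name: Bug report
-about: Use this ONLY for bugs in vaultwarden itself. Use the Discourse forum (link below) to request features or get help with usage/configuration. If in doubt, use the forum.
-title: ''
-labels: ''
-assignees: ''
-
----
-<!--
-    # ###
-    NOTE: Please update to the latest version of vaultwarden before reporting an issue!
-    This saves you and us a lot of time and troubleshooting.
-    See:
-    * https://github.com/dani-garcia/vaultwarden/issues/1180
-    * https://github.com/dani-garcia/vaultwarden/wiki/Updating-the-vaultwarden-image
-    # ###
--->
-
-<!--
-Please fill out the following template to make solving your problem easier and faster for us.
-This is only a guideline. If you think that parts are unnecessary for your issue, feel free to remove them.
-
-Remember to hide/redact personal or confidential information,
-such as passwords, IP addresses, and DNS names as appropriate.
--->
-
-### Subject of the issue
-<!-- Describe your issue here. -->
-
-### Deployment environment
-
-<!--
-    =========================================================================================
-    Preferably, use the `Generate Support String` button on the admin page's Diagnostics tab.
-    That will auto-generate most of the info requested in this section.
-    =========================================================================================
--->
-
-<!-- The version number, obtained from the logs (at startup) or the admin diagnostics page -->
-<!-- This is NOT the version number shown on the web vault, which is versioned separately from vaultwarden -->
-<!-- Remember to check if your issue exists on the latest version first! -->
-* vaultwarden version:
-
-<!-- How the server was installed: Docker image, OS package, built from source, etc. -->
-* Install method:
-
-* Clients used: <!-- web vault, desktop, Android, iOS, etc. (if applicable) -->
-
-* Reverse proxy and version: <!-- if applicable -->
-
-* MySQL/MariaDB or PostgreSQL version: <!-- if applicable -->
-
-* Other relevant details:
-
-### Steps to reproduce
-<!-- Tell us how to reproduce this issue. What parameters did you set (differently from the defaults)
-and how did you start vaultwarden? -->
-
-### Expected behaviour
-<!-- Tell us what you expected to happen -->
-
-### Actual behaviour
-<!-- Tell us what actually happened -->
-
-### Troubleshooting data
-<!-- Share any log files, screenshots, or other relevant troubleshooting data -->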
							
								
								
									
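--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,182 @@
+name: Bug Report
+description: File a bug report
+labels: ["bug"]
+body:
+  #
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+
+        Please **do not** submit feature requests or ask for help on how to configure Vaultwarden here!
+
+        The [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions/) has sections for Questions and Ideas.
+
+        Our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki/) has topics on how to configure Vaultwarden.
+
+        Also, make sure you are running [](https://github.com/dani-garcia/vaultwarden/releases/latest) of Vaultwarden!
+
+        Be sure to check and validate the Vaultwarden Admin Diagnostics (`/admin/diagnostics`) page for any errors!
+        See here [how to enable the admin page](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page).
+
+        > [!IMPORTANT]
+        > ## :bangbang: Search for existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) regarding your topic before posting! :bangbang:
+  #
+  - type: checkboxes
+    id: checklist
+    attributes:
+      label: Prerequisites
+      description: Please confirm you have completed the following before submitting an issue!
+      options:
+        - label: I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=)
+          required: true
+        - label: I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/)
+          required: true
+  #
+  - id: support-string
+    type: textarea
+    attributes:
+      label: Vaultwarden Support String
+      description: Output of the **Generate Support String** from the `/admin/diagnostics` page.
+      placeholder: |
+        1. Go to the Vaultwarden Admin of your instance https://example.domain.tld/admin/diagnostics
+        2. Click on `Generate Support String`
+        3. Click on `Copy To Clipboard`
+        4. Replace this text by pasting it into this textarea without any modifications
+    validations:
+      required: true
+  #
+  - id: version
+    type: input
+    attributes:
+      label: Vaultwarden Build Version
+      description: What version of Vaultwarden are you running?
+      placeholder: ex. v1.34.0 or v1.34.1-53f58b14
+    validations:
+      required: true
+  #
+  - id: deployment
+    type: dropdown
+    attributes:
+      label: Deployment method
+      description: How did you deploy Vaultwarden?
+      multiple: false
+      options:
+        - Official Container Image
+        - Build from source
+        - OS Package (apt, yum/dnf, pacman, apk, nix, ...)
+        - Manually Extracted from Container Image
+        - Downloaded from GitHub Actions Release Workflow
+        - Other method
+    validations:
+      required: true
+  #
+  - id: deployment-other
+    type: textarea
+    attributes:
+      label: Custom deployment method
+      description: If you deployed Vaultwarden via any other method, please describe how.
+  #
+  - id: reverse-proxy
+    type: input
+    attributes:
+      label: Reverse Proxy
+      description: Are you using a reverse proxy, if so which and what version?
+      placeholder: ex. nginx 1.29.0, caddy 2.10.0, traefik 3.4.4, haproxy 3.2
+    validations:
+      required: true
+  #
+  - id: os
+    type: dropdown
+    attributes:
+      label: Host/Server Operating System
+      description: On what operating system are you running the Vaultwarden server?
+      multiple: false
+      options:
+        - Linux
+        - NAS/SAN
+        - Cloud
+        - Windows
+        - macOS
+        - Other
+    validations:
+      required: true
+  #
+  - id: os-version
+    type: input
+    attributes:
+      label: Operating System Version
+      description: What version of the operating system(s) are you seeing the problem on?
+      placeholder: ex. Arch Linux, Ubuntu 24.04, Kubernetes, Synology DSM 7.x, Windows 11
+  #
+  - id: clients
+    type: dropdown
+    attributes:
+      label: Clients
+      description: What client(s) are you seeing the problem on?
+      multiple: true
+      options:
+        - Web Vault
+        - Browser Extension
+        - CLI
+        - Desktop
+        - Android
+        - iOS
+    validations:
+      required: true
+  #
+  - id: client-version
+    type: input
+    attributes:
+      label: Client Version
+      description: What version(s) of the client(s) are you seeing the problem on?
+      placeholder: ex. CLI v2025.7.0, Firefox 140 - v2025.6.1
+  #
+  - id: reproduce
+    type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: How can we reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. Click on '...'
+        5. Etc '...'
+    validations:
+      required: true
+  #
+  - id: expected
+    type: textarea
+    attributes:
+      label: Expected Result
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  #
+  - id: actual
+    type: textarea
+    attributes:
+      label: Actual Result
+      description: A clear and concise description of what is happening.
+    validations:
+      required: true
+  #
+  - id: logs
+    type: textarea
+    attributes:
+      label: Logs
+      description: Provide the logs generated by Vaultwarden during the time this issue occurs.
+      render: text
+  #
+  - id: screenshots
+    type: textarea
+    attributes:
+      label: Screenshots or Videos
+      description: If applicable, add screenshots and/or a short video to help explain your problem.
+  #
+  - id: additional-context
+    type: textarea
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.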
							
								
								
									
								.github/ISSUE_TEMPLATE/config.yml
									
									
									
									
							| @@ -1,8 +1,8 @@ | ||||
| blank_issues_enabled: false | ||||
| contact_links: | ||||
|   - name: Discourse forum for vaultwarden | ||||
|     url: https://vaultwarden.discourse.group/ | ||||
|     about: Use this forum to request features or get help with usage/configuration. | ||||
|   - name: GitHub Discussions for vaultwarden | ||||
|   - name: GitHub Discussions for Vaultwarden | ||||
|     url: https://github.com/dani-garcia/vaultwarden/discussions | ||||
|     about: An alternative to the Discourse forum, if this is easier for you. | ||||
|     about: Use the discussions to request features or get help with usage/configuration. | ||||
|   - name: Discourse forum for Vaultwarden | ||||
|     url: https://vaultwarden.discourse.group/ | ||||
|     about: An alternative to the GitHub Discussions, if this is easier for you. | ||||
|   | ||||
							
								
								
									
								.github/workflows/build.yml
									
									
									
									
							| @@ -1,4 +1,5 @@ | ||||
| name: Build | ||||
| permissions: {} | ||||
|  | ||||
| on: | ||||
|   push: | ||||
| @@ -13,6 +14,7 @@ on: | ||||
|       - "diesel.toml" | ||||
|       - "docker/Dockerfile.j2" | ||||
|       - "docker/DockerSettings.yaml" | ||||
|  | ||||
|   pull_request: | ||||
|     paths: | ||||
|       - ".github/workflows/build.yml" | ||||
| @@ -28,12 +30,17 @@ on: | ||||
|  | ||||
| jobs: | ||||
|   build: | ||||
|     name: Build and Test ${{ matrix.channel }} | ||||
|     permissions: | ||||
|       actions: write | ||||
|       contents: read | ||||
|     # We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers | ||||
|     runs-on: ubuntu-22.04 | ||||
|     timeout-minutes: 120 | ||||
|     # Make warnings errors, this is to prevent warnings slipping through. | ||||
|     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes. | ||||
|     env: | ||||
|       RUSTFLAGS: "-D warnings" | ||||
|       RUSTFLAGS: "-Dwarnings" | ||||
|     strategy: | ||||
|       fail-fast: false | ||||
|       matrix: | ||||
| @@ -41,32 +48,33 @@ jobs: | ||||
|           - "rust-toolchain" # The version defined in rust-toolchain | ||||
|           - "msrv" # The supported MSRV | ||||
|  | ||||
|     name: Build and Test ${{ matrix.channel }} | ||||
|  | ||||
|     steps: | ||||
|       # Checkout the repo | ||||
|       - name: "Checkout" | ||||
|         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||||
|       # End Checkout the repo | ||||
|  | ||||
|  | ||||
|       # Install dependencies | ||||
|       - name: "Install dependencies Ubuntu" | ||||
|         run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config | ||||
|       # End Install dependencies | ||||
|  | ||||
|       # Checkout the repo | ||||
|       - name: "Checkout" | ||||
|         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 | ||||
|         with: | ||||
|           persist-credentials: false | ||||
|           fetch-depth: 0 | ||||
|       # End Checkout the repo | ||||
|  | ||||
|       # Determine rust-toolchain version | ||||
|       - name: Init Variables | ||||
|         id: toolchain | ||||
|         shell: bash | ||||
|         env: | ||||
|           CHANNEL: ${{ matrix.channel }} | ||||
|         run: | | ||||
|           if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then | ||||
|           if [[ "${CHANNEL}" == 'rust-toolchain' ]]; then | ||||
|             RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)" | ||||
|           elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then | ||||
|           elif [[ "${CHANNEL}" == 'msrv' ]]; then | ||||
|             RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)" | ||||
|           else | ||||
|             RUST_TOOLCHAIN="${{ matrix.channel }}" | ||||
|             RUST_TOOLCHAIN="${CHANNEL}" | ||||
|           fi | ||||
|           echo "RUST_TOOLCHAIN=${RUST_TOOLCHAIN}" | tee -a "${GITHUB_OUTPUT}" | ||||
|       # End Determine rust-toolchain version | ||||
| @@ -74,7 +82,7 @@ jobs: | ||||
|  | ||||
|       # Only install the clippy and rustfmt components on the default rust-toolchain | ||||
|       - name: "Install rust-toolchain version" | ||||
|         uses: dtolnay/rust-toolchain@439cf607258077187679211f12aa6f19af4a0af7 # master @ 2023-09-19 - 05:31 PM GMT+2 | ||||
|         uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2 | ||||
|         if: ${{ matrix.channel == 'rust-toolchain' }} | ||||
|         with: | ||||
|           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" | ||||
| @@ -84,7 +92,7 @@ jobs: | ||||
|  | ||||
|       # Install the any other channel to be used for which we do not execute clippy and rustfmt | ||||
|       - name: "Install MSRV version" | ||||
|         uses: dtolnay/rust-toolchain@439cf607258077187679211f12aa6f19af4a0af7 # master @ 2023-09-19 - 05:31 PM GMT+2 | ||||
|         uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # master @ Apr 29, 2025, 9:22 PM GMT+2 | ||||
|         if: ${{ matrix.channel != 'rust-toolchain' }} | ||||
|         with: | ||||
|           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" | ||||
| @@ -92,11 +100,13 @@ jobs: | ||||
|  | ||||
|       # Set the current matrix toolchain version as default | ||||
|       - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default" | ||||
|         env: | ||||
|           RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} | ||||
|         run: | | ||||
|           # Remove the rust-toolchain.toml | ||||
|           rm rust-toolchain.toml | ||||
|           # Set the default | ||||
|           rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} | ||||
|           rustup default "${RUST_TOOLCHAIN}" | ||||
|  | ||||
|       # Show environment | ||||
|       - name: "Show environment" | ||||
| @@ -106,7 +116,8 @@ jobs: | ||||
|       # End Show environment | ||||
|  | ||||
|       # Enable Rust Caching | ||||
|       - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0 | ||||
|       - name: Rust Caching | ||||
|         uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0 # v2.8.0 | ||||
|         with: | ||||
|           # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes. | ||||
|           # Like changing the build host from Ubuntu 20.04 to 22.04 for example. | ||||
| @@ -116,33 +127,39 @@ jobs: | ||||
|  | ||||
|       # Run cargo tests | ||||
|       # First test all features together, afterwards test them separately. | ||||
|       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc,query_logger" | ||||
|         id: test_sqlite_mysql_postgresql_mimalloc_logger | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features sqlite,mysql,postgresql,enable_mimalloc,query_logger | ||||
|  | ||||
|       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc" | ||||
|         id: test_sqlite_mysql_postgresql_mimalloc | ||||
|         if: $${{ always() }} | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
|       - name: "test features: sqlite,mysql,postgresql" | ||||
|         id: test_sqlite_mysql_postgresql | ||||
|         if: $${{ always() }} | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features sqlite,mysql,postgresql | ||||
|  | ||||
|       - name: "test features: sqlite" | ||||
|         id: test_sqlite | ||||
|         if: $${{ always() }} | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features sqlite | ||||
|  | ||||
|       - name: "test features: mysql" | ||||
|         id: test_mysql | ||||
|         if: $${{ always() }} | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features mysql | ||||
|  | ||||
|       - name: "test features: postgresql" | ||||
|         id: test_postgresql | ||||
|         if: $${{ always() }} | ||||
|         if: ${{ !cancelled() }} | ||||
|         run: | | ||||
|           cargo test --features postgresql | ||||
|       # End Run cargo tests | ||||
| @@ -151,16 +168,16 @@ jobs: | ||||
|       # Run cargo clippy, and fail on warnings | ||||
|       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc" | ||||
|         id: clippy | ||||
|         if: ${{ always() && matrix.channel == 'rust-toolchain' }} | ||||
|         if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }} | ||||
|         run: | | ||||
|           cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings | ||||
|           cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc | ||||
|       # End Run cargo clippy | ||||
|  | ||||
|  | ||||
|       # Run cargo fmt (Only run on rust-toolchain defined version) | ||||
|       - name: "check formatting" | ||||
|         id: formatting | ||||
|         if: ${{ always() && matrix.channel == 'rust-toolchain' }} | ||||
|         if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }} | ||||
|         run: | | ||||
|           cargo fmt --all -- --check | ||||
|       # End Run cargo fmt | ||||
| @@ -170,21 +187,31 @@ jobs: | ||||
|       # This is useful so all test/clippy/fmt actions are done, and they can all be addressed | ||||
|       - name: "Some checks failed" | ||||
|         if: ${{ failure() }} | ||||
|         env: | ||||
|           TEST_DB_M_L: ${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }} | ||||
|           TEST_DB_M: ${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }} | ||||
|           TEST_DB: ${{ steps.test_sqlite_mysql_postgresql.outcome }} | ||||
|           TEST_SQLITE: ${{ steps.test_sqlite.outcome }} | ||||
|           TEST_MYSQL: ${{ steps.test_mysql.outcome }} | ||||
|           TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }} | ||||
|           CLIPPY: ${{ steps.clippy.outcome }} | ||||
|           FMT: ${{ steps.formatting.outcome }} | ||||
|         run: | | ||||
|           echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|---|------|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY | ||||
|           echo "" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "### :x: Checks Failed!" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|Job|Status|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|---|------|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${TEST_DB_M_L}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${TEST_DB_M}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (sqlite,mysql,postgresql)|${TEST_DB}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (sqlite)|${TEST_SQLITE}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (mysql)|${TEST_MYSQL}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           exit 1 | ||||
|  | ||||
|  | ||||
| @@ -193,5 +220,5 @@ jobs: | ||||
|       - name: "All checks passed" | ||||
|         if: ${{ success() }} | ||||
|         run: | | ||||
|           echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "" >> $GITHUB_STEP_SUMMARY | ||||
|           echo "### :tada: Checks Passed!" >> "${GITHUB_STEP_SUMMARY}" | ||||
|           echo "" >> "${GITHUB_STEP_SUMMARY}" | ||||
|   | ||||
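Review bot: The build job asks for `actions: write` under `jobs.build.permissions` while the new workflow-level `permissions: {}` and every other permission in the job stay read-only, and none of the visible steps documents which one consumes that write scope. If it is the Rust Caching step that needs it, a comment next to the line such as `# actions: write — presumably needed by the Rust Caching step to manage cache entries; confirm and drop if unused` would let the next reviewer verify the scope rather than guess. Since this workflow also runs on `pull_request`, keeping the broadest permission tied to a named consumer matters more than elsewhere. The consumer may be in a part of the file outside these hunks, so this is inferred from what is shown.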
							
								
								
									
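--- /dev/null
+++ b/.github/workflows/check-templates.yml
@@ -0,0 +1,29 @@
+name: Check templates
+permissions: {}
+
+on: [ push, pull_request ]
+
+jobs:
+  docker-templates:
+    name: Validate docker templates
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+
+    steps:
+      # Checkout the repo
+      - name: "Checkout"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+      # End Checkout the repo
+
+      - name: Run make to rebuild templates
+        working-directory: docker
+        run: make
+
+      - name: Check for unstaged changes
+        working-directory: docker
+        run: git diff --exit-code
+        continue-on-error: false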
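Review bot: `git diff --exit-code` in the "Check for unstaged changes" step only detects modifications to tracked files, so a template rebuild that produces a new, untracked file under docker/ would pass this check silently. Changing the step to `run: git add --intent-to-add . && git diff --exit-code` (or `test -z "$(git status --porcelain)"`) makes new files fail the check as well. `continue-on-error: false` is already the default and can be dropped from the same step.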
							
								
								
									
								.github/workflows/hadolint.yml
									
									
									
									
							| @@ -1,20 +1,28 @@ | ||||
| name: Hadolint | ||||
| permissions: {} | ||||
|  | ||||
| on: [ | ||||
|       push, | ||||
|       pull_request | ||||
|     ] | ||||
| on: [ push, pull_request ] | ||||
|  | ||||
| jobs: | ||||
|   hadolint: | ||||
|     name: Validate Dockerfile syntax | ||||
|     runs-on: ubuntu-22.04 | ||||
|     permissions: | ||||
|       contents: read | ||||
|     runs-on: ubuntu-24.04 | ||||
|     timeout-minutes: 30 | ||||
|  | ||||
|     steps: | ||||
|       # Checkout the repo | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||||
|       # End Checkout the repo | ||||
|       # Start Docker Buildx | ||||
|       - name: Setup Docker Buildx | ||||
|         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | ||||
|         # https://github.com/moby/buildkit/issues/3969 | ||||
|         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills | ||||
|         with: | ||||
|           buildkitd-config-inline: | | ||||
|             [worker.oci] | ||||
|               max-parallelism = 2 | ||||
|           driver-opts: | | ||||
|             network=host | ||||
|  | ||||
|       # Download hadolint - https://github.com/hadolint/hadolint/releases | ||||
|       - name: Download hadolint | ||||
| @@ -25,9 +33,25 @@ jobs: | ||||
|         env: | ||||
|           HADOLINT_VERSION: 2.12.0 | ||||
|       # End Download hadolint | ||||
|       # Checkout the repo | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 | ||||
|         with: | ||||
|           persist-credentials: false | ||||
|       # End Checkout the repo | ||||
|  | ||||
|       # Test Dockerfiles | ||||
|       # Test Dockerfiles with hadolint | ||||
|       - name: Run hadolint | ||||
|         shell: bash | ||||
|         run: hadolint docker/Dockerfile.{debian,alpine} | ||||
|       # End Test Dockerfiles | ||||
|       # End Test Dockerfiles with hadolint | ||||
|  | ||||
|       # Test Dockerfiles with docker build checks | ||||
|       - name: Run docker build check | ||||
|         shell: bash | ||||
|         run: | | ||||
|           echo "Checking docker/Dockerfile.debian" | ||||
|           docker build --check . -f docker/Dockerfile.debian | ||||
|           echo "Checking docker/Dockerfile.alpine" | ||||
|           docker build --check . -f docker/Dockerfile.alpine | ||||
|       # End Test Dockerfiles with docker build checks | ||||
|   | ||||
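Review bot: The new "Setup Docker Buildx" step sets `driver-opts: network=host`, but unlike release.yml this workflow runs no local registry service that a builder would need to reach over `localhost`, so the host-network builder looks copied over without a consumer and can be dropped to keep the builder on its default isolated network; `docker build --check` in the last step does not need it. The `buildkitd-config-inline` parallelism limit is worth keeping for the reason the comment gives. If the host network is in fact required here, a one-line comment above `driver-opts:` naming the reason would make that clear to the next reader.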
							
								
								
									
								.github/workflows/release.yml
									
									
									
									
							| @@ -1,53 +1,55 @@ | ||||
| name: Release | ||||
| permissions: {} | ||||
|  | ||||
| on: | ||||
|   push: | ||||
|     paths: | ||||
|       - ".github/workflows/release.yml" | ||||
|       - "src/**" | ||||
|       - "migrations/**" | ||||
|       - "docker/**" | ||||
|       - "Cargo.*" | ||||
|       - "build.rs" | ||||
|       - "diesel.toml" | ||||
|       - "rust-toolchain.toml" | ||||
|  | ||||
|     branches: # Only on paths above | ||||
|     branches: | ||||
|       - main | ||||
|       - release-build-revision | ||||
|  | ||||
|     tags: # Always, regardless of paths above | ||||
|       - '*' | ||||
|     tags: | ||||
|       # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet | ||||
|       - '[1-2].[0-9]+.[0-9]+' | ||||
|  | ||||
| jobs: | ||||
|   # https://github.com/marketplace/actions/skip-duplicate-actions | ||||
|   # Some checks to determine if we need to continue with building a new docker. | ||||
|   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already. | ||||
|   skip_check: | ||||
|     runs-on: ubuntu-22.04 | ||||
|     # Only run this in the upstream repo and not on forks | ||||
|     if: ${{ github.repository == 'dani-garcia/vaultwarden' }} | ||||
|     name: Cancel older jobs when running | ||||
|     permissions: | ||||
|       actions: write | ||||
|     runs-on: ubuntu-24.04 | ||||
|     outputs: | ||||
|       should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||||
|  | ||||
|     steps: | ||||
|       - name: Skip Duplicates Actions | ||||
|         id: skip_check | ||||
|         uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0 | ||||
|         uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 | ||||
|         with: | ||||
|           cancel_others: 'true' | ||||
|         # Only run this when not creating a tag | ||||
|         if: ${{ github.ref_type == 'branch' }} | ||||
|  | ||||
|   docker-build: | ||||
|     runs-on: ubuntu-22.04 | ||||
|     timeout-minutes: 120 | ||||
|     needs: skip_check | ||||
|     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} | ||||
|     # TODO: Start a local docker registry to be used to extract the final Alpine static build images | ||||
|     # services: | ||||
|     #   registry: | ||||
|     #     image: registry:2 | ||||
|     #     ports: | ||||
|     #       - 5000:5000 | ||||
|     name: Build Vaultwarden containers | ||||
|     permissions: | ||||
|       packages: write | ||||
|       contents: read | ||||
|       attestations: write | ||||
|       id-token: write | ||||
|     runs-on: ubuntu-24.04 | ||||
|     timeout-minutes: 120 | ||||
|     # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them | ||||
|     services: | ||||
|       registry: | ||||
|         image: registry@sha256:1fc7de654f2ac1247f0b67e8a459e273b0993be7d2beda1f3f56fbf1001ed3e7 # v3.0.0 | ||||
|         ports: | ||||
|           - 5000:5000 | ||||
|     env: | ||||
|       SOURCE_COMMIT: ${{ github.sha }} | ||||
|       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" | ||||
| @@ -67,37 +69,42 @@ jobs: | ||||
|         base_image: ["debian","alpine"] | ||||
|  | ||||
|     steps: | ||||
|       # Checkout the repo | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 | ||||
|         with: | ||||
|           fetch-depth: 0 | ||||
|  | ||||
|       - name: Initialize QEMU binfmt support | ||||
|         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | ||||
|         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 | ||||
|         with: | ||||
|           platforms: "arm64,arm" | ||||
|  | ||||
|       # Start Docker Buildx | ||||
|       - name: Setup Docker Buildx | ||||
|         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | ||||
|         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | ||||
|         # https://github.com/moby/buildkit/issues/3969 | ||||
|         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions | ||||
|         # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills | ||||
|         with: | ||||
|           config-inline: | | ||||
|           cache-binary: false | ||||
|           buildkitd-config-inline: | | ||||
|             [worker.oci] | ||||
|               max-parallelism = 2 | ||||
|           driver-opts: | | ||||
|             network=host | ||||
|  | ||||
|       # Checkout the repo | ||||
|       - name: Checkout | ||||
|         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 | ||||
|         # We need fetch-depth of 0 so we also get all the tag metadata | ||||
|         with: | ||||
|           persist-credentials: false | ||||
|           fetch-depth: 0 | ||||
|  | ||||
|       # Determine Base Tags and Source Version | ||||
|       - name: Determine Base Tags and Source Version | ||||
|         shell: bash | ||||
|         env: | ||||
|           REF_TYPE: ${{ github.ref_type }} | ||||
|         run: | | ||||
|           # Check which main tag we are going to build determined by github.ref_type | ||||
|           if [[ "${{ github.ref_type }}" == "tag" ]]; then | ||||
|           # Check which main tag we are going to build determined by ref_type | ||||
|           if [[ "${REF_TYPE}" == "tag" ]]; then | ||||
|             echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" | ||||
|           elif [[ "${{ github.ref_type }}" == "branch" ]]; then | ||||
|           elif [[ "${REF_TYPE}" == "branch" ]]; then | ||||
|             echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" | ||||
|           fi | ||||
|  | ||||
| @@ -113,7 +120,7 @@ jobs: | ||||
|  | ||||
|       # Login to Docker Hub | ||||
|       - name: Login to Docker Hub | ||||
|         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||||
|         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | ||||
|         with: | ||||
|           username: ${{ secrets.DOCKERHUB_USERNAME }} | ||||
|           password: ${{ secrets.DOCKERHUB_TOKEN }} | ||||
| @@ -122,12 +129,14 @@ jobs: | ||||
|       - name: Add registry for DockerHub | ||||
|         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         env: | ||||
|           DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }} | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|           echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       # Login to GitHub Container Registry | ||||
|       - name: Login to GitHub Container Registry | ||||
|         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||||
|         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | ||||
|         with: | ||||
|           registry: ghcr.io | ||||
|           username: ${{ github.repository_owner }} | ||||
| @@ -137,12 +146,14 @@ jobs: | ||||
|       - name: Add registry for ghcr.io | ||||
|         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         env: | ||||
|           GHCR_REPO: ${{ vars.GHCR_REPO }} | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       # Login to Quay.io | ||||
|       - name: Login to Quay.io | ||||
|         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | ||||
|         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | ||||
|         with: | ||||
|           registry: quay.io | ||||
|           username: ${{ secrets.QUAY_USERNAME }} | ||||
| @@ -152,11 +163,36 @@ jobs: | ||||
|       - name: Add registry for Quay.io | ||||
|         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} | ||||
|         shell: bash | ||||
|         env: | ||||
|           QUAY_REPO: ${{ vars.QUAY_REPO }} | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       - name: Configure build cache from/to | ||||
|         shell: bash | ||||
|         env: | ||||
|           GHCR_REPO: ${{ vars.GHCR_REPO }} | ||||
|           BASE_IMAGE: ${{ matrix.base_image }} | ||||
|         run: | | ||||
|           # | ||||
|           # Check if there is a GitHub Container Registry Login and use it for caching | ||||
|           if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then | ||||
|             echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}" | tee -a "${GITHUB_ENV}" | ||||
|             echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" | ||||
|           else | ||||
|             echo "BAKE_CACHE_FROM=" | ||||
|             echo "BAKE_CACHE_TO=" | ||||
|           fi | ||||
|           # | ||||
|  | ||||
|       - name: Add localhost registry | ||||
|         shell: bash | ||||
|         run: | | ||||
|           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       - name: Bake ${{ matrix.base_image }} containers | ||||
|         uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0 | ||||
|         id: bake_vw | ||||
|         uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8 # v6.8.0 | ||||
|         env: | ||||
|           BASE_TAGS: "${{ env.BASE_TAGS }}" | ||||
|           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" | ||||
| @@ -166,5 +202,121 @@ jobs: | ||||
|         with: | ||||
|           pull: true | ||||
|           push: true | ||||
|           source: . | ||||
|           files: docker/docker-bake.hcl | ||||
|           targets: "${{ matrix.base_image }}-multi" | ||||
|           set: | | ||||
|             *.cache-from=${{ env.BAKE_CACHE_FROM }} | ||||
|             *.cache-to=${{ env.BAKE_CACHE_TO }} | ||||
|  | ||||
|       - name: Extract digest SHA | ||||
|         shell: bash | ||||
|         env: | ||||
|           BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }} | ||||
|           BASE_IMAGE: ${{ matrix.base_image }} | ||||
|         run: | | ||||
|           GET_DIGEST_SHA="$(jq -r --arg base "$BASE_IMAGE" '.[$base + "-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" | ||||
|           echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}" | ||||
|  | ||||
|       # Attest container images | ||||
|       - name: Attest - docker.io - ${{ matrix.base_image }} | ||||
|         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} | ||||
|         uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | ||||
|         with: | ||||
|           subject-name: ${{ vars.DOCKERHUB_REPO }} | ||||
|           subject-digest: ${{ env.DIGEST_SHA }} | ||||
|           push-to-registry: true | ||||
|  | ||||
|       - name: Attest - ghcr.io - ${{ matrix.base_image }} | ||||
|         if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} | ||||
|         uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | ||||
|         with: | ||||
|           subject-name: ${{ vars.GHCR_REPO }} | ||||
|           subject-digest: ${{ env.DIGEST_SHA }} | ||||
|           push-to-registry: true | ||||
|  | ||||
|       - name: Attest - quay.io - ${{ matrix.base_image }} | ||||
|         if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} | ||||
|         uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | ||||
|         with: | ||||
|           subject-name: ${{ vars.QUAY_REPO }} | ||||
|           subject-digest: ${{ env.DIGEST_SHA }} | ||||
|           push-to-registry: true | ||||
|  | ||||
|  | ||||
|       # Extract the Alpine binaries from the containers | ||||
|       - name: Extract binaries | ||||
|         shell: bash | ||||
|         env: | ||||
|           REF_TYPE: ${{ github.ref_type }} | ||||
|           BASE_IMAGE: ${{ matrix.base_image }} | ||||
|         run: | | ||||
|           # Check which main tag we are going to build determined by ref_type | ||||
|           if [[ "${REF_TYPE}" == "tag" ]]; then | ||||
|             EXTRACT_TAG="latest" | ||||
|           elif [[ "${REF_TYPE}" == "branch" ]]; then | ||||
|             EXTRACT_TAG="testing" | ||||
|           fi | ||||
|  | ||||
|           # Check which base_image was used and append -alpine if needed | ||||
|           if [[ "${BASE_IMAGE}" == "alpine" ]]; then | ||||
|             EXTRACT_TAG="${EXTRACT_TAG}-alpine" | ||||
|           fi | ||||
|  | ||||
|           # After each extraction the image is removed. | ||||
|           # This is needed because using different platforms doesn't trigger a new pull/download | ||||
|  | ||||
|           # Extract amd64 binary | ||||
|           docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|           docker cp amd64:/vaultwarden vaultwarden-amd64-${BASE_IMAGE} | ||||
|           docker rm --force amd64 | ||||
|           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|  | ||||
|           # Extract arm64 binary | ||||
|           docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|           docker cp arm64:/vaultwarden vaultwarden-arm64-${BASE_IMAGE} | ||||
|           docker rm --force arm64 | ||||
|           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|  | ||||
|           # Extract armv7 binary | ||||
|           docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|           docker cp armv7:/vaultwarden vaultwarden-armv7-${BASE_IMAGE} | ||||
|           docker rm --force armv7 | ||||
|           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|  | ||||
|           # Extract armv6 binary | ||||
|           docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|           docker cp armv6:/vaultwarden vaultwarden-armv6-${BASE_IMAGE} | ||||
|           docker rm --force armv6 | ||||
|           docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}" | ||||
|  | ||||
|       # Upload artifacts to Github Actions and Attest the binaries | ||||
|       - name: "Upload amd64 artifact ${{ matrix.base_image }}" | ||||
|         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||||
|         with: | ||||
|           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }} | ||||
|           path: vaultwarden-amd64-${{ matrix.base_image }} | ||||
|  | ||||
|       - name: "Upload arm64 artifact ${{ matrix.base_image }}" | ||||
|         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||||
|         with: | ||||
|           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }} | ||||
|           path: vaultwarden-arm64-${{ matrix.base_image }} | ||||
|  | ||||
|       - name: "Upload armv7 artifact ${{ matrix.base_image }}" | ||||
|         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||||
|         with: | ||||
|           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }} | ||||
|           path: vaultwarden-armv7-${{ matrix.base_image }} | ||||
|  | ||||
|       - name: "Upload armv6 artifact ${{ matrix.base_image }}" | ||||
|         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||||
|         with: | ||||
|           name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }} | ||||
|           path: vaultwarden-armv6-${{ matrix.base_image }} | ||||
|  | ||||
|       - name: "Attest artifacts ${{ matrix.base_image }}" | ||||
|         uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 | ||||
|         with: | ||||
|           subject-path: vaultwarden-* | ||||
|       # End Upload artifacts to Github Actions | ||||
|   | ||||
							
								
								
									
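--- /dev/null
+++ b/.github/workflows/releasecache-cleanup.yml
@@ -0,0 +1,30 @@
+name: Cleanup
+permissions: {}
+
+on:
+  workflow_dispatch:
+    inputs:
+      manual_trigger:
+        description: "Manual trigger buildcache cleanup"
+        required: false
+        default: ""
+
+  schedule:
+    - cron: '0 1 * * FRI'
+
+jobs:
+  releasecache-cleanup:
+    name: Releasecache Cleanup
+    permissions:
+      packages: write
+    runs-on: ubuntu-24.04
+    continue-on-error: true
+    timeout-minutes: 30
+    steps:
+      - name: Delete vaultwarden-buildcache containers
+        uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+        with:
+          package-name: 'vaultwarden-buildcache'
+          package-type: 'container'
+          min-versions-to-keep: 0
+          delete-only-untagged-versions: 'false'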
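Review bot: The `manual_trigger` input declared under `workflow_dispatch` is never read anywhere in the job, and the job-level `continue-on-error: true` makes a failed cleanup (expired token, renamed package) pass green, so the build cache would keep growing without anyone noticing. The delete step with `min-versions-to-keep: 0` and `delete-only-untagged-versions: 'false'` removes every version of `vaultwarden-buildcache`, tagged ones included; that is plausible for a pure build cache, but it deserves a comment such as `# Wipe all buildcache versions (tagged included); the next release build repopulates it`. Consider dropping the unused input and `continue-on-error`, or documenting why a silent failure is acceptable here.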
							
								
								
									
										40
									
								
								.github/workflows/trivy.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
							| @@ -1,35 +1,45 @@ | ||||
| name: trivy | ||||
| name: Trivy | ||||
| permissions: {} | ||||
|  | ||||
| on: | ||||
|   push: | ||||
|     branches: | ||||
|       - main | ||||
|       - release-build-revision | ||||
|  | ||||
|     tags: | ||||
|       - '*' | ||||
|   pull_request: | ||||
|     branches: [ "main" ] | ||||
|   schedule: | ||||
|     - cron: '00 12 * * *' | ||||
|  | ||||
| permissions: | ||||
|   contents: read | ||||
|   pull_request: | ||||
|     branches: | ||||
|       - main | ||||
|  | ||||
|   schedule: | ||||
|     - cron: '08 11 * * *' | ||||
|  | ||||
| jobs: | ||||
|   trivy-scan: | ||||
|     name: Check | ||||
|     runs-on: ubuntu-22.04 | ||||
|     timeout-minutes: 30 | ||||
|     # Only run this in the upstream repo and not on forks | ||||
|     # When all forks run this at the same time, it is causing `Too Many Requests` issues | ||||
|     if: ${{ github.repository == 'dani-garcia/vaultwarden' }} | ||||
|     name: Trivy Scan | ||||
|     permissions: | ||||
|       contents: read | ||||
|       security-events: write | ||||
|       actions: read | ||||
|       security-events: write | ||||
|     runs-on: ubuntu-24.04 | ||||
|     timeout-minutes: 30 | ||||
|  | ||||
|     steps: | ||||
|       - name: Checkout code | ||||
|         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | ||||
|         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 | ||||
|         with: | ||||
|           persist-credentials: false | ||||
|  | ||||
|       - name: Run Trivy vulnerability scanner | ||||
|         uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1 | ||||
|         uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 | ||||
|         env: | ||||
|           TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2 | ||||
|           TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1 | ||||
|         with: | ||||
|           scan-type: repo | ||||
|           ignore-unfixed: true | ||||
| @@ -38,6 +48,6 @@ jobs: | ||||
|           severity: CRITICAL,HIGH | ||||
|  | ||||
|       - name: Upload Trivy scan results to GitHub Security tab | ||||
|         uses: github/codeql-action/upload-sarif@bad341350a2f5616f9e048e51360cedc49181ce8 # v2.22.4 | ||||
|         uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4 | ||||
|         with: | ||||
|           sarif_file: 'trivy-results.sarif' | ||||
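Review bot: The job asks for `security-events: write` and is triggered on `pull_request` against `main`, but GitHub issues a read-only token for pull requests coming from forks, so the `Upload Trivy scan results to GitHub Security tab` step would fail there even though the scan itself runs. Guard that step, e.g. `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`, or mark it `continue-on-error: true` if fork PRs only need the scan log. Reading the old and new sides as printed, the `if: ${{ github.repository == 'dani-garcia/vaultwarden' }}` guard appears to have been removed; if that is right, the daily scheduled scan now also runs in every fork, which the mirror list in `TRIVY_DB_REPOSITORY` softens but does not avoid.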
|   | ||||
							
								
								
									
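--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          # intentionally not scanning the entire repository,
+          # since it contains integration tests.
+          inputs: ./.github/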
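Review bot: `runs-on: ubuntu-latest` is the only unpinned runner image among the workflows in this change (trivy.yml and releasecache-cleanup.yml pin `ubuntu-24.04`), and the job has no `timeout-minutes`, unlike every other job here; suggest `runs-on: ubuntu-24.04` and `timeout-minutes: 15` so a hung action cannot hold a runner for the default 360 minutes. As in trivy.yml, the combination of `pull_request` on `"**"` with `security-events: write` will not get a writable token on pull requests from forks, so confirm that the action degrades gracefully when the SARIF upload is denied, or guard it with an `if:` on `github.event.pull_request.head.repo.full_name == github.repository`.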
| @@ -1,7 +1,7 @@ | ||||
| --- | ||||
| repos: | ||||
| -   repo: https://github.com/pre-commit/pre-commit-hooks | ||||
|     rev: v4.5.0 | ||||
|     rev: v5.0.0 | ||||
|     hooks: | ||||
|     - id: check-yaml | ||||
|     - id: check-json | ||||
| @@ -31,7 +31,7 @@ repos: | ||||
|       language: system | ||||
|       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--"] | ||||
|       types_or: [rust, file] | ||||
|       files: (Cargo.toml|Cargo.lock|rust-toolchain|.*\.rs$) | ||||
|       files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$) | ||||
|       pass_filenames: false | ||||
|     - id: cargo-clippy | ||||
|       name: cargo clippy | ||||
| @@ -40,5 +40,13 @@ repos: | ||||
|       language: system | ||||
|       args: ["--features", "sqlite,mysql,postgresql,enable_mimalloc", "--", "-D", "warnings"] | ||||
|       types_or: [rust, file] | ||||
|       files: (Cargo.toml|Cargo.lock|rust-toolchain|clippy.toml|.*\.rs$) | ||||
|       files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|rustfmt.toml|.*\.rs$) | ||||
|       pass_filenames: false | ||||
|     - id: check-docker-templates | ||||
|       name: check docker templates | ||||
|       description: Check if the Docker templates are updated | ||||
|       language: system | ||||
|       entry: sh | ||||
|       args: | ||||
|         - "-c" | ||||
|         - "cd docker && make" | ||||
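Review bot: The cargo-clippy hook's `files` pattern now lists `rustfmt.toml` in place of `clippy.toml`, so an edit to `clippy.toml` no longer re-runs clippy; this looks copied from the cargo-fmt hook a few lines above, where adding `rustfmt.toml` does make sense. The line should read `files: (Cargo.toml|Cargo.lock|rust-toolchain.toml|clippy.toml|.*\.rs$)`. The old/new sides are inferred from print order on this rendered page, so please double-check against the raw diff.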
|   | ||||
							
								
								
									
										4750
									
								
								Cargo.lock
									
									
									
										generated
									
									
									
								
							
							
						
						
									
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							
							
								
								
									
										254
									
								
								Cargo.toml
									
									
									
									
									
								
							
							
						
						
									
							| @@ -1,9 +1,12 @@ | ||||
| [workspace] | ||||
| members = ["macros"] | ||||
|  | ||||
| [package] | ||||
| name = "vaultwarden" | ||||
| version = "1.0.0" | ||||
| authors = ["Daniel García <dani-garcia@users.noreply.github.com>"] | ||||
| edition = "2021" | ||||
| rust-version = "1.71.1" | ||||
| rust-version = "1.87.0" | ||||
| resolver = "2" | ||||
|  | ||||
| repository = "https://github.com/dani-garcia/vaultwarden" | ||||
| @@ -18,160 +21,195 @@ build = "build.rs" | ||||
| enable_syslog = [] | ||||
| mysql = ["diesel/mysql", "diesel_migrations/mysql"] | ||||
| postgresql = ["diesel/postgres", "diesel_migrations/postgres"] | ||||
| sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "libsqlite3-sys"] | ||||
| sqlite = ["diesel/sqlite", "diesel_migrations/sqlite", "dep:libsqlite3-sys"] | ||||
| # Enable to use a vendored and statically linked openssl | ||||
| vendored_openssl = ["openssl/vendored"] | ||||
| # Enable MiMalloc memory allocator to replace the default malloc | ||||
| # This can improve performance for Alpine builds | ||||
| enable_mimalloc = ["mimalloc"] | ||||
| enable_mimalloc = ["dep:mimalloc"] | ||||
| # This is a development dependency, and should only be used during development! | ||||
| # It enables the usage of the diesel_logger crate, which is able to output the generated queries. | ||||
| # You also need to set an env variable `QUERY_LOGGER=1` to fully activate this so you do not have to re-compile | ||||
| # if you want to turn off the logging for a specific run. | ||||
| query_logger = ["diesel_logger"] | ||||
| query_logger = ["dep:diesel_logger"] | ||||
| s3 = ["opendal/services-s3", "dep:aws-config", "dep:aws-credential-types", "dep:aws-smithy-runtime-api", "dep:anyhow", "dep:http", "dep:reqsign"] | ||||
|  | ||||
| # OIDC specific features | ||||
| oidc-accept-rfc3339-timestamps = ["openidconnect/accept-rfc3339-timestamps"] | ||||
| oidc-accept-string-booleans = ["openidconnect/accept-string-booleans"] | ||||
|  | ||||
| # Enable unstable features, requires nightly | ||||
| # Currently only used to enable rusts official ip support | ||||
| unstable = [] | ||||
|  | ||||
| [target."cfg(not(windows))".dependencies] | ||||
| [target."cfg(unix)".dependencies] | ||||
| # Logging | ||||
| syslog = "6.1.0" | ||||
| syslog = "7.0.0" | ||||
|  | ||||
| [dependencies] | ||||
| macros = { path = "./macros" } | ||||
|  | ||||
| # Logging | ||||
| log = "0.4.20" | ||||
| fern = { version = "0.6.2", features = ["syslog-6", "reopen-1"] } | ||||
| tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | ||||
| log = "0.4.27" | ||||
| fern = { version = "0.7.1", features = ["syslog-7", "reopen-1"] } | ||||
| tracing = { version = "0.1.41", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work | ||||
|  | ||||
| # A `dotenv` implementation for Rust | ||||
| dotenvy = { version = "0.15.7", default-features = false } | ||||
|  | ||||
| # Lazy initialization | ||||
| once_cell = "1.18.0" | ||||
| once_cell = "1.21.3" | ||||
|  | ||||
| # Numerical libraries | ||||
| num-traits = "0.2.17" | ||||
| num-derive = "0.4.1" | ||||
| num-traits = "0.2.19" | ||||
| num-derive = "0.4.2" | ||||
| bigdecimal = "0.4.8" | ||||
|  | ||||
| # Web framework | ||||
| rocket = { version = "0.5.0-rc.4", features = ["tls", "json"], default-features = false } | ||||
| rocket_ws = { version ="0.1.0-rc.4" } | ||||
| rocket = { version = "0.5.1", features = ["tls", "json"], default-features = false } | ||||
| rocket_ws = { version ="0.1.1" } | ||||
|  | ||||
| # WebSockets libraries | ||||
| tokio-tungstenite = "0.20.1" | ||||
| rmpv = "1.0.1" # MessagePack library | ||||
| rmpv = "1.3.0" # MessagePack library | ||||
|  | ||||
| # Concurrent HashMap used for WebSocket messaging and favicons | ||||
| dashmap = "5.5.3" | ||||
| dashmap = "6.1.0" | ||||
|  | ||||
| # Async futures | ||||
| futures = "0.3.29" | ||||
| tokio = { version = "1.34.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] } | ||||
| futures = "0.3.31" | ||||
| tokio = { version = "1.47.1", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal", "net"] } | ||||
| tokio-util = { version = "0.7.16", features = ["compat"]} | ||||
|  | ||||
| # A generic serialization/deserialization framework | ||||
| serde = { version = "1.0.192", features = ["derive"] } | ||||
| serde_json = "1.0.108" | ||||
| serde = { version = "1.0.219", features = ["derive"] } | ||||
| serde_json = "1.0.142" | ||||
|  | ||||
| # A safe, extensible ORM and Query builder | ||||
| diesel = { version = "2.1.4", features = ["chrono", "r2d2"] } | ||||
| diesel_migrations = "2.1.0" | ||||
| diesel_logger = { version = "0.3.0", optional = true } | ||||
| diesel = { version = "2.2.12", features = ["chrono", "r2d2", "numeric"] } | ||||
| diesel_migrations = "2.2.0" | ||||
| diesel_logger = { version = "0.4.0", optional = true } | ||||
|  | ||||
| derive_more = { version = "2.0.1", features = ["from", "into", "as_ref", "deref", "display"] } | ||||
| diesel-derive-newtype = "2.1.2" | ||||
|  | ||||
| # Bundled/Static SQLite | ||||
| libsqlite3-sys = { version = "0.27.0", features = ["bundled"], optional = true } | ||||
| libsqlite3-sys = { version = "0.35.0", features = ["bundled"], optional = true } | ||||
|  | ||||
| # Crypto-related libraries | ||||
| rand = { version = "0.8.5", features = ["small_rng"] } | ||||
| ring = "0.17.5" | ||||
| rand = "0.9.2" | ||||
| ring = "0.17.14" | ||||
| subtle = "2.6.1" | ||||
|  | ||||
| # UUID generation | ||||
| uuid = { version = "1.5.0", features = ["v4"] } | ||||
| uuid = { version = "1.17.0", features = ["v4"] } | ||||
|  | ||||
| # Date and time libraries | ||||
| chrono = { version = "0.4.31", features = ["clock", "serde"], default-features = false } | ||||
| chrono-tz = "0.8.4" | ||||
| time = "0.3.30" | ||||
| chrono = { version = "0.4.41", features = ["clock", "serde"], default-features = false } | ||||
| chrono-tz = "0.10.4" | ||||
| time = "0.3.41" | ||||
|  | ||||
| # Job scheduler | ||||
| job_scheduler_ng = "2.0.4" | ||||
| job_scheduler_ng = "2.2.0" | ||||
|  | ||||
| # Data encoding library Hex/Base32/Base64 | ||||
| data-encoding = "2.4.0" | ||||
| data-encoding = "2.9.0" | ||||
|  | ||||
| # JWT library | ||||
| jsonwebtoken = "9.1.0" | ||||
| jsonwebtoken = "9.3.1" | ||||
|  | ||||
| # TOTP library | ||||
| totp-lite = "2.0.1" | ||||
|  | ||||
| # Yubico Library | ||||
| yubico = { version = "0.11.0", features = ["online-tokio"], default-features = false } | ||||
| yubico = { package = "yubico_ng", version = "0.13.0", features = ["online-tokio"], default-features = false } | ||||
|  | ||||
| # WebAuthn libraries | ||||
| webauthn-rs = "0.3.2" | ||||
| # danger-allow-state-serialisation is needed to save the state in the db | ||||
| # danger-credential-internals is needed to support U2F to Webauthn migration | ||||
| # danger-user-presence-only-security-keys is needed to disable UV | ||||
| webauthn-rs = { version = "0.5.2", features = ["danger-allow-state-serialisation", "danger-credential-internals", "danger-user-presence-only-security-keys"] } | ||||
| webauthn-rs-proto = "0.5.2" | ||||
| webauthn-rs-core = "0.5.2" | ||||
|  | ||||
| # Handling of URL's for WebAuthn and favicons | ||||
| url = "2.4.1" | ||||
| url = "2.5.4" | ||||
|  | ||||
| # Email libraries | ||||
| lettre = { version = "0.11.1", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false } | ||||
| percent-encoding = "2.3.0" # URL encoding library used for URL's in the emails | ||||
| email_address = "0.2.4" | ||||
| lettre = { version = "0.11.18", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false } | ||||
| percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails | ||||
| email_address = "0.2.9" | ||||
|  | ||||
| # HTML Template library | ||||
| handlebars = { version = "4.5.0", features = ["dir_source"] } | ||||
| handlebars = { version = "6.3.2", features = ["dir_source"] } | ||||
|  | ||||
| # HTTP client (Used for favicons, version check, DUO and HIBP API) | ||||
| reqwest = { version = "0.11.22", features = ["stream", "json", "deflate", "gzip", "brotli", "socks", "cookies", "trust-dns", "native-tls-alpn"] } | ||||
| reqwest = { version = "0.12.22", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false} | ||||
| hickory-resolver = "0.25.2" | ||||
|  | ||||
| # Favicon extraction libraries | ||||
| html5gum = "0.5.7" | ||||
| regex = { version = "1.10.2", features = ["std", "perf", "unicode-perl"], default-features = false } | ||||
| data-url = "0.3.0" | ||||
| bytes = "1.5.0" | ||||
| html5gum = "0.7.0" | ||||
| regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false } | ||||
| data-url = "0.3.1" | ||||
| bytes = "1.10.1" | ||||
| svg-hush = "0.9.5" | ||||
|  | ||||
| # Cache function results (Used for version check and favicon fetching) | ||||
| cached = { version = "0.46.1", features = ["async"] } | ||||
| cached = { version = "0.56.0", features = ["async"] } | ||||
|  | ||||
| # Used for custom short lived cookie jar during favicon extraction | ||||
| cookie = "0.16.2" | ||||
| cookie_store = "0.19.1" | ||||
| cookie = "0.18.1" | ||||
| cookie_store = "0.21.1" | ||||
|  | ||||
| # Used by U2F, JWT and PostgreSQL | ||||
| openssl = "=0.10.57" | ||||
| # Set openssl-sys fixed to v0.9.92 to prevent building issues with musl, arm and 32bit pointer width | ||||
| # It will force add a dynamically linked library which prevents the build from being static | ||||
| openssl-sys = "=0.9.92" | ||||
| openssl = "0.10.73" | ||||
|  | ||||
| # CLI argument parsing | ||||
| pico-args = "0.5.0" | ||||
|  | ||||
| # Macro ident concatenation | ||||
| paste = "1.0.14" | ||||
| governor = "0.6.0" | ||||
| pastey = "0.1.0" | ||||
| governor = "0.10.1" | ||||
|  | ||||
| # OIDC for SSO | ||||
| openidconnect = { version = "4.0.1", features = ["reqwest", "native-tls"] } | ||||
| mini-moka = "0.10.3" | ||||
|  | ||||
| # Check client versions for specific features. | ||||
| semver = "1.0.20" | ||||
| semver = "1.0.26" | ||||
|  | ||||
| # Allow overriding the default memory allocator | ||||
| # Mainly used for the musl builds, since the default musl malloc is very slow | ||||
| mimalloc = { version = "0.1.39", features = ["secure"], default-features = false, optional = true } | ||||
| which = "5.0.0" | ||||
| mimalloc = { version = "0.1.47", features = ["secure"], default-features = false, optional = true } | ||||
|  | ||||
| which = "8.0.0" | ||||
|  | ||||
| # Argon2 library with support for the PHC format | ||||
| argon2 = "0.5.2" | ||||
| argon2 = "0.5.3" | ||||
|  | ||||
| # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN | ||||
| rpassword = "7.3.1" | ||||
| rpassword = "7.4.0" | ||||
|  | ||||
| # Loading a dynamic CSS Stylesheet | ||||
| grass_compiler = { version = "0.13.4", default-features = false } | ||||
|  | ||||
| # File are accessed through Apache OpenDAL | ||||
| opendal = { version = "0.54.0", features = ["services-fs"], default-features = false } | ||||
|  | ||||
| # For retrieving AWS credentials, including temporary SSO credentials | ||||
| anyhow = { version = "1.0.98", optional = true } | ||||
| aws-config = { version = "1.8.4", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true } | ||||
| aws-credential-types = { version = "1.2.5", optional = true } | ||||
| aws-smithy-runtime-api = { version = "1.8.7", optional = true } | ||||
| http = { version = "1.3.1", optional = true } | ||||
| reqsign = { version = "0.16.5", optional = true } | ||||
|  | ||||
| # Strip debuginfo from the release builds | ||||
| # Also enable thin LTO for some optimizations | ||||
| # The debug symbols are to provide better panic traces | ||||
| # Also enable fat LTO and use 1 codegen unit for optimizations | ||||
| [profile.release] | ||||
| strip = "debuginfo" | ||||
| lto = "thin" | ||||
|  | ||||
| lto = "fat" | ||||
| codegen-units = 1 | ||||
|  | ||||
| # A little bit of a speedup | ||||
| [profile.dev] | ||||
| @@ -181,3 +219,93 @@ split-debuginfo = "unpacked" | ||||
| # This is a huge speed improvement during testing | ||||
| [profile.dev.package.argon2] | ||||
| opt-level = 3 | ||||
|  | ||||
| # Optimize for size | ||||
| [profile.release-micro] | ||||
| inherits = "release" | ||||
| opt-level = "z" | ||||
| strip = "symbols" | ||||
| lto = "fat" | ||||
| codegen-units = 1 | ||||
| panic = "abort" | ||||
|  | ||||
| # Profile for systems with low resources | ||||
| # It will use less resources during build | ||||
| [profile.release-low] | ||||
| inherits = "release" | ||||
| strip = "symbols" | ||||
| lto = "thin" | ||||
| codegen-units = 16 | ||||
|  | ||||
| # Linting config | ||||
| # https://doc.rust-lang.org/rustc/lints/groups.html | ||||
| [workspace.lints.rust] | ||||
| # Forbid | ||||
| unsafe_code = "forbid" | ||||
| non_ascii_idents = "forbid" | ||||
|  | ||||
| # Deny | ||||
| deprecated_in_future = "deny" | ||||
| future_incompatible = { level = "deny", priority = -1 } | ||||
| keyword_idents = { level = "deny", priority = -1 } | ||||
| let_underscore = { level = "deny", priority = -1 } | ||||
| noop_method_call = "deny" | ||||
| refining_impl_trait = { level = "deny", priority = -1 } | ||||
| rust_2018_idioms = { level = "deny", priority = -1 } | ||||
| rust_2021_compatibility = { level = "deny", priority = -1 } | ||||
| rust_2024_compatibility = { level = "deny", priority = -1 } | ||||
| edition_2024_expr_fragment_specifier = "allow" # Once changed to Rust 2024 this should be removed and macro's should be validated again | ||||
| single_use_lifetimes = "deny" | ||||
| trivial_casts = "deny" | ||||
| trivial_numeric_casts = "deny" | ||||
| unused = { level = "deny", priority = -1 } | ||||
| unused_import_braces = "deny" | ||||
| unused_lifetimes = "deny" | ||||
| unused_qualifications = "deny" | ||||
| variant_size_differences = "deny" | ||||
| # Allow the following lints since these cause issues with Rust v1.84.0 or newer | ||||
| # Building Vaultwarden with Rust v1.85.0 and edition 2024 also works without issues | ||||
| if_let_rescope = "allow" | ||||
| tail_expr_drop_order = "allow" | ||||
|  | ||||
| # https://rust-lang.github.io/rust-clippy/stable/index.html | ||||
| [workspace.lints.clippy] | ||||
| # Warn | ||||
| dbg_macro = "warn" | ||||
| todo = "warn" | ||||
|  | ||||
| # Ignore/Allow | ||||
| result_large_err = "allow" | ||||
|  | ||||
| # Deny | ||||
| case_sensitive_file_extension_comparisons = "deny" | ||||
| cast_lossless = "deny" | ||||
| clone_on_ref_ptr = "deny" | ||||
| equatable_if_let = "deny" | ||||
| filter_map_next = "deny" | ||||
| float_cmp_const = "deny" | ||||
| implicit_clone = "deny" | ||||
| inefficient_to_string = "deny" | ||||
| iter_on_empty_collections = "deny" | ||||
| iter_on_single_items = "deny" | ||||
| linkedlist = "deny" | ||||
| macro_use_imports = "deny" | ||||
| manual_assert = "deny" | ||||
| manual_instant_elapsed = "deny" | ||||
| manual_string_new = "deny" | ||||
| match_wildcard_for_single_variants = "deny" | ||||
| mem_forget = "deny" | ||||
| needless_continue = "deny" | ||||
| needless_lifetimes = "deny" | ||||
| option_option = "deny" | ||||
| string_add_assign = "deny" | ||||
| unnecessary_join = "deny" | ||||
| unnecessary_self_imports = "deny" | ||||
| unnested_or_patterns = "deny" | ||||
| unused_async = "deny" | ||||
| unused_self = "deny" | ||||
| verbose_file_reads = "deny" | ||||
| zero_sized_map_values = "deny" | ||||
|  | ||||
| [lints] | ||||
| workspace = true | ||||
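Review bot: `openidconnect` is enabled with the `native-tls` feature while `reqwest` (`rustls-tls`, `rustls-tls-native-roots`) and `lettre` (`tokio1-rustls`, `rustls-native-certs`) in the same file were moved to rustls, so the OIDC client will use a different TLS stack and root-store behaviour from every other outbound HTTP connection in the binary. If the crate exposes one, `openidconnect = { version = "4.0.1", features = ["reqwest", "rustls-tls"] }` would keep the client configuration uniform; otherwise a one-line comment saying why OIDC must stay on native-tls would save the next reader from "fixing" it. The `yubico = { package = "yubico_ng", ... }` rename swaps the upstream crate for a differently maintained package, which is worth a short comment naming the reason for the switch.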
|   | ||||
							
								
								
									
										197
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
							| @@ -1,95 +1,146 @@ | ||||
| ### Alternative implementation of the Bitwarden server API written in Rust and compatible with [upstream Bitwarden clients](https://bitwarden.com/download/)*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. | ||||
|  | ||||
|  | ||||
| 📢 Note: This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues. Please see [#1642](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation. | ||||
| An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with [official Bitwarden clients](https://bitwarden.com/download/) [[disclaimer](#disclaimer)], perfect for self-hosted deployment where running the official resource-heavy service might not be ideal. | ||||
|  | ||||
| --- | ||||
| [](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) | ||||
| [](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden) | ||||
| [](https://hub.docker.com/r/vaultwarden/server) | ||||
| [](https://quay.io/repository/vaultwarden/server) | ||||
| [](https://deps.rs/repo/github/dani-garcia/vaultwarden) | ||||
| [](https://github.com/dani-garcia/vaultwarden/releases/latest) | ||||
| [](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) | ||||
| [](https://matrix.to/#/#vaultwarden:matrix.org) | ||||
|  | ||||
| Image is based on [Rust implementation of Bitwarden API](https://github.com/dani-garcia/vaultwarden). | ||||
| [](https://github.com/dani-garcia/vaultwarden/releases/latest) | ||||
| [](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden) | ||||
| [](https://hub.docker.com/r/vaultwarden/server) | ||||
| [](https://quay.io/repository/vaultwarden/server) <br> | ||||
| [](https://github.com/dani-garcia/vaultwarden/graphs/contributors) | ||||
| [](https://github.com/dani-garcia/vaultwarden/network/members) | ||||
| [](https://github.com/dani-garcia/vaultwarden/stargazers) | ||||
| [](https://github.com/dani-garcia/vaultwarden/issues) | ||||
| [](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue+is%3Aclosed) | ||||
| [](https://github.com/dani-garcia/vaultwarden/blob/main/LICENSE.txt) <br> | ||||
| [%3D'svg'%5D%2F*%5Blocal-name()%3D'g'%5D%5B2%5D%2F*%5Blocal-name()%3D'text'%5D%5B4%5D&style=flat-square&logo=rust&label=dependencies&color=005AA4)](https://deps.rs/repo/github/dani-garcia/vaultwarden) | ||||
| [](https://github.com/dani-garcia/vaultwarden/actions/workflows/release.yml) | ||||
| [](https://github.com/dani-garcia/vaultwarden/actions/workflows/build.yml) <br> | ||||
| [](https://matrix.to/#/#vaultwarden:matrix.org) | ||||
| [](https://github.com/dani-garcia/vaultwarden/discussions) | ||||
| [](https://vaultwarden.discourse.group/) | ||||
|  | ||||
| **This project is not associated with the [Bitwarden](https://bitwarden.com/) project nor Bitwarden, Inc.** | ||||
| > [!IMPORTANT] | ||||
| > **When using this server, please report any bugs or suggestions directly to us (see [Get in touch](#get-in-touch)), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official Bitwarden support channels.** | ||||
|  | ||||
| #### ⚠️**IMPORTANT**⚠️: When using this server, please report any bugs or suggestions to us directly (look at the bottom of this page for ways to get in touch), regardless of whatever clients you are using (mobile, desktop, browser...). DO NOT use the official support channels. | ||||
|  | ||||
| --- | ||||
| <br> | ||||
|  | ||||
| ## Features | ||||
|  | ||||
| Basically full implementation of Bitwarden API is provided including: | ||||
| A nearly complete implementation of the Bitwarden Client API is provided, including: | ||||
|  | ||||
|  * Organizations support | ||||
|  * Attachments and Send | ||||
|  * Vault API support | ||||
|  * Serving the static files for Vault interface | ||||
|  * Website icons API | ||||
|  * Authenticator and U2F support | ||||
|  * YubiKey and Duo support | ||||
|  * Emergency Access | ||||
|  * [Personal Vault](https://bitwarden.com/help/managing-items/) | ||||
|  * [Send](https://bitwarden.com/help/about-send/) | ||||
|  * [Attachments](https://bitwarden.com/help/attachments/) | ||||
|  * [Website icons](https://bitwarden.com/help/website-icons/) | ||||
|  * [Personal API Key](https://bitwarden.com/help/personal-api-key/) | ||||
|  * [Organizations](https://bitwarden.com/help/getting-started-organizations/) | ||||
|    - [Collections](https://bitwarden.com/help/about-collections/), | ||||
|      [Password Sharing](https://bitwarden.com/help/sharing/), | ||||
|      [Member Roles](https://bitwarden.com/help/user-types-access-control/), | ||||
|      [Groups](https://bitwarden.com/help/about-groups/), | ||||
|      [Event Logs](https://bitwarden.com/help/event-logs/), | ||||
|      [Admin Password Reset](https://bitwarden.com/help/admin-reset/), | ||||
|      [Directory Connector](https://bitwarden.com/help/directory-sync/), | ||||
|      [Policies](https://bitwarden.com/help/policies/) | ||||
|  * [Multi/Two Factor Authentication](https://bitwarden.com/help/bitwarden-field-guide-two-step-login/) | ||||
|    - [Authenticator](https://bitwarden.com/help/setup-two-step-login-authenticator/), | ||||
|      [Email](https://bitwarden.com/help/setup-two-step-login-email/), | ||||
|      [FIDO2 WebAuthn](https://bitwarden.com/help/setup-two-step-login-fido/), | ||||
|      [YubiKey](https://bitwarden.com/help/setup-two-step-login-yubikey/), | ||||
|      [Duo](https://bitwarden.com/help/setup-two-step-login-duo/) | ||||
|  * [Emergency Access](https://bitwarden.com/help/emergency-access/) | ||||
|  * [Vaultwarden Admin Backend](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page) | ||||
|  * [Modified Web Vault client](https://github.com/dani-garcia/bw_web_builds) (Bundled within our containers) | ||||
|  | ||||
| ## Installation | ||||
| Pull the docker image and mount a volume from the host for persistent storage: | ||||
|  | ||||
| ```sh | ||||
| docker pull vaultwarden/server:latest | ||||
| docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest | ||||
| ``` | ||||
| This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you. | ||||
|  | ||||
| **IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost. | ||||
|  | ||||
| This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). | ||||
|  | ||||
| If you have an available domain name, you can get HTTPS certificates with [Let's Encrypt](https://letsencrypt.org/), or you can generate self-signed certificates with utilities like [mkcert](https://github.com/FiloSottile/mkcert). Some proxies automatically do this step, like Caddy (see examples linked above). | ||||
| <br> | ||||
|  | ||||
| ## Usage | ||||
| See the [vaultwarden wiki](https://github.com/dani-garcia/vaultwarden/wiki) for more information on how to configure and run the vaultwarden server. | ||||
|  | ||||
| > [!IMPORTANT] | ||||
| > The web-vault requires the use a secure context for the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API). | ||||
| > That means it will only work via `http://localhost:8000` (using the port from the example below) or if you [enable HTTPS](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS). | ||||
|  | ||||
| The recommended way to install and use Vaultwarden is via our container images which are published to [ghcr.io](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden), [docker.io](https://hub.docker.com/r/vaultwarden/server) and [quay.io](https://quay.io/repository/vaultwarden/server). | ||||
| See [which container image to use](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) for an explanation of the provided tags. | ||||
|  | ||||
| There are also [community driven packages](https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages) which can be used, but those might be lagging behind the latest version or might deviate in the way Vaultwarden is configured, as described in our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki). | ||||
|  | ||||
| Alternatively, you can also [build Vaultwarden](https://github.com/dani-garcia/vaultwarden/wiki/Building-binary) yourself. | ||||
|  | ||||
| While Vaultwarden is based upon the [Rocket web framework](https://rocket.rs) which has built-in support for TLS our recommendation would be that you setup a reverse proxy (see [proxy examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)). | ||||
|  | ||||
| > [!TIP] | ||||
| >**For more detailed examples on how to install, use and configure Vaultwarden you can check our [Wiki](https://github.com/dani-garcia/vaultwarden/wiki).** | ||||
|  | ||||
| ### Docker/Podman CLI | ||||
|  | ||||
| Pull the container image and mount a volume from the host for persistent storage.<br> | ||||
| You can replace `docker` with `podman` if you prefer to use podman. | ||||
|  | ||||
| ```shell | ||||
| docker pull vaultwarden/server:latest | ||||
| docker run --detach --name vaultwarden \ | ||||
|   --env DOMAIN="https://vw.domain.tld" \ | ||||
|   --volume /vw-data/:/data/ \ | ||||
|   --restart unless-stopped \ | ||||
|   --publish 127.0.0.1:8000:80 \ | ||||
|   vaultwarden/server:latest | ||||
| ``` | ||||
|  | ||||
| This will preserve any persistent data under `/vw-data/`, you can adapt the path to whatever suits you. | ||||
|  | ||||
| ### Docker Compose | ||||
|  | ||||
| To use Docker compose you need to create a `compose.yaml` which will hold the configuration to run the Vaultwarden container. | ||||
|  | ||||
| ```yaml | ||||
| services: | ||||
|   vaultwarden: | ||||
|     image: vaultwarden/server:latest | ||||
|     container_name: vaultwarden | ||||
|     restart: unless-stopped | ||||
|     environment: | ||||
|       DOMAIN: "https://vw.domain.tld" | ||||
|     volumes: | ||||
|       - ./vw-data/:/data/ | ||||
|     ports: | ||||
|       - 127.0.0.1:8000:80 | ||||
| ``` | ||||
|  | ||||
| <br> | ||||
|  | ||||
| ## Get in touch | ||||
| To ask a question, offer suggestions or new features or to get help configuring or installing the software, please use [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [the forum](https://vaultwarden.discourse.group/). | ||||
|  | ||||
| If you spot any bugs or crashes with vaultwarden itself, please [create an issue](https://github.com/dani-garcia/vaultwarden/issues/). Make sure you are on the latest version and there aren't any similar issues open, though! | ||||
| Have a question, suggestion or need help? Join our community on [Matrix](https://matrix.to/#/#vaultwarden:matrix.org), [GitHub Discussions](https://github.com/dani-garcia/vaultwarden/discussions) or [Discourse Forums](https://vaultwarden.discourse.group/). | ||||
|  | ||||
| If you prefer to chat, we're usually hanging around at [#vaultwarden:matrix.org](https://matrix.to/#/#vaultwarden:matrix.org) room on Matrix. Feel free to join us! | ||||
| Encountered a bug or crash? Please search our issue tracker and discussions to see if it's already been reported. If not, please [start a new discussion](https://github.com/dani-garcia/vaultwarden/discussions) or [create a new issue](https://github.com/dani-garcia/vaultwarden/issues/). Ensure you're using the latest version of Vaultwarden and there aren't any similar issues open or closed! | ||||
|  | ||||
| <br> | ||||
|  | ||||
| ## Contributors | ||||
|  | ||||
| ### Sponsors | ||||
| Thanks for your contribution to the project! | ||||
|  | ||||
| <!-- | ||||
| <table> | ||||
|   <tr> | ||||
|     <td align="center"> | ||||
|       <a href="https://github.com/username"> | ||||
|         <img src="https://avatars.githubusercontent.com/u/725423?s=75&v=4" width="75px;" alt="username"/> | ||||
|         <br /> | ||||
|         <sub><b>username</b></sub> | ||||
|       </a> | ||||
|   </td> | ||||
|   </tr> | ||||
| </table> | ||||
| [](https://github.com/dani-garcia/vaultwarden/graphs/contributors)<br> | ||||
| [](https://github.com/dani-garcia/vaultwarden/graphs/contributors) | ||||
|  | ||||
| <br/> | ||||
| --> | ||||
| <br> | ||||
|  | ||||
| <table> | ||||
|   <tr> | ||||
|     <td align="center"> | ||||
|        <a href="https://github.com/themightychris" style="width: 75px"> | ||||
|         <sub><b>Chris Alfano</b></sub> | ||||
|       </a> | ||||
|     </td> | ||||
|   </tr> | ||||
|   <tr> | ||||
|     <td align="center"> | ||||
|       <a href="https://github.com/numberly" style="width: 75px"> | ||||
|         <sub><b>Numberly</b></sub> | ||||
|       </a> | ||||
|     </td> | ||||
|   </tr> | ||||
| </table> | ||||
| ## Disclaimer | ||||
|  | ||||
| **This project is not associated with [Bitwarden](https://bitwarden.com/) or Bitwarden, Inc.** | ||||
|  | ||||
| However, one of the active maintainers for Vaultwarden is employed by Bitwarden and is allowed to contribute to the project on their own time. These contributions are independent of Bitwarden and are reviewed by other maintainers. | ||||
|  | ||||
| The maintainers work together to set the direction for the project, focusing on serving the self-hosting community, including individuals, families, and small organizations, while ensuring the project's sustainability. | ||||
|  | ||||
| **Please note:** We cannot be held liable for any data loss that may occur while using Vaultwarden. This includes passwords, attachments, and other information handled by the application. We highly recommend performing regular backups of your files and database. However, should you experience data loss, we encourage you to contact us immediately. | ||||
|  | ||||
| <br> | ||||
|  | ||||
| ## Bitwarden_RS | ||||
|  | ||||
| This project was known as Bitwarden_RS and has been renamed to separate itself from the official Bitwarden server in the hopes of avoiding confusion and trademark/branding issues.<br> | ||||
| Please see [#1642 - v1.21.0 release and project rename to Vaultwarden](https://github.com/dani-garcia/vaultwarden/discussions/1642) for more explanation. | ||||
|   | ||||
							
								
								
									
										14
									
								
								SECURITY.md
									
									
									
									
									
								
							| @@ -21,7 +21,7 @@ notify us. We welcome working with you to resolve the issue promptly. Thanks in | ||||
| The following bug classes are out-of scope: | ||||
|  | ||||
| - Bugs that are already reported on Vaultwarden's issue tracker (https://github.com/dani-garcia/vaultwarden/issues) | ||||
| - Bugs that are not part of Vaultwarden, like on the the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated | ||||
| - Bugs that are not part of Vaultwarden, like on the web-vault or mobile and desktop clients. These issues need to be reported in the respective project issue tracker at https://github.com/bitwarden to which we are not associated | ||||
| - Issues in an upstream software dependency (ex: Rust, or External Libraries) which are already reported to the upstream maintainer | ||||
| - Attacks requiring physical access to a user's device | ||||
| - Issues related to software or protocols not under Vaultwarden's control | ||||
| @@ -39,7 +39,11 @@ Thank you for helping keep Vaultwarden and our users safe! | ||||
|  | ||||
| # How to contact us | ||||
|  | ||||
| - You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (user: `@danig:matrix.org`) | ||||
| - You can send an  to report a security issue. | ||||
|   - If you want to send an encrypted email you can use the following GPG key:<br> | ||||
|     https://keyserver.ubuntu.com/pks/lookup?search=0xB9B7A108373276BF3C0406F9FC8A7D14C3CD543A&fingerprint=on&op=index | ||||
| - You can contact us on Matrix https://matrix.to/#/#vaultwarden:matrix.org (users: `@danig:matrix.org` and/or `@blackdex:matrix.org`) | ||||
| - You can send an  to report a security issue.<br> | ||||
|   If you want to send an encrypted email you can use the following GPG key: 13BB3A34C9E380258CE43D595CB150B31F6426BC<br> | ||||
|   It can be found on several public GPG key servers.<br> | ||||
|     * https://keys.openpgp.org/search?q=security%40vaultwarden.org | ||||
|     * https://keys.mailvelope.com/pks/lookup?op=get&search=security%40vaultwarden.org | ||||
|     * https://pgpkeys.eu/pks/lookup?search=security%40vaultwarden.org&fingerprint=on&op=index | ||||
|     * https://keyserver.ubuntu.com/pks/lookup?search=security%40vaultwarden.org&fingerprint=on&op=index | ||||
|   | ||||
							
								
								
									
										31
									
								
								build.rs
									
									
									
									
									
								
							| @@ -11,12 +11,29 @@ fn main() { | ||||
|     println!("cargo:rustc-cfg=postgresql"); | ||||
|     #[cfg(feature = "query_logger")] | ||||
|     println!("cargo:rustc-cfg=query_logger"); | ||||
|     #[cfg(feature = "s3")] | ||||
|     println!("cargo:rustc-cfg=s3"); | ||||
|  | ||||
|     #[cfg(not(any(feature = "sqlite", feature = "mysql", feature = "postgresql")))] | ||||
|     compile_error!( | ||||
|         "You need to enable one DB backend. To build with previous defaults do: cargo build --features sqlite" | ||||
|     ); | ||||
|  | ||||
|     // Use check-cfg to let cargo know which cfg's we define, | ||||
|     // and avoid warnings when they are used in the code. | ||||
|     println!("cargo::rustc-check-cfg=cfg(sqlite)"); | ||||
|     println!("cargo::rustc-check-cfg=cfg(mysql)"); | ||||
|     println!("cargo::rustc-check-cfg=cfg(postgresql)"); | ||||
|     println!("cargo::rustc-check-cfg=cfg(query_logger)"); | ||||
|     println!("cargo::rustc-check-cfg=cfg(s3)"); | ||||
|  | ||||
|     // Rerun when these paths are changed. | ||||
|     // Someone could have checked-out a tag or specific commit, but no other files changed. | ||||
|     println!("cargo:rerun-if-changed=.git"); | ||||
|     println!("cargo:rerun-if-changed=.git/HEAD"); | ||||
|     println!("cargo:rerun-if-changed=.git/index"); | ||||
|     println!("cargo:rerun-if-changed=.git/refs/tags"); | ||||
|  | ||||
|     #[cfg(all(not(debug_assertions), feature = "query_logger"))] | ||||
|     compile_error!("Query Logging is only allowed during development, it is not intended for production usage!"); | ||||
|  | ||||
| @@ -34,19 +51,19 @@ fn main() { | ||||
| fn run(args: &[&str]) -> Result<String, std::io::Error> { | ||||
|     let out = Command::new(args[0]).args(&args[1..]).output()?; | ||||
|     if !out.status.success() { | ||||
|         use std::io::{Error, ErrorKind}; | ||||
|         return Err(Error::new(ErrorKind::Other, "Command not successful")); | ||||
|         use std::io::Error; | ||||
|         return Err(Error::other("Command not successful")); | ||||
|     } | ||||
|     Ok(String::from_utf8(out.stdout).unwrap().trim().to_string()) | ||||
| } | ||||
|  | ||||
| /// This method reads info from Git, namely tags, branch, and revision | ||||
| /// To access these values, use: | ||||
| ///    - env!("GIT_EXACT_TAG") | ||||
| ///    - env!("GIT_LAST_TAG") | ||||
| ///    - env!("GIT_BRANCH") | ||||
| ///    - env!("GIT_REV") | ||||
| ///    - env!("VW_VERSION") | ||||
| ///    - `env!("GIT_EXACT_TAG")` | ||||
| ///    - `env!("GIT_LAST_TAG")` | ||||
| ///    - `env!("GIT_BRANCH")` | ||||
| ///    - `env!("GIT_REV")` | ||||
| ///    - `env!("VW_VERSION")` | ||||
| fn version_from_git_info() -> Result<String, std::io::Error> { | ||||
|     // The exact tag for the current commit, can be empty when | ||||
|     // the current commit doesn't have an associated tag | ||||
|   | ||||
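Review bot: The rewritten error path in `run` (the new `Error::other("Command not successful")` line) still discards which command failed and what it wrote to stderr, so a failing `git` call inside `version_from_git_info` surfaces as an error with nothing actionable in it; since the arguments are already at hand, `return Err(Error::other(format!("{} failed: {}", args[0], String::from_utf8_lossy(&out.stderr).trim())));` costs one line and keeps the same error type. The `run` function is entirely inside the second hunk, so this is a self-contained change. In the first hunk, the new `cargo::rustc-check-cfg` lines use the double-colon form while the new `cargo:rerun-if-changed` lines directly below them use the single-colon form; both are accepted by the toolchain this compare pins, but settling on one form within `main` would keep the file consistent.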
| @@ -1,12 +1,13 @@ | ||||
| --- | ||||
| vault_version: "v2023.10.0" | ||||
| vault_image_digest: "sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935" | ||||
| # Cross Compile Docker Helper Scripts v1.3.0 | ||||
| vault_version: "v2025.7.0" | ||||
| vault_image_digest: "sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e" | ||||
| # Cross Compile Docker Helper Scripts v1.6.1 | ||||
| # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts | ||||
| xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc" | ||||
| rust_version: 1.73.0 # Rust version to be used | ||||
| # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags | ||||
| xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894" | ||||
| rust_version: 1.89.0 # Rust version to be used | ||||
| debian_version: bookworm # Debian release name to be used | ||||
| alpine_version: 3.18 # Alpine version to be used | ||||
| alpine_version: "3.22" # Alpine version to be used | ||||
| # For which platforms/architectures will we try to build images | ||||
| platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"] | ||||
| # Determine the build images per OS/Arch | ||||
|   | ||||
| @@ -1,4 +1,5 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
| # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||
| @@ -18,27 +19,27 @@ | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935] | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2025.7.0 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.7.0 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.10.0] | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e | ||||
| #     [docker.io/vaultwarden/web-vault:v2025.7.0] | ||||
| # | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e AS vault | ||||
|  | ||||
| ########################## ALPINE BUILD IMAGES ########################## | ||||
| ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 | ||||
| ## And for Alpine we define all build images here, they will only be loaded when actually used | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as build_amd64 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.89.0 AS build_amd64 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.89.0 AS build_arm64 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.89.0 AS build_armv7 | ||||
| FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.89.0 AS build_armv6 | ||||
|  | ||||
| ########################## BUILD IMAGE ########################## | ||||
| # hadolint ignore=DL3006 | ||||
| FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build | ||||
| FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build | ||||
| ARG TARGETARCH | ||||
| ARG TARGETVARIANT | ||||
| ARG TARGETPLATFORM | ||||
| @@ -58,33 +59,30 @@ ENV DEBIAN_FRONTEND=noninteractive \ | ||||
|  | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
| RUN mkdir -pv "${CARGO_HOME}" && \ | ||||
|     rustup set profile minimal | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Shared variables across Debian and Alpine | ||||
| # Environment variables for Cargo on Alpine based builds | ||||
| RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ | ||||
|     # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
|     if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     rustup target add "${CARGO_TARGET}" | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
| COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||
| COPY ./macros ./macros | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| @@ -97,10 +95,13 @@ RUN source /env-cargo && \ | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Builds again, this time it will be the actual source files being build | ||||
| RUN source /env-cargo && \ | ||||
|     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||
|     touch src/main.rs && \ | ||||
|     # Also do this for build.rs to ensure the version is rechecked | ||||
|     touch build.rs src/main.rs && \ | ||||
|     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||
|     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||
|     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||
| @@ -126,7 +127,7 @@ RUN source /env-cargo && \ | ||||
| # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||
| # | ||||
| # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742 | ||||
| FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.18 | ||||
| FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.22 | ||||
|  | ||||
| ENV ROCKET_PROFILE="release" \ | ||||
|     ROCKET_ADDRESS=0.0.0.0 \ | ||||
| @@ -143,14 +144,12 @@ RUN mkdir /data && \ | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
| COPY docker/healthcheck.sh docker/start.sh / | ||||
|  | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/final/vaultwarden . | ||||
|   | ||||
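Review bot: The four new `FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:...-stable-1.89.0 AS build_*` lines pull the build toolchain by mutable tag, whereas the `web-vault` and (in the Debian variant) `xx` stages in the same change are pinned by `@sha256:` digest; the tag can be re-pushed upstream, so the compiled binary is not reproducible from this file alone. Pinning each of them the same way, `ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.89.0@sha256:<digest-placeholder>`, and likewise the final `docker.io/library/alpine:3.22` stage, would close that gap; since the header says this file is generated, the digests belong in `DockerSettings.yaml`/`Dockerfile.j2`. Separately, the new `# check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform` directive silences two BuildKit lint checks without saying why, although the reasons already exist further down (the Alpine build images are amd64-only; `--platform=$TARGETPLATFORM` is kept because of the podman/buildah bug); a one-line pointer next to it, `# Both checks are skipped on purpose: see the NOTE above the build images and the podman comment before the final stage`, would save the next reader from re-deriving that.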
| @@ -1,4 +1,5 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
| # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||
| @@ -18,24 +19,24 @@ | ||||
| # - From https://hub.docker.com/r/vaultwarden/web-vault/tags, | ||||
| #   click the tag name to view the digest of the image it currently points to. | ||||
| # - From the command line: | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935] | ||||
| #     $ docker pull docker.io/vaultwarden/web-vault:v2025.7.0 | ||||
| #     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.7.0 | ||||
| #     [docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e] | ||||
| # | ||||
| # - Conversely, to get the tag name from the digest: | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 | ||||
| #     [docker.io/vaultwarden/web-vault:v2023.10.0] | ||||
| #     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e | ||||
| #     [docker.io/vaultwarden/web-vault:v2025.7.0] | ||||
| # | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:f6ac819a2cd9e226f2cd2ec26196ede94a41e672e9672a11b5f307a19278b15e AS vault | ||||
|  | ||||
| ########################## Cross Compile Docker Helper Scripts ########################## | ||||
| ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts | ||||
| ## And these bash scripts do not have any significant difference if at all | ||||
| FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc AS xx | ||||
| FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894 AS xx | ||||
|  | ||||
| ########################## BUILD IMAGE ########################## | ||||
| # hadolint ignore=DL3006 | ||||
| FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build | ||||
| FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.89.0-slim-bookworm AS build | ||||
| COPY --from=xx / / | ||||
| ARG TARGETARCH | ||||
| ARG TARGETVARIANT | ||||
| @@ -64,57 +65,63 @@ RUN apt-get update && \ | ||||
|         "libc6-$(xx-info debian-arch)-cross" \ | ||||
|         "libc6-dev-$(xx-info debian-arch)-cross" \ | ||||
|         "linux-libc-dev-$(xx-info debian-arch)-cross" && \ | ||||
|     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||
|     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||
|  | ||||
| RUN xx-apt-get install -y \ | ||||
|     xx-apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc \ | ||||
|         libmariadb3 \ | ||||
|         libpq-dev \ | ||||
|         libpq5 \ | ||||
|         libssl-dev && \ | ||||
|         libssl-dev \ | ||||
|         zlib1g-dev && \ | ||||
|     # Force install arch dependend mariadb dev packages | ||||
|     # Installing them the normal way breaks several other packages (again) | ||||
|     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ | ||||
|     dpkg --force-all -i ./libmariadb-dev*.deb | ||||
|     dpkg --force-all -i ./libmariadb-dev*.deb && \ | ||||
|     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||
|     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
| RUN mkdir -pv "${CARGO_HOME}" && \ | ||||
|     rustup set profile minimal | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| # Environment variables for cargo across Debian and Alpine | ||||
| # Environment variables for Cargo on Debian based builds | ||||
| ARG TARGET_PKG_CONFIG_PATH | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     if xx-info is-cross ; then \ | ||||
|         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. | ||||
|         # Because of this we generate the needed environment variables here which we can load in the needed steps. | ||||
|         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ | ||||
|         echo "export CROSS_COMPILE=1" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ | ||||
|         echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \ | ||||
|         # For some architectures `xx-info` returns a triple which doesn't matches the path on disk | ||||
|         # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg | ||||
|         if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \ | ||||
|             echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \ | ||||
|         else \ | ||||
|             echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \ | ||||
|         fi && \ | ||||
|         echo "# End of env-cargo" >> /env-cargo ; \ | ||||
|     fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     rustup target add "${CARGO_TARGET}" | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
| COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||
| COPY ./macros ./macros | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| @@ -127,10 +134,13 @@ RUN source /env-cargo && \ | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Builds again, this time it will be the actual source files being build | ||||
| RUN source /env-cargo && \ | ||||
|     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||
|     touch src/main.rs && \ | ||||
|     # Also do this for build.rs to ensure the version is rechecked | ||||
|     touch build.rs src/main.rs && \ | ||||
|     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||
|     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||
|     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||
| @@ -177,14 +187,12 @@ RUN mkdir /data && \ | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
| COPY docker/healthcheck.sh docker/start.sh / | ||||
|  | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/final/vaultwarden . | ||||
|   | ||||
| @@ -1,4 +1,5 @@ | ||||
| # syntax=docker/dockerfile:1 | ||||
| # check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform | ||||
|  | ||||
| # This file was generated using a Jinja2 template. | ||||
| # Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make` | ||||
| @@ -26,7 +27,7 @@ | ||||
| #     $ docker image inspect --format "{{ '{{' }}.RepoTags}}" docker.io/vaultwarden/web-vault@{{ vault_image_digest }} | ||||
| #     [docker.io/vaultwarden/web-vault:{{ vault_version }}] | ||||
| # | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} as vault | ||||
| FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@{{ vault_image_digest }} AS vault | ||||
|  | ||||
| {% if base == "debian" %} | ||||
| ########################## Cross Compile Docker Helper Scripts ########################## | ||||
| @@ -38,13 +39,13 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@{{ xx_image_digest }} AS xx | ||||
| ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64 | ||||
| ## And for Alpine we define all build images here, they will only be loaded when actually used | ||||
| {% for arch in build_stage_image[base].arch_image %} | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} as build_{{ arch }} | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].arch_image[arch] }} AS build_{{ arch }} | ||||
| {% endfor %} | ||||
| {% endif %} | ||||
|  | ||||
| ########################## BUILD IMAGE ########################## | ||||
| # hadolint ignore=DL3006 | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} as build | ||||
| FROM --platform={{ build_stage_image[base].platform }} {{ build_stage_image[base].image }} AS build | ||||
| {% if base == "debian" %} | ||||
| COPY --from=xx / / | ||||
| {% endif %} | ||||
| @@ -82,70 +83,77 @@ RUN apt-get update && \ | ||||
|         "libc6-$(xx-info debian-arch)-cross" \ | ||||
|         "libc6-dev-$(xx-info debian-arch)-cross" \ | ||||
|         "linux-libc-dev-$(xx-info debian-arch)-cross" && \ | ||||
|     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||
|     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||
|  | ||||
| RUN xx-apt-get install -y \ | ||||
|     xx-apt-get install -y \ | ||||
|         --no-install-recommends \ | ||||
|         gcc \ | ||||
|         libmariadb3 \ | ||||
|         libpq-dev \ | ||||
|         libpq5 \ | ||||
|         libssl-dev && \ | ||||
|         libssl-dev \ | ||||
|         zlib1g-dev && \ | ||||
|     # Force install arch dependend mariadb dev packages | ||||
|     # Installing them the normal way breaks several other packages (again) | ||||
|     apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \ | ||||
|     dpkg --force-all -i ./libmariadb-dev*.deb | ||||
|     dpkg --force-all -i ./libmariadb-dev*.deb && \ | ||||
|     # Run xx-cargo early, since it sometimes seems to break when run at a later stage | ||||
|     echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo | ||||
| {% endif %} | ||||
|  | ||||
| # Create CARGO_HOME folder and don't download rust docs | ||||
| RUN mkdir -pv "${CARGO_HOME}" \ | ||||
|     && rustup set profile minimal | ||||
| RUN mkdir -pv "${CARGO_HOME}" && \ | ||||
|     rustup set profile minimal | ||||
|  | ||||
| # Creates a dummy project used to grab dependencies | ||||
| RUN USER=root cargo new --bin /app | ||||
| WORKDIR /app | ||||
|  | ||||
| {% if base == "debian" %} | ||||
| # Environment variables for cargo across Debian and Alpine | ||||
| # Environment variables for Cargo on Debian based builds | ||||
| ARG TARGET_PKG_CONFIG_PATH | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     if xx-info is-cross ; then \ | ||||
|         # We can't use xx-cargo since that uses clang, which doesn't work for our libraries. | ||||
|         # Because of this we generate the needed environment variables here which we can load in the needed steps. | ||||
|         echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \ | ||||
|         echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \ | ||||
|         echo "export CROSS_COMPILE=1" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \ | ||||
|         echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \ | ||||
|         echo "export PKG_CONFIG_ALLOW_CROSS=1" >> /env-cargo && \ | ||||
|         # For some architectures `xx-info` returns a triple which doesn't matches the path on disk | ||||
|         # In those cases you can override this by setting the `TARGET_PKG_CONFIG_PATH` build-arg | ||||
|         if [[ -n "${TARGET_PKG_CONFIG_PATH}" ]]; then \ | ||||
|             echo "export TARGET_PKG_CONFIG_PATH=${TARGET_PKG_CONFIG_PATH}" >> /env-cargo ; \ | ||||
|         else \ | ||||
|             echo "export PKG_CONFIG_PATH=/usr/lib/$(xx-info)/pkgconfig" >> /env-cargo ; \ | ||||
|         fi && \ | ||||
|         echo "# End of env-cargo" >> /env-cargo ; \ | ||||
|     fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
| {% elif base == "alpine" %} | ||||
| # Shared variables across Debian and Alpine | ||||
| # Environment variables for Cargo on Alpine based builds | ||||
| RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \ | ||||
|     # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic | ||||
|     if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \ | ||||
|     # Output the current contents of the file | ||||
|     cat /env-cargo | ||||
|  | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
| {% endif %} | ||||
|  | ||||
| RUN source /env-cargo && \ | ||||
|     rustup target add "${CARGO_TARGET}" | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Copies over *only* your manifests and build files | ||||
| COPY ./Cargo.* ./ | ||||
| COPY ./rust-toolchain.toml ./rust-toolchain.toml | ||||
| COPY ./build.rs ./build.rs | ||||
| COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./ | ||||
| COPY ./macros ./macros | ||||
|  | ||||
| ARG CARGO_PROFILE=release | ||||
|  | ||||
| # Configure the DB ARG as late as possible to not invalidate the cached layers above | ||||
| {% if base == "debian" %} | ||||
| ARG DB=sqlite,mysql,postgresql | ||||
| {% elif base == "alpine" %} | ||||
| # Enable MiMalloc to improve performance on Alpine builds | ||||
| ARG DB=sqlite,mysql,postgresql,enable_mimalloc | ||||
| {% endif %} | ||||
|  | ||||
| # Builds your dependencies and removes the | ||||
| # dummy project, except the target folder | ||||
| @@ -158,10 +166,13 @@ RUN source /env-cargo && \ | ||||
| # To avoid copying unneeded files, use .dockerignore | ||||
| COPY . . | ||||
|  | ||||
| ARG VW_VERSION | ||||
|  | ||||
| # Builds again, this time it will be the actual source files being build | ||||
| RUN source /env-cargo && \ | ||||
|     # Make sure that we actually build the project by updating the src/main.rs timestamp | ||||
|     touch src/main.rs && \ | ||||
|     # Also do this for build.rs to ensure the version is rechecked | ||||
|     touch build.rs src/main.rs && \ | ||||
|     # Create a symlink to the binary target folder to easy copy the binary in the final stage | ||||
|     cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \ | ||||
|     if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \ | ||||
| @@ -220,14 +231,12 @@ RUN mkdir /data && \ | ||||
|  | ||||
| VOLUME /data | ||||
| EXPOSE 80 | ||||
| EXPOSE 3012 | ||||
|  | ||||
| # Copies the files from the context (Rocket.toml file and web-vault) | ||||
| # and the binary from the "build" stage to the current stage | ||||
| WORKDIR / | ||||
|  | ||||
| COPY docker/healthcheck.sh /healthcheck.sh | ||||
| COPY docker/start.sh /start.sh | ||||
| COPY docker/healthcheck.sh docker/start.sh / | ||||
|  | ||||
| COPY --from=vault /web-vault ./web-vault | ||||
| COPY --from=build /app/target/final/vaultwarden . | ||||
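Review bot: In the cross-compile env block the `OPENSSL_LIB_DIR` echo still terminates with `; \` while the newly added `PKG_CONFIG_ALLOW_CROSS` and `TARGET_PKG_CONFIG_PATH` lines below it continue with `&& \`; that `;` was the end of the chain in the old version and now sits in the middle of it, so a failure writing that line no longer stops the RUN step — change it to `echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo && \`. The new `TARGET_PKG_CONFIG_PATH` value is also written unquoted into a file that is later `source`d, so a build-arg containing whitespace or `$(...)` would be expanded at source time; writing it as `echo "export TARGET_PKG_CONFIG_PATH='${TARGET_PKG_CONFIG_PATH}'" >> /env-cargo` keeps it a literal. Build args come from the bake file or the builder's command line, so this is hardening rather than a new trust boundary. The same block is repeated in the generated Dockerfile.debian earlier in this commit.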
|   | ||||
| @@ -11,6 +11,11 @@ With just these two files we can build both Debian and Alpine images for the fol | ||||
|  - armv7 (linux/arm/v7) | ||||
|  - armv6 (linux/arm/v6) | ||||
|  | ||||
| Some unsupported platforms for Debian based images. These are not built and tested by default and are only provided to make it easier for users to build for these architectures. | ||||
| - 386     (linux/386) | ||||
| - ppc64le (linux/ppc64le) | ||||
| - s390x   (linux/s390x) | ||||
|  | ||||
| To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br> | ||||
| This ensures the container build process can run binaries from other architectures.<br> | ||||
|  | ||||
| @@ -41,7 +46,7 @@ There also is an option to use an other docker container to provide support for | ||||
| ```bash | ||||
| # To install and activate | ||||
| docker run --privileged --rm tonistiigi/binfmt --install arm64,arm | ||||
| # To unistall | ||||
| # To uninstall | ||||
| docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' | ||||
| ``` | ||||
|  | ||||
|   | ||||
| @@ -17,7 +17,7 @@ variable "SOURCE_REPOSITORY_URL" { | ||||
|   default = null | ||||
| } | ||||
|  | ||||
| // The commit hash of of the current commit this build was triggered on | ||||
| // The commit hash of the current commit this build was triggered on | ||||
| variable "SOURCE_COMMIT" { | ||||
|   default = null | ||||
| } | ||||
| @@ -125,6 +125,31 @@ target "debian-armv6" { | ||||
|   tags = generate_tags("", "-armv6") | ||||
| } | ||||
|  | ||||
| // ==== Start of unsupported Debian architecture targets === | ||||
| // These are provided just to help users build for these rare platforms | ||||
| // They will not be built by default | ||||
| target "debian-386" { | ||||
|   inherits = ["debian"] | ||||
|   platforms = ["linux/386"] | ||||
|   tags = generate_tags("", "-386") | ||||
|   args = { | ||||
|     TARGET_PKG_CONFIG_PATH = "/usr/lib/i386-linux-gnu/pkgconfig" | ||||
|   } | ||||
| } | ||||
|  | ||||
| target "debian-ppc64le" { | ||||
|   inherits = ["debian"] | ||||
|   platforms = ["linux/ppc64le"] | ||||
|   tags = generate_tags("", "-ppc64le") | ||||
| } | ||||
|  | ||||
| target "debian-s390x" { | ||||
|   inherits = ["debian"] | ||||
|   platforms = ["linux/s390x"] | ||||
|   tags = generate_tags("", "-s390x") | ||||
| } | ||||
| // ==== End of unsupported Debian architecture targets === | ||||
|  | ||||
| // A Group to build all platforms individually for local testing | ||||
| group "debian-all" { | ||||
|   targets = ["debian-amd64", "debian-arm64", "debian-armv7", "debian-armv6"] | ||||
|   | ||||
| @@ -1,12 +1,20 @@ | ||||
| #!/bin/sh | ||||
| #!/usr/bin/env sh | ||||
|  | ||||
| # Use the value of the corresponding env var (if present), | ||||
| # or a default value otherwise. | ||||
| : "${DATA_FOLDER:="data"}" | ||||
| : "${DATA_FOLDER:="/data"}" | ||||
| : "${ROCKET_PORT:="80"}" | ||||
| : "${ENV_FILE:="/.env"}" | ||||
|  | ||||
| CONFIG_FILE="${DATA_FOLDER}"/config.json | ||||
|  | ||||
| # Check if the $ENV_FILE file exist and is readable | ||||
| # If that is the case, load it into the environment before running any check | ||||
| if [ -r "${ENV_FILE}" ]; then | ||||
|     # shellcheck disable=SC1090 | ||||
|     . "${ENV_FILE}" | ||||
| fi | ||||
|  | ||||
| # Given a config key, return the corresponding config value from the | ||||
| # config file. If the key doesn't exist, return an empty string. | ||||
| get_config_val() { | ||||
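Review bot: `. "${ENV_FILE}"` executes /.env as shell source, not as a dotenv file, so a line the application's own .env parser accepts but sh does not (an unquoted value containing spaces, `$` or `#`, for instance — worth confirming against the parser the server uses) will error or run as a command here instead of being loaded, and because the script has no `set -e` the healthcheck then carries on with partially loaded settings. This is the same operator-controlled file the server reads, so it is not a new trust boundary, but the syntax requirement should be stated at the source line, e.g. `# NOTE: this runs ${ENV_FILE} as shell; values must be valid sh syntax (quote values containing spaces, $ or #)`. The `SC1090` disable itself is appropriate since the path is dynamic.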
|   | ||||
| @@ -1,5 +1,9 @@ | ||||
| #!/bin/sh | ||||
|  | ||||
| if [ -n "${UMASK}" ]; then | ||||
|     umask "${UMASK}" | ||||
| fi | ||||
|  | ||||
| if [ -r /etc/vaultwarden.sh ]; then | ||||
|     . /etc/vaultwarden.sh | ||||
| elif [ -r /etc/bitwarden_rs.sh ]; then | ||||
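Review bot: `umask "${UMASK}"` is applied without checking its result: with an invalid value (e.g. `0o77` or `77x`) `umask` prints an error and the script, which has no `set -e`, goes on to start the server under the default mask, silently dropping the restrictive file permissions the operator asked for on the data directory. Fail fast instead: `umask "${UMASK}" || { echo "Invalid UMASK value: ${UMASK}" >&2; exit 1; }`. An empty `UMASK` is correctly skipped by the `-n` test.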
|   | ||||
							
								
								
									
										16
									
								
								macros/Cargo.toml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,16 @@ | ||||
| [package] | ||||
| name = "macros" | ||||
| version = "0.1.0" | ||||
| edition = "2021" | ||||
|  | ||||
| [lib] | ||||
| name = "macros" | ||||
| path = "src/lib.rs" | ||||
| proc-macro = true | ||||
|  | ||||
| [dependencies] | ||||
| quote = "1.0.40" | ||||
| syn = "2.0.104" | ||||
|  | ||||
| [lints] | ||||
| workspace = true | ||||
							
								
								
									
										56
									
								
								macros/src/lib.rs
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,56 @@ | ||||
| use proc_macro::TokenStream; | ||||
| use quote::quote; | ||||
|  | ||||
| #[proc_macro_derive(UuidFromParam)] | ||||
| pub fn derive_uuid_from_param(input: TokenStream) -> TokenStream { | ||||
|     let ast = syn::parse(input).unwrap(); | ||||
|  | ||||
|     impl_derive_uuid_macro(&ast) | ||||
| } | ||||
|  | ||||
| fn impl_derive_uuid_macro(ast: &syn::DeriveInput) -> TokenStream { | ||||
|     let name = &ast.ident; | ||||
|     let gen_derive = quote! { | ||||
|         #[automatically_derived] | ||||
|         impl<'r> rocket::request::FromParam<'r> for #name { | ||||
|             type Error = (); | ||||
|  | ||||
|             #[inline(always)] | ||||
|             fn from_param(param: &'r str) -> Result<Self, Self::Error> { | ||||
|                 if uuid::Uuid::parse_str(param).is_ok() { | ||||
|                     Ok(Self(param.to_string())) | ||||
|                 } else { | ||||
|                     Err(()) | ||||
|                 } | ||||
|             } | ||||
|         } | ||||
|     }; | ||||
|     gen_derive.into() | ||||
| } | ||||
|  | ||||
| #[proc_macro_derive(IdFromParam)] | ||||
| pub fn derive_id_from_param(input: TokenStream) -> TokenStream { | ||||
|     let ast = syn::parse(input).unwrap(); | ||||
|  | ||||
|     impl_derive_safestring_macro(&ast) | ||||
| } | ||||
|  | ||||
| fn impl_derive_safestring_macro(ast: &syn::DeriveInput) -> TokenStream { | ||||
|     let name = &ast.ident; | ||||
|     let gen_derive = quote! { | ||||
|         #[automatically_derived] | ||||
|         impl<'r> rocket::request::FromParam<'r> for #name { | ||||
|             type Error = (); | ||||
|  | ||||
|             #[inline(always)] | ||||
|             fn from_param(param: &'r str) -> Result<Self, Self::Error> { | ||||
|                 if param.chars().all(|c| matches!(c, 'a'..='z' | 'A'..='Z' |'0'..='9' | '-')) { | ||||
|                     Ok(Self(param.to_string())) | ||||
|                 } else { | ||||
|                     Err(()) | ||||
|                 } | ||||
|             } | ||||
|         } | ||||
|     }; | ||||
|     gen_derive.into() | ||||
| } | ||||
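Review bot: `UuidFromParam` validates with `uuid::Uuid::parse_str` but stores the raw `param`, and `parse_str` accepts more than the 36-character hyphenated form (the 32-hex simple form, braces and a `urn:uuid:` prefix), so a request can carry a syntactically valid UUID in a spelling that no longer matches the `CHAR(36)` uuid columns the migrations in this same commit use. Either store the canonical form, `.map(|u| Self(u.hyphenated().to_string()))` (this also lowercases, which is only correct if stored values are lowercase — to be confirmed), or reject any other spelling by checking `param.len() == 36` before parsing. Separately, both derives call `syn::parse(input).unwrap()`; `syn::parse_macro_input!(input as DeriveInput)` reports a compile error at the use site instead of panicking the compiler. `IdFromParam` also accepts the empty string since `all` is vacuously true, which is harmless only if Rocket never hands an empty segment to `FromParam`.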
							
								
								
									
										1
									
								
								migrations/mysql/2023-09-10-133000_add_sso/down.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1 @@ | ||||
| DROP TABLE sso_nonce; | ||||
							
								
								
									
										4
									
								
								migrations/mysql/2023-09-10-133000_add_sso/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations DROP COLUMN invited_by_email; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE attachments MODIFY file_size BIGINT NOT NULL; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE twofactor MODIFY last_used BIGINT NOT NULL; | ||||
| @@ -0,0 +1,6 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
| 	state               VARCHAR(512) NOT NULL PRIMARY KEY, | ||||
|   	nonce               TEXT NOT NULL, | ||||
|   	redirect_uri 		TEXT NOT NULL, | ||||
|   	created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|     state               VARCHAR(512) NOT NULL PRIMARY KEY, | ||||
|     nonce               TEXT NOT NULL, | ||||
|     redirect_uri        TEXT NOT NULL, | ||||
|     created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1,9 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|     state               VARCHAR(512) NOT NULL PRIMARY KEY, | ||||
|   	nonce               TEXT NOT NULL, | ||||
|     verifier            TEXT, | ||||
|   	redirect_uri 		TEXT NOT NULL, | ||||
|   	created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
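Review bot: `state` is `VARCHAR(512)` on MySQL while the PostgreSQL and SQLite versions of this migration declare it as `TEXT`, so the length limit exists on only one backend: a state value over 512 characters is rejected under `STRICT_TRANS_TABLES` and silently truncated (breaking the later lookup of that login attempt) without it. If the application generates `state` itself this is probably never hit, but the bound should then be documented or enforced in code rather than left implicit in one schema, e.g. a comment on the column `-- state is generated by the server; must stay <= 512 chars for the MySQL schema`. The same consideration applies to `identifier VARCHAR(768)` on `sso_users`, which appears sized to the utf8mb4 unique-index limit.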
| @@ -0,0 +1 @@ | ||||
| DROP TABLE IF EXISTS sso_users; | ||||
							
								
								
									
										7
									
								
								migrations/mysql/2024-03-06-170000_add_sso_users/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,7 @@ | ||||
| CREATE TABLE sso_users ( | ||||
|   user_uuid           CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   identifier          VARCHAR(768) NOT NULL UNIQUE, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT now(), | ||||
|  | ||||
|   FOREIGN KEY(user_uuid) REFERENCES users(uuid) | ||||
| ); | ||||
| @@ -0,0 +1,2 @@ | ||||
| ALTER TABLE sso_users DROP FOREIGN KEY `sso_users_ibfk_1`; | ||||
| ALTER TABLE sso_users ADD FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE; | ||||
| @@ -0,0 +1 @@ | ||||
| DROP TABLE twofactor_duo_ctx; | ||||
| @@ -0,0 +1,8 @@ | ||||
| CREATE TABLE twofactor_duo_ctx ( | ||||
|     state      VARCHAR(64)  NOT NULL, | ||||
|     user_email VARCHAR(255) NOT NULL, | ||||
|     nonce      VARCHAR(64)  NOT NULL, | ||||
|     exp        BIGINT       NOT NULL, | ||||
|  | ||||
|     PRIMARY KEY (state) | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE `twofactor_incomplete` DROP COLUMN `device_type`; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE twofactor_incomplete ADD COLUMN device_type INTEGER NOT NULL DEFAULT 14; -- 14 = Unknown Browser | ||||
							
								
								
									
										5
									
								
								migrations/mysql/2025-01-09-172300_add_manage/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,5 @@ | ||||
| ALTER TABLE users_collections | ||||
| ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE; | ||||
|  | ||||
| ALTER TABLE collections_groups | ||||
| ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE; | ||||
							
								
								
									
										1
									
								
								migrations/postgresql/2023-09-10-133000_add_sso/down.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1 @@ | ||||
| DROP TABLE sso_nonce; | ||||
							
								
								
									
										4
									
								
								migrations/postgresql/2023-09-10-133000_add_sso/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations DROP COLUMN invited_by_email; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL; | ||||
| @@ -0,0 +1,3 @@ | ||||
| ALTER TABLE attachments | ||||
| ALTER COLUMN file_size TYPE BIGINT, | ||||
| ALTER COLUMN file_size SET NOT NULL; | ||||
| @@ -0,0 +1,3 @@ | ||||
| ALTER TABLE twofactor | ||||
| ALTER COLUMN last_used TYPE BIGINT, | ||||
| ALTER COLUMN last_used SET NOT NULL; | ||||
| @@ -0,0 +1,6 @@ | ||||
| DROP TABLE sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
| 	state               TEXT NOT NULL PRIMARY KEY, | ||||
|   	nonce               TEXT NOT NULL, | ||||
|   	redirect_uri 		TEXT NOT NULL, | ||||
|   	created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|     state               TEXT NOT NULL PRIMARY KEY, | ||||
|     nonce               TEXT NOT NULL, | ||||
|     redirect_uri        TEXT NOT NULL, | ||||
|     created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1,9 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|     state               TEXT NOT NULL PRIMARY KEY, | ||||
|     nonce               TEXT NOT NULL, | ||||
|     verifier            TEXT, | ||||
|     redirect_uri        TEXT NOT NULL, | ||||
|     created_at          TIMESTAMP NOT NULL DEFAULT now() | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| DROP TABLE IF EXISTS sso_users; | ||||
| @@ -0,0 +1,7 @@ | ||||
| CREATE TABLE sso_users ( | ||||
|   user_uuid           CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   identifier          TEXT NOT NULL UNIQUE, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT now(), | ||||
|  | ||||
|   FOREIGN KEY(user_uuid) REFERENCES users(uuid) | ||||
| ); | ||||
| @@ -0,0 +1,3 @@ | ||||
| ALTER TABLE sso_users | ||||
|   DROP CONSTRAINT "sso_users_user_uuid_fkey", | ||||
|   ADD CONSTRAINT "sso_users_user_uuid_fkey" FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE; | ||||
| @@ -0,0 +1 @@ | ||||
| DROP TABLE twofactor_duo_ctx; | ||||
| @@ -0,0 +1,8 @@ | ||||
| CREATE TABLE twofactor_duo_ctx ( | ||||
|     state      VARCHAR(64) NOT NULL, | ||||
|     user_email VARCHAR(255)  NOT NULL, | ||||
|     nonce      VARCHAR(64) NOT NULL, | ||||
|     exp        BIGINT        NOT NULL, | ||||
|  | ||||
|     PRIMARY KEY (state) | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE twofactor_incomplete DROP COLUMN device_type; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE twofactor_incomplete ADD COLUMN device_type INTEGER NOT NULL DEFAULT 14; -- 14 = Unknown Browser | ||||
| @@ -0,0 +1,5 @@ | ||||
| ALTER TABLE users_collections | ||||
| ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE; | ||||
|  | ||||
| ALTER TABLE collections_groups | ||||
| ADD COLUMN manage BOOLEAN NOT NULL DEFAULT FALSE; | ||||
							
								
								
									
										1
									
								
								migrations/sqlite/2023-09-10-133000_add_sso/down.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1 @@ | ||||
| DROP TABLE sso_nonce; | ||||
							
								
								
									
										4
									
								
								migrations/sqlite/2023-09-10-133000_add_sso/up.sql
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,4 @@ | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations DROP COLUMN invited_by_email; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE users_organizations ADD COLUMN invited_by_email TEXT DEFAULT NULL; | ||||
| @@ -0,0 +1 @@ | ||||
| -- Integer size in SQLite is already i64, so we don't need to do anything | ||||
| @@ -0,0 +1 @@ | ||||
| -- Integer size in SQLite is already i64, so we don't need to do anything | ||||
| @@ -0,0 +1,6 @@ | ||||
| DROP TABLE sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   nonce               CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   state               TEXT NOT NULL PRIMARY KEY, | ||||
|   nonce               TEXT NOT NULL, | ||||
|   redirect_uri        TEXT NOT NULL, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1,8 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   state               TEXT NOT NULL PRIMARY KEY, | ||||
|   nonce               TEXT NOT NULL, | ||||
|   redirect_uri        TEXT NOT NULL, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1,9 @@ | ||||
| DROP TABLE IF EXISTS sso_nonce; | ||||
|  | ||||
| CREATE TABLE sso_nonce ( | ||||
|   state               TEXT NOT NULL PRIMARY KEY, | ||||
|   nonce               TEXT NOT NULL, | ||||
|   verifier            TEXT, | ||||
|   redirect_uri        TEXT NOT NULL, | ||||
|   created_at          DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| DROP TABLE IF EXISTS sso_users; | ||||
										7
								migrations/sqlite/2024-03-06-170000_add_sso_users/up.sql
							| @@ -0,0 +1,7 @@ | ||||
| CREATE TABLE sso_users ( | ||||
|   user_uuid           CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   identifier          TEXT NOT NULL UNIQUE, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, | ||||
|  | ||||
|   FOREIGN KEY(user_uuid) REFERENCES users(uuid) | ||||
| ); | ||||
| @@ -0,0 +1,9 @@ | ||||
| DROP TABLE IF EXISTS sso_users; | ||||
|  | ||||
| CREATE TABLE sso_users ( | ||||
|   user_uuid           CHAR(36) NOT NULL PRIMARY KEY, | ||||
|   identifier          TEXT NOT NULL UNIQUE, | ||||
|   created_at          TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, | ||||
|  | ||||
|   FOREIGN KEY(user_uuid) REFERENCES users(uuid) ON UPDATE CASCADE ON DELETE CASCADE | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| DROP TABLE twofactor_duo_ctx; | ||||
| @@ -0,0 +1,8 @@ | ||||
| CREATE TABLE twofactor_duo_ctx ( | ||||
|     state      TEXT    NOT NULL, | ||||
|     user_email TEXT    NOT NULL, | ||||
|     nonce      TEXT    NOT NULL, | ||||
|     exp        INTEGER NOT NULL, | ||||
|  | ||||
|     PRIMARY KEY (state) | ||||
| ); | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE `twofactor_incomplete` DROP COLUMN `device_type`; | ||||
| @@ -0,0 +1 @@ | ||||
| ALTER TABLE twofactor_incomplete ADD COLUMN device_type INTEGER NOT NULL DEFAULT 14; -- 14 = Unknown Browser | ||||
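--- a/migrations/sqlite/2025-01-09-172300_add_manage/up.sql
+++ b/migrations/sqlite/2025-01-09-172300_add_manage/up.sql
@@ -0,0 +1,5 @@
+ALTER TABLE users_collections
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE
+
+ALTER TABLE collections_groups
+ADD COLUMN manage BOOLEAN NOT NULL DEFAULT 0; -- FALSE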
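--- a/playwright/.env.template
+++ b/playwright/.env.template
@@ -0,0 +1,64 @@
+#################################
+### Conf to run dev instances ###
+#################################
+ENV=dev
+DC_ENV_FILE=.env
+COMPOSE_IGNORE_ORPHANS=True
+DOCKER_BUILDKIT=1
+
+################
+# Users Config #
+################
+TEST_USER=test
+TEST_USER_PASSWORD=${TEST_USER}
+TEST_USER_MAIL=${TEST_USER}@yopmail.com
+
+TEST_USER2=test2
+TEST_USER2_PASSWORD=${TEST_USER2}
+TEST_USER2_MAIL=${TEST_USER2}@yopmail.com
+
+TEST_USER3=test3
+TEST_USER3_PASSWORD=${TEST_USER3}
+TEST_USER3_MAIL=${TEST_USER3}@yopmail.com
+
+###################
+# Keycloak Config #
+###################
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN}
+KC_HTTP_HOST=127.0.0.1
+KC_HTTP_PORT=8080
+
+# Script parameters (use Keycloak and Vaultwarden config too)
+TEST_REALM=test
+DUMMY_REALM=dummy
+DUMMY_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${DUMMY_REALM}
+
+######################
+# Vaultwarden Config #
+######################
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT=8000
+DOMAIN=http://127.0.0.1:${ROCKET_PORT}
+LOG_LEVEL=info,oidcwarden::sso=debug
+I_REALLY_WANT_VOLATILE_STORAGE=true
+
+SSO_ENABLED=true
+SSO_ONLY=false
+SSO_CLIENT_ID=warden
+SSO_CLIENT_SECRET=warden
+SSO_AUTHORITY=http://${KC_HTTP_HOST}:${KC_HTTP_PORT}/realms/${TEST_REALM}
+
+SMTP_HOST=127.0.0.1
+SMTP_PORT=1025
+SMTP_SECURITY=off
+SMTP_TIMEOUT=5
+SMTP_FROM=vaultwarden@test
+SMTP_FROM_NAME=Vaultwarden
+
+########################################################
+# DUMMY values for docker-compose to stop bothering us #
+########################################################
+MARIADB_PORT=3305
+MYSQL_PORT=3307
+POSTGRES_PORT=5432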
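Review bot: The template pairs fixed, guessable credentials (`KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN}`, `SSO_CLIENT_SECRET=warden`, `TEST_USER_PASSWORD=${TEST_USER}`) with `ROCKET_ADDRESS=0.0.0.0` and `SSO_ENABLED=true`, so the dev vault built from a plain copy of this file is reachable from every interface of the host with well-known logins. The README only says to copy this file to `.env`, so a header comment should make the scope explicit, e.g. `# Dev/test defaults only: well-known passwords and a 0.0.0.0 bind; do not reuse on a host reachable by others`. A safer default is `ROCKET_ADDRESS=127.0.0.1`, letting the phone-testing case the README describes override it together with `DOMAIN`. Whether the Keycloak and Maildev containers also publish on all interfaces depends on the compose file, which is not part of this section.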
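--- a/playwright/.gitignore
+++ b/playwright/.gitignore
@@ -0,0 +1,6 @@
+logs
+node_modules/
+/test-results/
+/playwright-report/
+/playwright/.cache/
+temp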
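--- a/playwright/README.md
+++ b/playwright/README.md
@@ -0,0 +1,169 @@
+# Integration tests
+
+This allows running integration tests using [Playwright](https://playwright.dev/).
+
+It uses its own `test.env` with different ports to not collide with a running dev instance.
+
+## Install
+
+This relies on `docker` and the `compose` [plugin](https://docs.docker.com/compose/install/).
+Databases (`Mariadb`, `Mysql` and `Postgres`) and `Playwright` will run in containers.
+
+### Running Playwright outside docker
+
+It is possible to run `Playwright` outside of the container, this removes the need to rebuild the image for each change.
+You will additionally need `nodejs` then run:
+
+```bash
+npm install
+npx playwright install-deps
+npx playwright install firefox
+```
+
+## Usage
+
+To run all the tests:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright
+```
+
+To force a rebuild of the Playwright image:
+```bash
+DOCKER_BUILDKIT=1 docker compose --env-file test.env build Playwright
+```
+
+To access the UI to easily run test individually and debug if needed (this will not work in docker):
+
+```bash
+npx playwright test --ui
+```
+
+### DB
+
+Projects are configured to allow to run tests only on specific database.
+
+You can use:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mariadb
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=mysql
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=postgres
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite
+```
+
+### SSO
+
+To run the SSO tests:
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project sso-sqlite
+```
+
+### Keep services running
+
+If you want you can keep the DB and Keycloak runnning (states are not impacted by the tests):
+
+```bash
+PW_KEEP_SERVICE_RUNNNING=true npx playwright test
+```
+
+### Running specific tests
+
+To run a whole file you can :
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite login
+```
+
+To run only a specifc test (It might fail if it has dependency):
+
+```bash
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite -g "Account creation"
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env run Playwright test --project=sqlite tests/login.spec.ts:16
+```
+
+## Writing scenario
+
+When creating new scenario use the recorder to more easily identify elements
+(in general try to rely on visible hint to identify elements and not hidden IDs).
+This does not start the server, you will need to start it manually.
+
+```bash
+npx playwright codegen "http://127.0.0.1:8000"
+```
+
+## Override web-vault
+
+It is possible to change the `web-vault` used by referencing a different `bw_web_builds` commit.
+
+```bash
+export PW_WV_REPO_URL=https://github.com/Timshel/oidc_web_builds.git
+export PW_WV_COMMIT_HASH=8707dc76df3f0cceef2be5bfae37bb29bd17fae6
+DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env build Playwright
+```
+
+# OpenID Connect test setup
+
+Additionally this `docker-compose` template allows to run locally Vaultwarden,
+[Keycloak](https://www.keycloak.org/) and [Maildev](https://github.com/timshel/maildev) to test OIDC.
+
+## Setup
+
+This rely on `docker` and the `compose` [plugin](https://docs.docker.com/compose/install/).
+First create a copy of `.env.template` as `.env` (This is done to prevent committing your custom settings, Ex `SMTP_`).
+
+## Usage
+
+Then start the stack (the `profile` is required to run `Vaultwarden`) :
+
+```bash
+> docker compose --profile vaultwarden --env-file .env up
+....
+keycloakSetup_1  | Logging into http://127.0.0.1:8080 as user admin of realm master
+keycloakSetup_1  | Created new realm with id 'test'
+keycloakSetup_1  | 74af4933-e386-4e64-ba15-a7b61212c45e
+oidc_keycloakSetup_1 exited with code 0
+```
+
+Wait until `oidc_keycloakSetup_1 exited with code 0` which indicates the correct setup of the Keycloak realm, client and user
+(It is normal for this container to stop once the configuration is done).
+
+Then you can access :
+
+- `Vaultwarden` on http://0.0.0.0:8000 with the default user `test@yopmail.com/test`.
+- `Keycloak` on http://0.0.0.0:8080/admin/master/console/ with the default user `admin/admin`
+- `Maildev` on http://0.0.0.0:1080
+
+To proceed with an SSO login after you enter the email, on the screen prompting for `Master Password` the SSO button should be visible.
+To use your computer external ip (for example when testing with a phone) you will have to configure `KC_HTTP_HOST` and `DOMAIN`.
+
+## Running only Keycloak
+
+You can run just `Keycloak` with `--profile keycloak`:
+
+```bash
+> docker compose --profile keycloak --env-file .env up
+```
+When running with a local Vaultwarden, you can use a front-end build from [dani-garcia/bw_web_builds](https://github.com/dani-garcia/bw_web_builds/releases).
+
+## Rebuilding the Vaultwarden
+
+To force rebuilding the Vaultwarden image you can run
+
+```bash
+docker compose --profile vaultwarden --env-file .env build VaultwardenPrebuild Vaultwarden
+```
+
+## Configuration
+
+All configuration for `keycloak` / `Vaultwarden` / `keycloak_setup.sh` can be found in [.env](.env.template).
+The content of the file will be loaded as environment variables in all containers.
+
+- `keycloak` [configuration](https://www.keycloak.org/server/all-config) includes `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` and any variable prefixed `KC_` ([more information](https://www.keycloak.org/server/configuration#_example_configuring_the_db_url_host_parameter)).
+- All `Vaultwarden` configuration can be set (EX: `SMTP_*`)
+
+## Cleanup
+
+Use `docker compose --profile vaultwarden down`.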
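--- a/playwright/compose/keycloak/Dockerfile
+++ b/playwright/compose/keycloak/Dockerfile
@@ -0,0 +1,40 @@
+FROM docker.io/library/debian:bookworm-slim as build
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG KEYCLOAK_VERSION
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates curl wget \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+
+RUN wget -c https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-${KEYCLOAK_VERSION}.tar.gz -O - | tar -xz
+
+FROM docker.io/library/debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG KEYCLOAK_VERSION
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates curl wget \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG JAVA_URL
+ARG JAVA_VERSION
+
+ENV JAVA_VERSION=${JAVA_VERSION}
+
+RUN mkdir -p /opt/openjdk && cd /opt/openjdk \
+    && wget -c "${JAVA_URL}"  -O - | tar -xz
+
+WORKDIR /
+
+COPY setup.sh /setup.sh
+COPY --from=build /keycloak-${KEYCLOAK_VERSION}/bin /opt/keycloak/bin
+
+CMD "/setup.sh"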
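Review bot: Both archives are piped from the network straight into `tar -xz` with no integrity check — the Keycloak tarball in the build stage (`wget -c https://github.com/keycloak/... -O - | tar -xz`) and the JDK from `${JAVA_URL}` in the runtime stage — so a substituted or truncated download ends up in the image unnoticed. Pinning the expected SHA-256 per version through a build argument and verifying it before extraction closes that gap; the build-stage change is sketched below, and the same pattern applies to the JDK fetch. `-c` (resume) has no effect when the output is stdout and can be dropped. Separately, `CMD "/setup.sh"` is the shell form, so the script runs under `/bin/sh -c` and does not receive container signals directly; `CMD ["/setup.sh"]` is the usual exec form.
```dockerfile
ARG KEYCLOAK_VERSION
ARG KEYCLOAK_SHA256
# … unchanged: SHELL, apt-get install, WORKDIR …
RUN wget -q "https://github.com/keycloak/keycloak/releases/download/${KEYCLOAK_VERSION}/keycloak-${KEYCLOAK_VERSION}.tar.gz" -O keycloak.tar.gz \
    && echo "${KEYCLOAK_SHA256}  keycloak.tar.gz" | sha256sum -c - \
    && tar -xzf keycloak.tar.gz \
    && rm keycloak.tar.gz
```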
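--- a/playwright/compose/keycloak/setup.sh
+++ b/playwright/compose/keycloak/setup.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+export PATH=/opt/keycloak/bin:/opt/openjdk/jdk-${JAVA_VERSION}/bin:$PATH
+export JAVA_HOME=/opt/openjdk/jdk-${JAVA_VERSION}
+
+STATUS_CODE=0
+while [[ "$STATUS_CODE" != "404" ]] ; do
+    echo "Will retry in 2 seconds"
+    sleep 2
+
+    STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}"  "$DUMMY_AUTHORITY")
+
+    if [[ "$STATUS_CODE" = "200" ]]; then
+        echo "Setup should already be done. Will not run."
+        exit 0
+    fi
+done
+
+set -e
+
+kcadm.sh config credentials --server "http://${KC_HTTP_HOST}:${KC_HTTP_PORT}" --realm master --user "$KEYCLOAK_ADMIN" --password "$KEYCLOAK_ADMIN_PASSWORD" --client admin-cli
+
+kcadm.sh create realms -s realm="$TEST_REALM" -s enabled=true -s "accessTokenLifespan=600"
+kcadm.sh create clients -r test -s "clientId=$SSO_CLIENT_ID" -s "secret=$SSO_CLIENT_SECRET" -s "redirectUris=[\"$DOMAIN/*\"]" -i
+
+TEST_USER_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER" -s "firstName=$TEST_USER" -s "lastName=$TEST_USER" -s "email=$TEST_USER_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER_PASSWORD" -n
+
+TEST_USER2_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER2" -s "firstName=$TEST_USER2" -s "lastName=$TEST_USER2" -s "email=$TEST_USER2_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER2_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER2_PASSWORD" -n
+
+TEST_USER3_ID=$(kcadm.sh create users -r "$TEST_REALM" -s "username=$TEST_USER3" -s "firstName=$TEST_USER3" -s "lastName=$TEST_USER3" -s "email=$TEST_USER3_MAIL"  -s emailVerified=true -s enabled=true -i)
+kcadm.sh update users/$TEST_USER3_ID/reset-password -r "$TEST_REALM" -s type=password -s "value=$TEST_USER3_PASSWORD" -n
+
+# Dummy realm to mark end of setup
+kcadm.sh create realms -s realm="$DUMMY_REALM" -s enabled=true -s "accessTokenLifespan=600"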
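Review bot: The SSO client is created in a hard-coded realm — `kcadm.sh create clients -r test ...` right after the realm creation — while every other command uses `"$TEST_REALM"`, so changing `TEST_REALM` in the env file makes the client land in the wrong realm (or fail) and the SSO tests break in a confusing way. It should read `kcadm.sh create clients -r "$TEST_REALM" -s "clientId=$SSO_CLIENT_ID" -s "secret=$SSO_CLIENT_SECRET" -s "redirectUris=[\"$DOMAIN/*\"]" -i`. The three `update users/$TEST_USER_ID/reset-password` paths leave the expansion unquoted; `"users/$TEST_USER_ID/reset-password"` is the safe form and keeps ShellCheck quiet. Adding `-u` to the `set -e` line (`set -eu`) would also make a missing `TEST_USER*` or `SSO_CLIENT_*` variable fail fast instead of creating a user or client with an empty value.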