diff options
author | szaimen <szaimen@e.mail.de> | 2020-08-12 14:33:42 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-12 14:33:42 +0300 |
commit | 58ba0388f3c48945b4928a23105449a40fa3a97f (patch) | |
tree | 615d95357ff76573491579d9f26765a3fa482dcf /apps/tmbitwarden.sh | |
parent | 8721ea0c7c3ca283d34e200114f948d5fefb9845 (diff) |
update bitwarden to allow subdomains (#1362)
Co-authored-by: Daniel Hansson <github@hanssonit.se>
Diffstat (limited to 'apps/tmbitwarden.sh')
-rw-r--r-- | apps/tmbitwarden.sh | 165 |
1 files changed, 145 insertions, 20 deletions
diff --git a/apps/tmbitwarden.sh b/apps/tmbitwarden.sh index 31900bc4..9fd83432 100644 --- a/apps/tmbitwarden.sh +++ b/apps/tmbitwarden.sh @@ -41,9 +41,8 @@ print_text_in_color "$ICyan" "Installing Bitwarden password manager..." msg_box "Bitwarden is a password manager that is seperate from Nextcloud, though we provide this service because it's self hosted and secure. -If you just want to run Bitwarden locally (not connecting your smartphone) then you can use 'localhost' as domain. -If you on the other hand want to run this on a domain, then please create a DNS record and point it to this server. -In the process of setting up Bitwarden you will be asked to generate an TLS cert with Let's Enrypt so no need to get your own prior to this setup. +To be able to use Bitwarden, you need a seperate subdomain. Please create a DNS record and point it to this server, e.g: bitwarden.yourdomain.com. +After Bitwarden is setup, we will automatically generate a TLS cert with Let's Enrypt. There's no need to get your own prior to this setup, nor during the Bitwarden setup. The script is based on this documentation: https://help.bitwarden.com/article/install-on-premise/ It's a good idea to read that before you start this script. @@ -51,8 +50,8 @@ It's a good idea to read that before you start this script. Please also report any issues regarding this script setup to $ISSUES" msg_box "The necessary preparations to run expose Bitwarden to the internet are: -1. The HTTP proxy and HTTPS ports for Bitwarden are 8080 and 8443, please open those ports before running this script. -2. Please create a DNS record and point that to this server. +1. Please open port 443 and 80 and point to this server. +2. Please create a DNS record for your subdomain and point that to this server. 3. Raise the amount of RAM to this server to at least 3 GB." if [[ "no" == $(ask_yes_or_no "Have you made the necessary preparations?") ]] @@ -61,39 +60,165 @@ msg_box "OK, please do the necessary preparations before you run this script and To run this script again, execute $SCRIPTS/menu.sh and choose Additional Apps --> Bitwarden" exit -else - sleep 0.1 fi +msg_box "IMPORTANT, PLEASE READ! + +In the next steps you will be asked to answer some questions. +The questions are from the Bitwarden setup script, and therefore nothing that we control. + +It's important that you answer the questions correclty for the rest of the setup to work properly, +and to be able to generate a valid TLS certificate automatically with our own (this) script. + +Basically: +1. Enter the domain for Bitwarden +2. Answer 'no' to the question if you want Let's Encrypt +3. Enter your installation id and keys +4. Continue to answer 'no' to everything related to SSL/TLS. + +Please have a look at how the questions are answered here if you are uncertain: +https://i.imgur.com/YPynDAf.png" + # Install Docker install_docker install_if_not docker-compose -# Stop Apache to not conflict when LE is run -check_command systemctl stop apache2.service - # Install Bitwarden install_if_not curl cd /root curl_to_dir "https://raw.githubusercontent.com/bitwarden/core/master/scripts" "bitwarden.sh" "/root" chmod +x /root/bitwarden.sh check_command ./bitwarden.sh install -sed -i "s|http_port.*|http_port: 8080|g" /root/bwdata/config.yml -sed -i "s|https_port.*|https_port: 8443|g" /root/bwdata/config.yml + +# Check if all ssl settings were entered correctly +if grep ^url /root/bwdata/config.yml | grep -q https || grep ^url /root/bwdata/config.yml | grep -q localhost +then + message "It seems like you have entered some wrong settings. We will remove bitwarden now again so that you can start over again." + check_command ./bitwarden.sh install + docker system prune -af + rm -rf /root/bwdata + exit 1 +fi + +# Continue with the installation +sed -i "s|http_port.*|http_port: 5178|g" /root/bwdata/config.yml +sed -i "s|https_port.*|https_port: 5179|g" /root/bwdata/config.yml +# Get Subdomain from config.yml and change it to https +SUBDOMAIN=$(grep ^url /root/bwdata/config.yml) +SUBDOMAIN=${SUBDOMAIN##*url: http://} +sed -i "s|^url: .*|url: https://$SUBDOMAIN|g" /root/bwdata/config.yml +sed -i 's|http://|https://|g' /root/bwdata/env/global.override.env check_command ./bitwarden.sh rebuild check_command ./bitwarden.sh start -if check_command ./bitwarden.sh updatedb +check_command ./bitwarden.sh updatedb + +# Produce reverse-proxy config and get lets-encrypt certificate +msg_box "We'll now setup the Apache Proxy that will act as TLS front for your Bitwarden installation." + +# Curl the lib another time to get the correct HTTPS_CONF +# shellcheck source=lib.sh +. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh) + +# Check if $SUBDOMAIN exists and is reachable +print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..." +domain_check_200 "$SUBDOMAIN" + +# Check open ports with NMAP +check_open_port 80 "$SUBDOMAIN" +check_open_port 443 "$SUBDOMAIN" + +# Install Apache2 +install_if_not apache2 + +# Enable Apache2 module's +a2enmod proxy +a2enmod proxy_wstunnel +a2enmod proxy_http +a2enmod ssl + +if [ -f "$HTTPS_CONF" ] then -msg_box "Bitwarden was sucessfully installed! Please visit $(grep 'url:' /root/bwdata/config.yml | awk '{print$2}'):8443 to setup your account. + a2dissite "$SUBDOMAIN.conf" + rm -f "$HTTPS_CONF" +fi -After the account it setup, please disable user registration by running sudo bash $SCRIPTS/menu.sh and choose: -Additional Apps --> Bitwarden Registration" +if [ ! -f "$HTTPS_CONF" ]; +then + cat << HTTPS_CREATE > "$HTTPS_CONF" +<VirtualHost *:443> + ServerName $SUBDOMAIN:443 + SSLEngine on + ServerSignature On + SSLHonorCipherOrder on + SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem + SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem + SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem + SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB + + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/access.log combined + ErrorLog ${APACHE_LOG_DIR}/error.log + # Just in case - see below + SSLProxyEngine On + SSLProxyVerify None + SSLProxyCheckPeerCN Off + SSLProxyCheckPeerName Off + # contra mixed content warnings + RequestHeader set X-Forwarded-Proto "https" + # basic proxy settings + ProxyRequests off + ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.1:5178/$1$2" + ProxyPass / "http://127.0.0.1:5178/" + ProxyPassReverse / "http://127.0.0.1:5178/" + + <Location /> + ProxyPassReverse / + </Location> +</VirtualHost> +HTTPS_CREATE + + if [ -f "$HTTPS_CONF" ]; + then + print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created." + sleep 1 + else + print_text_in_color "$IRed" "Unable to create vhost, exiting..." + print_text_in_color "$IRed" "Please report this issue here $ISSUES" + exit 1 + fi +fi + +# Install certbot (Let's Encrypt) +install_certbot + +# Generate certs and auto-configure if successful +if generate_cert "$SUBDOMAIN" +then + # Generate DHparams chifer + if [ ! -f "$DHPARAMS_SUB" ] + then + openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096 + fi + print_text_in_color "$IGreen" "Certs are generated!" + a2ensite "$SUBDOMAIN.conf" + restart_webserver else -msg_box "Bitwarden installation failed! We will now remove necessary configs to be able to run this script again" - rm -rf /root/bwdata/ + # remove settings to be able to start over again + rm -f "$HTTPS_CONF" + last_fail_tls "$SCRIPTS"/apps/tmbitwarden.sh + ./bitwarden stop && docker system prune -af + rm -rf /root/bwdata + exit 1 fi -# Start Apache2 -check_command systemctl start apache2.service +# Add prune command +add_dockerprune + +msg_box "Bitwarden was sucessfully installed! Please visit $SUBDOMAIN to setup your account. + +After the account it setup, please disable user registration by running sudo bash $SCRIPTS/menu.sh and choose: +Additional Apps --> Bitwarden Registration" exit |