authorszaimen <szaimen@e.mail.de>2020-08-12 14:33:42 +0300
committerGitHub <noreply@github.com>2020-08-12 14:33:42 +0300
commit58ba0388f3c48945b4928a23105449a40fa3a97f (patch)
tree615d95357ff76573491579d9f26765a3fa482dcf /apps/tmbitwarden.sh
parent8721ea0c7c3ca283d34e200114f948d5fefb9845 (diff)
update bitwarden to allow subdomains (#1362)
Co-authored-by: Daniel Hansson <github@hanssonit.se>
Diffstat (limited to 'apps/tmbitwarden.sh')
-rw-r--r--apps/tmbitwarden.sh165
1 files changed, 145 insertions, 20 deletions
diff --git a/apps/tmbitwarden.sh b/apps/tmbitwarden.sh
index 31900bc4..9fd83432 100644
--- a/apps/tmbitwarden.sh
+++ b/apps/tmbitwarden.sh
@@ -41,9 +41,8 @@ print_text_in_color "$ICyan" "Installing Bitwarden password manager..."
msg_box "Bitwarden is a password manager that is seperate from Nextcloud, though we provide this service because it's self hosted and secure.
-If you just want to run Bitwarden locally (not connecting your smartphone) then you can use 'localhost' as domain.
-If you on the other hand want to run this on a domain, then please create a DNS record and point it to this server.
-In the process of setting up Bitwarden you will be asked to generate an TLS cert with Let's Enrypt so no need to get your own prior to this setup.
+To be able to use Bitwarden, you need a seperate subdomain. Please create a DNS record and point it to this server, e.g: bitwarden.yourdomain.com.
+After Bitwarden is setup, we will automatically generate a TLS cert with Let's Enrypt. There's no need to get your own prior to this setup, nor during the Bitwarden setup.
The script is based on this documentation: https://help.bitwarden.com/article/install-on-premise/
It's a good idea to read that before you start this script.
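Review bot: The new message line starting `To be able to use Bitwarden` misspells `seperate`, and the following line has `Let's Enrypt`; both are shown to the user, so `separate` and `Let's Encrypt` are the intended words (the unchanged opening sentence of this msg_box carries the same `seperate`). The same class of typo appears in the third hunk: `correclty` in the "IMPORTANT, PLEASE READ!" msg_box and `sucessfully` plus `After the account it setup` in the final msg_box, which should read `successfully` and `After the account is set up`.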
@@ -51,8 +50,8 @@ It's a good idea to read that before you start this script.
Please also report any issues regarding this script setup to $ISSUES"
msg_box "The necessary preparations to run expose Bitwarden to the internet are:
-1. The HTTP proxy and HTTPS ports for Bitwarden are 8080 and 8443, please open those ports before running this script.
-2. Please create a DNS record and point that to this server.
+1. Please open port 443 and 80 and point to this server.
+2. Please create a DNS record for your subdomain and point that to this server.
3. Raise the amount of RAM to this server to at least 3 GB."
if [[ "no" == $(ask_yes_or_no "Have you made the necessary preparations?") ]]
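Review bot: The rewritten preparation step `1. Please open port 443 and 80 and point to this server.` is ambiguous about what "point" means, and these are the two ports the script later verifies with `check_open_port 80`/`check_open_port 443` on the subdomain. Clearer wording would be `1. Open ports 80 and 443 on your firewall/router and forward them to this server.`, which also matches the DNS step that follows it.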
@@ -61,39 +60,165 @@ msg_box "OK, please do the necessary preparations before you run this script and
To run this script again, execute $SCRIPTS/menu.sh and choose Additional Apps --> Bitwarden"
exit
-else
- sleep 0.1
fi
+msg_box "IMPORTANT, PLEASE READ!
+
+In the next steps you will be asked to answer some questions.
+The questions are from the Bitwarden setup script, and therefore nothing that we control.
+
+It's important that you answer the questions correclty for the rest of the setup to work properly,
+and to be able to generate a valid TLS certificate automatically with our own (this) script.
+
+Basically:
+1. Enter the domain for Bitwarden
+2. Answer 'no' to the question if you want Let's Encrypt
+3. Enter your installation id and keys
+4. Continue to answer 'no' to everything related to SSL/TLS.
+
+Please have a look at how the questions are answered here if you are uncertain:
+https://i.imgur.com/YPynDAf.png"
+
# Install Docker
install_docker
install_if_not docker-compose
-# Stop Apache to not conflict when LE is run
-check_command systemctl stop apache2.service
-
# Install Bitwarden
install_if_not curl
cd /root
curl_to_dir "https://raw.githubusercontent.com/bitwarden/core/master/scripts" "bitwarden.sh" "/root"
chmod +x /root/bitwarden.sh
check_command ./bitwarden.sh install
-sed -i "s|http_port.*|http_port: 8080|g" /root/bwdata/config.yml
-sed -i "s|https_port.*|https_port: 8443|g" /root/bwdata/config.yml
+
+# Check if all ssl settings were entered correctly
+if grep ^url /root/bwdata/config.yml | grep -q https || grep ^url /root/bwdata/config.yml | grep -q localhost
+then
+ message "It seems like you have entered some wrong settings. We will remove bitwarden now again so that you can start over again."
+ check_command ./bitwarden.sh install
+ docker system prune -af
+ rm -rf /root/bwdata
+ exit 1
+fi
+
+# Continue with the installation
+sed -i "s|http_port.*|http_port: 5178|g" /root/bwdata/config.yml
+sed -i "s|https_port.*|https_port: 5179|g" /root/bwdata/config.yml
+# Get Subdomain from config.yml and change it to https
+SUBDOMAIN=$(grep ^url /root/bwdata/config.yml)
+SUBDOMAIN=${SUBDOMAIN##*url: http://}
+sed -i "s|^url: .*|url: https://$SUBDOMAIN|g" /root/bwdata/config.yml
+sed -i 's|http://|https://|g' /root/bwdata/env/global.override.env
check_command ./bitwarden.sh rebuild
check_command ./bitwarden.sh start
-if check_command ./bitwarden.sh updatedb
+check_command ./bitwarden.sh updatedb
+
+# Produce reverse-proxy config and get lets-encrypt certificate
+msg_box "We'll now setup the Apache Proxy that will act as TLS front for your Bitwarden installation."
+
+# Curl the lib another time to get the correct HTTPS_CONF
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check if $SUBDOMAIN exists and is reachable
+print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
+domain_check_200 "$SUBDOMAIN"
+
+# Check open ports with NMAP
+check_open_port 80 "$SUBDOMAIN"
+check_open_port 443 "$SUBDOMAIN"
+
+# Install Apache2
+install_if_not apache2
+
+# Enable Apache2 module's
+a2enmod proxy
+a2enmod proxy_wstunnel
+a2enmod proxy_http
+a2enmod ssl
+
+if [ -f "$HTTPS_CONF" ]
then
-msg_box "Bitwarden was sucessfully installed! Please visit $(grep 'url:' /root/bwdata/config.yml | awk '{print$2}'):8443 to setup your account.
+ a2dissite "$SUBDOMAIN.conf"
+ rm -f "$HTTPS_CONF"
+fi
-After the account it setup, please disable user registration by running sudo bash $SCRIPTS/menu.sh and choose:
-Additional Apps --> Bitwarden Registration"
+if [ ! -f "$HTTPS_CONF" ];
+then
+ cat << HTTPS_CREATE > "$HTTPS_CONF"
+<VirtualHost *:443>
+ ServerName $SUBDOMAIN:443
+ SSLEngine on
+ ServerSignature On
+ SSLHonorCipherOrder on
+ SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
+ SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
+ SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
+ SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ # Just in case - see below
+ SSLProxyEngine On
+ SSLProxyVerify None
+ SSLProxyCheckPeerCN Off
+ SSLProxyCheckPeerName Off
+ # contra mixed content warnings
+ RequestHeader set X-Forwarded-Proto "https"
+ # basic proxy settings
+ ProxyRequests off
+ ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.1:5178/$1$2"
+ ProxyPass / "http://127.0.0.1:5178/"
+ ProxyPassReverse / "http://127.0.0.1:5178/"
+
+ <Location />
+ ProxyPassReverse /
+ </Location>
+</VirtualHost>
+HTTPS_CREATE
+
+ if [ -f "$HTTPS_CONF" ];
+ then
+ print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
+ sleep 1
+ else
+ print_text_in_color "$IRed" "Unable to create vhost, exiting..."
+ print_text_in_color "$IRed" "Please report this issue here $ISSUES"
+ exit 1
+ fi
+fi
+
+# Install certbot (Let's Encrypt)
+install_certbot
+
+# Generate certs and auto-configure if successful
+if generate_cert "$SUBDOMAIN"
+then
+ # Generate DHparams chifer
+ if [ ! -f "$DHPARAMS_SUB" ]
+ then
+ openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
+ fi
+ print_text_in_color "$IGreen" "Certs are generated!"
+ a2ensite "$SUBDOMAIN.conf"
+ restart_webserver
else
-msg_box "Bitwarden installation failed! We will now remove necessary configs to be able to run this script again"
- rm -rf /root/bwdata/
+ # remove settings to be able to start over again
+ rm -f "$HTTPS_CONF"
+ last_fail_tls "$SCRIPTS"/apps/tmbitwarden.sh
+ ./bitwarden stop && docker system prune -af
+ rm -rf /root/bwdata
+ exit 1
fi
-# Start Apache2
-check_command systemctl start apache2.service
+# Add prune command
+add_dockerprune
+
+msg_box "Bitwarden was sucessfully installed! Please visit $SUBDOMAIN to setup your account.
+
+After the account it setup, please disable user registration by running sudo bash $SCRIPTS/menu.sh and choose:
+Additional Apps --> Bitwarden Registration"
exit
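Review bot: The vhost heredoc at `cat << HTTPS_CREATE` has an unquoted delimiter, so the shell expands `$1$2` in the ProxyPassMatch line and `${APACHE_LOG_DIR}` in the CustomLog/ErrorLog lines when the file is written; the websocket backreferences (and, unless the script itself exports APACHE_LOG_DIR, the log directory) come out empty instead of being left for Apache to interpret. Escape them: `ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.1:5178/\$1\$2"`, `CustomLog \${APACHE_LOG_DIR}/access.log combined`, `ErrorLog \${APACHE_LOG_DIR}/error.log`. Both clean-up paths also look wrong: the "wrong settings" branch re-runs `check_command ./bitwarden.sh install` where a stop is presumably intended, and the cert-failure branch calls `./bitwarden stop` although the downloaded script is `/root/bitwarden.sh`, so that `&&` skips the prune; `./bitwarden.sh stop` in both places would match. Note that `docker system prune -af` removes every unused container and image on the host, not only Bitwarden's, which deserves a comment or a narrower cleanup. `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0/1.1 and the SSLCipherSuite list includes 3DES entries; if this template is shared with the repo's other vhosts that may be deliberate, otherwise `SSLProtocol -all +TLSv1.2 +TLSv1.3` with the CBC3 suites dropped is the tighter default.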