#!/bin/bash
# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
# shellcheck disable=2034,2059
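true
SCRIPT_NAME="Bitwarden RS"
# lib.sh is fetched over HTTPS from the upstream repo and sourced as-is; nothing here
# pins or verifies its content, so the installer trusts that repo and the TLS chain.
# shellcheck source=lib.sh
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode
# Check if root
root_check
# Check if bitwarden_rs is already installed.
# docker is only installed further down (install_docker), so on a fresh system
# `docker ps` does not exist yet; its stderr is silenced and the grep finds nothing.
if [ -d /home/bitwarden_rs ] || docker ps -a --format '{{.Names}}' 2>/dev/null | grep -Eq "bitwarden_rs"
then
msg_box "It seems like you have already installed Bitwarden_rs.
You cannot install it again because you would lose all your data and passwords.
If you are certain that you definitely want to delete Bitwarden_rs and all
its data to be able to reinstall it, you can execute the following commands:
'sudo docker stop bitwarden_rs'
'sudo docker rm bitwarden_rs'
'sudo rm -r /home/bitwarden_rs'"
exit 1
fi
# Inform what bitwarden_rs is
msg_box "Bitwarden_rs is an unofficial Bitwarden server API implementation in Rust.
It has less hardware requirements and therefore runs on nearly any hardware.
Since it's unofficial, you need to really trust the maintainer of the project to install it:
https://github.com/dani-garcia/bitwarden_rs
You never know what could hide in an unofficial release.
It's always recommended to install the official Bitwarden by running:
sudo bash /var/scripts/menu.sh --> Additional Apps --> Bitwarden
Please report issues only to https://github.com/dani-garcia/bitwarden_rs"
msg_box "Are you really sure?
It's always recommended to install the official Bitwarden by running:
sudo bash /var/scripts/menu.sh --> Additional Apps --> Bitwarden
You will be offered to abort in the next step"
if ! yesno_box_yes "Are you sure you want to install Bitwarden_rs?"
then
exit
fi
SUBDOMAIN=$(input_box "Please enter the Domain that you want to use for Bitwarden RS.")
# curl the lib another time to get the correct https_conf
# (HTTPS_CONF, CERTFILES and DHPARAMS_SUB are derived from SUBDOMAIN inside lib.sh)
# shellcheck source=lib.sh
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
msg_box "Please make sure that you have edited the dns-settings of your domain and open ports 80 and 443."
if ! yesno_box_yes "Have you made the necessary preparations?"
then
exit
fi
# Check if $SUBDOMAIN exists and is reachable
print_text_in_color "$ICyan" "Checking if $SUBDOMAIN exists and is reachable..."
domain_check_200 "$SUBDOMAIN"
# Check open ports with NMAP
check_open_port 80 "$SUBDOMAIN"
check_open_port 443 "$SUBDOMAIN"
# Install Apache2
install_if_not apache2
# Enable Apache2 modules.
# mod_rewrite is needed because the vhost below uses RewriteEngine/RewriteRule for
# the websocket upgrade; a2enmod is idempotent if it is already enabled.
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
a2enmod headers
a2enmod remoteip
a2enmod rewrite
# Remove a stale vhost for this domain so it is always written fresh below
if [ -f "$HTTPS_CONF" ]
then
a2dissite "$SUBDOMAIN.conf"
rm -f "$HTTPS_CONF"
fi
if [ ! -f "$HTTPS_CONF" ]
then
# The heredoc delimiter is deliberately unquoted so that $SUBDOMAIN, $CERTFILES and
# $DHPARAMS_SUB expand now. Everything Apache must see literally is escaped:
# \${APACHE_LOG_DIR} is resolved by Apache from its own envvars, and the back-references
# \$1 / \$2 in the rewrite and proxy rules would otherwise be replaced by this script's
# positional parameters (normally empty), silently dropping the websocket path.
# NOTE(review): the SSLCipherSuite list still contains 3DES (DES-CBC3) and non-ephemeral
# AES suites; with TLSv1.2-only they remain negotiable by legacy clients and could be
# dropped. The SSLProxy* directives are inert here since the backend is plain HTTP on
# loopback.
cat << HTTPS_CREATE > "$HTTPS_CONF"
ServerName $SUBDOMAIN:443
SSLEngine on
ServerSignature On
SSLHonorCipherOrder on
SSLCertificateChainFile $CERTFILES/$SUBDOMAIN/chain.pem
SSLCertificateFile $CERTFILES/$SUBDOMAIN/cert.pem
SSLCertificateKeyFile $CERTFILES/$SUBDOMAIN/privkey.pem
SSLOpenSSLConfCmd DHParameters $DHPARAMS_SUB
SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
LogLevel warn
CustomLog \${APACHE_LOG_DIR}/access.log combined
ErrorLog \${APACHE_LOG_DIR}/error.log
# Just in case - see below
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# contra mixed content warnings
RequestHeader set X-Forwarded-Proto "https"
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /notifications/hub(.*) ws://127.0.0.1:3012/\$1 [P,L]
# basic proxy settings
ProxyRequests off
ProxyPassMatch (.*)(\/websocket)$ "ws://127.0.0.1:1024/\$1\$2"
ProxyPass / "http://127.0.0.1:1024/"
ProxyPassReverse / "http://127.0.0.1:1024/"
# Extra (remote) headers
RequestHeader set X-Real-IP %{REMOTE_ADDR}s
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options nosniff
Header set Content-Security-Policy "frame-ancestors 'self'"
HTTPS_CREATE
if [ -f "$HTTPS_CONF" ]
then
print_text_in_color "$IGreen" "$HTTPS_CONF was successfully created."
sleep 1
else
print_text_in_color "$IRed" "Unable to create vhost, exiting..."
print_text_in_color "$IRed" "Please report this issue here $ISSUES"
exit 1
fi
fi
# Install certbot (Let's Encrypt)
install_certbot
# Generate certs and auto-configure if successful
if generate_cert "$SUBDOMAIN"
then
# Generate DH parameters referenced by SSLOpenSSLConfCmd above
# (-dsaparam makes 4096-bit generation fast enough to run during install)
if [ ! -f "$DHPARAMS_SUB" ]
then
openssl dhparam -dsaparam -out "$DHPARAMS_SUB" 4096
fi
print_text_in_color "$IGreen" "Certs are generated!"
a2ensite "$SUBDOMAIN.conf"
restart_webserver
else
# remove settings to be able to start over again
rm -f "$HTTPS_CONF"
last_fail_tls "$SCRIPTS"/apps/tmbitwarden.sh
exit 1
fi
# Install docker
install_docker
# Create data dir for Bitwarden RS; owner matches the container's --user nobody below
mkdir -p /home/bitwarden_rs
chown nobody -R /home/bitwarden_rs
chmod -R 0770 /home/bitwarden_rs
# Generate admin password (token for the /admin panel, shown to the user at the end)
ADMIN_PASS=$(gen_passwd "$SHUF" "A-Za-z0-9")
# Install docker-container.
# Ports are published on loopback only: Apache proxies to 127.0.0.1 (see the vhost
# above), so binding them on all interfaces would expose plaintext HTTP and the
# websocket port directly, bypassing TLS, fail2ban's X-Real-IP source and the headers.
# NOTE(review): ADMIN_TOKEN is passed on the command line, so it is readable through
# `docker inspect` and briefly in the process list; an --env-file would avoid that.
docker pull bitwardenrs/server:latest
docker run -d --name bitwarden_rs \
--user nobody \
-e ADMIN_TOKEN="$ADMIN_PASS" \
-e SIGNUPS_VERIFY=true \
-e DOMAIN="https://$SUBDOMAIN" \
-e SIGNUPS_ALLOWED=false \
-p 127.0.0.1:1024:1024 \
-e ROCKET_PORT=1024 \
-e WEBSOCKET_ENABLED=true \
-p 127.0.0.1:3012:3012 \
-e LOG_FILE=/data/bitwarden.log \
-e LOG_LEVEL=warn \
-v /home/bitwarden_rs/:/data/ \
-v /etc/timezone:/etc/timezone:ro \
-v /etc/localtime:/etc/localtime:ro \
--restart always \
bitwardenrs/server:latest
# Add prune command
add_dockerprune
# Inform about fail2ban
msg_box "We will now set up fail2ban for you.
You can unban ip addresses by executing the following command:
sudo fail2ban-client set bitwarden_rs unbanip XX.XX.XX.XX
sudo fail2ban-client set bitwarden_rs-admin unbanip XX.XX.XX.XX"
# Install fail2ban
install_if_not fail2ban
systemctl stop fail2ban
# Create all needed files.
# fail2ban needs the <HOST> capture tag in every failregex to know which address to
# ban; without it the filter fails to load. The tag is easily lost when this file is
# rendered as HTML, so make sure it survives edits.
# Bitwarden RS conf
cat << BW_CONF > /etc/fail2ban/filter.d/bitwarden_rs.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
ignoreregex =
BW_CONF
# Bitwarden RS jail (iptables-allports bans the address on every port, so the
# port list is informational)
cat << BW_JAIL_CONF > /etc/fail2ban/jail.d/bitwarden_rs.local
[bitwarden_rs]
enabled = true
port = 80,443,8081
filter = bitwarden_rs
action = iptables-allports[name=bitwarden_rs]
logpath = /home/bitwarden_rs/bitwarden.log
maxretry = 20
bantime = 1209600
findtime = 1800
ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
BW_JAIL_CONF
# bitwarden_rs-admin conf
cat << BWA_CONF > /etc/fail2ban/filter.d/bitwarden_rs-admin.local
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <HOST>.*$
ignoreregex =
BWA_CONF
# bitwarden_rs-admin jail (stricter maxretry: the admin token is a single secret)
cat << BWA_JAIL_CONF > /etc/fail2ban/jail.d/bitwarden_rs-admin.local
[bitwarden_rs-admin]
enabled = true
port = 80,443
filter = bitwarden_rs-admin
action = iptables-allports[name=bitwarden_rs]
logpath = /home/bitwarden_rs/bitwarden.log
maxretry = 5
bantime = 1209600
findtime = 1800
ignoreip = 127.0.0.1/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
BWA_JAIL_CONF
check_command systemctl start fail2ban
countdown "Waiting for fail2ban to start... " 5
check_command fail2ban-client reload
msg_box "Bitwarden_rs with fail2ban have been successfully installed!
Please visit https://$SUBDOMAIN/admin to manage all your settings.
Attention! Please note down the password for the admin panel: $ADMIN_PASS
Otherwise you will not have access to your Bitwarden_rs installation and have to reinstall it completely!
It is highly recommended to configure and test the smtp settings for mails first.
Then, if it works, you can easily invite all your users with an e-mail address from this admin-panel.
(You have to click on users in the top-panel)
Please remember to report issues only to https://github.com/dani-garcia/bitwarden_rs"
any_key "Press any key if you are certain to exit the script..."
exit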