Commit
Showing 1 changed file with 159 additions and 0 deletions.
@@ -0,0 +1,159 @@ | ||
# Podman Bitwarden RS Project | ||
## _Bitwarden RS Powered by Podman_ | ||
|
||
[![N|Solid](https://raw.githubusercontent.com/containers/podman/master/logo/podman-logo.png)](https://podman.io/getting-started/) | ||
|
||
This project want to build a podman container to host a complete solution of [Bitwarden RS API][bitwarden-rs] and a [Web vault][Web-vault]: interface. which is proxified by an Apache web server and initialized by Systemd in a rootless environment. | ||
|
||
- Podman don't need a daemon to run a container | ||
- Bitwarden RS API don't need to be register | ||
- Web vault can be accessed by mobile client or browser | ||
|
||
Make sure you can do the difference between the official clients and the Web Vault powered by Bitwarden Inc and the unofficial Bitwarden RS API a fork written in Rust by his author Dani Garcia. | ||
|
||
## Features | ||
|
||
- Support Fedora 33 and CentOS 8 as image containers | ||
- Bitwarden RS and the Web vault are built from sources | ||
- You can import your own certificates or create a self-signed set | ||
- Token and password are automatically generated | ||
- Full automation process | ||
|
||
Podman can be used in almost all modern linux distribution even in [WSL2].Fedora like (CentOS, Red Hat) or Debian like (Ubuntu, Raspian) are well supported. Running Bitwarden RS with its own web server make this solution highly portable and secure because you can run the container without root privileges. System administrators will appreciate the fact that the two services will be handled by systemd with all the capabilities associate to this init manager | ||
|
||
> the main goal is to build from scratch all the stuff under you eyes. | ||
> we pull image container direclty from well known repositories | ||
> https://fr2.rpmfind.net/linux/fedora/linux/releases/33/Container for Fedora | ||
> https://cloud.centos.org/centos/8/ for CentOS8 | ||
> clone sources from there git repositories | ||
> All tools are fresh installed | ||
> the system is upgraded to the last version. | ||
When all your passwords are stored in a vault you have to be sure than no one can put things over your control. | ||
|
||
## Tech | ||
|
||
We use a number of open-source projects to work properly: | ||
|
||
- [AngularJS] - HTML enhanced for web apps! | ||
- [gcc] - GCC, the GNU Compiler Collection | ||
- [Rust] - A language empowering everyone to build reliable and efficient software. | ||
- [Apache] - The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, featureful, and freely-available source code implementation of an HTTP (Web) server | ||
- [node.js] - Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. | ||
- [Sass] - Sass is the most mature, stable, and powerful professional grade CSS extension language in the world. | ||
- [npm] - npm is the world's largest software registry. | ||
- [Gulp] A toolkit to automate & enhance your workflow | ||
|
||
And of course, This project itself is open source and located on GitHub. | ||
|
||
## Installation | ||
|
||
#### Prerequisites: | ||
|
||
You need to install at least Podman version 3.0 and git (or download the last release from github) | ||
Your firewall should accept connection on port 443 by default or the port where the web server is listening | ||
The name of web server must be resolvable, preferrably via a DNS registration | ||
you will need 4 GB of disk space during the built process, even if the final result turn around 290 to 340 MB | ||
|
||
#### Built Process: | ||
```sh | ||
git clone https://github.com/vpolaris/Podman-Bitwarden.git | ||
cd Podman-Bitwarden | ||
chmod u+x setup.sh;./setup.sh | ||
``` | ||
|
||
What the setup does, it create a dedicated user named bitwarden on the host, this user will be responsible to build the image, store persistent data and run the container with the less privileges possible. A systemd service will be created and the container will be launch every time the host server is restarted. The service will be owned by the bitwarden user | ||
|
||
+ No login or sudo available | ||
+ Only the rights to manage containers | ||
|
||
Answer the questions | ||
|
||
+ TOKEN and Admin password are generated randomly, you can modify their values when asked | ||
+ Domain name, by default will be vault.bitwarden.lan, this name has to be resolvable by all machines accessing the vault. You can use the hosts file but for a broader usage it's preferable to use a DNS record | ||
+ Port number, 443 by default (https) | ||
+ The tag version, this number will be append to the image name | ||
+ Certificate, if you have a set of PEM certificates (CA and web server) and you want to use it to setup the apache server, answer yes and indicate their locations. Only useful to the first run as these certificates will be conserved between each build | ||
|
||
At the end of questions, you can start the process immediately or copy the information for a later usage | ||
|
||
## Acces | ||
you can access by default to the vault via | ||
https://vault.bitwarden.lan | ||
or the domain nameyou provided | ||
|
||
## Manage the container | ||
|
||
Even if the user is locked, you can run commands if you use the correct syntax. | ||
|
||
##### To visualize the user journal | ||
```sh | ||
sudo su -s /bin/bash -c "export XDG_RUNTIME_DIR=/run/user/10500 ;journalctl --user -xe" bitwarden | ||
``` | ||
##### To visualize container service status | ||
```sh | ||
sudo su -s /bin/bash -c "export XDG_RUNTIME_DIR=/run/user/10500 ; systemctl --user status container-bitwarden.service" bitwarden | ||
``` | ||
As you understood all commands need to be prefixed with | ||
sudo su -s /bin/bash -c "export XDG_RUNTIME_DIR=/run/user/10500 | ||
and will be finished by the user name | ||
|
||
As the container is managed by systemd do not use podman command to stop/start the container. Prefer this way: | ||
|
||
##### Stop the container | ||
|
||
```sh | ||
sudo su -s /bin/bash -c "export XDG_RUNTIME_DIR=/run/user/10500 ; systemctl --user stop container-bitwarden.service" bitwarden | ||
``` | ||
|
||
##### Start the container | ||
```sh | ||
sudo su -s /bin/bash -c "export XDG_RUNTIME_DIR=/run/user/10500 ; systemctl --user start container-bitwarden.service" bitwarden | ||
``` | ||
## Log Files | ||
You can monitor service's activities through two dedicated directories exported outside the container | ||
|
||
#### Bitwarden log file | ||
Accessible by default to this location | ||
```sh | ||
tail /home/bitwarden/.persistent_storage/bitwarden/logs/bitwarden/bitwarden.log | ||
``` | ||
#### Apache log files | ||
you can monitor the httpd service through 4 log files located under the directory /home/bitwarden/.persistent_storage/bitwarden/logs/bitwarden/httpd | ||
|
||
+ access_log record all access activities | ||
+ error_log record all httpd service error | ||
+ ssl_access_log record all ssl/tls attempts | ||
+ ssl_error_log record all ssl failures | ||
|
||
## Sources: | ||
I found my inspiration from these web site | ||
https://fiat-tux.fr/2019/01/14/installer-un-serveur-bitwarden_rs/ | ||
https://illuad.fr/2020/06/11/install-a-bitwarden-rs-server.html | ||
|
||
|
||
|
||
## License | ||
|
||
AGPL-3.0 License | ||
|
||
**Free Software, Hell Yeah!** | ||
|
||
[//]: # (These are reference links used in the body of this note and get stripped out when the markdown processor does its job. There is no need to format nicely because it shouldn't be seen. Thanks SO - http://stackoverflow.com/questions/4823468/store-comments-in-markdown-syntax) | ||
|
||
[Web-vault]: https://bitwarden.com/ | ||
[bitwarden-rs]: <https://github.com/dani-garcia/bitwarden_rs/wiki> | ||
[gcc]: <https://gcc.gnu.org/> | ||
[npm]: <https://docs.npmjs.com/about-npm> | ||
[Rust]: <https://www.rust-lang.org/> | ||
[Apache]: <https://httpd.apache.org/> | ||
[Sass]: <hhttps://sass-lang.com/> | ||
[WSL2]: <https://www.redhat.com/sysadmin/podman-windows-wsl2> | ||
[node.js]: <http://nodejs.org> | ||
[Twitter Bootstrap]: <http://twitter.github.com/bootstrap/> | ||
[jQuery]: <http://jquery.com> | ||
[@tjholowaychuk]: <http://twitter.com/tjholowaychuk> | ||
[express]: <http://expressjs.com> | ||
[AngularJS]: <http://angularjs.org> | ||
[Gulp]: <http://gulpjs.com> | ||
|
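Review bot: the "Manage the container" commands hardcode `XDG_RUNTIME_DIR=/run/user/10500`, so they silently break if setup.sh assigns the bitwarden user a different UID, and `systemctl --user` only works while that user's systemd instance is running, which for a user with no login shell means lingering must be enabled (`loginctl enable-linger bitwarden`); the README should state that setup.sh enables lingering and fixes the UID, or derive the path with `$(id -u bitwarden)`, e.g. `sudo -u bitwarden XDG_RUNTIME_DIR=/run/user/$(id -u bitwarden) systemctl --user status container-bitwarden.service`, otherwise the claim that the container is launched on every host restart does not hold. Three smaller points: the Features section says the token and admin password are generated automatically but never says where they end up or with what file mode, and the certificate section says the PEM set (including the private key) is kept under the persistent storage between builds, so document the storage location and permissions of both, since anyone who can read them owns the vault; the "build from scratch" paragraph pulls base images from a mirror (fr2.rpmfind.net, cloud.centos.org) without mentioning checksum or signature verification, so add a verification step or say what setup.sh checks; and fix the typos `hhttps://sass-lang.com/` in the Sass reference link, "Acces", "nameyou", "direclty", "Raspian" (Raspbian) and "there git repositories" (their).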