From b5e5aa4e75505fbaca18addf6c970d3f9133ae3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kevin=20Mu=C3=B1oz?= Date: Wed, 22 Nov 2023 09:40:20 -0500 Subject: [PATCH] added vaultwarden files --- vaultwarden/.SRCINFO | 31 ++++++++++++ vaultwarden/PKGBUILD | 87 +++++++++++++++++++++++++++++++++ vaultwarden/systemd.service | 54 ++++++++++++++++++++ vaultwarden/sysusers.conf | 1 + vaultwarden/tmpfiles.conf | 3 ++ vaultwarden/vaultwarden.install | 32 ++++++++++++ 6 files changed, 208 insertions(+) create mode 100644 vaultwarden/.SRCINFO create mode 100644 vaultwarden/PKGBUILD create mode 100644 vaultwarden/systemd.service create mode 100644 vaultwarden/sysusers.conf create mode 100644 vaultwarden/tmpfiles.conf create mode 100644 vaultwarden/vaultwarden.install diff --git a/vaultwarden/.SRCINFO b/vaultwarden/.SRCINFO new file mode 100644 index 0000000..e16e39f --- /dev/null +++ b/vaultwarden/.SRCINFO @@ -0,0 +1,31 @@ +pkgbase = vaultwarden + pkgdesc = Unofficial Bitwarden compatible server written in Rust + pkgver = 1.30.1 + pkgrel = 1 + url = https://github.com/dani-garcia/vaultwarden + install = vaultwarden.install + arch = x86_64 + license = GPL3 + makedepends = git + makedepends = rust + depends = glibc + depends = gcc-libs + depends = mariadb-libs + depends = openssl + depends = postgresql-libs + depends = sqlite + optdepends = vaultwarden-web: for the web app + provides = bitwarden_rs + replaces = bitwarden_rs + options = !lto + backup = etc/vaultwarden.env + source = vaultwarden::git+https://github.com/dani-garcia/vaultwarden#commit=48836501bf348386d9bb1378fb56db33c19d3732 + source = systemd.service + source = sysusers.conf + source = tmpfiles.conf + b2sums = SKIP + b2sums = ff8e896f820b88f079d3d4f4c2eb394362569c921f53693e25d3badaf9fdca841e4d7665862e09d22421f544802f3a64014696fd92d7f0b923faf41f8d99e472 + b2sums = 6580cf4031f262638abf11e529e8dfc489197afd6cd616c6a7810741e03c004706a5f9358f825aac6644c0ab6b251627ff988ed68f8264120b3575a655972390 + b2sums = 9cdcd6c997c884eb3c1ad0c9b8cd91e68ec6762a27f9b80a7eb6c0cb1ffa4e500a654da6f17e9f985cc67add154efe737761f74e4e5f72892fc0e9d457314973 + +pkgname = vaultwarden diff --git a/vaultwarden/PKGBUILD b/vaultwarden/PKGBUILD new file mode 100644 index 0000000..3e76e6f --- /dev/null +++ b/vaultwarden/PKGBUILD @@ -0,0 +1,87 @@ +# Maintainer: Daniel M. Capella +# Maintainer: George Rawlinson +# Contributor: Markus Richter +# Contributor: Timothée Ravier 1024, you should apply these options via a +# drop-in file +#CapabilityBoundingSet= +#AmbientCapabilities= +#PrivateUsers=yes + +NoNewPrivileges=yes + +LimitNOFILE=1048576 +UMask=0077 + +ProtectSystem=strict +ProtectHome=yes +ReadWritePaths=/var/lib/vaultwarden /var/log/vaultwarden.log +PrivateTmp=yes +PrivateDevices=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes + +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +SystemCallArchitectures=native + +EnvironmentFile=/etc/vaultwarden.env + +[Install] +WantedBy=multi-user.target diff --git a/vaultwarden/sysusers.conf b/vaultwarden/sysusers.conf new file mode 100644 index 0000000..5f3fece --- /dev/null +++ b/vaultwarden/sysusers.conf @@ -0,0 +1 @@ +u vaultwarden - "vaultwarden user" diff --git a/vaultwarden/tmpfiles.conf b/vaultwarden/tmpfiles.conf new file mode 100644 index 0000000..7181ec5 --- /dev/null +++ b/vaultwarden/tmpfiles.conf @@ -0,0 +1,3 @@ +d /var/lib/vaultwarden 0750 vaultwarden vaultwarden +h /var/lib/vaultwarden - - - - +C +f /var/log/vaultwarden.log 0640 vaultwarden vaultwarden diff --git a/vaultwarden/vaultwarden.install b/vaultwarden/vaultwarden.install new file mode 100644 index 0000000..0f7512b --- /dev/null +++ b/vaultwarden/vaultwarden.install @@ -0,0 +1,32 @@ +post_install() { + cat << EOF +!NOTE! + bitwarden_rs is now vaultwarden: + https://github.com/dani-garcia/vaultwarden/discussions/1642 + + If upgrading from bitwarden_rs, do not to leave around files/directories + owned by the old bitwarden_rs user/group before removing the old bitwarden_rs + user/group. + +Configure the server via its environment variables in /etc/vaultwarden.env. + +If vaultwarden is run at ports >1024, you should apply these systemd unit +options via a drop-in file: +[Service] +CapabilityBoundingSet= +AmbientCapabilities= +PrivateUsers=yes + +If the service produces too much noise in your journal, you can redirect stdout +to /dev/null (vaultwarden will still also write to /var/log/vaultwarden.log if +configured to do so): +[Service] +StandardOutput=null + +Create or edit drop-in file: +# systemctl edit vaultwarden + +Start vaultwarden and enable its systemd service: +# systemctl enable --now vaultwarden +EOF +}