CentOS 下安装部署 Vaultwarden 和 Caddy 1
Bitwarden的一个开放项目Vaultwarden基于rust编写, 可以使用Bitwarden的浏览器插件然后配置使用自建的服务器.
Caddy 比 nginx 配置更简单，自动 SSL 方便；teddysun 有编译好的可直接拿来用.
注意:小内存编译需要4GB的swap
配套资料
官方资源页面: https://bitwarden.com/download/
Windows桌面软件: https://vault.bitwarden.com/download/?app=desktop&platform=windows
MacOS APP安装: https://itunes.apple.com/app/bitwarden/id1352778147
Chrome插件: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
Firefox插件: https://addons.mozilla.org/firefox/addon/bitwarden-password-manager/
微软EDGE插件: https://microsoftedge.microsoft.com/addons/detail/jbkfoedolllekgbhcbcoahefnbanhhlh
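# Deployment parameters - adjust before running.
# Fail fast: every step below is a privileged system change, so abort on the
# first failing command and on a failing pipeline stage. -u is deliberately
# not set because later unquoted here-docs contain systemd's $MAINPID.
set -eo pipefail
DOMAIN='vault.Server.com'   # public hostname served by Caddy; also the TLS contact address (admin@)
PREFIX='/opt/vault/'        # install root: web vault, vaultwarden.env and data/ live here
VERSION='2.24.1'            # pinned bw_web_builds release, used only by the commented-out pinned download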
# Base packages: EPEL first, then the build tool-chain (gcc, tar), the sqlite
# and openssl headers the cargo build links against, wget/git for fetching
# sources, and certbot as listed in the original package set.
packages=(wget git gcc tar sqlite-devel openssl-devel certbot)
yum -y -q install epel-release
yum -y -q install "${packages[@]}"
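# Install the Rust tool-chain with rustup-init. The installer is written to a
# temporary file (not the current working directory) and removed afterwards.
# NOTE(review): the installer is executed unverified; the only protection is
# TLS to sh.rustup.rs. Pin and checksum it if this runs in a build pipeline.
rustup_init=$(mktemp) || exit 1
wget -q https://sh.rustup.rs -O "$rustup_init"
sh "$rustup_init" -y
rm -f -- "$rustup_init"
# shellcheck disable=SC1091 — file is generated by rustup-init above
source "$HOME/.cargo/env"
rustup update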
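# Build vaultwarden from source (sqlite backend) and install the binary.
# A low-memory host needs about 4 GB of swap for this build (see the header).
cd /tmp || exit 1
# Shallow clone: only the current tree is needed. This builds whatever the
# default branch points at right now; check out a release tag here if a
# reproducible build is required.
git clone --depth 1 https://github.com/dani-garcia/vaultwarden
cd vaultwarden || exit 1
cargo build --features sqlite --release
strip ./target/release/vaultwarden
# install(1) sets the mode itself, so the separate chmod +x is not needed.
install -m 0755 -- target/release/vaultwarden /usr/bin/vaultwarden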
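# Fetch the pre-built web vault (bw_web_builds) and unpack it under ${PREFIX}.
mkdir -p "${PREFIX}/data/"
# Pinned alternative using VERSION:
#wget "https://github.com/dani-garcia/bw_web_builds/releases/download/v${VERSION}/bw_web_v${VERSION}.tar.gz" -O - | tar xz -C "${PREFIX}"
# Resolve the latest release's tarball URL via the GitHub API, keep only the
# .tar.gz asset, and stop if nothing was found - an empty URL would otherwise
# be passed to wget unquoted and fail with a confusing message.
web_vault_url=$(curl -Ss https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest \
  | grep browser_download_url | grep '\.tar\.gz"' | cut -d '"' -f 4 | head -n 1)
[[ -n "$web_vault_url" ]] || { printf 'could not resolve the latest bw_web_builds asset\n' >&2; exit 1; }
# NOTE(review): neither the API answer nor the tarball is integrity-checked
# beyond TLS; the pinned download above is easier to verify by hand.
wget -q -O - -- "$web_vault_url" | tar xz -C "${PREFIX}"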
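# Write vaultwarden's environment file. It is where ADMIN_TOKEN would go, so it
# is created owner-readable only (the default umask makes new files world-readable).
# DOMAIN is the public URL; vaultwarden needs it for invitation links and
# WebAuthn origin checks, and Caddy serves exactly this name over https.
# SIGNUPS_ALLOWED=true keeps registration open: set it to false once your own
# accounts exist, otherwise anyone reaching the site can create a vault here.
# ROCKET_ADDRESS/WEBSOCKET_ADDRESS stay on loopback so only the reverse proxy
# can reach the backend. ADMIN_TOKEN stays commented out (admin page disabled);
# a random value is pre-generated so enabling it later is a one-line change.
touch "${PREFIX}/vaultwarden.env"
chmod 0600 "${PREFIX}/vaultwarden.env"
cat >"${PREFIX}/vaultwarden.env" <<EOF
DOMAIN=https://${DOMAIN}
#ADMIN_TOKEN=$(openssl rand -base64 48)
SIGNUPS_ALLOWED=true
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=127.0.0.1
WEBSOCKET_PORT=3012
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=8000
EOF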
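# systemd unit for vaultwarden. The service runs as a dedicated unprivileged
# account that owns ${PREFIX} instead of root; the sandboxing directives of
# the original unit are kept (private /tmp and /dev, read-only system, home
# directories hidden, only ${PREFIX} writable).
id -u vaultwarden >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin -d "${PREFIX}" vaultwarden
chown -R vaultwarden:vaultwarden "${PREFIX}"
cat >/etc/systemd/system/vaultwarden.service <<EOF
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=${PREFIX}/vaultwarden.env
ExecStart=/usr/bin/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
NoNewPrivileges=true
WorkingDirectory=${PREFIX}
# ReadWriteDirectories is the older spelling of ReadWritePaths; kept for
# compatibility with older systemd releases.
ReadWriteDirectories=${PREFIX}
# No AmbientCapabilities: the listeners are on 8000 and 3012 (vaultwarden.env),
# both unprivileged ports, so CAP_NET_BIND_SERVICE is not required.
[Install]
WantedBy=multi-user.target
EOF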
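# Install Caddy v1 from teddysun's mirror.
# NOTE(review): this is an unverified third-party binary - TLS to dl.lamp.sh
# is the only protection - and Caddy v1 is no longer maintained upstream.
# Prefer a checksum-verified or distro-packaged Caddy 2 build where possible.
wget -c https://dl.lamp.sh/files/caddy_linux_amd64 -O /usr/bin/caddy
# Keep the binary root-owned and not writable by any service account. The
# original chowned it to 'nobody', which lets any process running as nobody
# modify a program that is later started with CAP_NET_BIND_SERVICE.
chown root:root /usr/bin/caddy
chmod 0755 /usr/bin/caddy
# The unit runs as 'caddy' with CADDYPATH=/var/lib/caddy (where certificates
# are stored), and the site config imports /etc/caddy/conf.d/*.conf; create
# the account and both directories so the service can actually start.
id -u caddy >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin -d /var/lib/caddy caddy
mkdir -p /var/lib/caddy /etc/caddy/conf.d
chown caddy:caddy /var/lib/caddy
chmod 0700 /var/lib/caddy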
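# systemd unit for Caddy, placed in /etc/systemd/system (local admin units,
# same location as the vaultwarden unit) rather than /usr/lib/systemd/system,
# which is reserved for package-installed units.
# The here-doc delimiter is quoted so that $MAINPID reaches the unit file
# literally; the original unquoted here-doc expanded it at script time to an
# empty string, writing "ExecReload=/usr/bin/kill -USR1" with no PID.
# The unit needs a 'caddy' account and a writable CADDYPATH (/var/lib/caddy)
# before it is started.
cat >/etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target
[Service]
User=caddy
Group=caddy
Environment=CADDYPATH=/var/lib/caddy
EnvironmentFile=-/etc/caddy/envfile
ExecStartPre=/usr/bin/caddy -conf /etc/caddy/caddy.conf -validate
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -root /tmp -agree
ExecReload=/usr/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF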
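# Caddy v1 site configuration: plain http only redirects to https; the https
# site gets an automatically issued certificate (contact admin@${DOMAIN}) and
# reverse-proxies to vaultwarden on loopback (8000) and to its websocket
# notification port (3012).
# 'browse' is removed: 'proxy /' already takes every request, and a directory
# listing of -root (/tmp) is never wanted on a password-vault host.
# 'timeouts none' disables Caddy's request timeouts (needed in v1 for the
# long-lived websocket connection); slow-client protection then has to come
# from something in front, e.g. a firewall or rate limiter.
# The /admin page is reachable through this proxy; vaultwarden keeps it
# disabled as long as ADMIN_TOKEN is unset in vaultwarden.env.
mkdir -p /etc/caddy/conf.d   # target of the trailing 'import conf.d/*.conf'
cat >/etc/caddy/caddy.conf <<EOF
http://${DOMAIN} {
  redir https://${DOMAIN} {uri}
}
https://${DOMAIN} {
  gzip
  timeouts none
  tls admin@${DOMAIN}
  header / {
    Strict-Transport-Security "max-age=31536000;"
  }
  proxy /notifications/hub/negotiate 127.0.0.1:8000 {
    transparent
    header_upstream -Origin
  }
  proxy /notifications/hub 127.0.0.1:3012 {
    websocket
    header_upstream -Origin
  }
  proxy / 127.0.0.1:8000 {
    transparent
    header_upstream -Origin
  }
}
import conf.d/*.conf
EOF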
# Reload unit definitions, then enable and (re)start both services in the
# same order as before: vaultwarden first, Caddy second.
systemctl daemon-reload
for unit in vaultwarden.service caddy.service; do
  systemctl enable "$unit"
  systemctl restart "$unit"
done
teddysun有编译好的也能直接拿来用.
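# Alternative: install teddysun's pre-built Caddy v1 binary.
# NOTE(review): unverified third-party download (TLS only), and Caddy v1 is
# no longer maintained upstream; prefer a checksum-verified Caddy 2 build.
wget -c https://dl.lamp.sh/files/caddy_linux_amd64 -O /usr/bin/caddy
# Root-owned and not writable by any service account; the original chowned it
# to 'nobody', which lets any process running as nobody alter the binary.
chown root:root /usr/bin/caddy
chmod 0755 /usr/bin/caddy
# The unit runs as 'caddy' with CADDYPATH=/var/lib/caddy; both must exist.
id -u caddy >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin -d /var/lib/caddy caddy
mkdir -p /var/lib/caddy /etc/caddy
chown caddy:caddy /var/lib/caddy
chmod 0700 /var/lib/caddy
# Local admin units belong in /etc/systemd/system. The delimiter is quoted so
# $MAINPID is written literally; unquoted, the shell expanded it to an empty
# string at script time and ExecReload lost its target PID.
cat >/etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target
[Service]
User=caddy
Group=caddy
Environment=CADDYPATH=/var/lib/caddy
EnvironmentFile=-/etc/caddy/envfile
ExecStartPre=/usr/bin/caddy -conf /etc/caddy/caddy.conf -validate
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -root /tmp -agree
ExecReload=/usr/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
EOF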
nginx反向代理配置方案 (SSL自行配置)
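# nginx reverse proxy for vaultwarden. TLS is left to the operator (see the
# note above); in production this block must only be reachable over https,
# otherwise login credentials and session tokens cross the network in clear.
server {
    listen 80;
    #root /opt/vault/;
    server_name 域名;
    # Attachments exceed nginx's default 1m request-body limit.
    client_max_body_size 128M;
    # The admin page is not exposed through the proxy.
    location /admin { return 404; }
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3012;
        # WebSocket upgrade needs HTTP/1.1 towards the upstream; with the
        # default proxy_http_version 1.0 the Upgrade header is not honoured
        # and the notifications socket never connects.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /notifications/hub/negotiate { proxy_pass http://127.0.0.1:8000; }
}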