Update Bitwarden lite with optimizations and best practices

.github/workflows/build-bitwarden-lite.yml

@@ -28,9 +28,6 @@ on:
       - ".github/workflows/build-bitwarden-lite.yml"
       - "bitwarden-lite/**"
 
-env:
-  _AZ_REGISTRY: bitwardenprod.azurecr.io
-
 permissions:
   contents: read
 
@@ -116,14 +113,15 @@ jobs:
           if [[ $SERVER_REF =~ ^refs/tags/v(.+)$ ]]; then
               IMAGE_TAG="${BASH_REMATCH[1]}"
           else
-              IMAGE_TAG="${SERVER_REF#refs/heads/}"
+              IMAGE_TAG=$(echo "${SERVER_REF#refs/heads/}" | \
+              tr '[:upper:]' '[:lower:]' | \
+              sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | \
+              cut -c1-128 | \
+              sed -E 's/[.-]$//')
           fi
 
           if [[ "$IMAGE_TAG" == "main" ]]; then
             IMAGE_TAG=dev
-          elif [[ ("$IMAGE_TAG" == "rc") || ("$IMAGE_TAG" == "hotfix-rc") ]]; then
-            # This if statement can be removed upon release so that 'rc' and 'hotfix-rc' tags are generated correctly.
-            IMAGE_TAG=beta
           fi
 
           echo "Using $IMAGE_TAG for build"
@@ -205,8 +203,8 @@ jobs:
       - name: Sign image with Cosign
         env:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
-          IMAGE_TAG: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
-        run: cosign sign --yes "${IMAGE_TAG}@${DIGEST}"
+          IMAGE: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
+        run: cosign sign --yes "${IMAGE}@${DIGEST}"
 
       - name: Scan Docker image
         id: container-scan
@@ -225,48 +223,3 @@ jobs:
 
       - name: Log out of GHCR
         run: docker logout ghcr.io
-
-
-  check-failures:
-    name: Check for failures
-    if: always()
-    runs-on: ubuntu-24.04
-    needs: build-docker
-    permissions:
-      id-token: write
-    steps:
-      - name: Check if any job failed
-        if: |
-          (github.ref == 'refs/heads/main' ||
-          github.ref == 'refs/heads/rc' ||
-          github.ref == 'refs/heads/hotfix-rc') &&
-          contains(needs.*.result, 'failure')
-        run: exit 1
-
-      - name: Log in to Azure
-        if: failure()
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        if: failure()
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "devops-alerts-slack-webhook-url"
-
-      - name: Log out from Azure
-        if: failure()
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Notify Slack on failure
-        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
-        if: failure()
-        env:
-          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
-        with:
-          status: ${{ job.status }}

.github/workflows/cleanup-container-images.yml

@@ -0,0 +1,55 @@
+name: Cleanup Container Images
+
+on:
+  delete:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.ref }}
+  cancel-in-progress: false
+
+jobs:
+  cleanup-images:
+    name: Delete branch container images
+    if: |
+      github.event.ref != 'dev' &&
+      github.event.ref != 'rc' &&
+      github.event.ref != 'hotfix-rc'
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write
+    steps:
+      - name: Generate image tag to delete
+        id: tag
+        env:
+          EVENT_REF: ${{ github.event.ref }}
+        run: |
+          # Sanitize deleted branch name to match build workflow tag generation
+          BRANCH_NAME="${EVENT_REF}"
+          IMAGE_TAG=$(echo "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//')
+          echo "tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Delete container image version
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IMAGE_TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          # Get the version ID for this specific tag
+          VERSION_ID=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/orgs/bitwarden/packages/container/lite/versions" \
+            --jq ".[] | select(.metadata.container.tags[] | contains(\"$IMAGE_TAG\")) | .id" \
+            | head -1)
+
+          if [[ -n "$VERSION_ID" ]]; then
+            echo "Deleting image with tag: $IMAGE_TAG (version ID: $VERSION_ID)"
+            gh api \
+              --method DELETE \
+              -H "Accept: application/vnd.github+json" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "/orgs/bitwarden/packages/container/lite/versions/$VERSION_ID"
+            echo "Successfully deleted image"
+          else
+            echo "No image found with tag: $IMAGE_TAG"
+          fi

bitwarden-lite/.dockerignore

@@ -0,0 +1,53 @@
+# Git files
+.git
+.gitignore
+.gitattributes
+
+# CI/CD
+.github
+
+# Documentation
+*.md
+README
+LICENSE
+
+# IDE and editor files
+.vscode
+.idea
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Logs
+*.log
+logs/
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+
+# Build artifacts (if any local builds exist)
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Editor config
+.editorconfig
+
+# Test files
+**/test/
+**/tests/
+**/*_test.go
+**/*_test.py
+**/*.test.js
+
+# Node modules (if any exist locally)
+**/node_modules/
+
+# Environment files
+.env
+.env.*
+!.env.example

bitwarden-lite/.env.example

@@ -1,3 +1,3 @@
 COMPOSE_PROJECT_NAME=bitwarden
-REGISTRY=bitwarden
+REGISTRY=ghcr.io/bitwarden
 TAG=dev

bitwarden-lite/Dockerfile

@@ -2,35 +2,25 @@
 ###############################################
 #                 Build stage                 #
 ###############################################
-FROM --platform=$BUILDPLATFORM alpine:3.22 AS web-setup
+FROM --platform=$BUILDPLATFORM alpine:3.21 AS web-setup
 ARG WEB_ARTIFACT_PATH
 
 # Add packages
 RUN apk add --no-cache \
     curl \
+    git \
     jq \
-    unzip \
-    git
+    unzip
 
 WORKDIR /tmp
 
-# Grab last tag/release of the 'web' client
-RUN  if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
-    git ls-remote --tags https://github.com/bitwarden/clients.git \
-    | grep -E 'refs/tags/web-v[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' \
-    | cut -d/ -f3 | sort -Vr | head -1 > tag.txt; \
-    fi
-
-# Extract the version of the 'web' client
+# Grab last tag/release and download the 'web' client
 RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
-    cat tag.txt | grep -o -E '[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' > version.txt; \
-    fi
-
-# Download the built release artifact for the 'web' client
-RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
-    TAG=$(cat tag.txt) \
-    && VERSION=$(cat version.txt) \
-    && curl --proto "=https" -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O; \
+      TAG=$(git ls-remote --tags https://github.com/bitwarden/clients.git \
+        | grep -E 'refs/tags/web-v[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' \
+        | cut -d/ -f3 | sort -Vr | head -1) \
+      && VERSION=$(echo "$TAG" | grep -o -E '[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+') \
+      && curl --proto "=https" -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O; \
     fi
 
 # Copy provided web artifact if available
@@ -38,10 +28,9 @@ COPY ${WEB_ARTIFACT_PATH}* /tmp/
 
 # Unzip the 'web' client to /tmp/build
 RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
-    VERSION=$(cat version.txt) \
-    && unzip web-$VERSION-selfhosted-COMMERCIAL.zip; \
+      unzip web-*-selfhosted-COMMERCIAL.zip; \
     else \
-    unzip ${WEB_ARTIFACT_PATH} -d /tmp/; \
+      unzip ${WEB_ARTIFACT_PATH} -d /tmp/; \
     fi
 
 ###############################################
@@ -54,18 +43,15 @@ ARG TARGETPLATFORM
 
 # Determine proper runtime value for .NET
 # We put the value in a file to be read by later layers.
-RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
-    RID=linux-musl-x64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
-    RID=linux-musl-arm64 ; \
-    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
-    RID=linux-musl-arm ; \
-    fi \
+RUN case "$TARGETPLATFORM" in \
+      "linux/amd64") RID=linux-musl-x64 ;; \
+      "linux/arm64") RID=linux-musl-arm64 ;; \
+      "linux/arm/v7") RID=linux-musl-arm ;; \
+    esac \
     && echo "RID=$RID" > /tmp/rid.txt
 
 # Add packages
-RUN apk add --no-cache \
-    npm
+RUN apk add --no-cache npm
 
 # Copy csproj files as distinct layers
 WORKDIR /source
@@ -143,12 +129,10 @@ COPY server/util/SqliteMigrations/. ./util/SqliteMigrations/
 COPY server/util/EfShared/. ./util/EfShared/
 COPY server/bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
 COPY server/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
-COPY server/.git/. ./.git/
 
 # Build Admin app
 WORKDIR /source/src/Admin
-RUN npm install
-RUN npm run build
+RUN npm install && npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
 
 # Build Api app
@@ -173,8 +157,7 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-resto
 
 # Build Sso app
 WORKDIR /source/bitwarden_license/src/Sso
-RUN npm install
-RUN npm run build
+RUN npm install && npm run build
 RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
 
 # Build Scim app
@@ -186,66 +169,72 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s
 ###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
 ARG TARGETPLATFORM
-LABEL com.bitwarden.product="bitwarden"
-LABEL com.bitwarden.project="lite"
-ENV ASPNETCORE_ENVIRONMENT=Production
-ENV BW_ENABLE_ADMIN=true
-ENV BW_ENABLE_API=true
-ENV BW_ENABLE_EVENTS=false
-ENV BW_ENABLE_ICONS=true
-ENV BW_ENABLE_IDENTITY=true
-ENV BW_ENABLE_NOTIFICATIONS=true
-ENV BW_ENABLE_SCIM=false
-ENV BW_ENABLE_SSO=false
-ENV BW_DB_FILE="/etc/bitwarden/vault.db"
-ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
-ENV globalSettings__selfHosted="true"
-ENV globalSettings__liteDeployment="true"
-ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
-ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
-ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
-ENV globalSettings__baseServiceUri__internalEvents="http://localhost:5003"
-ENV globalSettings__baseServiceUri__internalIcons="http://localhost:5004"
-ENV globalSettings__baseServiceUri__internalIdentity="http://localhost:5005"
-ENV globalSettings__baseServiceUri__internalNotifications="http://localhost:5006"
-ENV globalSettings__baseServiceUri__internalSso="http://localhost:5007"
-ENV globalSettings__baseServiceUri__internalScim="http://localhost:5002"
-ENV globalSettings__baseServiceUri__internalVault="http://localhost:8080"
-ENV globalSettings__identityServer__certificatePassword="default_cert_password"
-ENV globalSettings__dataProtection__directory="/etc/bitwarden/data-protection"
-ENV globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments"
-ENV globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send"
-ENV globalSettings__licenseDirectory="/etc/bitwarden/licenses"
-ENV globalSettings__logDirectoryByProject="false"
-ENV globalSettings__logRollBySizeLimit="1073741824"
+LABEL com.bitwarden.product="bitwarden" \
+      com.bitwarden.project="lite" \
+      org.opencontainers.image.description="Bitwarden lite" \
+      org.opencontainers.image.source="https://github.com/bitwarden/self-host" \
+      org.opencontainers.image.url="https://bitwarden.com" \
+      org.opencontainers.image.vendor="Bitwarden Inc."
+ENV ASPNETCORE_ENVIRONMENT=Production \
+    BW_ENABLE_ADMIN=true \
+    BW_ENABLE_API=true \
+    BW_ENABLE_EVENTS=false \
+    BW_ENABLE_ICONS=true \
+    BW_ENABLE_IDENTITY=true \
+    BW_ENABLE_NOTIFICATIONS=true \
+    BW_ENABLE_SCIM=false \
+    BW_ENABLE_SSO=false \
+    BW_DB_FILE="/etc/bitwarden/vault.db" \
+    DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false \
+    globalSettings__selfHosted="true" \
+    globalSettings__liteDeployment="true" \
+    globalSettings__pushRelayBaseUri="https://push.bitwarden.com" \
+    globalSettings__baseServiceUri__internalAdmin="http://localhost:5000" \
+    globalSettings__baseServiceUri__internalApi="http://localhost:5001" \
+    globalSettings__baseServiceUri__internalEvents="http://localhost:5003" \
+    globalSettings__baseServiceUri__internalIcons="http://localhost:5004" \
+    globalSettings__baseServiceUri__internalIdentity="http://localhost:5005" \
+    globalSettings__baseServiceUri__internalNotifications="http://localhost:5006" \
+    globalSettings__baseServiceUri__internalSso="http://localhost:5007" \
+    globalSettings__baseServiceUri__internalScim="http://localhost:5002" \
+    globalSettings__baseServiceUri__internalVault="http://localhost:8080" \
+    globalSettings__identityServer__certificatePassword="default_cert_password" \
+    globalSettings__dataProtection__directory="/etc/bitwarden/data-protection" \
+    globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments" \
+    globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send" \
+    globalSettings__licenseDirectory="/etc/bitwarden/licenses" \
+    globalSettings__logDirectoryByProject="false" \
+    globalSettings__logRollBySizeLimit="1073741824"
+
+EXPOSE 8080 8443
 
 # Add packages
 RUN apk add --no-cache \
     curl \
+    gcompat \
+    icu-libs \
     jq \
     nginx \
     openssl \
+    su-exec \
     supervisor \
     tzdata \
-    unzip \
-    su-exec \
-    icu-libs \
-    gcompat
+    unzip
 
 # Create required directories
-RUN mkdir -p /etc/bitwarden/attachments/send
-RUN mkdir -p /etc/bitwarden/data-protection
-RUN mkdir -p /etc/bitwarden/licenses
-RUN mkdir -p /etc/bitwarden/logs
-RUN mkdir -p /etc/supervisor
-RUN mkdir -p /etc/supervisor.d
-RUN mkdir -p /var/log/bitwarden
-RUN mkdir -p /var/log/nginx/logs
-RUN mkdir -p /etc/nginx/http.d
-RUN mkdir -p /var/run/nginx
-RUN mkdir -p /var/lib/nginx/tmp
-RUN touch /var/run/nginx/nginx.pid
-RUN mkdir -p /app
+RUN mkdir -p /app \
+             /etc/bitwarden/attachments/send \
+             /etc/bitwarden/data-protection \
+             /etc/bitwarden/licenses \
+             /etc/bitwarden/logs \
+             /etc/nginx/http.d \
+             /etc/supervisor \
+             /etc/supervisor.d \
+             /var/lib/nginx/tmp \
+             /var/log/bitwarden \
+             /var/log/nginx/logs \
+             /var/run/nginx \
+    && touch /var/run/nginx/nginx.pid
 
 # Copy all apps from dotnet-build stage
 WORKDIR /app
@@ -260,34 +249,41 @@ COPY bitwarden-lite/supervisord/supervisord.conf /etc/supervisor/supervisord.con
 RUN rm -f /etc/supervisord.conf
 
 # Set up nginx
-COPY bitwarden-lite/nginx/nginx.conf /etc/nginx
-COPY bitwarden-lite/nginx/proxy.conf /etc/nginx
-COPY bitwarden-lite/nginx/mime.types /etc/nginx
-COPY bitwarden-lite/nginx/security-headers.conf /etc/nginx
-COPY bitwarden-lite/nginx/security-headers-ssl.conf /etc/nginx
-COPY bitwarden-lite/nginx/logrotate.sh /
-RUN chmod +x /logrotate.sh
+COPY bitwarden-lite/nginx/mime.types \
+     bitwarden-lite/nginx/nginx.conf \
+     bitwarden-lite/nginx/proxy.conf \
+     bitwarden-lite/nginx/security-headers.conf \
+     bitwarden-lite/nginx/security-headers-ssl.conf \
+     /etc/nginx/
+COPY --chmod=755 bitwarden-lite/nginx/logrotate.sh /
 
 # Copy configuration templates
-COPY bitwarden-lite/hbs/nginx-config.hbs /etc/hbs/
-COPY bitwarden-lite/hbs/app-id.hbs /etc/hbs/
-COPY bitwarden-lite/hbs/config.yaml /etc/hbs/
-
-# Download hbs tool for generating final configurations
-RUN echo "$(curl --silent https://api.github.com/repos/bitwarden/Handlebars.conf/git/refs/tags | jq -r 'last(.[].ref)' | sed 's/refs\/tags\///')"  > /tmp/latest.txt
-RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-x64.zip; fi
-RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm.zip; fi
-RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm64.zip; fi
-
-# Extract hbs
-RUN unzip hbs.zip -d /usr/local/bin && mv /usr/local/bin/hbs* /usr/local/bin/hbs && rm hbs.zip
-RUN chmod +x /usr/local/bin/hbs
+COPY bitwarden-lite/hbs/app-id.hbs \
+     bitwarden-lite/hbs/config.yaml \
+     bitwarden-lite/hbs/nginx-config.hbs \
+     /etc/hbs/
+
+# Download and extract hbs tool for generating final configurations
+RUN LATEST_VERSION=$(curl --proto "=https" --silent https://api.github.com/repos/bitwarden/Handlebars.conf/git/refs/tags | jq -r 'last(.[].ref)' | sed 's/refs\/tags\///') \
+    && case "$TARGETPLATFORM" in \
+         "linux/amd64") \
+           curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-x64.zip ;; \
+         "linux/arm/v7") \
+           curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm.zip ;; \
+         "linux/arm64") \
+           curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm64.zip ;; \
+       esac \
+    && unzip hbs.zip -d /usr/local/bin && mv /usr/local/bin/hbs* /usr/local/bin/hbs && rm hbs.zip \
+    && chmod +x /usr/local/bin/hbs
 
 # Copy entrypoint script and make it executable
-COPY bitwarden-lite/entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
+COPY --chmod=755 bitwarden-lite/entrypoint.sh /entrypoint.sh
 
 VOLUME ["/etc/bitwarden"]
 
 WORKDIR /app
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
+  CMD curl -f http://localhost:8080/alive || exit 1
+
 ENTRYPOINT ["/entrypoint.sh"]

bitwarden-lite/docker-compose.yml

@@ -14,6 +14,28 @@ services:
     volumes:
       - bitwarden:/etc/bitwarden
       - logs:/var/log/bitwarden
+    deploy:
+      resources:
+        limits:
+          cpus: '2'
+          memory: 2G
+        reservations:
+          cpus: '0.5'
+          memory: 512M
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETGID
+      - SETUID
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/alive"]
+      interval: 30s
+      timeout: 3s
+      start_period: 60s
+      retries: 3
 
   # MariaDB Example
   db:

bitwarden-lite/entrypoint.sh

@@ -1,4 +1,5 @@
 #!/bin/sh
+set -eu
 
 # Set up user group
 PGID="${PGID:-1000}"
@@ -65,8 +66,10 @@ cp /etc/bitwarden/identity.pfx /app/Sso/identity.pfx
 
 # Generate SSL certificates
 if [ "$BW_ENABLE_SSL" = "true" ] && [ ! -f /etc/bitwarden/${BW_SSL_KEY:-ssl.key} ]; then
-  TMP_OPENSSL_CONF="/tmp/openssl_san.cnf"
+  TMP_OPENSSL_CONF="/tmp/openssl_san.cnf.$$"
+  umask 0077
   cat /usr/lib/ssl/openssl.cnf > "$TMP_OPENSSL_CONF"
+  umask 0022
   printf "\n[SAN]\nsubjectAltName=DNS:${BW_DOMAIN:-localhost}\nbasicConstraints=CA:true\n" >> "$TMP_OPENSSL_CONF"
   openssl req \
   -x509 \
@@ -89,14 +92,14 @@ fi
 /usr/local/bin/hbs
 
 # Enable/Disable services
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ADMIN}/" /etc/supervisor.d/admin.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_API}/" /etc/supervisor.d/api.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_EVENTS}/" /etc/supervisor.d/events.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_ICONS}/" /etc/supervisor.d/icons.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_IDENTITY}/" /etc/supervisor.d/identity.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_NOTIFICATIONS}/" /etc/supervisor.d/notifications.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SCIM}/" /etc/supervisor.d/scim.ini
-sed -i "s/autostart=true/autostart=${BW_ENABLE_SSO}/" /etc/supervisor.d/sso.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_ADMIN}|" /etc/supervisor.d/admin.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_API}|" /etc/supervisor.d/api.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_EVENTS}|" /etc/supervisor.d/events.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_ICONS}|" /etc/supervisor.d/icons.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_IDENTITY}|" /etc/supervisor.d/identity.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_NOTIFICATIONS}|" /etc/supervisor.d/notifications.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_SCIM}|" /etc/supervisor.d/scim.ini
+sed -i "s|autostart=true|autostart=${BW_ENABLE_SSO}|" /etc/supervisor.d/sso.ini
 
 chown -R $PUID:$PGID \
     /app \

bitwarden-lite/hbs/nginx-config.hbs

@@ -9,7 +9,7 @@ server {
 
 server {
   listen {{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
-  #listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
+  listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
   server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
 
   ssl_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CERT "ssl.crt"}}};

bitwarden-lite/nginx/nginx.conf

@@ -4,7 +4,7 @@
 daemon off;
 
 # Run as a less privileged user for security reasons.
-# user www www;
+user nginx nginx;
 
 # How many worker threads to run;
 # "auto" sets it to the number of CPU cores available in the system, and

bitwarden-lite/nginx/security-headers.conf

@@ -1,3 +1,5 @@
 add_header Referrer-Policy same-origin;
 add_header X-Content-Type-Options nosniff;
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Permitted-Cross-Domain-Policies none;
 add_header X-XSS-Protection "1; mode=block";

bitwarden-lite/supervisord/admin.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Admin.dll"
 directory=/app/Admin
 environment=ASPNETCORE_URLS="http://+:5000"
+priority=3
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/admin.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/api.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Api.dll"
 directory=/app/Api
 environment=ASPNETCORE_URLS="http://+:5001"
+priority=2
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/api.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/events.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Events.dll"
 directory=/app/Events
 environment=ASPNETCORE_URLS="http://+:5003"
+priority=3
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/events.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/icons.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Icons.dll"
 directory=/app/Icons
 environment=ASPNETCORE_URLS="http://+:5004"
+priority=3
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/icons.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/identity.ini

@@ -8,3 +8,5 @@ priority=1
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/identity.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/notifications.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Notifications.dll"
 directory=/app/Notifications
 environment=ASPNETCORE_URLS="http://+:5006"
+priority=3
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/notifications.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/scim.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Scim.dll"
 directory=/app/Scim
 environment=ASPNETCORE_URLS="http://+:5002"
+priority=4
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/scim.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5

bitwarden-lite/supervisord/sso.ini

@@ -4,6 +4,9 @@ autorestart=true
 command=/usr/bin/dotnet "Sso.dll"
 directory=/app/Sso
 environment=ASPNETCORE_URLS="http://+:5007"
+priority=4
 redirect_stderr=true
 startsecs=15
 stdout_logfile=/var/log/bitwarden/sso.log
+stdout_logfile_maxbytes=10485760
+stdout_logfile_backups=5