
Revert some changes

pull/432/head
Vince Grassia 2 weeks ago
parent
commit
b26c26d606
No known key found for this signature in database
GPG Key ID: 9AD7505E8448CC08
  1. 10
      bitwarden-lite/CHANGELOG.md
  2. 210
      bitwarden-lite/Dockerfile
  3. 343
      bitwarden-lite/README.md
  4. 36
      bitwarden-lite/docker-compose.yml
  5. 2
      bitwarden-lite/hbs/nginx-config.hbs
  6. 2
      bitwarden-lite/nginx/nginx.conf
  7. 2
      bitwarden-lite/nginx/security-headers.conf

10
bitwarden-lite/CHANGELOG.md

@ -1,10 +0,0 @@ @@ -1,10 +0,0 @@
# Changelog - Bitwarden lite
All notable changes to Bitwarden lite will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project uses version numbers that align with Bitwarden Server core versions.
## [Unreleased]
<!-- New releases will be added here by automation -->

210
bitwarden-lite/Dockerfile

@ -2,25 +2,35 @@ @@ -2,25 +2,35 @@
###############################################
# Build stage #
###############################################
FROM --platform=$BUILDPLATFORM alpine:3.21 AS web-setup
FROM --platform=$BUILDPLATFORM alpine:3.22 AS web-setup
ARG WEB_ARTIFACT_PATH
# Add packages
RUN apk add --no-cache \
curl \
git \
jq \
unzip
unzip \
git
WORKDIR /tmp
# Grab last tag/release and download the 'web' client
# Grab last tag/release of the 'web' client
RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
git ls-remote --tags https://github.com/bitwarden/clients.git \
| grep -E 'refs/tags/web-v[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' \
| cut -d/ -f3 | sort -Vr | head -1 > tag.txt; \
fi
# Extract the version of the 'web' client
RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
TAG=$(git ls-remote --tags https://github.com/bitwarden/clients.git \
| grep -E 'refs/tags/web-v[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' \
| cut -d/ -f3 | sort -Vr | head -1) \
&& VERSION=$(echo "$TAG" | grep -o -E '[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+') \
&& curl --proto "=https" -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O; \
cat tag.txt | grep -o -E '[0-9]{4}\.([1-9]|1[0-2])\.[0-9]+' > version.txt; \
fi
# Download the built release artifact for the 'web' client
RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
TAG=$(cat tag.txt) \
&& VERSION=$(cat version.txt) \
&& curl --proto "=https" -L https://github.com/bitwarden/clients/releases/download/$TAG/web-$VERSION-selfhosted-COMMERCIAL.zip -O; \
fi
# Copy provided web artifact if available
@ -28,9 +38,10 @@ COPY ${WEB_ARTIFACT_PATH}* /tmp/ @@ -28,9 +38,10 @@ COPY ${WEB_ARTIFACT_PATH}* /tmp/
# Unzip the 'web' client to /tmp/build
RUN if [ -z "${WEB_ARTIFACT_PATH}" ]; then \
unzip web-*-selfhosted-COMMERCIAL.zip; \
VERSION=$(cat version.txt) \
&& unzip web-$VERSION-selfhosted-COMMERCIAL.zip; \
else \
unzip ${WEB_ARTIFACT_PATH} -d /tmp/; \
unzip ${WEB_ARTIFACT_PATH} -d /tmp/; \
fi
###############################################
@ -43,15 +54,18 @@ ARG TARGETPLATFORM @@ -43,15 +54,18 @@ ARG TARGETPLATFORM
# Determine proper runtime value for .NET
# We put the value in a file to be read by later layers.
RUN case "$TARGETPLATFORM" in \
"linux/amd64") RID=linux-musl-x64 ;; \
"linux/arm64") RID=linux-musl-arm64 ;; \
"linux/arm/v7") RID=linux-musl-arm ;; \
esac \
RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
RID=linux-musl-x64 ; \
elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
RID=linux-musl-arm64 ; \
elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
RID=linux-musl-arm ; \
fi \
&& echo "RID=$RID" > /tmp/rid.txt
# Add packages
RUN apk add --no-cache npm
RUN apk add --no-cache \
npm
# Copy csproj files as distinct layers
WORKDIR /source
@ -129,10 +143,12 @@ COPY server/util/SqliteMigrations/. ./util/SqliteMigrations/ @@ -129,10 +143,12 @@ COPY server/util/SqliteMigrations/. ./util/SqliteMigrations/
COPY server/util/EfShared/. ./util/EfShared/
COPY server/bitwarden_license/src/Commercial.Core/. ./bitwarden_license/src/Commercial.Core/
COPY server/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/. ./bitwarden_license/src/Commercial.Infrastructure.EntityFramework/
COPY server/.git/. ./.git/
# Build Admin app
WORKDIR /source/src/Admin
RUN npm install && npm run build
RUN npm install
RUN npm run build
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Admin --no-restore --no-self-contained -r $RID
# Build Api app
@ -157,7 +173,8 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-resto @@ -157,7 +173,8 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Notifications --no-resto
# Build Sso app
WORKDIR /source/bitwarden_license/src/Sso
RUN npm install && npm run build
RUN npm install
RUN npm run build
RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Sso --no-restore --no-self-contained -r $RID
# Build Scim app
@ -169,72 +186,66 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s @@ -169,72 +186,66 @@ RUN . /tmp/rid.txt && dotnet publish -c release -o /app/Scim --no-restore --no-s
###############################################
FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.21
ARG TARGETPLATFORM
LABEL com.bitwarden.product="bitwarden" \
com.bitwarden.project="lite" \
org.opencontainers.image.description="Bitwarden lite" \
org.opencontainers.image.source="https://github.com/bitwarden/self-host" \
org.opencontainers.image.url="https://bitwarden.com" \
org.opencontainers.image.vendor="Bitwarden Inc."
ENV ASPNETCORE_ENVIRONMENT=Production \
BW_ENABLE_ADMIN=true \
BW_ENABLE_API=true \
BW_ENABLE_EVENTS=false \
BW_ENABLE_ICONS=true \
BW_ENABLE_IDENTITY=true \
BW_ENABLE_NOTIFICATIONS=true \
BW_ENABLE_SCIM=false \
BW_ENABLE_SSO=false \
BW_DB_FILE="/etc/bitwarden/vault.db" \
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false \
globalSettings__selfHosted="true" \
globalSettings__liteDeployment="true" \
globalSettings__pushRelayBaseUri="https://push.bitwarden.com" \
globalSettings__baseServiceUri__internalAdmin="http://localhost:5000" \
globalSettings__baseServiceUri__internalApi="http://localhost:5001" \
globalSettings__baseServiceUri__internalEvents="http://localhost:5003" \
globalSettings__baseServiceUri__internalIcons="http://localhost:5004" \
globalSettings__baseServiceUri__internalIdentity="http://localhost:5005" \
globalSettings__baseServiceUri__internalNotifications="http://localhost:5006" \
globalSettings__baseServiceUri__internalSso="http://localhost:5007" \
globalSettings__baseServiceUri__internalScim="http://localhost:5002" \
globalSettings__baseServiceUri__internalVault="http://localhost:8080" \
globalSettings__identityServer__certificatePassword="default_cert_password" \
globalSettings__dataProtection__directory="/etc/bitwarden/data-protection" \
globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments" \
globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send" \
globalSettings__licenseDirectory="/etc/bitwarden/licenses" \
globalSettings__logDirectoryByProject="false" \
globalSettings__logRollBySizeLimit="1073741824"
EXPOSE 8080 8443
LABEL com.bitwarden.product="bitwarden"
LABEL com.bitwarden.project="lite"
ENV ASPNETCORE_ENVIRONMENT=Production
ENV BW_ENABLE_ADMIN=true
ENV BW_ENABLE_API=true
ENV BW_ENABLE_EVENTS=false
ENV BW_ENABLE_ICONS=true
ENV BW_ENABLE_IDENTITY=true
ENV BW_ENABLE_NOTIFICATIONS=true
ENV BW_ENABLE_SCIM=false
ENV BW_ENABLE_SSO=false
ENV BW_DB_FILE="/etc/bitwarden/vault.db"
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
ENV globalSettings__selfHosted="true"
ENV globalSettings__liteDeployment="true"
ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
ENV globalSettings__baseServiceUri__internalEvents="http://localhost:5003"
ENV globalSettings__baseServiceUri__internalIcons="http://localhost:5004"
ENV globalSettings__baseServiceUri__internalIdentity="http://localhost:5005"
ENV globalSettings__baseServiceUri__internalNotifications="http://localhost:5006"
ENV globalSettings__baseServiceUri__internalSso="http://localhost:5007"
ENV globalSettings__baseServiceUri__internalScim="http://localhost:5002"
ENV globalSettings__baseServiceUri__internalVault="http://localhost:8080"
ENV globalSettings__identityServer__certificatePassword="default_cert_password"
ENV globalSettings__dataProtection__directory="/etc/bitwarden/data-protection"
ENV globalSettings__attachment__baseDirectory="/etc/bitwarden/attachments"
ENV globalSettings__send__baseDirectory="/etc/bitwarden/attachments/send"
ENV globalSettings__licenseDirectory="/etc/bitwarden/licenses"
ENV globalSettings__logDirectoryByProject="false"
ENV globalSettings__logRollBySizeLimit="1073741824"
# Add packages
RUN apk add --no-cache \
curl \
gcompat \
icu-libs \
jq \
nginx \
openssl \
su-exec \
supervisor \
tzdata \
unzip
unzip \
su-exec \
icu-libs \
gcompat
# Create required directories
RUN mkdir -p /app \
/etc/bitwarden/attachments/send \
/etc/bitwarden/data-protection \
/etc/bitwarden/licenses \
/etc/bitwarden/logs \
/etc/nginx/http.d \
/etc/supervisor \
/etc/supervisor.d \
/var/lib/nginx/tmp \
/var/log/bitwarden \
/var/log/nginx/logs \
/var/run/nginx \
&& touch /var/run/nginx/nginx.pid
RUN mkdir -p /etc/bitwarden/attachments/send
RUN mkdir -p /etc/bitwarden/data-protection
RUN mkdir -p /etc/bitwarden/licenses
RUN mkdir -p /etc/bitwarden/logs
RUN mkdir -p /etc/supervisor
RUN mkdir -p /etc/supervisor.d
RUN mkdir -p /var/log/bitwarden
RUN mkdir -p /var/log/nginx/logs
RUN mkdir -p /etc/nginx/http.d
RUN mkdir -p /var/run/nginx
RUN mkdir -p /var/lib/nginx/tmp
RUN touch /var/run/nginx/nginx.pid
RUN mkdir -p /app
# Copy all apps from dotnet-build stage
WORKDIR /app
@ -249,41 +260,34 @@ COPY bitwarden-lite/supervisord/supervisord.conf /etc/supervisor/supervisord.con @@ -249,41 +260,34 @@ COPY bitwarden-lite/supervisord/supervisord.conf /etc/supervisor/supervisord.con
RUN rm -f /etc/supervisord.conf
# Set up nginx
COPY bitwarden-lite/nginx/mime.types \
bitwarden-lite/nginx/nginx.conf \
bitwarden-lite/nginx/proxy.conf \
bitwarden-lite/nginx/security-headers.conf \
bitwarden-lite/nginx/security-headers-ssl.conf \
/etc/nginx/
COPY --chmod=755 bitwarden-lite/nginx/logrotate.sh /
COPY bitwarden-lite/nginx/nginx.conf /etc/nginx
COPY bitwarden-lite/nginx/proxy.conf /etc/nginx
COPY bitwarden-lite/nginx/mime.types /etc/nginx
COPY bitwarden-lite/nginx/security-headers.conf /etc/nginx
COPY bitwarden-lite/nginx/security-headers-ssl.conf /etc/nginx
COPY bitwarden-lite/nginx/logrotate.sh /
RUN chmod +x /logrotate.sh
# Copy configuration templates
COPY bitwarden-lite/hbs/app-id.hbs \
bitwarden-lite/hbs/config.yaml \
bitwarden-lite/hbs/nginx-config.hbs \
/etc/hbs/
# Download and extract hbs tool for generating final configurations
RUN LATEST_VERSION=$(curl --proto "=https" --silent https://api.github.com/repos/bitwarden/Handlebars.conf/git/refs/tags | jq -r 'last(.[].ref)' | sed 's/refs\/tags\///') \
&& case "$TARGETPLATFORM" in \
"linux/amd64") \
curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-x64.zip ;; \
"linux/arm/v7") \
curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm.zip ;; \
"linux/arm64") \
curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm64.zip ;; \
esac \
&& unzip hbs.zip -d /usr/local/bin && mv /usr/local/bin/hbs* /usr/local/bin/hbs && rm hbs.zip \
&& chmod +x /usr/local/bin/hbs
COPY bitwarden-lite/hbs/nginx-config.hbs /etc/hbs/
COPY bitwarden-lite/hbs/app-id.hbs /etc/hbs/
COPY bitwarden-lite/hbs/config.yaml /etc/hbs/
# Download hbs tool for generating final configurations
RUN echo "$(curl --silent https://api.github.com/repos/bitwarden/Handlebars.conf/git/refs/tags | jq -r 'last(.[].ref)' | sed 's/refs\/tags\///')" > /tmp/latest.txt
RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/amd64" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-x64.zip; fi
RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/arm/v7" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm.zip; fi
RUN LATEST_VERSION=$(cat /tmp/latest.txt) && if [ "$TARGETPLATFORM" = "linux/arm64" ] ; then curl --proto "=https" -L --output hbs.zip https://github.com/bitwarden/Handlebars.conf/releases/download/$LATEST_VERSION/hbs_linux-arm64.zip; fi
# Extract hbs
RUN unzip hbs.zip -d /usr/local/bin && mv /usr/local/bin/hbs* /usr/local/bin/hbs && rm hbs.zip
RUN chmod +x /usr/local/bin/hbs
# Copy entrypoint script and make it executable
COPY --chmod=755 bitwarden-lite/entrypoint.sh /entrypoint.sh
COPY bitwarden-lite/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
VOLUME ["/etc/bitwarden"]
WORKDIR /app
HEALTHCHECK --interval=30s --timeout=3s --start-period=60s --retries=3 \
CMD curl -f http://localhost:8080/alive || exit 1
ENTRYPOINT ["/entrypoint.sh"]
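Review bot: The new `RUN echo "$(curl --silent https://api.github.com/… )" > /tmp/latest.txt` step that resolves the hbs version swallows lookup failures the one-line form it replaces did not: `echo` exits 0 regardless of what `curl` or `jq` returned, so a network error or a rate-limited API response leaves an empty or `null` value in `/tmp/latest.txt`, and the call also dropped the `--proto "=https"` flag the other curl invocations still carry. The three conditional downloads that read that file then request a nonexistent release URL, and because those `curl -L` calls have no `-f`, the 404 body is written to `hbs.zip` and the build only dies at the later `unzip` with a misleading error. I would make the lookup fail fast in place: `RUN LATEST_VERSION=$(curl --proto "=https" -fsS https://api.github.com/repos/bitwarden/Handlebars.conf/git/refs/tags | jq -r 'last(.[].ref)' | sed 's/refs\/tags\///') && [ -n "$LATEST_VERSION" ] && [ "$LATEST_VERSION" != "null" ] && echo "$LATEST_VERSION" > /tmp/latest.txt`, and add `-f` to the three download lines. The RID block in the third hunk has the same shape of gap: an unrecognised `TARGETPLATFORM` falls out of the `if`/`elif` chain and writes an empty `RID=` to `/tmp/rid.txt`, where an `else echo "unsupported TARGETPLATFORM: $TARGETPLATFORM" >&2; exit 1; fi` would stop the build at the point of the problem. Since `hbs` is resolved to whatever tag is newest at build time and installed unverified into the runtime image, pinning the version (and a checksum, if the release provides one) would make the image reproducible and take the API lookup out of the build entirely.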

343
bitwarden-lite/README.md

@ -1,343 +0,0 @@ @@ -1,343 +0,0 @@
# Bitwarden lite
Bitwarden lite is a streamlined, all-in-one deployment of Bitwarden for self-hosting. All Bitwarden services run in a single container with an embedded web server (nginx) and process manager (supervisor).
## Architecture Overview
Bitwarden lite consolidates multiple .NET services into a single container:
- **Admin** - Administrative portal
- **API** - Core API service
- **Events** - Event logging service
- **Icons** - Website icon fetching service
- **Identity** - Authentication service
- **Notifications** - Push notification service
- **SSO** - Single Sign-On service
- **SCIM** - User provisioning service
- **Web Vault** - Web client UI
- **nginx** - Reverse proxy and SSL termination
All services communicate internally via HTTP on localhost, with nginx providing a unified external interface.
## Quick Start
### Prerequisites
- Docker and Docker Compose
- Supported database: MariaDB, PostgreSQL, MySQL, MS SQL Server, or SQlite
### Basic Deployment
1. **Configure the Docker Compose file**
```bash
curl -O https://raw.githubusercontent.com/bitwarden/self-host/refs/heads/main/bitwarden-lite/docker-compose.yml
# Edit docker-compose.yml with your configuration
```
2. **Configure settings**
```bash
curl -O https://raw.githubusercontent.com/bitwarden/self-host/refs/heads/main/bitwarden-lite/settings.env
# Edit settings.env with your configuration
```
3. **Start services**
```bash
docker compose up -d
```
4. **Access Bitwarden**
- HTTP: http://localhost:80
- HTTPS: https://localhost:443
## Configuration
### Environment Variables
#### Core Settings
| Variable | Default | Description |
|----------|---------|-------------|
| `BW_DOMAIN` | `localhost` | Domain name for your Bitwarden instance |
| `BW_PORT_HTTP` | `8080` | Internal HTTP port |
| `BW_PORT_HTTPS` | `8443` | Internal HTTPS port |
| `BW_ENABLE_SSL` | `true` | Enable SSL certificate generation |
| `BW_SSL_CERT` | `ssl.crt` | SSL certificate filename |
| `BW_SSL_KEY` | `ssl.key` | SSL private key filename |
#### Service Toggles
Enable or disable individual services:
| Variable | Default | Description |
|----------|---------|-------------|
| `BW_ENABLE_ADMIN` | `true` | Admin portal |
| `BW_ENABLE_API` | `true` | Core API |
| `BW_ENABLE_EVENTS` | `false` | Event logging |
| `BW_ENABLE_ICONS` | `true` | Icon service |
| `BW_ENABLE_IDENTITY` | `true` | Authentication |
| `BW_ENABLE_NOTIFICATIONS` | `true` | Push notifications |
| `BW_ENABLE_SSO` | `false` | Single Sign-On |
| `BW_ENABLE_SCIM` | `false` | User provisioning |
#### Database Configuration
| Variable | Required | Description |
|----------|----------|-------------|
| `BW_DB_PROVIDER` | Yes | Database type: `mysql`, `postgresql`, `sqlserver`, or `sqlite` |
| `BW_DB_SERVER` | Yes* | Database host (*not required for SQlite) |
| `BW_DB_DATABASE` | Yes | Database name |
| `BW_DB_USERNAME` | Yes* | Database user (*not required for SQlite) |
| `BW_DB_PASSWORD` | Yes* | Database password (*not required for SQlite) |
| `BW_DB_FILE` | `/etc/bitwarden/vault.db` | SQlite database file path |
#### User/Group Configuration
| Variable | Default | Description |
|----------|---------|-------------|
| `PUID` | `1000` | User ID for running services |
| `PGID` | `1000` | Group ID for running services |
### Global Settings
Additional configuration through environment variables with the `globalSettings__` prefix:
- `globalSettings__pushRelayBaseUri` - Push notification relay URL
- `globalSettings__identityServer__certificatePassword` - Certificate password (⚠ change default!)
- `globalSettings__dataProtection__directory` - Data protection keys directory
- `globalSettings__attachment__baseDirectory` - File attachments directory
- `globalSettings__licenseDirectory` - License files directory
## Port Mapping
### External Ports (docker-compose.yml)
- `80``8080` (HTTP)
- `443``8443` (HTTPS)
## Health Monitoring
### Health Endpoint
- **URL**: `http://localhost:8080/alive`
- **Method**: GET
- **Success Response**: HTTP 200
### Docker Health Check
The container includes a built-in health check that polls the `/alive` endpoint every 30 seconds.
Check container health:
```bash
docker compose ps
docker inspect bitwarden-lite-bitwarden-1 | grep -A 10 Health
```
## Volumes
### Data Persistence
| Volume | Mount Point | Purpose |
|--------|-------------|---------|
| `bitwarden` | `/etc/bitwarden` | Configuration, certificates, database (SQlite), attachments |
| `logs` | `/var/log/bitwarden` | Application logs |
| `data` | Varies | Database data (MariaDB/PostgreSQL/MSSQL) |
### Important Files
- `/etc/bitwarden/vault.db` - SQlite database (if using SQlite)
- `/etc/bitwarden/ssl.crt` - SSL certificate
- `/etc/bitwarden/ssl.key` - SSL private key
- `/etc/bitwarden/identity.pfx` - Identity server certificate
- `/etc/bitwarden/attachments/` - File attachments
- `/etc/bitwarden/data-protection/` - ASP.NET data protection keys
- `/var/log/bitwarden/*.log` - Service logs
## Database Options
### SQlite (Default)
Simplest option for small deployments:
```yaml
env_file:
- settings.env
```
```bash
# settings.env
BW_DB_PROVIDER=sqlite
BW_DB_FILE=/etc/bitwarden/vault.db
```
### MariaDB/MySQL
For production deployments:
```yaml
services:
db:
image: mariadb:10
environment:
MARIADB_USER: "bitwarden"
MARIADB_PASSWORD: "<strong_password>"
MARIADB_DATABASE: "bitwarden_vault"
MARIADB_RANDOM_ROOT_PASSWORD: "true"
```
```bash
# settings.env
BW_DB_PROVIDER=mysql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=<strong_password>
```
### PostgreSQL
```yaml
services:
db:
image: postgres:14
environment:
POSTGRES_USER: "bitwarden"
POSTGRES_PASSWORD: "<strong_password>"
POSTGRES_DB: "bitwarden_vault"
```
```bash
# settings.env
BW_DB_PROVIDER=postgresql
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=bitwarden
BW_DB_PASSWORD=<strong_password>
```
### MS SQL Server
```yaml
services:
db:
image: mcr.microsoft.com/mssql/server:2022-latest
environment:
MSSQL_SA_PASSWORD: "<strong_password>"
ACCEPT_EULA: "Y"
```
```bash
# settings.env
BW_DB_PROVIDER=sqlserver
BW_DB_SERVER=db
BW_DB_DATABASE=bitwarden_vault
BW_DB_USERNAME=sa
BW_DB_PASSWORD=<strong_password>
```
## SSL/TLS Configuration
### Auto-Generated Certificates
By default, Bitwarden lite generates a self-signed certificate on first startup:
```bash
BW_ENABLE_SSL=true
BW_DOMAIN=your-domain.com
```
Certificate is stored at `/etc/bitwarden/ssl.crt` and `/etc/bitwarden/ssl.key`.
### Custom Certificates
To use your own certificates:
1. Place certificate and key in the `bitwarden` volume
2. Configure environment variables:
```bash
BW_SSL_CERT=your-cert.crt
BW_SSL_KEY=your-key.key
```
### Let's Encrypt / Reverse Proxy
For production deployments, consider using:
- **Traefik** with automatic Let's Encrypt
- **nginx-proxy** with Let's Encrypt companion
- **Caddy** with automatic HTTPS
## Logs
### Viewing Logs
```bash
# All services
docker compose logs -f
# Specific service logs
docker exec bitwarden-lite-bitwarden-1 cat /var/log/bitwarden/api.log
# nginx logs
docker exec bitwarden-lite-bitwarden-1 cat /var/log/nginx/access.log
docker exec bitwarden-lite-bitwarden-1 cat /var/log/nginx/error.log
```
### Log Rotation
- **Supervisor logs**: Automatically rotated at 10MB, 5 backups kept
- **nginx logs**: Rotated daily by custom script, compressed after 1 day, deleted after 32 days
## Backup and Restore
### Backup
```bash
# Stop containers
docker compose down
# Backup volumes
docker run --rm -v bitwarden-lite_bitwarden:/data -v $(pwd):/backup alpine tar czf /backup/bitwarden-backup.tar.gz /data
# Backup database (if using external DB)
docker compose exec db mysqldump -u bitwarden -p bitwarden_vault > bitwarden-db-backup.sql
# Restart containers
docker compose up -d
```
### Restore
```bash
# Stop containers
docker compose down
# Restore volumes
docker run --rm -v bitwarden-lite_bitwarden:/data -v $(pwd):/backup alpine sh -c "cd / && tar xzf /backup/bitwarden-backup.tar.gz"
# Restore database (if using external DB)
docker compose exec -T db mysql -u bitwarden -p bitwarden_vault < bitwarden-db-backup.sql
# Restart containers
docker compose up -d
```
## Upgrading
```bash
# Pull latest image
docker compose pull
# Restart with new image
docker compose up -d
```
Database migrations run automatically on startup.
## Support
- **Documentation**: https://bitwarden.com/help/
- **Community**: https://community.bitwarden.com/
- **Issues**: https://github.com/bitwarden/server/issues/2480
## License
Copyright © Bitwarden Inc. - See LICENSE file for details.

36
bitwarden-lite/docker-compose.yml

@ -2,37 +2,15 @@ @@ -2,37 +2,15 @@
services:
bitwarden:
cap_add:
- CHOWN
- SETGID
- SETUID
cap_drop:
- ALL
depends_on:
- db
deploy:
resources:
limits:
cpus: '2'
memory: 2G
reservations:
cpus: '0.5'
memory: 512M
env_file:
- settings.env
healthcheck:
interval: 30s
retries: 3
start_period: 60s
test: ["CMD", "curl", "-f", "http://localhost:8080/alive"]
timeout: 3s
image: ${REGISTRY:-ghcr.io/bitwarden}/lite:${TAG:-beta}
restart: always
ports:
- "80:8080"
- "443:8443"
restart: always
security_opt:
- no-new-privileges:true
volumes:
- bitwarden:/etc/bitwarden
- logs:/var/log/bitwarden
@ -40,10 +18,10 @@ services: @@ -40,10 +18,10 @@ services:
# MariaDB Example
db:
environment:
MARIADB_DATABASE: "bitwarden_vault"
MARIADB_USER: "bitwarden"
MARIADB_PASSWORD: "super_strong_password"
MARIADB_DATABASE: "bitwarden_vault"
MARIADB_RANDOM_ROOT_PASSWORD: "true"
MARIADB_USER: "bitwarden"
image: mariadb:10
restart: always
volumes:
@ -52,9 +30,9 @@ services: @@ -52,9 +30,9 @@ services:
# PostgreSQL Example
# db:
# environment:
# POSTGRES_DB: "bitwarden_vault"
# POSTGRES_PASSWORD: "super_strong_password"
# POSTGRES_USER: "bitwarden"
# POSTGRES_PASSWORD: "super_strong_password"
# POSTGRES_DB: "bitwarden_vault"
# image: postgres:14
# restart: always
# volumes:
@ -64,8 +42,8 @@ services: @@ -64,8 +42,8 @@ services:
# Docs: https://learn.microsoft.com/en-us/sql/linux/sql-server-linux-docker-container-deployment
# db:
# environment:
# ACCEPT_EULA: Y
# MSSQL_SA_PASSWORD: "super_strong_password"
# ACCEPT_EULA: Y
# image: mcr.microsoft.com/mssql/server:2022-latest
# restart: always
# volumes:
@ -73,5 +51,5 @@ services: @@ -73,5 +51,5 @@ services:
volumes:
bitwarden:
data:
logs:
data:
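Review bot: The new side of the first hunk removes every runtime hardening setting from the `bitwarden` service — `cap_drop: [ALL]` with the `CHOWN`/`SETGID`/`SETUID` add-back, `security_opt: no-new-privileges:true`, the `deploy.resources` limits, and the compose `healthcheck` — so the container now starts with Docker's default capability set, can regain privileges through setuid binaries, and has no memory ceiling. Dropping the compose healthcheck is fine because the image defines its own `HEALTHCHECK`, but if the capability allowlist was reverted because some step in the entrypoint failed under it, the right move is to add the one capability that step needs rather than remove the list, and `no-new-privileges:true` does not interfere with `su-exec` dropping from root and can stay regardless. If the hardening has to come out for now, a comment on the service saying what broke would keep the next reader from silently re-adding it: `# cap_drop/no-new-privileges removed: <reason placeholder>`.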

2
bitwarden-lite/hbs/nginx-config.hbs

@ -9,7 +9,7 @@ server { @@ -9,7 +9,7 @@ server {
server {
listen {{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
#listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;
server_name {{{String.Coalesce env.BW_DOMAIN "localhost"}}};
ssl_certificate /etc/bitwarden/{{{String.Coalesce env.BW_SSL_CERT "ssl.crt"}}};
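Review bot: Commenting out `listen [::]:{{{String.Coalesce env.BW_PORT_HTTPS "8443"}}} ssl http2;` makes the HTTPS server IPv4-only, while the HTTP `server` block outside this hunk presumably still has its `[::]` listen, so a dual-stack host would serve plaintext on IPv6 but refuse TLS there. If the line was disabled because the container has no IPv6 address (Docker's default), the matching HTTP listen should go too and the comment should record the reason rather than keep the dead directive: `# IPv6 listen disabled: <reason placeholder>`. Separately, the bare `http2` parameter on `listen` is deprecated since nginx 1.25.1 in favour of a standalone `http2 on;` directive, which the nginx in recent Alpine releases warns about at startup.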

2
bitwarden-lite/nginx/nginx.conf

@ -4,7 +4,7 @@ @@ -4,7 +4,7 @@
daemon off;
# Run as a less privileged user for security reasons.
user nginx nginx;
# user www www;
# How many worker threads to run;
# "auto" sets it to the number of CPU cores available in the system, and
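Review bot: Replacing `user nginx nginx;` with the commented `# user www www;` leaves the worker user to nginx's compile-time default — on Alpine's package I believe that is still `nginx`, but the config no longer states it, and the `www www` text documents a user this image never creates, so it reads as a leftover rather than a decision. If the directive was removed because the entrypoint already starts nginx as an unprivileged user (where `user` only produces a warning), say so in place: `# 'user' omitted: nginx is started unprivileged by the entrypoint`; otherwise restore the explicit directive so the worker identity is visible in the config.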

2
bitwarden-lite/nginx/security-headers.conf

@ -1,5 +1,3 @@ @@ -1,5 +1,3 @@
add_header Referrer-Policy same-origin;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-XSS-Protection "1; mode=block";
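Review bot: This hunk drops two of the five `add_header` lines with no additions (`-1,5 +1,3`), and the rendered page does not preserve which two went; if `X-Content-Type-Options nosniff` or `X-Frame-Options SAMEORIGIN` is among them the vault loses its MIME-sniffing and framing protections, whereas removing `X-XSS-Protection` is harmless since current browsers ignore it and `X-Permitted-Cross-Domain-Policies` only matters to Flash/PDF clients. Note also nginx's `add_header` inheritance: headers declared here are emitted only from `server`/`location` blocks that declare no `add_header` of their own, so a removal in this file changes the response at every include site, including the SSL variant that includes it. Please name the removed headers in the commit message or a comment at the top of the file, e.g. `# <header name placeholder> intentionally not set: <reason placeholder>`.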