setup, build, and run scripts

build.ps1

@@ -0,0 +1,9 @@
+$dir = Split-Path -Parent $MyInvocation.MyCommand.Path
+echo $dir
+
+echo "`nBuilding bitwarden"
+echo "=================="
+
+& $dir\src\Api\build.ps1
+& $dir\src\Identity\build.ps1
+& $dir\nginx\build.ps1

build.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -e
+
+DIR="$(dirname $(readlink -f $0))"
+
+echo -e "\nBuilding bitwarden"
+echo -e "=================="
+
+$DIR/src/Api/build.sh
+$DIR/src/Identity/build.sh
+$DIR/nginx/build.sh

docker/docker-compose.linux.yml

@@ -0,0 +1,15 @@
+version: '3'
+
+services:
+  mssql:
+    volumes:
+      - /etc/bitwarden/mssql_data:/var/opt/mssql/data
+  api:
+    volumes:
+      - /etc/bitwarden/core:/etc/core
+  identity:
+    volumes:
+      - /etc/bitwarden/core:/etc/core
+  nginx:
+    volumes:
+      - /etc/bitwarden/letsencrypt:/etc/letsencrypt

docker/docker-compose.override.yml

@@ -0,0 +1,11 @@
+version: '3'
+
+services:
+  mssql:
+    volumes:
+      - mssql_data:/var/opt/mssql/data
+  nginx:
+    volumes:
+      - c:/bitwarden/letsencrypt:/etc/letsencrypt
+volumes:
+  mssql_data:

docker/docker-compose.windows.yml

@@ -0,0 +1,17 @@
+version: '3'
+
+services:
+  mssql:
+    volumes:
+      - mssql_data:/var/opt/mssql/data
+  api:
+    volumes:
+      - c:/bitwarden/core:/etc/core
+  identity:
+    volumes:
+      - c:/bitwarden/core:/etc/core
+  nginx:
+    volumes:
+      - c:/bitwarden/letsencrypt:/etc/letsencrypt
+volumes:
+  mssql_data:

docker/docker-compose.yml

@@ -5,8 +5,6 @@ services:
     image: microsoft/mssql-server-linux
     container_name: mssql
     restart: always
-    volumes:
-      - mssql_data:/var/opt/mssql/data
     env_file:
       - mssql.env
       - mssql.override.env
@@ -14,33 +12,24 @@ services:
       - '1433:1433'
 
   api:
-    image: api
+    image: bitwarden/api
     container_name: api
     restart: always
-    build: ../src/Api
     env_file:
       - global.env
       - global.override.env
 
   identity:
-    image: identity
+    image: bitwarden/identity
     container_name: identity
-    restart: always
-    build: ../src/Identity
     env_file:
       - global.env
       - global.override.env
 
   nginx:
-    image: nginx
+    image: bitwarden/nginx
     container_name: nginx
     restart: always
-    build: ../nginx
-    volumes:
-      - c:/bitwarden/letsencrypt:/etc/letsencrypt
     ports:
       - '80:80'
       - '443:443'
-
-volumes:
-  mssql_data:

docker/global.env

@@ -3,4 +3,4 @@ globalSettings:selfHosted=true
 globalSettings:baseServiceUri:vault=http://localhost
 globalSettings:baseServiceUri:api=http://localhost/api
 globalSettings:baseServiceUri:identity=http://localhost/identity
-globalSettings:baseServiceUri:identityInternal=http://identity
+globalSettings:baseServiceUri:internalIdentity=http://identity

nginx/build.ps1

@@ -0,0 +1,7 @@
+$dir = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+echo "`n# Building nginx"
+
+echo "`nBuilding docker image"
+docker --version
+docker build -t bitwarden/nginx $dir\.

nginx/build.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+DIR="$(dirname $(readlink -f $0))"
+
+echo -e "\n# Building nginx"
+
+echo -e "\nBuilding docker image"
+docker --version
+docker build -t bitwarden/nginx $DIR/.

scripts/install.sh

@@ -1,11 +0,0 @@
-dotnet publish ../src/Api/Api.csproj -f netcoreapp2.0 -o obj/Docker/publish -c "Release"
-dotnet publish ../src/Identity/Identity.csproj -f netcoreapp2.0 -o obj/Docker/publish -c "Release"
-
-docker-compose pull
-docker-compose down
-
-#mkdir -p c:/bitwarden/letsencrypt/live
-#docker run -it --rm -p 80:80 -v c:/bitwarden/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email kyle.spearrin@gmail.com --agree-tos -d bw.kylespearrin.com
-#openssl dhparam -out c:/bitwarden/letsencrypt/live/bw.kylespearrin.com/dhparam.pem 2048
-
-docker-compose up -d

scripts/run.ps1

@@ -0,0 +1,7 @@
+$dockerDir="../docker"
+
+docker --version
+docker-compose --version
+
+docker-compose -f $dockerDir/docker-compose.yml -f $dockerDir/docker-compose.windows.yml down
+docker-compose -f $dockerDir/docker-compose.yml -f $dockerDir/docker-compose.windows.yml up -d

scripts/run.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+DOCKER_DIR=../docker
+
+docker --version
+docker-compose --version
+
+docker-compose -f $DOCKER_DIR/docker-compose.yml -f $DOCKER_DIR/docker-compose.windows.yml down
+docker-compose -f $DOCKER_DIR/docker-compose.yml -f $DOCKER_DIR/docker-compose.windows.yml up -d

scripts/setup.ps1

@@ -0,0 +1,37 @@
+param (
+  [string]$outputDir = "c:/bitwarden",
+  [string]$domain = $( Read-Host "Please enter your domain name (i.e. bitwarden.company.com)" ),
+  [string]$email = $( Read-Host "Please enter your email address (used to generate an HTTPS certificate with LetsEncrypt)" )
+)
+
+$dockerDir="../docker"
+$certPassword=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_})
+$databasePassword=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_})
+$duoKey=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_})
+
+docker --version
+
+#mkdir -p $outputDir/letsencrypt/live/$domain
+#docker run -it --rm -p 80:80 -v $outputDir/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $email --agree-tos -d $domain
+#docker run -it --rm -v $outputDir/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$domain/dhparam.pem 2048
+
+mkdir -p $outputDir/core
+docker run -it --rm -v $outputDir/core:/certificates bitwarden/openssl openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout /certificates/identity.key -out /certificates/identity.crt -subj "/CN=bitwarden IdentityServer" -days 10950
+docker run -it --rm -v $outputDir/core:/certificates bitwarden/openssl openssl pkcs12 -export -out /certificates/identity.pfx -inkey /certificates/identity.key -in /certificates/identity.crt -certfile /certificates/identity.crt -passout pass:$certPassword
+rm $outputDir/core/identity.key
+rm $outputDir/core/identity.crt
+
+Add-Content $dockerDir/global.override.env "
+globalSettings:baseServiceUri:vault=https://$domain
+globalSettings:baseServiceUri:api=https://$domain/api
+globalSettings:baseServiceUri:identity=https://$domain/identity
+globalSettings:sqlServer:connectionString=Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;Password=$databasePassword;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;
+globalSettings:identityServer:certificatePassword=$certPassword
+globalSettings:duo:aKey=$duoKey
+globalSettings:yubico:clientId=REPLACE
+globalSettings:yubico:REPLACE"
+
+Add-Content $dockerDir/mssql.override.env "
+ACCEPT_EULA=Y
+MSSQL_PID=Express
+SA_PASSWORD=$databasePassword"

scripts/setup.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -e
+
+echo "Please enter your domain name (i.e. bitwarden.company.com): "
+read DOMAIN
+echo -e "\nPlease enter your email address (used to generate an HTTPS certificate with LetsEncrypt): "
+read EMAIL
+
+OUTPUT_DIR=./bitwarden
+DOCKER_DIR=../docker
+CERT_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
+DATABASE_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
+DUO_KEY=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 64)
+
+docker --version
+
+#mkdir -p $OUTPUT_DIR/letsencrypt/live/$DOMAIN
+#docker run -it --rm -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $EMAIL --agree-tos -d $DOMAIN
+#docker run -it --rm -v $OUTPUT_DIR/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$DOMAIN/dhparam.pem 2048
+
+mkdir -p $OUTPUT_DIR/core
+docker run -it --rm -v $OUTPUT_DIR/core:/certificates bitwarden/openssl openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout /certificates/identity.key -out /certificates/identity.crt -subj "/CN=bitwarden IdentityServer" -days 10950
+docker run -it --rm -v $OUTPUT_DIR/core:/certificates bitwarden/openssl openssl pkcs12 -export -out /certificates/identity.pfx -inkey /certificates/identity.key -in /certificates/identity.crt -certfile /certificates/identity.crt -passout pass:$CERT_PASSWORD
+rm $OUTPUT_DIR/core/identity.key
+rm $OUTPUT_DIR/core/identity.crt
+
+cat >> $DOCKER_DIR/global.override.env << EOF
+globalSettings:baseServiceUri:vault=https://$DOMAIN
+globalSettings:baseServiceUri:api=https://$DOMAIN/api
+globalSettings:baseServiceUri:identity=https://$DOMAIN/identity
+globalSettings:sqlServer:connectionString=Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;Password=$DATABASE_PASSWORD;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=True;Connection Timeout=30;
+globalSettings:identityServer:certificatePassword=$CERT_PASSWORD
+globalSettings:duo:aKey=$DUO_KEY
+globalSettings:yubico:clientId=REPLACE
+globalSettings:yubico:REPLACE
+EOF
+
+cat >> $DOCKER_DIR/mssql.override.env << EOF
+ACCEPT_EULA=Y
+MSSQL_PID=Express
+SA_PASSWORD=$DATABASE_PASSWORD
+EOF

src/Api/Dockerfile

@@ -19,8 +19,7 @@ done
 
 # Custom
 
-ARG source
 WORKDIR /app
 EXPOSE 80
-COPY ${source:-obj/Docker/publish} .
+COPY obj/Docker/publish .
 ENTRYPOINT ["dotnet", "Api.dll"]

src/Api/build.ps1

@@ -0,0 +1,11 @@
+$dir = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+echo "`n# Building API"
+
+echo "`nBuilding app"
+echo ".NET Core version $(dotnet --version)"
+dotnet publish $dir\Api.csproj -f netcoreapp2.0 -c "Release" -o $dir\obj\Docker\publish
+
+echo "`nBuilding docker image"
+docker --version
+docker build -t bitwarden/api $dir\.

src/Api/build.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+
+DIR="$(dirname $(readlink -f $0))"
+
+echo -e "\n# Building API"
+
+echo -e "\nBuilding app"
+echo -e ".NET Core version $(dotnet --version)"
+dotnet publish $DIR/Api.csproj -f netcoreapp2.0 -c "Release" -o $DIR/obj/Docker/publish
+
+echo -e "\nBuilding docker image"
+docker --version
+docker build -t bitwarden/api $DIR/.

src/Core/GlobalSettings.cs

@@ -61,6 +61,7 @@
         public class IdentityServerSettings
         {
             public string CertificateThumbprint { get; set; }
+            public string CertificatePassword { get; set; }
         }
 
         public class DataProtectionSettings

src/Core/Utilities/CoreHelpers.cs

@@ -98,7 +98,7 @@ namespace Bit.Core.Utilities
         {
             // Clean possible garbage characters from thumbprint copy/paste
             // ref http://stackoverflow.com/questions/8448147/problems-with-x509store-certificates-find-findbythumbprint
-            thumbprint = Regex.Replace(thumbprint, @"[^\da-zA-z]", string.Empty).ToUpper();
+            thumbprint = Regex.Replace(thumbprint, @"[^\da-fA-F]", string.Empty).ToUpper();
 
             X509Certificate2 cert = null;
             var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
@@ -113,6 +113,11 @@ namespace Bit.Core.Utilities
             return cert;
         }
 
+        public static X509Certificate2 GetCertificate(string file, string password)
+        {
+            return new X509Certificate2(file, password);
+        }
+
         public static long ToEpocMilliseconds(DateTime date)
         {
             return (long)Math.Round((date - _epoc).TotalMilliseconds, 0);

src/Core/Utilities/ServiceCollectionExtensions.cs

@@ -144,6 +144,13 @@ namespace Bit.Core.Utilities
             {
                 identityServerBuilder.AddTemporarySigningCredential();
             }
+            else if(!string.IsNullOrWhiteSpace(globalSettings.IdentityServer.CertificatePassword) &&
+                System.IO.File.Exists("identity.pfx"))
+            {
+                var identityServerCert = CoreHelpers.GetCertificate("identity.pfx", 
+                    globalSettings.IdentityServer.CertificatePassword);
+                identityServerBuilder.AddSigningCredential(identityServerCert);
+            }
             else
             {
                 var identityServerCert = CoreHelpers.GetCertificate(globalSettings.IdentityServer.CertificateThumbprint);
@@ -161,7 +168,7 @@ namespace Bit.Core.Utilities
             this IServiceCollection services, IHostingEnvironment env, GlobalSettings globalSettings)
         {
 #if NET461
-            if(!env.IsDevelopment())
+            if(!env.IsDevelopment() && !globalSettings.SelfHosted)
             {
                 var dataProtectionCert = CoreHelpers.GetCertificate(globalSettings.DataProtection.CertificateThumbprint);
                 var storageAccount = CloudStorageAccount.Parse(globalSettings.Storage.ConnectionString);

src/Identity/.dockerignore

@@ -1,3 +1,4 @@
 *
 !obj/Docker/publish/*
 !obj/Docker/empty/
+!entrypoint.sh

src/Identity/Dockerfile

@@ -19,8 +19,10 @@ done
 
 # Custom
 
-ARG source
 WORKDIR /app
 EXPOSE 80
-COPY ${source:-obj/Docker/publish} .
+COPY obj/Docker/publish .
-ENTRYPOINT ["dotnet", "Identity.dll"]
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

src/Identity/build.ps1

@@ -0,0 +1,11 @@
+$dir = Split-Path -Parent $MyInvocation.MyCommand.Path
+
+echo "`n# Building Identity"
+
+echo "`nBuilding app"
+echo ".NET Core version $(dotnet --version)"
+dotnet publish $dir\Identity.csproj -f netcoreapp2.0 -c "Release" -o $dir\obj\Docker\publish
+
+echo "`nBuilding docker image"
+docker --version
+docker build -t bitwarden/identity $dir\.

src/Identity/build.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+set -e
+
+DIR="$(dirname $(readlink -f $0))"
+
+echo -e "\n# Building Identity"
+
+echo -e "\nBuilding app"
+echo -e ".NET Core version $(dotnet --version)"
+dotnet publish $DIR/Identity.csproj -f netcoreapp2.0 -c "Release" -o $DIR/obj/Docker/publish
+
+echo -e "\nBuilding docker image"
+docker --version
+docker build -t bitwarden/identity $DIR/.

src/Identity/entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp /etc/core/identity.pfx /app/identity.pfx
+
+dotnet /app/Identity.dll