vaultwardenub/README.md
# What we need
* server with Ubuntu
* DNS entry
* SSL certificates via https://onlinetools.zfn.uni-bremen.de/server/content/onlinetools/
# Install notes
```
# Base system and helper packages
apt update
apt upgrade
apt install git pkg-config libssl-dev curl mc argon2 ca-certificates net-tools

# Docker from the official Docker apt repository, verified with Docker's signing key
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Stop Docker from writing its own iptables rules, so that ufw stays the single
# place where the firewall is defined (otherwise published container ports bypass ufw)
echo "{" > /etc/docker/daemon.json
echo ' "iptables": false' >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json
systemctl restart docker

# ufw now has to provide the forwarding and NAT that Docker would normally set up
sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
ufw reload
# NAT for the container network; this rule is not persistent across reboots
iptables -t nat -A POSTROUTING ! -o docker0 -s 172.18.0.0/16 -j MASQUERADE
ufw allow in on docker0
ufw route allow in on docker0
ufw route allow out on docker0
# Only SSH and HTTPS are reachable from outside
ufw allow 22
ufw allow 443
ufw enable
ufw status verbose
docker run hello-world
mkdir /root/nginx
mkdir /root/vaultwarden

# Mail
# Add root to the /etc/aliases file and add the msmtprc file to /etc
apt -y install msmtp msmtp-mta mailutils
vi /etc/msmtprc
# Note: with mode 644 every local user can read the SMTP credentials in this file
chmod 644 /etc/msmtprc
touch /var/log/msmtp.log
chmod 666 /var/log/msmtp.log
# ln -s /usr/bin/msmtp /usr/sbin/sendmail
# echo "Test message" | mail -s "Test subject" root
```
Don't forget to set up the cron job for the backup:
```
crontab -e
0 0 * * * /bin/bash /root/backup/make_backup.sh
```
# Check the ports with an external computer
```
nmap -v -A vaultwarden.neuro.uni-bremen.de
```
# What now?
## We need this in /root/mysql:
* .env: Change both passwords
* compose.yml

In /root/mysql:

Start docker:
```
docker compose up -d
```
Stop docker:
```
docker compose down
```
Show logs continuously:
```
docker compose logs -f
```
## We need this in /root/nginx:
* ca.pem : Public key plus certificate chain
* key.pem : Private SSL key, decrypted
* nginx.conf

We want these file modes:
```
-rw------- 1 root root 3268 Jun 28 17:30 key.pem
-rw------- 1 root root 8964 Jun 28 17:30 ca.pem
-rw-r--r-- 1 root root 1327 Jun 28 17:47 nginx.conf
```
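An added check script (not part of this repository) that verifies the file modes listed above and that /etc/docker/daemon.json really carries the `"iptables": false` setting from the install notes. Directory, owner and config path are parameters so it can be pointed at a test copy; it assumes GNU `stat -c` as shipped with Ubuntu.

```shell
#!/bin/sh
# Added check script; not part of the vaultwardenub repository.
# Assumes GNU coreutils (stat -c) as found on Ubuntu.

# check_nginx_modes DIR [OWNER]
# Verifies that the files in DIR have the modes the README asks for:
# key.pem and ca.pem 0600 (private key and chain readable only by the owner),
# nginx.conf 0644, all owned by OWNER (default: root).
# Prints every mismatch; returns 1 if any was found, 0 otherwise.
check_nginx_modes() {
    dir=$1
    owner=${2:-root}
    rc=0
    for spec in key.pem:600 ca.pem:600 nginx.conf:644; do
        name=${spec%%:*}
        want=${spec##*:}
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            rc=1
            continue
        fi
        got=$(stat -c '%a' "$f")
        who=$(stat -c '%U' "$f")
        [ "$got" = "$want" ] || { echo "MODE     $f is $got, want $want"; rc=1; }
        [ "$who" = "$owner" ] || { echo "OWNER    $f is $who, want $owner"; rc=1; }
    done
    return $rc
}

# check_docker_iptables [DAEMON_JSON]
# Confirms that the Docker daemon config sets "iptables": false, i.e. Docker
# will not insert its own rules in front of the ufw rules from the install
# notes. Returns 0 if the setting is present, 1 otherwise.
check_docker_iptables() {
    cfg=${1:-/etc/docker/daemon.json}
    [ -f "$cfg" ] || { echo "MISSING  $cfg"; return 1; }
    if grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$cfg"; then
        return 0
    fi
    echo "CONFIG   $cfg does not set \"iptables\": false"
    return 1
}
```

Run it on the real host as `check_nginx_modes /root/nginx && check_docker_iptables` after the install steps; a non-zero exit means something needs fixing before the containers are started.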
## We need this in /root/vaultwarden:
* .env : Change three passwords (the mysql passwords need to be the same as above) and the email user name; obviously you want to change the domain name
* add_admin_token.sh : Change the password and run ONCE: sh add_admin_token.sh
* compose.yml : Look for neuro.uni-bremen.de related stuff and change it...

In /root/vaultwarden:

Start docker:
```
docker compose up -d
```
Stop docker:
```
docker compose down
```
Show logs continuously:
```
docker compose logs -f
```
# Disable Yubico and Duo special support
Use the admin console to disable them. We only want to use the FIDO2 WebAuthn mode.
# Options to think about:
* Separate SSL proxy and Vaultwarden / MariaDB
* Allow only 134.102.0.0/16 and 2001:638:708::/48? But then the smartphones need VPN access to the University IP range.