Jump to content

User:Acmeraptor: Difference between revisions

From RiSKi
← Older editNewer edit →
VisualWikitext
No edit summary
No edit summary
Line 38: Line 38:
**4 1/2 cups sugar
**4 1/2 cups sugar
**1/8 teaspoon salt
**1/8 teaspoon salt
**2 tablespoons butter
**2 tablespoons butter
bloovis.com
 
Bloovis
Posts
Installing Vaultwarden Without Docker
Installing Vaultwarden Without Docker
📅 Oct 6, 2023
·
☕ 6 min read
🏷️
#linux
#software
Update: the newer version of the Bitwarden Android app requires a newer Vaultwarden. This required some changes in the following procedure, mainly in using the “latest” docker image instead of the “alpine” image, and installing the required libmariadb3 and libpq5 packages.
 
I recently switched from using LastPass to BitWarden as my password manager. LastPass has always worked well enough in browsers, but there was no easy way to get it to work on so-called “smart” devices like Android phones, and there was no Linux application for managing passwords. I’d been using KeePassXC on Linux in parallel with LastPass, but keeping the two synced up manually was an error-prone annoyance.
 
Bitwarden solves these problems by providing Linux and Android applications, a web interface, and browser extensions that synchronize with each other. But using it still means being dependent on a third-party service, as with LastPass, and that makes me uncomfortable. I have my own domain and Linux server for it, and I’ve been using it to self-host this blog, an email server, an RSS reader, and Git repositories, so I thought it would be a natural next step to host a Bitwarden server there too.
 
Fortunately, there’s a lightweight Bitwarden-compatible server called Vaultwarden that can be used for self-hosting. But like Bitwarden and seemingly every other web service these days, it normally requires Docker for installation, which I’m trying to avoid.
 
I understand the motivation behind Docker: it’s a clever way to avoid dependency and build problems in trying to get software to work on a multitude of different Linux distributions. But to this old-school Linux admin, it seems like a terribly wasteful system. Each application using Docker has to package all of its dependencies – both libraries and related application problems – into a Docker image. It’s as if each program comes with multiple copies of its own user-space operating systems.
 
So I looked for a way to install Vaultwarden without Docker, and I came across this forum posting. The instructions posted by the user sockrocker were nearly perfect, with one tiny exception: the web-vault directory has to be moved to /var/lib/vaultwarden, not /opt/vaultwarden.
 
Install Vaultwarden
For completeness, here is what I did to install Vaultwarden on my server. All of these commands should be performed as root, or prefixed with sudo.
 
First, create a directory to store the docker image temporarily:
 
mkdir vw-image
cd vw-image
Obtain the script for extracting the needed pieces of the Docker image:
 
wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract
Extract the Vaultwarden Docker image:
 
./docker-image-extract vaultwarden/server:latest
Create directories where Vaultwarden will be stored on the server:
 
mkdir /opt/vaultwarden
mkdir /var/lib/vaultwarden
mkdir /var/lib/vaultwarden/data
Create a vaultwarden user and make the Vaultwarden data owned by it:
 
useradd vaultwarden
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden
Move the Vaultwarden server program and data to their final destinations:
 
mv output/vaultwarden /opt/vaultwarden
mv output/web-vault /var/lib/vaultwarden
If things have gone well, remove the unnecessary bits:
 
rm -Rf output
rm -Rf docker-image-extract
Install two packages required by Vaultwarden:
 
apt install libmariadb3
apt install libpq5
Configure Vaultwarden
Create the hash for a Vaultwarden admin password:
 
/opt/vaultwarden/vaultwarden hash
You will be prompted for a password twice. Save the resulting output somewhere.
 
Create the file /var/lib/vaultwarden/.env with the following contents, substituting your own user name, domain, and SMTP details:
 
DOMAIN=https://www.example.com/vaultwarden/
ORG_CREATION_USERS=user@example.com
ADMIN_TOKEN='<hash produced by vaultwarden hash earlier>'
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.example.com
SMTP_FROM=vaultwarden@example.com
SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and us>
SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_>
SMTP_EXPLICIT_TLS=false # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this o>
SMTP_USERNAME=user@example.com
SMTP_PASSWORD=mysmtppassword
SMTP_TIMEOUT=15
# Change the following back to true to allow login on the web.
WEB_VAULT_ENABLED=false
LOG_FILE=/var/lib/vaultwarden/vaultwarden.log
Create the file /etc/systemd/system/vaultwarden.service with the following contents:
 
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
 
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/var/lib/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE
 
[Install]
WantedBy=multi-user.target
Now you should be able to start the Vaultwarden service and check its status:
 
systemctl enable vaultwarden
systemctl start vaultwarden
systemctl status vaultwarden | less
The status should say that vaultwarden is running and that it is listening at http://127.0.0.1:8000.
 
Configure Apache
Now we have to set up Apache as a reverse proxy, so that it will provide SSL protection to Vaultwarden, whose internal web server, Rocket, does not support SSL by default. I’m assuming that you already have SSL implemented on your Apache server, perhaps by using Let’s Encrypt, and that your base web site URL is https://www.example.com/ for illustration purposes.
 
First, enable the proxy module:
 
a2enmod proxy_http
Tell Apache how to redirect the URL /vaultwarden from your base web site to Vaultwarden. Do this by adding a single line to the <VirtualHost *:443> section of your Apache site configuration. If you used Let’s Encrypt to obtain your SSL certificates, this configuration file might be at /etc/apache2/sites-enabled/000-default-le-ssl.conf. The line you need to add looks like this:
 
ProxyPass /vaultwarden/ http://127.0.0.1:8000/vaultwarden/ upgrade=websocket
Restart Apache and check its status:
 
systemctl restart apache2
systemctl status apache2
If all went well, you should be able to visit the admin page of your Vaultwarden site by going to this URL in a browser:
 
https://www.example.com/vaultwarden/admin
You will be prompted for a password, so enter the password you used earlier when prompted by vaultwarden hash. The configuration page should now appear.
 
Test SMTP
You’ll want to make sure that your SMTP settings are correct. To do this, click on SMTP Email Settings on the configuration page, fill in your email address in the Test SMTP form, and click on Send test email.
 
User Signup
If, like me, you are installing Vaultwarden for personal use, it is probably best for security purposes to disallow new signups in the general settings of the configuration page. However, you can send yourself (or trusted friends) an email invitation to sign up. Find this option in the Users tab; at the bottom of the page is an Invite User form.
 
User Login
When you receive the signup invitation email, you’ll can respond to the invitation in a web browser. Choose a lengthy, secure password.
 
(Note: if the Brave browser hangs showing a spinning wheel when you try to log into the Vaultwarden web interface, it might be due to interference from browser extensions. Try removing the tampermonkey and BypassPaywalls extensions and clearing the browser cache.)
 
Once you log in to Vaultwarden, you can now import your Bitwarden vault. First export the vault as a JSON file in the Bitwarden browser extension, then import it into Vaultwarden using the web interface.
 
To use the Vaultwarden vault in the Bitward browser extension, log out of the extension in Settings / Account / Log Out. Then you’ll need to create a new account in the extension. To the right of “Logging in on:”, select “self-hosted” from the drop-down menu. You’ll be prompted for the URL of Vaultwarden, which should be https://www.example.com/vaultwarden/, using the examples above. A similar process can be used in the Linux Bitwarden app to switch to the Vaultwarden vault.
 
SELinux
An alert reader has informed me that the following things need to be done if you’re using SELinux:
 
semanage fcontext -a -t bin_t '/opt/vaultwarden/vaultwarden'
restorecon -RFv /opt/vaultwarden/vaultwarden
setsebool -P httpd_can_network_connect on
I don’t use SELinux, so I’m unable to try this myself.
 
See Also
Postfix + Maildrop = Failure
Tagging Ogg Vorbis music files for classical music
Windows, UTC, and the hardware clock
Linux on Lenovo Ideapad 3
Fixing Guest Session on Linux Mint 20
Postfix + Maildrop = Failure
Using Pobox.com with Postfix
What's on this Page
 
©2025, All Rights Reserved
 
Powered by Hugo and the Zzo theme
 
 
**1 tall can evaporated milk
**1 tall can evaporated milk


Line 240: Line 69:


==Read==
==Read==
===Comms===
Closed Network podcaset, move this section later. I'm not sure where to put it right now.
[https://closednetwork.social/home Mastadon]


===Firearms===
===Firearms===

Revision as of 18:13, 14 April 2025

Food

Menus

Recipes

Grandma's Fudge

  • Ingredients
    • 2 cups (12oz) semi sweet chocolate bits
    • 3 packages german sweet chocolate
    • 1 8oz jar? marchmallow creme
    • 2 cups broken nut meat
    • 4 1/2 cups sugar
    • 1/8 teaspoon salt
    • 2 tablespoons butter
    • 1 tall can evaporated milk
  • Instructions
    • combine chocolate bits, sweet chocolate, marshmallow creme, and walnuts in a large bowl
    • combine sugar, butter, salt, and evaporated milk in large heavy saucepan, heat to boiling
    • !!! Get better pictures of the card dad has in order to write this up cleanly !!!

MariaDB

Use if PHPMyAdmin is not running: 

CREATE DATABASE my_wiki;
CREATE USER 'wikiuser'@'localhost' IDENTIFIED BY 'database_password';
GRANT ALL PRIVILEGES ON my_wiki.* TO 'wikiuser'@'localhost' WITH GRANT OPTION;
  • Note: Now that I have VaultWarden running, usernames and passwords will be managed through it. Also, vault should **ONLY** work with VPN access.

Mobile

Software and information about GrapheneOS. GrapheneOS only runs on Google devices currently, phones and tablets.

Software

Tips

  • Pressing power+volume up buttons to switch from an audible ring tone to vibrate (or mute) is enabled by default, causing missed important phone calls and text messages.

To modify, go to Settings > Sound & vibration > Shortcut to prevent ringing

  • Auto dimming has been an annoyance, it is supposed to learn tendencies/preference yet keeps dimming too low in low light conditions.

To modify, go to Settings > Display > Adaptive brightness

Read

Comms

Closed Network podcaset, move this section later. I'm not sure where to put it right now. Mastadon

Firearms

Locksport

Misc

Servers

Notes on server names and functions for planned future use.

Physical

  • hovp-rsk-uos00 : OpenStack - Currently in use, my clunky old laptop
  • iapp-rsk-owr01 : OpenWRT Wireless Router - Linksys router (model noted below this page). VPN client profile rebuild still pending.

Virtual

  • hovp-rsk-uss01 : Single Server - Single server holding these notes and plans, currently minimal setup of webapps.
  • hovt-rsk-uws22 : WebServer - Base Jammy Jellyfish OS. Minimal setup kept updated to use as a source for cloning other virtual servers.

Upcoming

The following will be strictly for RSK Solutions and demo models for future domains like Casper307 and NIALC

The following will be desktop environments available for use as remote appliances accessable from my home LAN and via VPN

Server Notes

These will eventually have their own individual wiki pages. For the sake of not migrating or losing notes later, they will be consolidated here.

Templates

Once a template virtual server is created, issue the following commands to pull my ACME code library from the OpenStack virtual server host's repository. 

mkdir /home/rkeeling/webapps
scp -r rkeeling@10.65.30.11:/home/rkeeling/RSK\\\ Solutions/VSCode/acme /home/rkeeling/webapps

Then issue "sudo visudo" to edit the sudoers secure path to include the new acme path 

Defaults        secure_path="/home/rkeeling/webapps/acme/.bin: ...

In order for this to be effective within the shell, logout and log back on. *I will change this to reloading the shell later*

At this point the scripts are executable anywhere. The following will update repositories, upgrade general packages, upgrade distribution packages (IE, kernel updates), remove old and unused packages. 

sudo getallupdates

Now, set the time zone for the server. In my case, CST 

sudo timedatectl set-timezone America/Chicago

The following may be ran to confirm the change to the local time 

sudo timedatectl status

At this point the template is fully up to date and can be shut down. The only maintenance needed is periodically running the getallupdates script.

Any new virtual server that is needed can be cloned from these versioned release templates to significantly cut down on setup time.

Template Clone

Following the clone of a template with newly generated MAC address, update the following two files and restart to permanently change the new server's name. 

sudo vi /etc/hostname
sudo vi /etc/hosts
sudo shutdown -Fr now

The appropriate installation script can be issued depending on the server's purpose.

Shop

Auto

Firearms

Gear

Home Office

Locksport

Paracord Lanyards

Software

Open-source and purchased *licenses

WebApp Downloads

Windows VM

The VM needs a minimum of two cores and 4Gb memory to run. The following steps will bypass the hardware checks to allow Windows 11 to install:

Click next to show-up the "Install now" button; when you see the installation button, press "Shift+F10" on your keyboard at the same time to launch a command prompt. At this command prompt, type "regedit" and press enter to launch the Windows Registry Editor.

When the Registry Editor opens, navigate to "HKEY_LOCAL_MACHINE\SYSTEM\Setup", right-click on the "Setup" key and select "New => Key".

When prompted to name the key, enter "LabConfig" and press enter.

Now right-click on the "LabConfig" key and select "New => DWORD (32-bit)" value and create a value named "BypassTPMCheck", and set its data to "1". With the same steps create the "BypassRAMCheck" and "BypassSecureBootCheck" values and set also their data to "1", so it looks like the following image.

With those three values configured under the "LabConfig" key, close the "Registry Editor", and then type exit in the "Command Prompt" followed by enter to close the window. You can now click on the "Install now" button to proceed to get "Microsoft Windows 11" installed as a virtual-machine on top of VirtualBox.

WRT3200ACM

This router has a dual boot partition that has several methods of switching from the A/B partitions. Also, information on for OpenVPN.

Logical

  • SSH into your router
  • You can see what partition is currently being booted from by running: /usr/sbin/fw_printenv -n boot_part
  • Mine was booting from partition 1, I needed it to boot to partition 2.
  • Tell the router which partition to boot from: /usr/sbin/fw_setenv boot_part 2
  • Reboot the router by running: reboot
  • Change the number "2" in step 4 to whatever partition you need. I couldn't find a command that would show what my boot options were. So I tried 0 first, which did nothing, then tried 2. Boot partition 2 was the correct one for me.

LuCI

Install the LuCI-app-advanced-reboot package. This is the easiest method.

OpenVPN

OpenWRT/OpenVPN Use this as a baseline for rewriting the scripts, as they do not work as published.

  • This section is being heavily edited until I work out the kinks

Creation

This is going to be my third and final profile. The first lasted the ten years it was meant to, the second lasted three years and could not be recovered due to configuration hiccups. My personal one will be set to 100 years, far beyond my expected lifetime. Things may adjust if I allow another user access, but as of yet - no one has asked.

Install all needed apps beforehand: 

opkg update

opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

The following four scripts can be created under the /root path and will need to be chmod to executable. 

sudo chmod +x *.sh
1-preparation.sh
# Install packages
opkg update
opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

# Configuration parameters
VPN_DIR="/etc/openvpn"
VPN_PKI="/etc/easy-rsa/pki"
VPN_PORT="1194"
VPN_PROTO="udp"
VPN_POOL="10.65.9.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)"

# Fetch server address
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)"
. /lib/functions/network.sh
network_flush_cache
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
if [ -n "${NET_FQDN}" ]
then VPN_SERV="${NET_FQDN}"
else VPN_SERV="${NET_ADDR}"
fi
2-keymanagement.sh
# Work around EasyRSA issues
wget -U "" -O /tmp/easyrsa.tar.gz https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.2/EasyRSA-3.2.2.tgz
tar -z -x -f /tmp/easyrsa.tar.gz

# Configuration parameters
cat << EOF > /etc/profile.d/easy-rsa.sh
export EASYRSA_PKI="${VPN_PKI}"
export EASYRSA_TEMP_DIR="/tmp"
export EASYRSA_CERT_EXPIRE="36500"
export EASYRSA_BATCH="1"
alias easyrsa="/root/EasyRSA-3.2.2/easyrsa"
EOF
. /etc/profile.d/easy-rsa.sh

# Remove and re-initialize PKI directory
easyrsa init-pki

# Generate DH parameters
easyrsa gen-dh

# Create a new CA
easyrsa build-ca nopass

# Generate server keys and certificate
easyrsa build-server-full server nopass
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem

# Generate client keys and certificate
easyrsa build-client-full client nopass
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem
3-firewall.sh
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci -q delete firewall.ovpn
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="${VPN_PORT}"
uci set firewall.ovpn.proto="${VPN_PROTO}"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
service firewall restart
4-vpnservice.sh
# Configure VPN service and generate client profiles
umask go=
VPN_DH="$(cat ${VPN_PKI}/dh.pem)"
VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)"
ls ${VPN_PKI}/issued \
| sed -e "s/\.\w*$//" \
| while read -r VPN_ID
do
VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)"
VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)"
VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)"
VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)"
case ${VPN_EKU} in
(*"SSL server : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.conf"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
port ${VPN_PORT}
proto ${VPN_PROTO}
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${VPN_DH}
</dh>
EOF
(*"SSL client : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
esac
cat << EOF >> ${VPN_CONF}
<tls-crypt-v2>
${VPN_TC}
</tls-crypt-v2>
<key>
${VPN_KEY}
</key>
<cert>
${VPN_CERT}
</cert>
<ca>
${VPN_CA}
</ca>
EOF
done
service openvpn restart
ls ${VPN_DIR}/*.ovpn

Restoration

Configuration backups do NOT include the downloaded software packages, learned this the really hard way... On any new or refreshed partition image, the following lines !MUST! be run !FIRST! to ensure that the software is in place prior to restoring a configuration!

Login to the router, navigate to System > Backup / Flash Firmware > Reset to defaults > Perform reset (this is destructive, save your working configs if you have them)

After clearing the /overlay directory, issue the successive commands to reload the needeed packages: 

opkg update

opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl

Then find your working config and navigate to System > Backup / Flash Firmware > Restore backup: <pick the appropriate file name>

Physical

Power cycling the router 3 times in quick succession When it powers on the power LED turns on then will go out briefly, This is when you turn it back off do this again and on the 3rd cycle, leave it powered on and it should boot back to the other partition.

Youtube

Locksport

Paracord Lanyard Tying

With 550 7-strand core paracord -- 108 inches (9 feet) from the reel for the grab handle.

With 550 7-strand core paracord -- 192 inches (16 foot) from the reel for the lanyard. The twisted portion should be about 42"-43" in length as it turns out shorter than expected after the braid and just daily use of folding and is not meant to not be completely rigid, the extra room is to allow for alot of flexibility. When braided, it can turn out shorter than estimated. No two of these will be exactly the alike!

  • Note 1: I will use the same color cord for the lanyard as the carabiner unless asked to make a three color variant, or if I feel squirrelly.
  • Note 2: I have the "leftovers" mantra running through my head the whole time. On the first half for sizing, twist left strand left side left to avoid snags, and place it over the right, and so on. On the braid part, start with the left strand through a twist and put the right strand under the left one.
  • Note 3: Related to note 2, pay attention and try not to miss braiding a twist. It is maddening to spot it ten minutes later, unravel to that spot to fix it.
Retrieved from "https://wiki.rsksolutions.org/index.php?title=User:Acmeraptor&oldid=220"