Added Wiki for Linux Proxmox and various Software-installs

This commit is contained in:
ZennDev1337 2023-12-21 13:00:56 +01:00
parent d47f1dc602
commit 741584446c
17 changed files with 4537 additions and 0 deletions


@ -0,0 +1,188 @@
# Bitwarden Certificate Options
This article defines the certificate options available to self-hosted instances of Bitwarden. You will select your certificate option during installation.
## Generate a certificate with Let's Encrypt
[Let's Encrypt](https://letsencrypt.org/how-it-works/) is a certificate authority (CA) that issues trusted SSL certificates free of charge for any domain. The Bitwarden installation script offers the option to generate a trusted SSL certificate for your domain using Let's Encrypt and [Certbot](https://certbot.eff.org).
Certificate renewal checks occur each time Bitwarden is restarted. Using Let's Encrypt will require you to enter an email address for certificate expiration reminders.
Using Let's Encrypt requires ports 80 and 443 to be open on your machine.
## Manually update a Let's Encrypt certificate
If you change the domain name of your Bitwarden server, you will need to manually update your generated certificate. Run the following commands to create a backup, update your certificate, and rebuild Bitwarden:
Bash
```
./bitwarden.sh stop
mv ./bwdata/letsencrypt ./bwdata/letsencrypt_backup
mkdir ./bwdata/letsencrypt
chown -R bitwarden:bitwarden ./bwdata/letsencrypt
chmod -R 740 ./bwdata/letsencrypt
docker pull certbot/certbot
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v <Full Path from / >/bwdata/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --email <user@email.com> --logs-dir /etc/letsencrypt/logs
```
Select 1, then follow the instructions:
```
openssl dhparam -out ./bwdata/letsencrypt/live/<your.domain.com>/dhparam.pem 2048
./bitwarden.sh rebuild
./bitwarden.sh start
```
PowerShell
### tip
You will need to install a build of OpenSSL for Windows.
```
.\bitwarden.ps1 -stop
mv .\bwdata\letsencrypt .\bwdata\letsencrypt_backup
mkdir .\bwdata\letsencrypt
docker pull certbot/certbot
docker run -i --rm --name certbot -p 443:443 -p 80:80 -v <Full Path from \ >\bwdata\letsencrypt\:/etc/letsencrypt/ certbot/certbot certonly --email <user@email.com> --logs-dir /etc/letsencrypt/logs
Select 1, then follow instructions
<path/to/openssl.exe> dhparam -out .\bwdata\letsencrypt\live\<your.domain.com>\dhparam.pem 2048
.\bitwarden.ps1 -rebuild
.\bitwarden.ps1 -start
```
## Use an existing SSL certificate
You may alternatively opt to use an existing SSL certificate, which will require you to have the following files:
A server certificate (`certificate.crt`)
A private key (`private.key`)
A CA certificate (`ca.crt`)
You may need to bundle your primary certificate with intermediate CA certificates to prevent SSL trust errors. All certificates should be included in the server certificate file when using a CA certificate. The first certificate in the file should be your server certificate, followed by any intermediate CA certificate(s), followed by the root CA.
Under the default configuration, place your files in `./bwdata/ssl/your.domain`. You may specify a different location for your certificate files by editing the following values in `./bwdata/config.yml`:
```
ssl_certificate_path: <path>
ssl_key_path: <path>
ssl_ca_path: <path>
```
### note
The values defined in `config.yml` represent locations inside the NGINX container. Directories on the host are mapped to directories within the NGINX container. Under the default configuration, mappings line up as follows:
The following values in `config.yml`:
```
ssl_certificate_path: /etc/ssl/your.domain/certificate.crt
ssl_key_path: /etc/ssl/your.domain/private.key
ssl_ca_path: /etc/ssl/your.domain/ca.crt
```
Map to the following files on the host:
```
./bwdata/ssl/your.domain/certificate.crt
./bwdata/ssl/your.domain/private.key
./bwdata/ssl/your.domain/ca.crt
```
**You should only ever need to work with files in** `**./bwdata/ssl/**`**. Working with files directly in the NGINX container is not recommended.**
### Using Diffie-Hellman key exchange
Optionally, if using Diffie-Hellman key exchange to generate ephemeral parameters:
Include a `dhparam.pem` file in the same directory.
Set the `ssl_diffie_hellman_path:` value in `config.yml`.
### note
You can create your own `dhparam.pem` file using OpenSSL with `openssl dhparam -out ./dhparam.pem 2048`.
## Using a self-signed Certificate
You may alternatively opt to use a self-signed certificate, however this is only recommended for testing.
Self-signed certificates will not be trusted by Bitwarden client applications by default. You will be required to manually install this certificate to the trusted store of each device you plan to use Bitwarden with.
Generate a self-signed certificate:
```
mkdir ./bwdata/ssl/bitwarden.example.com
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365\
-keyout ./ssl/bitwarden.example.com/private.key\
-out ./ssl/bitwarden.example.com/certificate.crt\
-reqexts SAN -extensions SAN\
-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:bitwarden.example.com\nbasicConstraints=CA:true'))\
-subj "/C=US/ST=New York/L=New York/O=Company Name/OU=Bitwarden/CN=bitwarden.example.com"
```
Your self-signed certificate (`.crt`) and private key (`private.key`) can be placed in the `./bwdata/ssl/self/your.domain` directory and configured in the `./bwdata/config.yml`:
```
ssl_certificate_path: /etc/ssl/bitwarden.example.com/certificate.crt
ssl_key_path: /etc/ssl/bitwarden.example.com/private.key
```
## Trust a self-signed certificate
### Windows
To trust a self-signed certificate on Windows, run `certmgr.msc` and import your certificate into the Trusted Root Certification Authorities.
### Linux
To trust a self-signed certificate on Linux, add your certificate to the following directories:
```
/usr/local/share/ca-certificates/
/usr/share/ca-certificates/
```
And run the following commands:
```
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
```
For our Linux desktop app, accessing the web vault using Chromium-based browsers, and the Directory Connector desktop app, you also need to complete [this Linux cert management procedure](https://chromium.googlesource.com/chromium/src/+/refs/heads/master/docs/linux/cert_management.md).
For the [Bitwarden CLI](https://bitwarden.com/help/cli/) and [Directory Connector CLI](https://bitwarden.com/help/directory-sync-cli/), your self-signed certificate must be stored in a local file and referenced by a `NODE_EXTRA_CA_CERTS=` environment variable, for example:
```
export NODE_EXTRA_CA_CERTS=~/.config/Bitwarden/certificate.crt
```
### Android
To trust a self-signed certificate on an Android device, refer to Google's [Add & remove certificates documentation](https://support.google.com/pixelphone/answer/2844832?hl=en).
### note
If you are **not self-hosting** and encounter the following certificate error on your android device:
```
Exception message: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
```
You will need to upload Bitwarden's certificates to your device. Refer to [this community thread](https://community.bitwarden.com/t/android-client-login-bitwarden-https-cert-problem/12132) for help finding the certificates.
## Use no certificate
### warning
If you opt to use no certificate, you **must front your installation with a proxy that serves Bitwarden over SSL**. This is because Bitwarden requires HTTPS; trying to use Bitwarden without the HTTPS protocol will trigger errors.
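Review bot: the self-signed certificate block creates `./bwdata/ssl/bitwarden.example.com` but then writes to `-keyout ./ssl/bitwarden.example.com/private.key` and `-out ./ssl/bitwarden.example.com/certificate.crt`, so the openssl call fails unless a separate `./ssl/` tree already exists; use `./bwdata/ssl/bitwarden.example.com/` in all three places. The paragraph that follows says the files go in `./bwdata/ssl/self/your.domain`, while the `config.yml` snippet points at `/etc/ssl/bitwarden.example.com/`, which under the host-to-container mapping described in the note further up corresponds to `./bwdata/ssl/bitwarden.example.com/`; the two should name the same directory. Smaller points in the same hunk: the PowerShell fence contains the prose line `Select 1, then follow instructions` as if it were a command (the Bash version correctly splits the fence there); `Bash` and `PowerShell` are tab labels left over from the source page rather than fence info strings; the three required files under "Use an existing SSL certificate" and the two steps under "Using Diffie-Hellman key exchange" have lost their list markers; and the bold markup in the line starting `**You should only ever need to work with files in**` is broken by the backticks inside it.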


@ -0,0 +1,252 @@
# Install and Deploy - Linux
This article will walk you through the procedure to install and deploy Bitwarden to your own Linux server. Bitwarden can also be installed and deployed on [Windows](https://wiki.zenndev.xyz/#help/install-on-premise-windows/) machines.
## System specifications
|   | Minimum | Recommended |
| -------------- | ---------------------------- | ---------------------------- |
| Processor | x64, 1.4GHz | x64, 2GHz dual core |
| Memory | 2GB RAM | 4GB RAM |
| Storage | 12GB | 25GB |
| Docker Version | Engine 19+ and Compose 1.24+ | Engine 19+ and Compose 1.24+ |
> #### **TIP**
>
> If you are looking for a quality provider with affordable prices, we recommend DigitalOcean. [Get started today](https://marketplace.digitalocean.com/apps/bitwarden) or read our [blog post about Bitwarden on DigitalOcean](https://wiki.zenndev.xyz/#blog/digitalocean-marketplace/).
## TL;DR
The following is a summary of the installation procedure in this article. Links in this section will jump to detailed **Installation procedure** sections:
[**Configure your domain**](https://wiki.zenndev.xyz/#software-install/bitwarden/#configure-your-domain). Set DNS records for a domain name pointing to your machine, and open ports 80 and 443 on the machine.
[**Install Docker and Docker Compose**](https://wiki.zenndev.xyz/#software-install/bitwarden/#install-docker-and-docker-compose) on your machine.
[**Create a Bitwarden user & directory**](https://wiki.zenndev.xyz/#software-install/bitwarden/#create-bitwarden-local-user--directory) from which to complete installation.
Retrieve an installation id and key from [**https://bitwarden.com/host**](https://wiki.zenndev.xyz/#host/) for use in installation.
> For more information, see [What are my installation id and installation key used for?](https://wiki.zenndev.xyz/#help/hosting-faqs/#general)
[**Install Bitwarden**](https://wiki.zenndev.xyz/#software-install/bitwarden/#install-bitwarden) on your machine.
[**Configure your environment**](https://wiki.zenndev.xyz/#software-install/bitwarden/#post-install-configuration) by adjusting settings in `./bwdata/env/global.override.env`.
> #### **TIP**
>
> At a minimum, configure the `globalSettings__mail__smtp...` variables to setup an email server for inviting and verifying users.
[**Start your instance**](https://wiki.zenndev.xyz/#software-install/bitwarden/#start-bitwarden).
Test your installation by opening your configured domain in a web browser.
Once deployed, we recommend regularly [backing up your server](https://wiki.zenndev.xyz/#help/backup-on-premise/) and [checking for system updates](https://wiki.zenndev.xyz/#help/updating-on-premise/).
# Installation procedure
## Configure your domain
By default, Bitwarden will be served through ports 80 (`http`) and 443 (`https`) on the host machine. Open these ports so that Bitwarden can be accessed from within and/or outside of the network. You may opt to choose different ports during installation.
We recommend configuring a domain name with DNS records that point to your host machine (for example, `bitwarden.example.com`), especially if you are serving Bitwarden over the internet.
## Install Docker and Docker Compose
Bitwarden will be deployed and run on your machine using an array of [Docker containers](https://docs.docker.com/get-started/). Bitwarden can be run with any Docker edition or plan. Evaluate which edition is best for your installation.
Deployment of containers is orchestrated using [Docker Compose](https://docs.docker.com/compose/). Some Docker installations, including Docker for macOS, come with Docker Compose already installed.
**Install Docker and Docker Compose on your machine before proceeding with installation.** Refer to the following Docker documentation for help:
[Install Docker Engine](https://docs.docker.com/engine/installation/)
[Install Docker Compose](https://docs.docker.com/compose/install/)
## Create Bitwarden local user & directory
We recommend configuring your Linux server with a dedicated `bitwarden` service account, from which to install and run Bitwarden. Doing so will isolate your Bitwarden instance from other applications running on your server.
**These steps are Bitwarden-recommended best practices, but are not required.** For more information, see Docker's [Post-installation steps for Linux](https://docs.docker.com/engine/install/linux-postinstall/) documentation.
Create a bitwarden user:
```
sudo adduser bitwarden
```
Set password for bitwarden user (strong password):
```
sudo passwd bitwarden
```
Create a docker group (if it doesn't already exist):
```
sudo groupadd docker
```
Add the bitwarden user to the docker group:
```
sudo usermod -aG docker bitwarden
```
Create a bitwarden directory:
```
sudo mkdir /opt/bitwarden
```
Set permissions for the `/opt/bitwarden` directory:
```
sudo chmod -R 700 /opt/bitwarden
```
Set the bitwarden user as owner of the `/opt/bitwarden` directory:
```
sudo chown -R bitwarden:bitwarden /opt/bitwarden
```
## Install Bitwarden
Bitwarden provides a shell script for easy installation on Linux and macOS (Bash), or Windows (PowerShell). Complete the following steps to install Bitwarden using the shell script:
> #### **TIP**
>
> If you have [created a Bitwarden user & directory](https://wiki.zenndev.xyz/#software-install/bitwarden/#create-bitwarden-local-user--directory), complete the following as the `bitwarden` user from the `/opt/bitwarden` directory.
Download the Bitwarden installation script (`bitwarden.sh`) to your machine:
```
curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod 700 bitwarden.sh
```
Run the installer script. A `./bwdata` directory will be created relative to the location of `bitwarden.sh`.
```
./bitwarden.sh install
```
Complete the prompts in the installer:
**Enter the domain name for your Bitwarden instance:**
Typically, this value should be the configured DNS record.
**Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):**
Specify `y` to generate a trusted SSL certificate using Let's Encrypt. You will be prompted to enter an email address for expiration reminders from Let's Encrypt. For more information, see [Certificate Options](https://wiki.zenndev.xyz/#help/certificates/).
Alternatively, specify `n` and use the **Do you have a SSL certificate to use?** option.
**Enter your installation id:**
Retrieve an installation id using a valid email at [https://bitwarden.com/host](https://wiki.zenndev.xyz/#host/). For more information, see [what are my installation id and installation key used for?](https://wiki.zenndev.xyz/#help/hosting-faqs/#general)
**Enter your installation key:**
Retrieve an installation key using a valid email at [https://bitwarden.com/host](https://wiki.zenndev.xyz/#host/). For more information, see [What are my installation id and installation key used for?](https://wiki.zenndev.xyz/#help/hosting-faqs/#general)
**Do you have a SSL certificate to use? (y/n):**
If you already have your own SSL certificate, specify `y` and place the necessary files in the `./bwdata/ssl/your.domain` directory. You will be asked whether it is a trusted SSL certificate (y/n). For more information, see [Certificate Options](https://wiki.zenndev.xyz/#help/certificates/).
Alternatively, specify `n` and use the **self-signed SSL certificate?** option, which is only recommended for testing purposes.
**Do you want to generate a self-signed SSL certificate? (y/n):**
Specify `y` to have Bitwarden generate a self-signed certificate for you. This option is only recommended for testing. For more information, see [Certificate Options](https://wiki.zenndev.xyz/#help/certificates/).
If you specify `n`, your instance will not use an SSL certificate and you will be required to front your installation with a HTTPS proxy, or else Bitwarden applications will not function properly.
# Post-install configuration
Configuring your environment can involve making changes to two files; an [environment variables file](https://wiki.zenndev.xyz/#software-install/bitwarden/#environment-variables) and an [installation file](https://wiki.zenndev.xyz/#software-install/bitwarden/#installation-configuration):
## Environment variables (_required_)
Some features of Bitwarden are not configured by the `bitwarden.sh` script. Configure these settings by editing the environment file, located at `./bwdata/env/global.override.env`. **At a minimum, you should replace the values for:**
```
...
globalSettings__mail__smtp__host=<placeholder>
globalSettings__mail__smtp__port=<placeholder>
globalSettings__mail__smtp__ssl=<placeholder>
globalSettings__mail__smtp__username=<placeholder>
globalSettings__mail__smtp__password=<placeholder>
...
adminSettings__admins=
...
```
Replace `globalSettings__mail__smtp...=` placeholders to connect to the SMTP mail server that will be used to send verification emails to new users and invitations to organizations. Adding an email address to `adminSettings__admins=` will provision access to the admin portal.
After editing `global.override.env`, run the following command to apply your changes:
```
./bitwarden.sh restart
```
## Installation file
The Bitwarden installation script uses settings in `./bwdata/config.yml` to generate the necessary assets for installation. Some installation scenarios (such as installations behind a proxy with alternate ports) may require adjustments to `config.yml` that were not provided during standard installation.
Edit `config.yml` as necessary and apply your changes by running:
```
./bitwarden.sh rebuild
```
## Start Bitwarden
Once you have completed all previous steps, start your Bitwarden instance:
```
./bitwarden.sh start
```
## note
The first time you start Bitwarden it may take some time as it downloads all of the images from Docker Hub.
Verify that all containers are running correctly:
```
docker ps
```
Congratulations! Bitwarden is now up and running at `https://your.domain.com`. Visit the web vault in your web browser to confirm that it's working.
You may now register a new account and log in. You will need to have configured `smtp` environment variables (see [Environment Variables](https://wiki.zenndev.xyz/#help/environment-variables/)) in order to verify the email for your new account.
> #### **TIP**
>
> Once deployed, we recommend regularly [backing up your server](https://wiki.zenndev.xyz/#help/backup-on-premise/) and [checking for system updates](https://wiki.zenndev.xyz/#help/updating-on-premise/).
## Script commands reference
The Bitwarden installation script (`bitwarden.sh` or `bitwarden.ps1`) has the following commands available:
## note
PowerShell users will run the commands with a prefixed `-` (switch). For example `.\bitwarden.ps1 -start`.
| Command | Description |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| install | Start the installer. |
| start | Start all containers. |
| restart | Restart all containers (same as start). |
| stop | Stop all containers. |
| update | Update all containers and the database. |
| updatedb | Update/initialize the database. |
| updaterun | Update the `run.sh` file. |
| updateself | Update this main script. |
| updateconf | Update all containers without restarting the running instance. |
| uninstall | Before this command executes, you will be prompted to save database files. `y` will create a tarfile of your database including the most recent backup. Stops containers, deletes the `bwdata` directory and all its contents, and removes ephemeral volumes. After executing, you will be asked whether you also want to purge all Bitwarden images. |
| renewcert | Renew certificates. |
| rebuild | Rebuild generated installation assets from `config.yml`. |
| help | List all commands. |
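Review bot: the three links whose visible text is `https://bitwarden.com/host` (TL;DR step 4 and the "Enter your installation id" / "Enter your installation key" prompts) point at `https://wiki.zenndev.xyz/#host/`, which does not exist on this wiki; the id and key can only be obtained from Bitwarden's own site, so those hrefs should be restored to `https://bitwarden.com/host` (the `#help/hosting-faqs/` and `#blog/digitalocean-marketplace/` targets look like the same find-and-replace and should be checked too). In the download step, `curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh && chmod 700 bitwarden.sh` returns success on an HTTP error because curl only fails on HTTP status with `-f`, so a 404 body would be saved and marked executable; suggest `curl -fLso bitwarden.sh ...`. Style: the `## note` headings before "The first time you start Bitwarden" and "PowerShell users will run" should use the `> #### **TIP**` callout form used elsewhere in the page, and the TL;DR steps and the two Docker links have lost their list markers.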