Commit 42d1b6e0 authored by Ian Fijolek's avatar Ian Fijolek

Merge branch 'ldap-sync'

parents 2c246bf4 56396a1e
......@@ -9,8 +9,14 @@
"healthCheckPath": "/healthcheck",
"httpPort": 80,
"addons": {
"localstorage": {},
"ldap": {},
"localstorage": {},
"scheduler": {
"ldap_sync": {
"schedule": "*/5 * * * *",
"command": "/app/code/ldap_sync.sh"
}
},
"sendmail": {}
},
"manifestVersion": 2,
......@@ -21,5 +27,6 @@
"tags": [
"password"
],
"minBoxVersion": "4.1.4",
"mediaLinks": [ "https://raw.githubusercontent.com/bitwarden/brand/master/screenshots/web-vault-macbook.png" ]
}
FROM "bitwardenrs/server:1.9.1" as bitwarden
# FROM "bitwardenrs/server:1.9.1" as bitwarden
FROM "vividboarder/bitwarden_rs:mail-auth-over-insecure" as bitwarden
FROM "vividboarder/bitwarden_rs_ldap:alpine" as bitwarden_ldap
FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
......@@ -10,7 +12,6 @@ ENV CONFIG_FILE=/app/data/config.json
ENV SIGNUPS_ALLOWED=false
ENV INVITATIONS_ALLOWED=true
ENV DISABLE_ADMIN_TOKEN=true
ENV WEBSOCKET_ENABLED=true
RUN mkdir -p /app/data
......@@ -30,6 +31,9 @@ RUN a2enmod ldap authnz_ldap proxy proxy_http proxy_wstunnel rewrite
COPY --from=bitwarden /web-vault /app/code/web-vault
COPY --from=bitwarden /bitwarden_rs /app/code/
COPY --from=bitwarden /Rocket.toml /app/code/
# Copy ldap sync utility
COPY --from=bitwarden_ldap /usr/local/bin/bitwarden_rs_ldap /app/code/
ENV RUST_BACKTRACE=1
# configure supervisor
ADD supervisor/ /etc/supervisor/conf.d/
......@@ -37,5 +41,7 @@ RUN sed -e 's,^logfile=.*$,logfile=/run/supervisord.log,' -i /etc/supervisor/sup
WORKDIR /app/code
COPY start.sh /app/code/start.sh
COPY ldap_sync.sh /app/code/ldap_sync.sh
COPY ldap_config.template.toml /app/code/ldap_config.template.toml
CMD [ "/app/code/start.sh" ]
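Review bot: The `bitwarden` stage moves from the pinned upstream release `bitwardenrs/server:1.9.1` to `vividboarder/bitwarden_rs:mail-auth-over-insecure`, a personal-namespace image on a mutable branch-style tag, and the new `vividboarder/bitwarden_rs_ldap:alpine` stage is likewise unpinned, so whoever can push to either tag can swap the `bitwarden_rs` and `bitwarden_rs_ldap` binaries that the COPY lines below pull into this image. Pin both by digest the way the `cloudron/base` line already does, e.g. `FROM vividboarder/bitwarden_rs:mail-auth-over-insecure@sha256:<digest> AS bitwarden` and `FROM vividboarder/bitwarden_rs_ldap:alpine@sha256:<digest> AS bitwarden_ldap`, and keep the commented upstream line as a record of what the fork diverges from. Removing `ENV DISABLE_ADMIN_TOKEN=true` presumably re-enables the admin API, which the sync utility needs since the template hands it an admin token; a one-line comment next to the remaining ENV lines, `# admin API stays enabled: token is generated in start.sh and used by ldap_sync.sh`, would record that this is deliberate. The header of the FROM hunk is not shown on this page.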
# Unpack vault assets
FROM alpine:3.10 as vault
RUN apk add --no-cache --upgrade \
curl \
tar
RUN mkdir /web-vault
WORKDIR /web-vault
# SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
ENV VAULT_VERSION "v2.11.0"
ENV URL "https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
RUN curl -L $URL | tar xz
RUN ls
# Build server binary
FROM rust:1.36 as build
RUN apt-get update && apt-get install -y \
--no-install-recommends \
curl \
tar \
libmariadb-dev \
&& rm -rf /var/lib/apt/lists/*
ENV BW_VERSION "master"
ENV URL "https://github.com/dani-garcia/bitwarden_rs/archive/${BW_VERSION}.tar.gz"
RUN curl -L $URL | tar xz
RUN mv /bitwarden_rs-$BW_VERSION /src
WORKDIR /src
RUN cargo build --features mysql --release
# Get ldap sync binary
FROM "vividboarder/bitwarden_rs_ldap:alpine" as bitwarden_ldap
FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
ENV ROCKET_ENV "staging"
ENV ROCKET_PORT=3000
ENV ROCKET_WORKERS=10
ENV DATA_FOLDER=/app/data
ENV CONFIG_FILE=/app/data/config.json
ENV SIGNUPS_ALLOWED=false
ENV INVITATIONS_ALLOWED=true
ENV WEBSOCKET_ENABLED=true
RUN mkdir -p /app/data
VOLUME /app/data
EXPOSE 80
EXPOSE 3012
# configure apache
RUN rm /etc/apache2/sites-enabled/*
RUN sed -e 's,^ErrorLog.*,ErrorLog "|/bin/cat",' -i /etc/apache2/apache2.conf
RUN a2disconf other-vhosts-access-log
COPY apache.conf /etc/apache2/sites-enabled/bitwarden.conf
RUN a2enmod ldap authnz_ldap proxy proxy_http proxy_wstunnel rewrite
# Copies Bitwarden files from build images
COPY --from=vault /web-vault /app/code/web-vault
COPY --from=build /src/target/release/bitwarden_rs /app/code/
COPY --from=build /src/Rocket.toml /app/code/
COPY --from=bitwarden_ldap /usr/local/bin/bitwarden_rs_ldap /app/code/
ENV RUST_BACKTRACE=1
WORKDIR /app/code
COPY start.sh /app/code/start.sh
COPY ldap_sync.sh /app/code/ldap_sync.sh
COPY ldap_config.template.toml /app/code/ldap_config.template.toml
CMD [ "/app/code/start.sh" ]
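Review bot: Both download steps, `RUN curl -L $URL | tar xz` in the `vault` stage and again in the `build` stage, fetch over the network with no `-f`, no checksum and with the `pipefail` SHELL line commented out, so a 404 page or a truncated body is silently extracted and the build continues; on top of that `ENV BW_VERSION "master"` compiles whatever happens to be on the upstream branch at build time, so two builds of this Dockerfile can ship different server code. Download to a file, verify a sha256 supplied as a build argument, and pin `BW_VERSION` to a release tag or the full commit SHA that carries the change you need, as sketched below. `RUN ls` in the vault stage looks like leftover debugging and can go. The `mv /bitwarden_rs-$BW_VERSION /src` line and the `cargo build` step are unchanged by this proposal.
```dockerfile
# Unpack vault assets
FROM alpine:3.10 as vault
# … unchanged: apk add curl tar, mkdir /web-vault, WORKDIR /web-vault …
ENV VAULT_VERSION="v2.11.0"
# sha256 of bw_web_$VAULT_VERSION.tar.gz from the upstream release page
ARG VAULT_SHA256
ENV URL="https://github.com/dani-garcia/bw_web_builds/releases/download/$VAULT_VERSION/bw_web_$VAULT_VERSION.tar.gz"
RUN curl -fsSL "$URL" -o /tmp/vault.tar.gz \
    && echo "${VAULT_SHA256}  /tmp/vault.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/vault.tar.gz \
    && rm /tmp/vault.tar.gz

# Build server binary
FROM rust:1.36 as build
# … unchanged: apt-get install …
# Pin to a release tag or full commit SHA, never a moving branch
ARG BW_VERSION=1.9.1
ARG BW_SHA256
ENV BW_VERSION="${BW_VERSION}"
ENV URL="https://github.com/dani-garcia/bitwarden_rs/archive/${BW_VERSION}.tar.gz"
RUN curl -fsSL "$URL" -o /tmp/bw.tar.gz \
    && echo "${BW_SHA256}  /tmp/bw.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/bw.tar.gz \
    && rm /tmp/bw.tar.gz
# … unchanged: mv /bitwarden_rs-$BW_VERSION /src, WORKDIR, cargo build …
```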
bitwarden_url = "http://##BITWARDEN_HOSTNAME:3000"
bitwarden_admin_token = "##ADMIN_TOKEN"
ldap_host = "##LDAP_SERVER"
ldap_port = ##LDAP_PORT
ldap_bind_dn = "##LDAP_BIND_DN"
ldap_bind_password = "##LDAP_BIND_PASSWORD"
ldap_search_base_dn = "##LDAP_USERS_BASE_DN"
ldap_search_filter = "(&(objectClass=*)(uid=*))"
ldap_sync_loop = false
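Review bot: `bitwarden_url = "http://##BITWARDEN_HOSTNAME:3000"` sends the admin token from the next line, and every sync request, over plaintext HTTP to the public hostname instead of to the local Rocket listener on port 3000; if the scheduler command runs inside the app container (the manifest invokes `/app/code/ldap_sync.sh` directly, which suggests it does), `bitwarden_url = "http://127.0.0.1:3000"` keeps the token off the network and drops the dependency on the hostname resolving back to this container. `ldap_port = ##LDAP_PORT` is rendered with no TLS setting in this template (whether the tool offers one I can't tell from here), so `ldap_bind_password` travels in the clear unless the port is LDAPS; a comment such as `# plaintext LDAP bind: assumes the directory is reachable only on the Cloudron-internal network` would make that assumption explicit. The filter `(&(objectClass=*)(uid=*))` is equivalent to `(uid=*)`, since `objectClass=*` matches every entry.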
#! /bin/bash
set -e
export ADMIN_TOKEN=$(cat /app/data/admin_token)
# Generate ldap sync config from template
sed -e "s/##LDAP_SERVER/${LDAP_SERVER}/"\
-e "s/##LDAP_PORT/${LDAP_PORT}/"\
-e "s/##LDAP_USERS_BASE_DN/${LDAP_USERS_BASE_DN}/"\
-e "s/##LDAP_BIND_DN/${LDAP_BIND_DN}/"\
-e "s/##LDAP_BIND_PASSWORD/${LDAP_BIND_PASSWORD}/"\
-e "s/##BITWARDEN_HOSTNAME/${CLOUDRON_APP_HOSTNAME}/"\
-e "s/##ADMIN_TOKEN/${ADMIN_TOKEN}/"\
/app/code/ldap_config.template.toml > /run/ldap_config.toml
export CONFIG_PATH=/run/ldap_config.toml
exec /app/code/bitwarden_rs_ldap
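Review bot: The sed here reads `LDAP_SERVER`, `LDAP_PORT`, `LDAP_USERS_BASE_DN`, `LDAP_BIND_DN` and `LDAP_BIND_PASSWORD`, while start.sh renders the same template from `CLOUDRON_LDAP_*`; with `set -e` but no `-u` an unset name expands to an empty string, so each scheduled run overwrites the `/run/ldap_config.toml` that start.sh produced with a config whose host, bind DN and password are blank, unless the scheduler environment also defines the unprefixed names, which I can't see from here. Either render the file once in start.sh and reduce this script to the `CONFIG_PATH` export and the `exec`, or use the same `CLOUDRON_*` names here, as below. Independently, a bind DN or password containing `/`, `&` or `\` corrupts the sed replacement (`&` re-inserts the match), and the rendered file keeps the default umask even though it carries the bind password and the admin token.
```bash
#! /bin/bash
set -eu
export ADMIN_TOKEN=$(cat /app/data/admin_token)
# Escape the characters that are special in a sed replacement: \ & and the / delimiter
esc() { printf '%s' "$1" | sed -e 's|[\\&/]|\\&|g'; }
# Generate ldap sync config from template, using the same CLOUDRON_* names as start.sh
sed -e "s/##LDAP_SERVER/$(esc "${CLOUDRON_LDAP_SERVER}")/"\
    -e "s/##LDAP_PORT/${CLOUDRON_LDAP_PORT}/"\
    -e "s/##LDAP_USERS_BASE_DN/$(esc "${CLOUDRON_LDAP_USERS_BASE_DN}")/"\
    -e "s/##LDAP_BIND_DN/$(esc "${CLOUDRON_LDAP_BIND_DN}")/"\
    -e "s/##LDAP_BIND_PASSWORD/$(esc "${CLOUDRON_LDAP_BIND_PASSWORD}")/"\
    -e "s/##BITWARDEN_HOSTNAME/${CLOUDRON_APP_HOSTNAME}/"\
    -e "s/##ADMIN_TOKEN/${ADMIN_TOKEN}/"\
    /app/code/ldap_config.template.toml > /run/ldap_config.toml
chmod 600 /run/ldap_config.toml   # holds the LDAP bind password and the admin token
export CONFIG_PATH=/run/ldap_config.toml
exec /app/code/bitwarden_rs_ldap
```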
......@@ -2,15 +2,36 @@
set -eu
echo "=> exporting env vars expected by Bitwarden"
echo "=> Exporting env vars expected by Bitwarden"
export DOMAIN=$CLOUDRON_APP_ORIGIN
export SMTP_HOST=$CLOUDRON_MAIL_SMTP_SERVER
export SMTP_FROM=$CLOUDRON_MAIL_FROM
export SMTP_FROM_NAME=Bitwarden
export SMTP_PORT=$CLOUDRON_MAIL_SMTPS_PORT
export SMTP_SSL=true
export SMTP_PORT=$CLOUDRON_MAIL_SMTP_PORT
export SMTP_SSL=false
export SMTP_EXPLICIT_TLS=false
export SMTP_USERNAME=$CLOUDRON_MAIL_SMTP_USERNAME
export SMTP_PASSWORD=$CLOUDRON_MAIL_SMTP_PASSWORD
export SMTP_AUTH_MECHANISM="Plain"
export LOG_LEVEL=debug
# Generate admin token if it doesn't exist
if [[ ! -f /app/data/admin_token ]]; then
pwgen -1 48 -s > /app/data/admin_token
fi
export ADMIN_TOKEN=$(cat /app/data/admin_token)
echo "=> Admin token: ${ADMIN_TOKEN}"
echo "=> Generate LDAP config"
# Generate ldap sync config from template
sed -e "s/##LDAP_SERVER/${CLOUDRON_LDAP_SERVER}/"\
-e "s/##LDAP_PORT/${CLOUDRON_LDAP_PORT}/"\
-e "s/##LDAP_USERS_BASE_DN/${CLOUDRON_LDAP_USERS_BASE_DN}/"\
-e "s/##LDAP_BIND_DN/${CLOUDRON_LDAP_BIND_DN}/"\
-e "s/##LDAP_BIND_PASSWORD/${CLOUDRON_LDAP_BIND_PASSWORD}/"\
-e "s/##BITWARDEN_HOSTNAME/${CLOUDRON_APP_HOSTNAME}/"\
-e "s/##ADMIN_TOKEN/${ADMIN_TOKEN}/"\
/app/code/ldap_config.template.toml > /run/ldap_config.toml
echo "=> Starting supervisord"
exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Bitwarden
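Review bot: `echo "=> Admin token: ${ADMIN_TOKEN}"` writes the freshly generated admin token to stdout, so it ends up in the container log for anyone with log access; print only where it lives, `echo "=> Admin token stored in /app/data/admin_token"`. The token file and the rendered LDAP config are created with the default umask although they hold the admin token and the LDAP bind password; write them as `(umask 077; pwgen -1 48 -s > /app/data/admin_token)` and add `chmod 600 /run/ldap_config.toml` after the sed. Switching from `CLOUDRON_MAIL_SMTPS_PORT` with `SMTP_SSL=true` to `SMTP_SSL=false` plus `SMTP_AUTH_MECHANISM="Plain"` sends the mail credentials unencrypted, which is only acceptable if the relay is reachable solely on a trusted internal network; a comment stating that assumption next to the SMTP block would help the next reader. `export LOG_LEVEL=debug` is also unconditional, and debug logging in a password manager's server is worth a deliberate decision rather than a default.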