From 89d7957eb63c8933e5f37a34267b89e84879302f Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Fri, 17 Jan 2020 11:36:37 +0100
Subject: [PATCH] add env file templating

---
 .gitignore | 1 +
 Dockerfile.amd64 | 8 +-
 docker-compose.yml | 15 +++
 overlay/etc/templates/env.tmpl | 184 ++++++++++++++++++++++++++++
 overlay/usr/local/bin/entrypoint.sh | 4 +-
 5 files changed, 208 insertions(+), 4 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 docker-compose.yml
 create mode 100644 overlay/etc/templates/env.tmpl

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..65e3ba2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+test/
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 2dc06bb..0166f31 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -11,9 +11,11 @@ ARG VAULT_TARBALL=https://github.com/dani-garcia/bw_web_builds/releases/download
 RUN addgroup -g 101 -S app && \
     adduser -S -D -H -u 101 -h /app -s /sbin/nologin -G app -g app app && \
-    apk --update add --virtual .build-deps tar && \
+    apk --update add --virtual .build-deps tar curl && \
     apk --update add openssl curl postgresql-libs ca-certificates && \
-    mkdir -p /app/web-vault && \
+    curl -SsL -o /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \
+    chmod 755 /usr/local/bin/gomplate && \
+    mkdir -p /app/web-vault /app/data && \
     curl -SsL ${VAULT_TARBALL} | tar xz -C /app/web-vault && \
     apk del .build-deps && \
     rm -rf /var/cache/apk/* && \
@@ -24,7 +26,7 @@ ADD overlay/ /
 ADD source/Rocket.toml /app
 ADD source/target/x86_64-unknown-linux-musl/release/bitwarden_rs /app
-VOLUME /data
+VOLUME /app/data
 EXPOSE 8080
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..88a30ce
--- /dev/null
+++ b/docker-compose.yml
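Review bot: The new `curl -SsL -o /usr/local/bin/gomplate …` line fetches a binary over the network and the next line makes it executable without any integrity check, and because `-f` is missing an HTTP error body would be saved and `chmod 755`'d as the binary while the build still succeeds. Pin the release by digest in the same RUN step, e.g. `curl -fSsL -o /usr/local/bin/gomplate https://github.com/hairyhenderson/gomplate/releases/download/v3.5.0/gomplate_linux-amd64-slim && \` followed by `echo "<sha256-of-gomplate_linux-amd64-slim>  /usr/local/bin/gomplate" | sha256sum -c - && \`, with the digest taken from the upstream release assets. `curl` is also added to `.build-deps` on the line above while the following line installs it permanently, so the virtual-package entry appears redundant. The RUN instruction continues past the end of the hunk.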
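Review bot: `VOLUME /app/data` publishes a directory that the earlier hunk creates with `mkdir -p /app/web-vault /app/data` as root and never hands to the `app` user (uid 101) created in the same RUN step; if the final image switches to that user (the `USER` line is outside both hunks), a freshly created volume inherits root ownership and bitwarden_rs cannot write its database, attachments or RSA key there. Setting ownership in the same step, e.g. `mkdir -p /app/web-vault /app/data && chown app:app /app/data && \`, avoids that. A one-line comment above the VOLUME instruction, `# must match DATA_FOLDER in overlay/etc/templates/env.tmpl`, would make the path coupling between the two files visible to the next maintainer.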
@@ -0,0 +1,15 @@
+---
+version: '2.1'
+
+services:
+  bitwardenrs:
+    container_name: bitwardenrs
+    image: xoxys/bitwardenrs:latest
+    ports:
+      - "80:8080"
+    volumes:
+      - bitwardenrs_data:/var/www/app/data
+
+volumes:
+  bitwardenrs_data:
+    driver: local
diff --git a/overlay/etc/templates/env.tmpl b/overlay/etc/templates/env.tmpl
new file mode 100644
index 0000000..ea3278a
--- /dev/null
+++ b/overlay/etc/templates/env.tmpl
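Review bot: The named volume is mounted at `/var/www/app/data`, but the Dockerfile in this commit declares `VOLUME /app/data` and the rendered env file sets `DATA_FOLDER=/app/data`, so the mount target is a path nothing in the image uses and the real data directory ends up in an anonymous volume that the `volumes:` section does not manage. Change the mapping to `- bitwardenrs_data:/app/data`. `image: xoxys/bitwardenrs:latest` also pins nothing, so two hosts running this file can get different images; a tagged version keeps the compose file reproducible.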
@@ -0,0 +1,184 @@
+## Bitwarden_RS Configuration File
+DATA_FOLDER=/app/data
+
+## Database URL
+DATABASE_URL={{ getenv "DATABASE_URL" }}
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Client-IP
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Enable extended logging, which shows timestamps and targets in the logs
+# EXTENDED_LOGGING=true
+
+## Logging to file
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## Setting it to "trace" or "debug" would also show logs for mounted
+## routes and static file, websocket and alive requests
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents bitwarden_rs from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+# ICON_BLACKLIST_REGEX=192\.168\.1\.[0-9].*^
+
+## Any IP which is not defined as a global IP will be blacklisted.
+## Usefull to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Whether password hint should be sent into the error response when the client request it
+# SHOW_PASSWORD_HINT=true
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=
+# DUO_SKEY=
+# DUO_HOST=
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT = false
+
+## Rocket specific settings, check Rocket documentation to learn more
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT=8080
+ROCKET_TLS=false
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=bitwarden-rs@domain.tld
+# SMTP_FROM_NAME=Bitwarden_RS
+# SMTP_PORT=587
+# SMTP_SSL=true
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_AUTH_MECHANISM="Plain"
+# SMTP_TIMEOUT=15
diff --git a/overlay/usr/local/bin/entrypoint.sh b/overlay/usr/local/bin/entrypoint.sh
index 7d32a04..f323c3d 100755
--- a/overlay/usr/local/bin/entrypoint.sh
+++ b/overlay/usr/local/bin/entrypoint.sh
@@ -1,3 +1,5 @@
 #!/usr/bin/env sh
-ROCKET_TLS=disabled ROCKET_ADDRESS=0.0.0.0 ROCKET_PORT=8080 /app/bitwarden_rs
+/usr/local/bin/gomplate -V -o /app/.env -f /etc/templates/env.tmpl
+
+exec /app/bitwarden_rs
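Review bot: `DATABASE_URL={{ getenv "DATABASE_URL" }}` near the top of the template renders to a bare `DATABASE_URL=` whenever the variable is not passed to the container, so the application sees an empty value instead of no value and presumably loses its built-in SQLite fallback under `DATA_FOLDER`; gomplate's `getenv` takes a default as its second argument, so `DATABASE_URL={{ getenv "DATABASE_URL" "/app/data/db.sqlite3" }}` (default path constructed to match `DATA_FOLDER=/app/data`) would keep deployments that set nothing working. The template also bakes in `ROCKET_TLS=false` where the previous entrypoint passed `ROCKET_TLS=disabled`; both are presumably read as "no TLS", but since the value is now fixed in the image rather than overridable on the command line, that is worth confirming against the Rocket version in use. A header comment such as `## Rendered by gomplate at container start from /etc/templates/env.tmpl; edit the template, not the output` would tell operators why edits to the generated file do not survive a restart.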
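Review bot: The script has no `set -e`, so a failing gomplate run on the new `/usr/local/bin/gomplate -V -o /app/.env -f /etc/templates/env.tmpl` line (missing template, unwritable `/app`, parse error) is ignored and `exec /app/bitwarden_rs` starts with a stale `/app/.env` or none at all. Add `set -e` directly after the shebang. The rendered file carries whatever `DATABASE_URL` was passed in, which may include database credentials, and gomplate presumably writes it with a permissive default mode; tightening it before the exec with `chmod 600 /app/.env` keeps the secret readable only by the account that runs the service.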