Diffstat (limited to 'app-admin/vaultwarden/files')
-rw-r--r--app-admin/vaultwarden/files/conf9
-rw-r--r--app-admin/vaultwarden/files/init13
-rw-r--r--app-admin/vaultwarden/files/vaultwarden16
-rw-r--r--app-admin/vaultwarden/files/vaultwarden.service50
4 files changed, 88 insertions, 0 deletions
diff --git a/app-admin/vaultwarden/files/conf b/app-admin/vaultwarden/files/conf
new file mode 100644
index 0000000..3928906
--- /dev/null
+++ b/app-admin/vaultwarden/files/conf
@@ -0,0 +1,9 @@
+# /etc/conf.d/vaultwarden: config file for /etc/init.d/vaultwarden
+# vim: set filetype=gentoo-conf-d:
+
+# User and group
+VAULTWARDEN_USER="vaultwarden"
+VAULTWARDEN_GROUP="vaultwarden"
+
+# Environment config file (will be sourced)
+VAULTWARDEN_CONFIG="/etc/vaultwarden.env"
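Review bot: The comment above `VAULTWARDEN_CONFIG` says the file "will be sourced", but the same `/etc/vaultwarden.env` is also read through `EnvironmentFile=` in vaultwarden.service, and the two readers do not parse it the same way. Bash expands `$`, backticks and unquoted whitespace, so a token or database URL containing those characters can reach the server with a different value under OpenRC than under systemd. I would document the constraint here, e.g. `# Plain KEY=value lines only; single-quote values containing $, spaces or backticks (sourced by bash)`. The file presumably holds the server's secrets, and its owner and mode are set outside this diff, so it is worth confirming that it is installed root-owned and readable only by the service group.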
diff --git a/app-admin/vaultwarden/files/init b/app-admin/vaultwarden/files/init
new file mode 100644
index 0000000..66fd2ea
--- /dev/null
+++ b/app-admin/vaultwarden/files/init
@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+# Copyright 1999-2021 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+command="/var/lib/vaultwarden/vaultwarden"
+pidfile="/run/vaultwarden.pid"
+description="Unofficial Vaultwarden compatible server written in Rust"
+start_stop_daemon_args="--env VAULTWARDEN_CONFIG=$VAULTWARDEN_CONFIG --user ${VAULTWARDEN_USER} --group ${VAULTWARDEN_GROUP} --pidfile ${pidfile} --make-pidfile --background"
+
+depend() {
+ need net
+ use mysql postgresql
+}
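Review bot: `command="/var/lib/vaultwarden/vaultwarden"` places the launcher in the directory the wrapper script uses as the service's working and data directory. Where the wrapper is installed and who owns that directory are not visible in this diff, but if the service account can write there it can replace the script that the init system starts on every boot. A root-owned path outside the state directory would avoid that, e.g. `command="/usr/libexec/vaultwarden/vaultwarden"`. Separately, the user, group and backgrounding flags packed into `start_stop_daemon_args` are more conventionally written as `command_user="${VAULTWARDEN_USER}:${VAULTWARDEN_GROUP}"` and `command_background=true`, which also removes the unquoted `$VAULTWARDEN_CONFIG` from a word-split string.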
diff --git a/app-admin/vaultwarden/files/vaultwarden b/app-admin/vaultwarden/files/vaultwarden
new file mode 100644
index 0000000..8400dfb
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Load config
+set -o allexport
+source "$VAULTWARDEN_CONFIG"
+set +o allexport
+
+# Create data dir
+cd /var/lib/vaultwarden
+mkdir -p "${DATA_FOLDER:-data}"
+
+# Use default web vault folder
+export WEB_VAULT_FOLDER="${WEB_VAULT_FOLDER:-"/usr/share/vaultwarden-web-vault/htdocs"}"
+
+# Exec vaultwarden
+exec /usr/bin/vaultwarden
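Review bot: Neither `source "$VAULTWARDEN_CONFIG"` nor `cd /var/lib/vaultwarden` is checked, so if the variable is unset, the file is unreadable or the directory is missing, the script carries on and starts the server with default settings and a relative data folder resolved against whatever directory it started in. Failing closed is safer: `source "${VAULTWARDEN_CONFIG:?not set}" || exit 1` and `cd /var/lib/vaultwarden || exit 1`. The systemd unit in this commit sets `UMask=0077`, but this path inherits the caller's umask, so the directory made by `mkdir -p` and the files the server writes later may end up group- or world-readable. Adding `umask 077` before the `mkdir` would bring the OpenRC path in line with the unit.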
diff --git a/app-admin/vaultwarden/files/vaultwarden.service b/app-admin/vaultwarden/files/vaultwarden.service
new file mode 100644
index 0000000..4b6cbfc
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden.service
@@ -0,0 +1,50 @@
+[Unit]
+Description=Unofficial Bitwarden compatible server written in Rust
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target mariadb.service mysqld.service postgresql.service
+
+[Service]
+ExecStart=/usr/bin/vaultwarden
+WorkingDirectory=/var/lib/vaultwarden
+User=vaultwarden
+Group=vaultwarden
+
+# Allow vaultwarden to bind ports in the range of 0-1024
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+NoNewPrivileges=yes
+
+LimitNOFILE=1048576
+UMask=0077
+LimitNPROC=64
+
+ProtectSystem=strict
+ProtectHome=true
+ReadWriteDirectories=/var/lib/vaultwarden
+PrivateUsers=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+
+Environment="WEB_VAULT_FOLDER=/usr/share/vaultwarden-web-vault/htdocs"
+EnvironmentFile=/etc/vaultwarden.env
+
+[Install]
+WantedBy=multi-user.target
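Review bot: `PrivateUsers=yes` works against the `AmbientCapabilities=CAP_NET_BIND_SERVICE` line and its comment about binding ports below 1024. With a private user namespace the process holds no capabilities in the host's user namespace, so binding a low port on the host network is expected to fail even though the capability is granted. Pick one: if low ports are not needed, keep `PrivateUsers=yes`, drop the ambient capability and set `CapabilityBoundingSet=` to empty; otherwise remove `PrivateUsers=yes` and say so in the comment. `ReadWriteDirectories=` is the legacy spelling of `ReadWritePaths=`, so I would use the current name (or `StateDirectory=vaultwarden`) so the setting keeps showing up where people look for it.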