commit: ca1b0dc5d743492e3fdb1bc0c0b0599208b22c03 Author: Rahil Bhimjiani <me <AT> rahil <DOT> rocks> AuthorDate: Wed Apr 30 14:35:01 2025 +0000 Commit: Fabian Groffen <grobian <AT> gentoo <DOT> org> CommitDate: Sun Jun 1 08:56:57 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ca1b0dc5
app-admin/vaultwarden: Unofficial Bitwarden compatible server in Rust Explaination of some design decisions: * Icon cache folder & tmp folder paths have been changed from default /var/cache/... & /tmp/... respectively so that backing up /var/lib/vaultwarden backs up everything needed minus extra fluff. Also having them at linux standard locations allow users to take advantage of tmpfs on /tmp and other fine tunings. * USE +web pulls in dependency www-apps/vaultwarden-web instead of just downloading tarball conditionally because sometimes only web frontend gets updated but not backend. So it doesn't make sense to recompile backend (rust package which takes ~20 minutes to compile) just to update frontend (*js, *css, *html files) Thanks Fabian Groffen <grobian <AT> gentoo.org> for taking interest & good suggestions Closes: https://github.com/gentoo/gentoo/pull/41864 Signed-off-by: Rahil Bhimjiani <me <AT> rahil.rocks> Signed-off-by: Fabian Groffen <grobian <AT> gentoo.org> app-admin/vaultwarden/Manifest | 3 + .../vaultwarden/files/vaultwarden-1.33.2.confd | 9 ++ .../vaultwarden/files/vaultwarden-1.33.2.initd | 20 +++ .../files/vaultwarden-1.33.2.logrotated | 9 ++ .../vaultwarden/files/vaultwarden-1.33.2.service | 45 ++++++ .../files/vaultwarden-envfile-1.33.2.patch | 49 +++++++ .../files/vaultwarden-tmpfiles-1.33.2.conf | 5 + app-admin/vaultwarden/metadata.xml | 25 ++++ app-admin/vaultwarden/vaultwarden-1.34.1.ebuild | 163 +++++++++++++++++++++ app-admin/vaultwarden/vaultwarden-9999.ebuild | 163 +++++++++++++++++++++ 10 files changed, 491 insertions(+)
diff --git a/app-admin/vaultwarden/Manifest b/app-admin/vaultwarden/Manifest
new file mode 100644
index 000000000000..faed7ae695b3
--- /dev/null
+++ b/app-admin/vaultwarden/Manifest
@@ -0,0 +1,3 @@
+DIST vaultwarden-1.34.1-deps.tar.xz 52689252 BLAKE2B e2d6eea8e29908b08e887967c2a4320dc213073a7a7bbbba969f964475d0babff8b57ff093ac9cab3ed3a724d6f924b6b09aa2380eaf30d17a79765d18996391 SHA512 e21df43a3c09c3463d0b7c9a8ae23bebfba062cf4f2ce0deb2ad0cd27231c7269586911b4b69ab550467143fed1deba9ac29e01231e1701de941ce8a8bb5e02f
+DIST vaultwarden-1.34.1-docs.tar.xz 79056 BLAKE2B c863f0e3657a1165d1d6920c396a444a54662a20b0ee6e5a7053a184d9cde7e3c9a9429248448ef349d9d794226fee149e0bddb200a450a32957e2a68c3f8481 SHA512 8b4cd281261433559aca8d058d37e23b1cbb96f95f22c991bbbe125479bd424475f4982206e33bfcd4dac22a9167f6c2a7c4f4a9877e880de73000ad2e22c8c0
+DIST vaultwarden-1.34.1.tar.gz 649230 BLAKE2B fc842974ab1b7ba6cd6cbec36d6b03f2ca9358214a0a993f9ae99a91ba2e655186e89de714d5ce0327b885e22d5c8cc374dd1ef6d2abbb588795bc5fb4f4ffe7 SHA512 9811a9d178b855ef66694d8b6e49906c5b68b02303f1653c644e925eaedbe0a98d974ac3d426dcb2567be1c7cc5efd4dc0418414acfda2e92d48aae1510b74d0
diff --git a/app-admin/vaultwarden/files/vaultwarden-1.33.2.confd b/app-admin/vaultwarden/files/vaultwarden-1.33.2.confd
new file mode 100644
index 000000000000..c06312ea72a5
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-1.33.2.confd
@@ -0,0 +1,9 @@
+# Location of config file
+#CONF_FILE=/etc/vaultwarden/vaultwarden.conf
+
+# User & group to start daemon as
+#VW_USER=vaultwarden
+#VW_GROUP=vaultwarden
+
+# Directory to store data in
+#DATA_FOLDER=/var/lib/vaultwarden
diff --git a/app-admin/vaultwarden/files/vaultwarden-1.33.2.initd b/app-admin/vaultwarden/files/vaultwarden-1.33.2.initd
new file mode 100644
index 000000000000..aaa98a9cc846
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-1.33.2.initd
@@ -0,0 +1,20 @@
+#!/sbin/openrc-run
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+export ENV_FILE="${CONF_FILE:-/etc/${RC_SVCNAME}/${RC_SVCNAME}.conf}"
+
+name="Vaultwarden"
+description="Unofficial Bitwarden compatible password manager"
+command="/usr/bin/${RC_SVCNAME}"
+command_user="${VW_USER:-vaultwarden}:${VW_GROUP:-vaultwarden}"
+command_background="true"
+pidfile="/run/${RC_SVCNAME}.pid"
+output_log="/var/log/${RC_SVCNAME}.log"
+error_log="/var/log/${RC_SVCNAME}.log"
+directory="${DATA_FOLDER:-/var/lib/${RC_SVCNAME}}"
+umask=0027
+
+depend() {
+ after net
+}
diff --git a/app-admin/vaultwarden/files/vaultwarden-1.33.2.logrotated b/app-admin/vaultwarden/files/vaultwarden-1.33.2.logrotated
new file mode 100644
index 000000000000..b107697b214e
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-1.33.2.logrotated
@@ -0,0 +1,9 @@
+/var/log/vaultwarden.log {
+ su vaultwarden vaultwarden
+ size 5M
+ compress
+ rotate 4
+ copytruncate
+ missingok
+ notifempty
+}
diff --git a/app-admin/vaultwarden/files/vaultwarden-1.33.2.service b/app-admin/vaultwarden/files/vaultwarden-1.33.2.service
new file mode 100644
index 000000000000..b98d0e39b504
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-1.33.2.service
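Review bot: `output_log` and `error_log` in the init script point at `/var/log/${RC_SVCNAME}.log`, the same file the envfile patch in this commit configures as `LOG_FILE=/var/log/vaultwarden.log`, so under OpenRC the log is presumably written through two independent handles (the supervisor's redirect and the daemon's own file logger). That tends to give duplicated or interleaved entries and sits badly with the `copytruncate` rotation added alongside, which is unwelcome for the log of a password-manager server. Consider dropping the two redirect lines or sending them to a separate file, e.g. `error_log="/var/log/${RC_SVCNAME}.err"`; whether Vaultwarden still writes to stdout when `LOG_FILE` is set should be confirmed first.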
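Review bot: `copytruncate` in the logrotate snippet leaves a window between the copy and the truncate in which new entries are lost, and `size 5M` with `rotate 4` keeps only about 20 MB of history. If this log is what operators rely on for failed-login or admin-panel activity (presumably it is), the trade-off deserves a comment, e.g. `# copytruncate: daemon keeps the file open and is not signalled to reopen it; lines written during rotation may be lost`. Sites that feed the log to an intrusion-prevention tool may also want a larger `rotate` value.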
@@ -0,0 +1,45 @@
+[Unit]
+Description=Vaultwarden, unofficial Bitwarden compatible password manager
+Documentation=https://github.com/dani-garcia/vaultwarden
+
+After=network.target
+Wants=network.target
+
+[Service]
+Environment=ENV_FILE=/etc/%N/%N.conf
+ExecStart=/usr/bin/%N
+WorkingDirectory=/var/lib/%N
+
+User=%N
+Group=%N
+UMask=0027
+
+# Sandboxing and hardening systemd.exec(5)
+PrivateUsers=yes
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+RestrictRealtime=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+
+# set entire file system to read only except following paths
+ProtectSystem=strict
+ReadWritePaths=/var/lib/%N -/var/log/%N.log
+CacheDirectory=%N
+
+# Set reasonable connection and process limits
+LimitNOFILE=1048576
+LimitNPROC=64
+
+[Install]
+WantedBy=multi-user.target
diff --git a/app-admin/vaultwarden/files/vaultwarden-envfile-1.33.2.patch b/app-admin/vaultwarden/files/vaultwarden-envfile-1.33.2.patch
new file mode 100644
index 000000000000..073fbf0205d4
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-envfile-1.33.2.patch
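Review bot: The hardening block leaves capabilities, socket address families and the syscall surface unrestricted, which is most of what remains exposed for a network-facing secrets store running as `User=%N`. After `ProtectHome=true` I would add `CapabilityBoundingSet=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallFilter=@system-service`, and state `NoNewPrivileges=yes` explicitly rather than relying on it being implied by the other options. The empty bounding set assumes the unprivileged default port (8000) listed in the ebuild's DOC_CONTENTS and would need relaxing on sites that bind below 1024. The address-family list should be checked against the configured database backend before it is committed.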
@@ -0,0 +1,49 @@
+As upstream defaults create directories where binary is executed (/usr/bin/), this patch is needed to change paths to Gentoo specific locations
+--- a/.env.template
++++ b/.env.template
+@@ -5,24 +5,20 @@
+ ## Be aware that most of these settings will be overridden if they were changed
+ ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+ ##
+-## By default, Vaultwarden expects for this file to be named ".env" and located
+-## in the current working directory. If this is not the case, the environment
+-## variable ENV_FILE can be set to the location of this file prior to starting
+-## Vaultwarden.
+
+ ####################
+ ### Data folders ###
+ ####################
+
+ ## Main data folder
+-# DATA_FOLDER=data
++DATA_FOLDER=/var/lib/vaultwarden
+
+ ## Individual folders, these override %DATA_FOLDER%
+ # RSA_KEY_FILENAME=data/rsa_key
+-# ICON_CACHE_FOLDER=data/icon_cache
++ICON_CACHE_FOLDER=/var/cache/vaultwarden/icon_cache
+ # ATTACHMENTS_FOLDER=data/attachments
+ # SENDS_FOLDER=data/sends
+-# TMP_FOLDER=data/tmp
++TMP_FOLDER=/tmp/vaultwarden
+
+ ## Templates data folder, by default uses embedded templates
+ ## Check source code to see the format
+@@ -31,7 +27,7 @@
+ # RELOAD_TEMPLATES=false
+
+ ## Web vault settings
+-# WEB_VAULT_FOLDER=web-vault/
++WEB_VAULT_FOLDER=/usr/share/webapps/vaultwarden-web
+ # WEB_VAULT_ENABLED=true
+
+ #########################
+@@ -371,7 +367,7 @@
+ # USE_SYSLOG=false
+
+ ## Logging to file
+-# LOG_FILE=/path/to/log
++LOG_FILE=/var/log/vaultwarden.log
+
+ ## Log level
+ ## Change the verbosity of the log output
diff --git a/app-admin/vaultwarden/files/vaultwarden-tmpfiles-1.33.2.conf b/app-admin/vaultwarden/files/vaultwarden-tmpfiles-1.33.2.conf
new file mode 100644
index 000000000000..13754438ddcd
--- /dev/null
+++ b/app-admin/vaultwarden/files/vaultwarden-tmpfiles-1.33.2.conf
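Review bot: `TMP_FOLDER=/tmp/vaultwarden` gives the daemon's temporary files a fixed name inside a world-writable directory; the systemd unit isolates this with `PrivateTmp=true`, but the OpenRC script in this commit has no equivalent, so there the parent is shared with every local user. The tmpfiles.d entry creates the directory as `vaultwarden:vaultwarden 0750`, yet if it is missing at start-up (tmpfiles not processed, /tmp cleaned) whoever creates the name first controls it. A location under a root-owned parent, for example `TMP_FOLDER=/run/vaultwarden` with a matching tmpfiles.d `d` line, keeps the tmpfs benefit described in the commit message without the shared parent; the systemd unit would then need that path made writable. The first inner hunk also deletes the only comment explaining `ENV_FILE`, which both service files now depend on, so a one-line replacement comment naming the Gentoo location would help.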
@@ -0,0 +1,5 @@
+# Fields: type; path; mode; uid; gid; age; argument
+# tmpfiled.d(5)
+d /var/cache/vaultwarden 0750 vaultwarden vaultwarden
+d /tmp/vaultwarden 0750 vaultwarden vaultwarden 1d
+f /var/log/vaultwarden.log 0640 vaultwarden vaultwarden
diff --git a/app-admin/vaultwarden/metadata.xml b/app-admin/vaultwarden/metadata.xml
new file mode 100644
index 000000000000..29512303aaa7
--- /dev/null
+++ b/app-admin/vaultwarden/metadata.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person" proxied="yes">
+ <email>[email protected]</email>
+ <name>Rahil Bhimjiani</name>
+ </maintainer>
+ <maintainer type="person">
+ <email>[email protected]</email>
+ <name>Fabian Groffen</name>
+ </maintainer>
+ <use>
+ <flag name="cli">
+ Install client with the Command-Line Interface
+ </flag>
+ <flag name="web">
+ Install client with Web UI
+ </flag>
+ </use>
+ <upstream>
+ <remote-id type="github">dani-garcia/vaultwarden</remote-id>
+ <bugs-to>https://github.com/dani-garcia/vaultwarden/issues</bugs-to>
+ <doc>https://github.com/dani-garcia/vaultwarden/blob/main/README.md</doc>
+ </upstream>
+</pkgmetadata>
diff --git a/app-admin/vaultwarden/vaultwarden-1.34.1.ebuild b/app-admin/vaultwarden/vaultwarden-1.34.1.ebuild
new file mode 100644
index 000000000000..47af5112e14d
--- /dev/null
+++ b/app-admin/vaultwarden/vaultwarden-1.34.1.ebuild
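Review bot: The header comment of the tmpfiles snippet cites `tmpfiled.d(5)`; the manual page is `tmpfiles.d(5)`. The `/tmp/vaultwarden` line also deserves a note that it only serves the OpenRC service: the systemd unit in this commit sets `PrivateTmp=true`, so that service gets its own /tmp and does not see the directory created here. Suggested comment above that line: `# used by the OpenRC service only; the systemd unit runs with PrivateTmp`.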
@@ -0,0 +1,163 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cargo check-reqs readme.gentoo-r1 systemd tmpfiles
+
+DESCRIPTION="Unofficial Bitwarden compatible password manager"
+HOMEPAGE="https://github.com/dani-garcia/vaultwarden"
+
+if [[ ${PV} == 9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/dani-garcia/vaultwarden.git"
+else
+ SRC_URI="
+ https://github.com/dani-garcia/vaultwarden/archive/refs/tags/${PV}.tar.gz -> ${P}.tar.gz
+ https://github.com/rahilarious/gentoo-distfiles/releases/download/${P}/deps.tar.xz -> ${P}-deps.tar.xz
+ https://github.com/rahilarious/gentoo-distfiles/releases/download/${P}/wiki.tar.xz -> ${P}-docs.tar.xz
+"
+ KEYWORDS="~amd64"
+fi
+
+LICENSE="AGPL-3"
+# Dependent crate licenses
+LICENSE+=" 0BSD Apache-2.0 BSD ISC MIT MPL-2.0 Unicode-3.0"
+
+SLOT="0"
+IUSE="cli mysql postgres +sqlite +web"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+RDEPEND="
+ acct-user/vaultwarden
+ acct-group/vaultwarden
+ dev-libs/openssl:=
+ cli? ( app-admin/bitwarden-cli-bin )
+ mysql? ( dev-db/mysql-connector-c:= )
+ postgres? ( dev-db/postgresql:* )
+ sqlite? ( dev-db/sqlite:3 )
+ web? ( www-apps/vaultwarden-web )
+"
+
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+QA_FLAGS_IGNORED="usr/bin/${PN}"
+QA_PRESTRIPPED="usr/bin/${PN}"
+ECARGO_VENDOR="${WORKDIR}/vendor"
+
+PATCHES=(
+ "${FILESDIR}"/vaultwarden-envfile-1.33.2.patch
+)
+
+CHECKREQS_MEMORY=3G
+CHECKREQS_DISK_BUILD=2G
+
+DOC_CONTENTS="\n
+ Configuration file: /etc/${PN}/${PN}.conf\n
+ Data directory: /var/lib/${PN}\n
+ Log file: /var/log/${PN}.log\n
+ Default endpoint: http://127.0.0.1:8000\n
+ Admin endpoint: http://127.0.0.1:8000/admin\n
+ \n
+ MySQL & PostgreSQL users must set DATABASE_URL in config\n
+"
+
+pkg_setup() {
+ check-reqs_pkg_setup
+ rust_pkg_setup
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999* ]]; then
+ # clone vaultwarden
+ git-r3_src_unpack
+
+ # clone vaultwarden.wiki
+ EGIT_REPO_URI="https://github.com/dani-garcia/vaultwarden.wiki.git"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/${PN}.wiki"
+ git-r3_src_unpack
+
+ cargo_live_src_unpack
+ else
+ cargo_src_unpack
+ fi
+}
+
+src_prepare() {
+ default
+ if use !web; then
+ sed -i \
+ -e 's|^# WEB_VAULT_ENABLED=true|WEB_VAULT_ENABLED=false|g;' \
+ .env.template || die
+ fi
+
+ if use mysql || use postgres; then
+ declare -a DB_UNIT
+ use mysql && DB_UNIT+=(
+ mariadb.service
+ mysqld.service
+ )
+ use postgres && DB_UNIT+=(
+ postgresql-{13..17}.service
+ )
+ cat <<-EOF > "${T}/${PN}-db.conf"
+ [Unit]
+ After=${DB_UNIT[@]}
+ Wants=${DB_UNIT[@]}
+ EOF
+ fi
+
+}
+
+src_configure() {
+ local myfeatures=(
+ $(usev sqlite)
+ $(usev mysql)
+ $(usev postgres postgresql )
+ )
+ cargo_src_configure
+}
+
+src_compile() {
+ # https://github.com/dani-garcia/vaultwarden/blob/main/build.rs
+ [[ ${PV} != 9999* ]] && export VW_VERSION="${PV}"
+ cargo_src_compile
+}
+
+src_install() {
+ dobin "$(cargo_target_dir)/${PN}"
+ systemd_newunit "${FILESDIR}"/vaultwarden-1.33.2.service \
+ "${PN}".service
+ if [[ -f "${T}/${PN}-db.conf" ]]; then
+ local UNIT_DIR="$(systemd_get_systemunitdir)"
+ insinto "${UNIT_DIR#${EPREFIX}}/${PN}".service.d
+ doins "${T}/${PN}-db.conf"
+ fi
+ newinitd "${FILESDIR}"/vaultwarden-1.33.2.initd "${PN}"
+ newconfd "${FILESDIR}"/vaultwarden-1.33.2.confd "${PN}"
+ newtmpfiles "${FILESDIR}"/vaultwarden-tmpfiles-1.33.2.conf "${PN}".conf
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/"vaultwarden-1.33.2.logrotated "${PN}"
+ insinto /etc/"${PN}"
+ newins .env.template "${PN}".conf
+ keepdir /var/lib/"${PN}"
+ fowners "${PN}":"${PN}" /var/lib/"${PN}"
+ fperms 750 /var/lib/"${PN}"
+
+ readme.gentoo_create_doc
+ einstalldocs
+ dodoc -r ../"${PN}".wiki/*
+}
+
+pkg_postinst() {
+ tmpfiles_process "${PN}".conf
+ readme.gentoo_print_elog
+
+ # delete following after 3 months
+ elog "Vaultwarden stack has been moved from ::guru to ::gentoo"
+ elog "### Migration guide: "
+ elog "* Backup /etc/vaultwarden.env"
+ elog "* Configuration file has been moved from /etc/${PN}.env to /etc/${PN}/${PN}.conf"
+ elog " So make sure to migrate that & remove old config"
+}
diff --git a/app-admin/vaultwarden/vaultwarden-9999.ebuild b/app-admin/vaultwarden/vaultwarden-9999.ebuild
new file mode 100644
index 000000000000..47af5112e14d
--- /dev/null
+++ b/app-admin/vaultwarden/vaultwarden-9999.ebuild
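Review bot: `newins .env.template "${PN}".conf` in `src_install` installs `/etc/vaultwarden/vaultwarden.conf` with the default `insopts` mode (0644, root-owned), yet DOC_CONTENTS tells users to put `DATABASE_URL` there and the file presumably holds the other service secrets too, so credentials end up readable by every local account. After that `newins`, add `fowners root:"${PN}" /etc/"${PN}"/"${PN}".conf` and `fperms 0640 /etc/"${PN}"/"${PN}".conf`, which keeps the file readable by the service account used in both the unit and the init script. The same two lines apply to `vaultwarden-9999.ebuild`, whose hunk is identical. Separately, the `-deps` and `-docs` distfiles come from a personal GitHub release area rather than upstream; the Manifest hashes pin them, but a comment above `SRC_URI` recording how the vendor tarball is produced would let others reproduce and audit it.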
@@ -0,0 +1,163 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cargo check-reqs readme.gentoo-r1 systemd tmpfiles
+
+DESCRIPTION="Unofficial Bitwarden compatible password manager"
+HOMEPAGE="https://github.com/dani-garcia/vaultwarden"
+
+if [[ ${PV} == 9999* ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/dani-garcia/vaultwarden.git"
+else
+ SRC_URI="
+ https://github.com/dani-garcia/vaultwarden/archive/refs/tags/${PV}.tar.gz -> ${P}.tar.gz
+ https://github.com/rahilarious/gentoo-distfiles/releases/download/${P}/deps.tar.xz -> ${P}-deps.tar.xz
+ https://github.com/rahilarious/gentoo-distfiles/releases/download/${P}/wiki.tar.xz -> ${P}-docs.tar.xz
+"
+ KEYWORDS="~amd64"
+fi
+
+LICENSE="AGPL-3"
+# Dependent crate licenses
+LICENSE+=" 0BSD Apache-2.0 BSD ISC MIT MPL-2.0 Unicode-3.0"
+
+SLOT="0"
+IUSE="cli mysql postgres +sqlite +web"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+RDEPEND="
+ acct-user/vaultwarden
+ acct-group/vaultwarden
+ dev-libs/openssl:=
+ cli? ( app-admin/bitwarden-cli-bin )
+ mysql? ( dev-db/mysql-connector-c:= )
+ postgres? ( dev-db/postgresql:* )
+ sqlite? ( dev-db/sqlite:3 )
+ web? ( www-apps/vaultwarden-web )
+"
+
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+QA_FLAGS_IGNORED="usr/bin/${PN}"
+QA_PRESTRIPPED="usr/bin/${PN}"
+ECARGO_VENDOR="${WORKDIR}/vendor"
+
+PATCHES=(
+ "${FILESDIR}"/vaultwarden-envfile-1.33.2.patch
+)
+
+CHECKREQS_MEMORY=3G
+CHECKREQS_DISK_BUILD=2G
+
+DOC_CONTENTS="\n
+ Configuration file: /etc/${PN}/${PN}.conf\n
+ Data directory: /var/lib/${PN}\n
+ Log file: /var/log/${PN}.log\n
+ Default endpoint: http://127.0.0.1:8000\n
+ Admin endpoint: http://127.0.0.1:8000/admin\n
+ \n
+ MySQL & PostgreSQL users must set DATABASE_URL in config\n
+"
+
+pkg_setup() {
+ check-reqs_pkg_setup
+ rust_pkg_setup
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999* ]]; then
+ # clone vaultwarden
+ git-r3_src_unpack
+
+ # clone vaultwarden.wiki
+ EGIT_REPO_URI="https://github.com/dani-garcia/vaultwarden.wiki.git"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/${PN}.wiki"
+ git-r3_src_unpack
+
+ cargo_live_src_unpack
+ else
+ cargo_src_unpack
+ fi
+}
+
+src_prepare() {
+ default
+ if use !web; then
+ sed -i \
+ -e 's|^# WEB_VAULT_ENABLED=true|WEB_VAULT_ENABLED=false|g;' \
+ .env.template || die
+ fi
+
+ if use mysql || use postgres; then
+ declare -a DB_UNIT
+ use mysql && DB_UNIT+=(
+ mariadb.service
+ mysqld.service
+ )
+ use postgres && DB_UNIT+=(
+ postgresql-{13..17}.service
+ )
+ cat <<-EOF > "${T}/${PN}-db.conf"
+ [Unit]
+ After=${DB_UNIT[@]}
+ Wants=${DB_UNIT[@]}
+ EOF
+ fi
+
+}
+
+src_configure() {
+ local myfeatures=(
+ $(usev sqlite)
+ $(usev mysql)
+ $(usev postgres postgresql )
+ )
+ cargo_src_configure
+}
+
+src_compile() {
+ # https://github.com/dani-garcia/vaultwarden/blob/main/build.rs
+ [[ ${PV} != 9999* ]] && export VW_VERSION="${PV}"
+ cargo_src_compile
+}
+
+src_install() {
+ dobin "$(cargo_target_dir)/${PN}"
+ systemd_newunit "${FILESDIR}"/vaultwarden-1.33.2.service \
+ "${PN}".service
+ if [[ -f "${T}/${PN}-db.conf" ]]; then
+ local UNIT_DIR="$(systemd_get_systemunitdir)"
+ insinto "${UNIT_DIR#${EPREFIX}}/${PN}".service.d
+ doins "${T}/${PN}-db.conf"
+ fi
+ newinitd "${FILESDIR}"/vaultwarden-1.33.2.initd "${PN}"
+ newconfd "${FILESDIR}"/vaultwarden-1.33.2.confd "${PN}"
+ newtmpfiles "${FILESDIR}"/vaultwarden-tmpfiles-1.33.2.conf "${PN}".conf
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/"vaultwarden-1.33.2.logrotated "${PN}"
+ insinto /etc/"${PN}"
+ newins .env.template "${PN}".conf
+ keepdir /var/lib/"${PN}"
+ fowners "${PN}":"${PN}" /var/lib/"${PN}"
+ fperms 750 /var/lib/"${PN}"
+
+ readme.gentoo_create_doc
+ einstalldocs
+ dodoc -r ../"${PN}".wiki/*
+}
+
+pkg_postinst() {
+ tmpfiles_process "${PN}".conf
+ readme.gentoo_print_elog
+
+ # delete following after 3 months
+ elog "Vaultwarden stack has been moved from ::guru to ::gentoo"
+ elog "### Migration guide: "
+ elog "* Backup /etc/vaultwarden.env"
+ elog "* Configuration file has been moved from /etc/${PN}.env to /etc/${PN}/${PN}.conf"
+ elog " So make sure to migrate that & remove old config"
+}
