[arch-commits] Commit in bitwarden_rs/trunk (3 files)

2020-11-24 Thread Daniel M. Capella via arch-commits
Date: Wednesday, November 25, 2020 @ 00:36:36
  Author: polyzen
Revision: 761026

upgpkg: bitwarden_rs 1.17.0-5: Do not log in two places by default

Also add systemd unit drop-in suggestions to post_install().

Modified:
  bitwarden_rs/trunk/PKGBUILD
  bitwarden_rs/trunk/bitwarden_rs.install
  bitwarden_rs/trunk/bitwarden_rs.service

--+
 PKGBUILD |7 +++
 bitwarden_rs.install |   18 +-
 bitwarden_rs.service |2 +-
 3 files changed, 21 insertions(+), 6 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2020-11-25 00:36:13 UTC (rev 761025)
+++ PKGBUILD2020-11-25 00:36:36 UTC (rev 761026)
@@ -4,7 +4,7 @@
 
 pkgname=bitwarden_rs
 pkgver=1.17.0
-pkgrel=4
+pkgrel=5
 pkgdesc='Unofficial Bitwarden compatible server written in Rust'
 arch=('x86_64')
 url=https://github.com/dani-garcia/bitwarden_rs
@@ -12,7 +12,6 @@
 depends=('mariadb-libs' 'openssl' 'postgresql-libs' 'sqlite')
 makedepends=('rustup')
 optdepends=('bitwarden_rs-vault: for the web app')
-conflicts=("$pkgname-mysql" "$pkgname-postgresql")
 backup=('etc/bitwarden_rs.env')
 install=$pkgname.install
 source=("$url/archive/$pkgver/$pkgname-$pkgver.tar.gz"
@@ -20,7 +19,7 @@
 "$pkgname.sysusers.conf"
 "$pkgname.tmpfiles")
 
b2sums=('faf4a3e0cba6905547c347bd8d7939e2412116d5c9b226e49cddd04306b6e69e00e1f5d7b1b09493ff02614d5417b34cd9c54cb3efffbf238e23e3f54bacd5d1'
-
'c344164792bc9f9d5b485f932d2c476515d783cb54478e60fb8ca3c17f5781e067af0d2dff0670886fd186427c78e986f544f66d34e936db9f719c7f0be156e3'
+
'22bc90b8c49b6a26610ec840f04481fe3c7fcffc82434df3ee6adba4555787ba44c7b58dfcb181a28d4a6c943db6e7f7f439b67995c5aa06c23035002765de09'
 
'c44af94e19724ba23a11cec3ccc46ff9db307a058564d539dc533308e75ff43cfb5e42515bd49fdeb86e02cbc7575dc87c3b132d9d28d49f7e8fedab598c06f5'
 
'a2a6a128a405b4dbd06eb84c25b1971a5dcab4b918d6fec74da317b76485eda6b4b16ad972a85d9c8267b0a848787761fae75cd6bbb81d970a8cbc8683a2fc42')
 
@@ -28,7 +27,7 @@
   cd $pkgname-$pkgver
   sed -i 's,# DATA_FOLDER=data,DATA_FOLDER=/var/lib/bitwarden_rs,
   s,# WEB_VAULT_ENABLED=true,WEB_VAULT_ENABLED=false,
-  s,# LOG_FILE=/path/to/log,LOG_FILE=/var/log/bitwarden_rs.log,
+  s,# LOG_FILE=/path/to/log,# LOG_FILE=/var/log/bitwarden_rs.log,
   /^# ROCKET_TLS/a ROCKET_LIMITS={json=10485760}' .env.template
 }
 

Modified: bitwarden_rs.install
===
--- bitwarden_rs.install2020-11-25 00:36:13 UTC (rev 761025)
+++ bitwarden_rs.install2020-11-25 00:36:36 UTC (rev 761026)
@@ -2,7 +2,23 @@
   cat << EOF
 Configure the server via its environment variables in /etc/bitwarden_rs.env.
 
+If bitwarden_rs is run at ports >1024, you should apply these systemd unit
+options via a drop-in file:
+[Service]
+CapabilityBoundingSet=
+AmbientCapabilities=
+PrivateUsers=yes
+
+If the service produces too much noise in your journal, you can redirect stdout
+to /dev/null (bitwarden_rs will still also write to /var/log/bitwarden_rs.log
+if configured to do so):
+[Service]
+StandardOutput=null
+
+Create or edit drop-in file:
+# systemctl edit bitwarden_rs
+
 Start bitwarden_rs and enable its systemd service:
-# systemctl enable --now bitwarden_rs.service
+# systemctl enable --now bitwarden_rs
 EOF
 }
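Review bot: The `StandardOutput=null` suggestion can leave the service with no log at all. This same commit comments out `LOG_FILE` in the shipped env template, and systemd's `StandardError=` defaults to `inherit`, so stderr follows stdout to /dev/null unless it is set separately. For a server that stores password vaults, that discards the record an admin would rely on when investigating an incident or a crash. I would tie the advice to the file log, e.g. `Only do this after setting LOG_FILE in /etc/bitwarden_rs.env; otherwise no log is kept.`, or suggest lowering the log level instead of discarding output. post_install() begins above this hunk.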

Modified: bitwarden_rs.service
===
--- bitwarden_rs.service2020-11-25 00:36:13 UTC (rev 761025)
+++ bitwarden_rs.service2020-11-25 00:36:36 UTC (rev 761026)
@@ -14,7 +14,7 @@
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 
-# If bitwarden_rs is run at ports >1024, you should apply these options in a
+# If bitwarden_rs is run at ports >1024, you should apply these options via a
 # drop-in file
 #CapabilityBoundingSet=
 #AmbientCapabilities=
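Review bot: The reworded comment still says `ports >1024`, which leaves port 1024 itself uncovered. CAP_NET_BIND_SERVICE is only needed for ports below 1024, so the capability-clearing drop-in applies to 1024 as well. I would write `# If bitwarden_rs listens on a port >= 1024, you should apply these options via a`. The same wording is added to the post_install() text in bitwarden_rs.install in this commit, and the comment `range of 0-1024` visible in the rev 761016 hunk has the matching off-by-one (0-1023). The [Service] section starts above this hunk and continues below it.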


[arch-commits] Commit in bitwarden_rs/trunk (3 files)

2020-11-24 Thread Daniel M. Capella via arch-commits
Date: Tuesday, November 24, 2020 @ 22:13:57
  Author: polyzen
Revision: 761016

upgpkg: bitwarden_rs 1.17.0-4: Omit home directory and shell

As recommended in sysusers.d(5).

Also follow option ordering used in systemd unit manuals.

Modified:
  bitwarden_rs/trunk/PKGBUILD
  bitwarden_rs/trunk/bitwarden_rs.service
  bitwarden_rs/trunk/bitwarden_rs.sysusers.conf

+
 PKGBUILD   |6 ++--
 bitwarden_rs.service   |   60 ---
 bitwarden_rs.sysusers.conf |2 -
 3 files changed, 27 insertions(+), 41 deletions(-)

Modified: PKGBUILD
===
--- PKGBUILD2020-11-24 20:51:09 UTC (rev 761015)
+++ PKGBUILD2020-11-24 22:13:57 UTC (rev 761016)
@@ -4,7 +4,7 @@
 
 pkgname=bitwarden_rs
 pkgver=1.17.0
-pkgrel=3
+pkgrel=4
 pkgdesc='Unofficial Bitwarden compatible server written in Rust'
 arch=('x86_64')
 url=https://github.com/dani-garcia/bitwarden_rs
@@ -20,8 +20,8 @@
 "$pkgname.sysusers.conf"
 "$pkgname.tmpfiles")
 
b2sums=('faf4a3e0cba6905547c347bd8d7939e2412116d5c9b226e49cddd04306b6e69e00e1f5d7b1b09493ff02614d5417b34cd9c54cb3efffbf238e23e3f54bacd5d1'
-
'8fc7e0aeed4b17065ddaedad0038e2a635e9bc477170e397a116845249784f3beaa7c241e9706ae64abc1c662eb969ccfa045e21bd805188690bb308e1d88a97'
-
'1c95c3ba5b40508c0b67bec788ea38468baddd5e0e2b20ff78aaeb99cb5d0b93e29995dc4672a96a7be9a3b0d3a5c5a607576a2db01309ff08231eb4b747b659'
+
'c344164792bc9f9d5b485f932d2c476515d783cb54478e60fb8ca3c17f5781e067af0d2dff0670886fd186427c78e986f544f66d34e936db9f719c7f0be156e3'
+
'c44af94e19724ba23a11cec3ccc46ff9db307a058564d539dc533308e75ff43cfb5e42515bd49fdeb86e02cbc7575dc87c3b132d9d28d49f7e8fedab598c06f5'
 
'a2a6a128a405b4dbd06eb84c25b1971a5dcab4b918d6fec74da317b76485eda6b4b16ad972a85d9c8267b0a848787761fae75cd6bbb81d970a8cbc8683a2fc42')
 
 prepare() {

Modified: bitwarden_rs.service
===
--- bitwarden_rs.service2020-11-24 20:51:09 UTC (rev 761015)
+++ bitwarden_rs.service2020-11-24 22:13:57 UTC (rev 761016)
@@ -4,66 +4,52 @@
 After=network.target
 
 [Service]
-# The user/group bitwarden_rs is run under. These are created at install, with
-# /var/lib/bitwarden_rs as the home directory
+ExecStart=/usr/bin/bitwarden_rs
+WorkingDirectory=/var/lib/bitwarden_rs
 User=bitwarden_rs
 Group=bitwarden_rs
 
-# The location of the .env file for configuration
-EnvironmentFile=/etc/bitwarden_rs.env
+# Allow bitwarden_rs to bind ports in the range of 0-1024 and restrict it to
+# that capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
-# The location of the compiled binary
-ExecStart=/usr/bin/bitwarden_rs
+# If bitwarden_rs is run at ports >1024, you should apply these options in a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
 
-# Set reasonable connection and process limits
+NoNewPrivileges=yes
+
 LimitNOFILE=1048576
 LimitNPROC=64
+UMask=0077
 
-# Set the working directory (user and password data are stored here) and only
-# allow writes to the following
-WorkingDirectory=~
+ProtectSystem=strict
+ProtectHome=yes
 ReadWritePaths=/var/lib/bitwarden_rs /var/log/bitwarden_rs.log
-
-# Prevent bitwarden_rs from doing anything stupid and/or unneccessary
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-
 PrivateTmp=yes
 PrivateDevices=yes
-
-ProtectHome=yes
-ProtectSystem=strict
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
-ProtectHostname=yes
-ProtectClock=yes
-
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
-
 RemoveIPC=yes
-UMask=0077
 
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@resources
-SystemCallFilter=~@privileged
 
-# Allow bitwarden_rs to bind ports in the range of 0-1024 and restrict it to
-# that capability
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+EnvironmentFile=/etc/bitwarden_rs.env
 
-# If bitwarden_rs is run at ports >1024, you should apply these options in a
-# drop-in file
-#PrivateUsers=yes
-#CapabilityBoundingSet=
-#AmbientCapabilities=
-
 [Install]
 WantedBy=multi-user.target
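Review bot: With the explanatory comments removed, nothing near `ReadWritePaths=` says that `ProtectSystem=strict` makes those two paths the only persistent writable locations. An admin who points DATA_FOLDER or LOG_FILE somewhere else in /etc/bitwarden_rs.env gets write failures with no hint why. I would keep one comment above that line, e.g. `# Under ProtectSystem=strict only these paths are writable; extend via a drop-in if DATA_FOLDER or LOG_FILE is changed`. Separately, /var/log/bitwarden_rs.log is listed without a `-` prefix, so the unit presumably fails at namespace setup if that file is missing; whether the tmpfiles entry creates it is not visible here.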

Modified: bitwarden_rs.sysusers.conf
===
--- bitwarden_rs.sysusers.conf  2020-11-24 20:51:09 UTC (rev 761015)
+++ bitwarden_rs.sysusers.conf  2020-11-24 22:13:57 UTC (rev 761016)
@@ -1 +1 @@
-u bitwarden_rs - "bitwarden_rs user" /var/lib/bitwarden_rs /usr/bin/nologin
+u bitwarden_rs - "bitwarden_rs user"