From 64595b08ceb1fd149922ee8aefd8627bcfccc00d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Slavi=C5=A1a=20Are=C5=BEina?= <58952836+tremor021@users.noreply.github.com>
Date: Sat, 3 May 2025 14:48:55 +0200
Subject: [PATCH] Vaultwarden: Enable HTTPS by default (#4197)
---
frontend/public/json/vaultwarden.json | 105 +++++++++++++-------------
install/alpine-vaultwarden-install.sh | 5 ++
install/vaultwarden-install.sh | 25 +++---
3 files changed, 69 insertions(+), 66 deletions(-)
diff --git a/frontend/public/json/vaultwarden.json b/frontend/public/json/vaultwarden.json
index eae430f72..7b046d5fe 100644
--- a/frontend/public/json/vaultwarden.json
+++ b/frontend/public/json/vaultwarden.json
@@ -1,56 +1,55 @@ { - "name": "Vaultwarden", - "slug": "vaultwarden", - "categories": [ - 6 - ], - "date_created": "2024-05-02", - "type": "ct", - "updateable": true, - "privileged": false, - "interface_port": 8000, - "documentation": null, - "website": "https://github.com/dani-garcia/vaultwarden/", - "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon-white.svg", - "config_path": "/opt/vaultwarden/.env", - "description": "Vaultwarden is a self-hosted password manager which provides secure and encrypted password storage. It uses client-side encryption and provides access to passwords through a web interface and mobile apps.", - "install_methods": [ - { - "type": "default", - "script": "ct/vaultwarden.sh", - "resources": { - "cpu": 4, - "ram": 6144, - "hdd": 6, - "os": "debian", - "version": "12" - } - }, - { - "type": "alpine", - "script": "ct/alpine-vaultwarden.sh", - "resources": { - "cpu": 1, - "ram": 256, - "hdd": 0.5, - "os": "alpine", - "version": "3.21" - } - } - ], - "default_credentials": { - "username": null, - "password": null + "name": "Vaultwarden", + "slug": "vaultwarden", + "categories": [ + 6 + ], + "date_created": "2024-05-02", + "type": "ct", + "updateable": true, + "privileged": false, + "interface_port": 8000, + "documentation": "https://github.com/dani-garcia/vaultwarden/wiki", + "website": "https://github.com/dani-garcia/vaultwarden/", + "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon-white.svg", + "config_path": "/opt/vaultwarden/.env", + "description": "Vaultwarden is a self-hosted password manager which provides secure and encrypted password storage. 
It uses client-side encryption and provides access to passwords through a web interface and mobile apps.", + "install_methods": [ + { + "type": "default", + "script": "ct/vaultwarden.sh", + "resources": { + "cpu": 4, + "ram": 6144, + "hdd": 6, + "os": "debian", + "version": "12" + } }, - "notes": [ - { - "text": "Vaultwarden needs to be behind a proxy (Nginx Proxy Manager, Caddy, etc) to obtain HTTPS and to allow clients to connect. If you try to open the web page directly on the new container, the web site will not load", - "type": "warning" - }, - { - "text": "To set the Admin Token, run the command below (or type update) in the LXC Console.", - "type": "info" - } - ] + { + "type": "alpine", + "script": "ct/alpine-vaultwarden.sh", + "resources": { + "cpu": 1, + "ram": 256, + "hdd": 0.5, + "os": "alpine", + "version": "3.21" + } + } + ], + "default_credentials": { + "username": null, + "password": null + }, + "notes": [ + { + "text": "Application uses self-signed certificate for HTTPS to work and is enabled by default. If you need a different setup, please read the documentation.", + "type": "warning" + }, + { + "text": "To set the Admin Token, run the command below (or type update) in the LXC Console.", + "type": "info" + } + ] } - diff --git a/install/alpine-vaultwarden-install.sh b/install/alpine-vaultwarden-install.sh index 9d6767854..937767ca2 100644 --- a/install/alpine-vaultwarden-install.sh +++ b/install/alpine-vaultwarden-install.sh 
@@ -28,6 +28,11 @@ $STD apk add vaultwarden sed -i -e 's|export WEB_VAULT_ENABLED=.*|export WEB_VAULT_ENABLED=true|' /etc/conf.d/vaultwarden echo -e "export ADMIN_TOKEN=''" >>/etc/conf.d/vaultwarden echo -e "export ROCKET_ADDRESS=0.0.0.0" >>/etc/conf.d/vaultwarden +echo -e "export ROCKET_TLS='{certs=\"/etc/ssl/certs/vaultwarden-selfsigned.crt\",key=\"/etc/ssl/private/vaultwarden-selfsigned.key\"}'" +$STD openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/C=US/O=Vaultwarden/O +U=Domain Control Validated/CN=localhost" +chown vaultwarden:vaultwarden /etc/ssl/certs/vaultwarden-selfsigned.crt +chown vaultwarden:vaultwarden /etc/ssl/private/vaultwarden-selfsigned.key msg_ok "Installed Alpine-Vaultwarden" msg_info "Installing Web-Vault" diff --git a/install/vaultwarden-install.sh b/install/vaultwarden-install.sh index 9f31292ed..fae4702a7 100644 --- a/install/vaultwarden-install.sh +++ b/install/vaultwarden-install.sh 
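Review bot: In install/alpine-vaultwarden-install.sh the added `echo -e "export ROCKET_TLS=..."` line has no `>>/etc/conf.d/vaultwarden` redirect, unlike the ADMIN_TOKEN and ROCKET_ADDRESS lines just above it, so the TLS setting is printed to stdout and never reaches the service configuration. Appending `>>/etc/conf.d/vaultwarden` to that line fixes it. The hunk header counts five added lines, which suggests the `-subj` value really is broken across two lines after `/O`; it should be a single line, `-subj "/C=US/O=Vaultwarden/OU=Domain Control Validated/CN=localhost"`. The certificate is also pinned to `CN=localhost` with `-days 365` and no subjectAltName, so clients reaching the container by IP or hostname cannot validate it, and nothing visible here regenerates it when it expires. A comment above the openssl call stating both limits would help operators.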
@@ -15,28 +15,23 @@ update_os msg_info "Installing Dependencies" $STD apt-get update -$STD apt-get -qqy install \ - git \ +$STD apt-get install -y git \ build-essential \ pkgconf \ libssl-dev \ libmariadb-dev-compat \ libpq-dev \ - argon2 + argon2 \ + ssl-cert msg_ok "Installed Dependencies" -WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | - grep "tag_name" | - awk '{print substr($2, 2, length($2)-3) }') - -VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | - grep "tag_name" | - awk '{print substr($2, 2, length($2)-3) }') +WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }') +VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }') msg_info "Installing Rust" curl -fsSL https://sh.rustup.rs -o rustup-init.sh $STD bash rustup-init.sh -y --profile minimal -echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc +echo 'export PATH="$HOME/.cargo/bin:$PATH"' >>~/.bashrc export PATH="$HOME/.cargo/bin:$PATH" rm rustup-init.sh msg_ok "Installed Rust" 
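Review bot: `WEBVAULT` and `VAULT` are cut out of the GitHub API response with grep/awk and used unchecked, and `WEBVAULT` is later interpolated into the download URL and the tarball name passed to tar. If the API call fails or is rate-limited the variables may be empty (whether the script aborts first depends on error handling outside this hunk), so a guard right after the two assignments would fail early and clearly: `[ -n "$WEBVAULT" ] && [ -n "$VAULT" ] || { echo "could not resolve release tags" >&2; exit 1; }`. The new `ssl-cert` entry in the package list also deserves a one-line comment saying it is installed only for the snakeoil certificate pair that the script later moves into /opt/vaultwarden, since that coupling is not obvious from the list.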
@@ -54,19 +49,23 @@ mkdir -p /opt/vaultwarden/data cp target/release/vaultwarden /opt/vaultwarden/bin/ msg_info "Downloading Web-Vault ${WEBVAULT}" -$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz -$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/ +$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/"$WEBVAULT"/bw_web_"$WEBVAULT".tar.gz +$STD tar -xzf bw_web_"$WEBVAULT".tar.gz -C /opt/vaultwarden/ msg_ok "Downloaded Web-Vault ${WEBVAULT}" cat </opt/vaultwarden/.env ADMIN_TOKEN='' ROCKET_ADDRESS=0.0.0.0 +ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}' DATA_FOLDER=/opt/vaultwarden/data DATABASE_MAX_CONNS=10 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault WEB_VAULT_ENABLED=true EOF +mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/ +mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/ + msg_info "Creating Service" chown -R vaultwarden:vaultwarden /opt/vaultwarden/ chown root:root /opt/vaultwarden/bin/vaultwarden
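Review bot: The two added `mv` lines take the snakeoil certificate and key out of /etc/ssl, so any other package that points at the default ssl-cert paths loses them, and the key's final ownership and mode are left to the later recursive `chown -R` rather than set explicitly. Copying with explicit ownership and mode keeps the system pair intact and makes the key's permissions deliberate: `install -o vaultwarden -g vaultwarden -m 0600 /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/` and `install -o vaultwarden -g vaultwarden -m 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/`. This assumes the vaultwarden user already exists at that point, as the following `chown` implies. The snakeoil pair is presumably generated when `ssl-cert` is installed, so its subject will not match whatever name or IP clients use. A comment next to `ROCKET_TLS` in the heredoc saying the certificate is a placeholder to be replaced would make that clear to whoever edits /opt/vaultwarden/.env.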