Vaultwarden: Enable HTTPS by default (#4197)

frontend/public/json/vaultwarden.json

@@ -9,7 +9,7 @@
   "updateable": true,
   "privileged": false,
   "interface_port": 8000,
-    "documentation": null,
+  "documentation": "https://github.com/dani-garcia/vaultwarden/wiki",
   "website": "https://github.com/dani-garcia/vaultwarden/",
   "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon-white.svg",
   "config_path": "/opt/vaultwarden/.env",
@@ -44,7 +44,7 @@
   },
   "notes": [
     {
-            "text": "Vaultwarden needs to be behind a proxy (Nginx Proxy Manager, Caddy, etc) to obtain HTTPS and to allow clients to connect. If you try to open the web page directly on the new container, the web site will not load",
+      "text": "Application uses self-signed certificate for HTTPS to work and is enabled by default. If you need a different setup, please read the documentation.",
       "type": "warning"
     },
     {
@@ -53,4 +53,3 @@
     }
   ]
 }
-

install/alpine-vaultwarden-install.sh

@@ -28,6 +28,11 @@ $STD apk add vaultwarden
 sed -i -e 's|export WEB_VAULT_ENABLED=.*|export WEB_VAULT_ENABLED=true|' /etc/conf.d/vaultwarden
 echo -e "export ADMIN_TOKEN=''" >>/etc/conf.d/vaultwarden
 echo -e "export ROCKET_ADDRESS=0.0.0.0" >>/etc/conf.d/vaultwarden
+echo -e "export ROCKET_TLS='{certs=\"/etc/ssl/certs/vaultwarden-selfsigned.crt\",key=\"/etc/ssl/private/vaultwarden-selfsigned.key\"}'"
+$STD openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/vaultwarden-selfsigned.key -out /etc/ssl/certs/vaultwarden-selfsigned.crt -subj "/C=US/O=Vaultwarden/O
+U=Domain Control Validated/CN=localhost"
+chown vaultwarden:vaultwarden /etc/ssl/certs/vaultwarden-selfsigned.crt
+chown vaultwarden:vaultwarden /etc/ssl/private/vaultwarden-selfsigned.key
 msg_ok "Installed Alpine-Vaultwarden"
 
 msg_info "Installing Web-Vault"

install/vaultwarden-install.sh

@@ -15,28 +15,23 @@ update_os
 
 msg_info "Installing Dependencies"
 $STD apt-get update
-$STD apt-get -qqy install \
+$STD apt-get install -y git \
-  git \
   build-essential \
   pkgconf \
   libssl-dev \
   libmariadb-dev-compat \
   libpq-dev \
-  argon2
+  argon2 \
+  ssl-cert
 msg_ok "Installed Dependencies"
 
-WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest |
+WEBVAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/bw_web_builds/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
-  grep "tag_name" |
+VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest | grep "tag_name" | awk '{print substr($2, 2, length($2)-3) }')
-  awk '{print substr($2, 2, length($2)-3) }')
-
-VAULT=$(curl -fsSL https://api.github.com/repos/dani-garcia/vaultwarden/releases/latest |
-  grep "tag_name" |
-  awk '{print substr($2, 2, length($2)-3) }')
 
 msg_info "Installing Rust"
 curl -fsSL https://sh.rustup.rs -o rustup-init.sh
 $STD bash rustup-init.sh -y --profile minimal
-echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
+echo 'export PATH="$HOME/.cargo/bin:$PATH"' >>~/.bashrc
 export PATH="$HOME/.cargo/bin:$PATH"
 rm rustup-init.sh
 msg_ok "Installed Rust"
@@ -54,19 +49,23 @@ mkdir -p /opt/vaultwarden/data
 cp target/release/vaultwarden /opt/vaultwarden/bin/
 
 msg_info "Downloading Web-Vault ${WEBVAULT}"
-$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz
+$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/"$WEBVAULT"/bw_web_"$WEBVAULT".tar.gz
-$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/
+$STD tar -xzf bw_web_"$WEBVAULT".tar.gz -C /opt/vaultwarden/
 msg_ok "Downloaded Web-Vault ${WEBVAULT}"
 
 cat <<EOF >/opt/vaultwarden/.env
 ADMIN_TOKEN=''
 ROCKET_ADDRESS=0.0.0.0
+ROCKET_TLS='{certs="/opt/vaultwarden/ssl-cert-snakeoil.pem",key="/opt/vaultwarden/ssl-cert-snakeoil.key"}'
 DATA_FOLDER=/opt/vaultwarden/data
 DATABASE_MAX_CONNS=10
 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
 WEB_VAULT_ENABLED=true
 EOF
 
+mv /etc/ssl/certs/ssl-cert-snakeoil.pem /opt/vaultwarden/
+mv /etc/ssl/private/ssl-cert-snakeoil.key /opt/vaultwarden/
+
 msg_info "Creating Service"
 chown -R vaultwarden:vaultwarden /opt/vaultwarden/
 chown root:root /opt/vaultwarden/bin/vaultwarden