Bug 269143 - security/vaultwarden upgrade web vault to 2023.1.0 via new security/vaultwarden-web port
Summary: security/vaultwarden upgrade web vault to 2023.1.0 via new security/vaultward...
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Michael Reifenberger
URL: https://github.com/dani-garcia/bw_web...
Depends on:
Reported: 2023-01-25 02:00 UTC by yds
Modified: 2023-01-27 00:40 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (mr)

vaultwarden-web patch (58.71 KB, patch)
2023-01-25 02:00 UTC, yds
no flags Details | Diff
refactor security/vaultwarden and new RUN_DEPENDS=security/vaultwarden-web patch (58.75 KB, patch)
2023-01-27 00:40 UTC, yds
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description yds 2023-01-25 02:00:26 UTC
Created attachment 239691 [details]
vaultwarden-web patch

this patch splits the security/vaultwarden web-vault into a new security/vaultwarden-web port. the main security/vaultwarden port now RUN_DEPENDS on security/vaultwarden-web. this allows for building binary packages where only the web-vault might need a version bump while the main Rust pkg does not need upgrading.

the security/vaultwarden port splits Makefile.crates into a separate file to make the main Makefile much smaller and easier to grok.

the port now installs the fully commented ${WRKSRC}/.env.template in
/usr/local/share/examples/vaultwarden/vaultwarden.env which can be copied to
/usr/local/etc/vaultwarden.env and edited as needed.

any existing rc.conf.d/vaultwarden should be moved to the new ENV_FILE=/usr/local/etc/vaultwarden.env location

port includes a new apache.conf reverse proxy example file.

the rc.d script is completely rewritten to automatically create, chmod/chown all the requisite config and runtime files and folders to be accessible only by the vaultwarden runtime user. the runtime user can be set with vaultwarden_user and vaultwarden_group rc.conf variables.

the port now includes a /usr/local/etc/newsyslog.conf.d/vaultwarden.conf file to rotate the logs created by daemon -o logging output. there's no need to configure any logging within vaultwarden itself, daemon and newsyslogd take care of all the logging chores automagically.

daemon supervisor will now restart vaultwarden after one second should it quit for any reason.

the rc.d script now creates a bare-bones config.json with a random admin_token and adds two new extra sub-commands: showtoken and maketoken which will show the current admin_token or generate a new one. making it easy to set/get the admin_token in config.json helps keep the 
admin_token out of the environment variables where it can be viewed with `ps awxeww|grep vaultwarden` while vaultwarden is running. setting admin_token via environment variables seems like a bad idea from a security perspective <-- that was the motivation for the two new sub-commands. config.json is ensured by the rc.d script to be readable only by the vaultwarden runtime user keeping the admin_token secret like it oughtta be.

of course any existing config.json will be honored and not touched unless one issues the maketoken subcommand, and then only the admin_token is changed, while the rest of the file stays as is.

the port moves the default location of the "data" folder to "/var/db/vaultwarden" and adds a new rc.conf variable `vaultwarden_data`

current users are advised to move their existing "data" folder to the new default location:
tar -C /usr/local/www/vaultwarden/data/ -cf - . | tar -C /var/db/vaultwarden/ -xvf -

or to keep using the old data folder location set the rc.conf variables:
Comment 1 yds 2023-01-27 00:40:20 UTC
Created attachment 239733 [details]
refactor security/vaultwarden and new RUN_DEPENDS=security/vaultwarden-web patch

same as the first patch with minor fixes