DietPi-Software | Adding Bitwarden_rs #3894
Conversation
I have fixed the first 3 issues/suggested changes. The last one (PrivateTmp=true) I don't know much about, but I think it should be left, as it is the service config they give, so it should all work with it.
Also, should I add a config for the web vault and a reverse proxy to be installed by default, or should I leave it at minimal? It is quite easy to add the web vault, so it isn't hard to do from our end or the end user's end.
I just made a commit (c8d5f61) to make sure the service starts properly, but do I have to register the service with dietpi-services or something, or am I doing it correctly?
To make own tests correctly and for our online docs:
Jep, add the service name to this array: https://github.com/CactiChameleon9/DietPi/blob/patch-1/dietpi/dietpi-services#L147
Probably we can add it as optional choice via dietpi.txt setting and/or whiptail question and add instructions to online docs? But actually a web UI is definitely helpful and we install optional ones in case of other software titles as well. Also I see it requires additional download and install steps, so probably we install it by default. It can be disabled easily. I'd skip a reverse proxy, also to match other software installs and as we might add a generic script/instructions to set up reverse proxies for web applications that do not run on a regular webserver.
I also removed the making of the no longer needed data dir
+ DietPi-Software | Bitwarden_RS: Align indentation
+ DietPi-Software | Bitwarden_RS: Rename to "Bitwarden_RS" with underscore, which matches the official spelling
+ DietPi-Software | Bitwarden_RS: Export HOME override and revert, to simplify it a bit and assure that it is set for all commands and sub commands where required
+ DietPi-Software | Bitwarden_RS: Add fallback URL for main download
+ DietPi-Software | Bitwarden_RS: Fix web vault install where G_CHECK_URL on the final archive fails, and move that to the install step
Hmm, when I want to create an account via web vault, hitting "Send" does not have any effect but produces an error in browser console:
When trying to log in (just to check whether console errors appear as well), it reveals another, probably related issue, as the web UI itself prints an error:
"This" browser is latest Opera dev, so all current Chromium-based browsers might be affected. Chromium Edge shows indeed exactly the same error and behaviour. Hmm, I'm not keen to install a whole webserver as reverse proxy and creating a trusted standalone certificate is possible but not yet implemented into Initial online docs: https://dietpi.com/phpbb/viewtopic.php?p=28903#p28903
That error is very odd; in theory I programmed it to do the exact way I manually installed. I need to test on a blank install. I think a snake-oil cert would be best; however I am not too confident with self signing things.
Known issue: dani-garcia/vaultwarden#153
Memory + disk (RAMdisk) usage is quite high during compilation:
Even if we force 2 GiB memory via auto-sized swap file (when it's smaller) and temporarily increase Too close, 2 GiB was not sufficient, build of a specific module with high RAM demand failed. I needed to add another GiB to swap space, then it went through. On a 4 core/thread machine, Another issue, with a self-signed certificate, the client fails to access:
From the docs: https://bitwarden.com/help/article/install-on-premise/
Hmm, here it says importing the certificate to trusted storage is enough: https://bitwarden.com/help/article/hosting-faqs/#trust-a-private-ca-issued-or-self-signed-certificate-for-bitwarden-client Okay, importing works, at least we're one step further:
So dummy entries are required.
Only works for local network access via IP or the server's internal hostname, or, if the public FQDN matches the And of course the certificate needs to be imported into trusted CA space. Probably we need to give an introduction about how to do that on Windows 10 and Linux? Has become even more complicated since it cannot be installed directly from the browser but needs to be copied to file first, then the file opened and installed from there...
+ DietPi-Software | Bitwarden_RS: Assure 2 GiB memory and 1.5 GiB /tmp size for Rust install to /tmp and Bitwarden_RS build
+ DietPi-Software | Bitwarden_RS: Don't run multiple jobs concurrently, as one job can require > 500 MiB memory and can utilize all cores as well
+ DietPi-Software | Bitwarden_RS: Download and execute rustup as separate steps to allow separate error handling, even editing rustup-init.sh, when required, and avoid "eval" where we don't exactly know the script's content.
+ DietPi-Software | Mycroft AI: Avoid running "dietpi-set_swapfile 1" if less than 100 MiB would be required, as such a small swap file size is now omitted by the script internally, which led to ~50 MiB swap files on all 2 GiB physical RAM devices in the past.
I'll liberate We could automatically apply a Certbot certificate, when found on the system /etc/letsencrypt/live/... but that needs to be thought through as well since this means that the service can only be accessed via the public FQDN (fully qualified domain name), not via local IP or similar, as the certificate is not trusted then. So for local network access, a self-signed certificate can even be seen as a benefit, to allow local network access via local hostnames or IPs while for external access port 443 -> 3000 proxy has the benefit that only ports 80/443 need to be opened to the web. Bitwarden_RS could still run via HTTPS so even local network-internal proxy connection is encrypted. So generally as non-HTTP with Bitwarden in general doesn't work reliably (strangely works for the Windows desktop client, but not for web vault, and probably not all clients), at least the docs say it causes issues and it totally makes sense to have the connection encrypted that transports the master password for a password management server. But as the ways to set this up all have their pros and cons, trusted CA certificates require a public domain name and ports 80/443 opened, it seems to be best to automatically only setup a simple self-signed certificate based on the best information we can get (local IP and machine hostname) and add further information to our online docs about which steps are required to use that self-signed certificate with a recommendation to setup a real trusted CA signed one ASAP for remote access.
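An added example (not DietPi's own code, and not part of this thread) of the self-signed certificate step described in the comment above: it puts both the machine hostname and its local IP into the Subject Alternative Name, so one certificate matches the two local access paths (hostname and IP) that the clients check. The output directory, the hostname and the IP 192.0.2.10 are constructed values; the `-addext` and `-ext` flags require OpenSSL 1.1.1 or newer.

```bash
#!/bin/sh
# Added example, not DietPi code: self-signed certificate with hostname + local IP
# in the SAN, so clients that verify the URL host against the certificate succeed
# for both "https://<hostname>:port" and "https://<ip>:port". Names are constructed.
set -eu

# make_selfsigned_cert OUTDIR HOSTNAME IP [DAYS]
# Writes OUTDIR/key.pem and OUTDIR/cert.pem and prints the certificate path.
make_selfsigned_cert() {
    outdir=$1; host=$2; ip=$3; days=${4:-825}
    mkdir -p "$outdir"
    # -x509: self-signed; -nodes: unencrypted key so the service can start unattended
    # -addext: the SAN is what clients match against, the CN alone is not enough
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" >/dev/null 2>&1
    chmod 600 "$outdir/key.pem"   # private key readable by the service user only
    echo "$outdir/cert.pem"
}

# san_names CERT: print the SAN entries of a certificate (one line, e.g.
# "DNS:dietpi, IP Address:192.0.2.10"), for a quick sanity check after generation.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | sed 's/^ *//'
}

# Stand-alone demo with constructed values when run as "sh script.sh demo".
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    cert=$(make_selfsigned_cert "$dir" "$(hostname)" "192.0.2.10" 825)
    echo "Certificate: $cert"
    echo "SAN: $(san_names "$cert")"
fi
```

The certificate still has to be trusted on each client, as the comments above note; on a Debian-based client that is a copy of cert.pem into /usr/local/share/ca-certificates/ with a .crt extension followed by `update-ca-certificates`. Regenerate the certificate whenever the hostname or local IP changes, since a SAN mismatch is exactly the failure the web vault showed.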
Okay, number of concurrent jobs DOES limit the utilised cores for a single job as well. Probably when allowing 4 concurrent jobs, there are some special jobs (like compiling bitwarden_rs binary itself) that can use and are then allowed to use 4 cores, while allowing only 1 concurrent job limits as well the used cores/threads of jobs that could utilise more cores 🤔. Final solution: If more than two logic cores are available but less than 3 GiB memory, limit jobs to two, else utilising all available cores is fine.
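The parallelism and swap-sizing rules worked out across the last few comments, as an added example that is not DietPi's own code: more than two logical cores with less than 3 GiB memory caps the build at two jobs, otherwise all cores are used; the swap helper targets the 2 GiB total memory mentioned in the commit list and skips sizes under 100 MiB, which dietpi-set_swapfile omits anyway. The function names and the 3072/2048/100 MiB thresholds are taken from the thread; how DietPi itself counts "memory" (RAM alone or RAM plus swap) is an assumption here, the functions simply take whatever MiB value the caller passes.

```bash
#!/bin/sh
# Added example, not DietPi code: build-job and swap-size heuristics from the discussion.

# bitwarden_build_jobs CORES MEM_MIB -> number of build jobs (cargo -j) to allow.
# Rule: >2 logical cores but <3 GiB memory -> 2 jobs, else one job per core.
bitwarden_build_jobs() {
    cores=$1; mem_mib=$2
    if [ "$cores" -gt 2 ] && [ "$mem_mib" -lt 3072 ]; then
        echo 2
    else
        echo "$cores"
    fi
}

# swap_to_add_mib RAM_MIB [TARGET_MIB] -> swap size (MiB) that lifts RAM+swap to
# TARGET (default 2048), or 0 if nothing (or less than 100 MiB) would be needed.
swap_to_add_mib() {
    ram_mib=$1; target_mib=${2:-2048}
    needed=$(( target_mib - ram_mib ))
    # dietpi-set_swapfile omits swap files smaller than 100 MiB, so do not request them
    if [ "$needed" -lt 100 ]; then needed=0; fi
    echo "$needed"
}

# mem_total_mib -> physical RAM in MiB from /proc/meminfo (empty on non-Linux hosts)
mem_total_mib() {
    awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo 2>/dev/null || echo 0
}

# Report for the current machine (constructed fallbacks where detection is unavailable)
cores=$(nproc 2>/dev/null || echo 1)
mem=$(mem_total_mib); [ -n "$mem" ] || mem=0
echo "cores=$cores mem=${mem}MiB -> jobs=$(bitwarden_build_jobs "$cores" "$mem") swap_to_add=$(swap_to_add_mib "$mem" 2048)MiB"
```

The job count is what would be handed to `cargo build -j`; the swap value is the size a caller would pass to the swap file setup before the build, and the zero result is the "do nothing" case from the Mycroft AI commit note.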
Can a web browser just say accept the risk and continue? Thanks for doing the cert stuff BTW. Also good research/testing on compiling issues.
With most browsers one can do that, but not with all. But most importantly the Windows desktop Bitwarden client does not accept it without having it imported as trusted CA, and I guess in case of some mobile clients it's similar. Okay, ready from my side, @CactiChameleon9 are you okay with everything?
I think it's all OK. I haven't actually tested it recently, but I am quite sure it works.
+ DietPi-Software | Bitwarden_RS: If APT cache and/or archives have been moved to RAM, build can still run into OOM due to the large amount of DEB packages installed as dependencies. Be failsafe and clean both. As the binary cache file is removed, this could slow down further APT installs within the same run, but much less compared to limiting the build to a single thread and Bitwarden_RS is one of the last installs performed due to its location near the end of the install function.
New documentation page is ready as well: MichaIng/DietPi-Docs#253
Well done
We have already three software titles running at port 8000: WebIOPi, IceCast and Koel, so we should change it to 8001. |
Status: Ready (I think)
Reference: #3724
Commit list/description: