Merge from upstream master

.env.template

@@ -21,8 +21,12 @@ TZ=
 #SMTP_USERNAME=
 #SMTP_PASSWORD=
 #SMTP_SECURITY=
-# For fail2ban, YES or NO
+# fail2ban-specific SMTP settings
+# Use TLS to talk to the SMTP server (YES or NO, default NO)
 #SMTP_TLS=
+# Specify whether ssmtp does a EHLO/STARTTLS before starting SSL negotiation (YES or NO, default NO)
+# Should probably be YES if SMTP_SECURITY=starttls above
+#SSMTP_STARTTLS=
 
 
 ### BITWARDEN VARIABLES ###
@@ -39,16 +43,24 @@ TZ=
 SIGNUPS_ALLOWED=true
 ADMIN_TOKEN=
 # Method 2. Use the admin page to create your first user(s) then disable it.
-#   1. Set ADMIN_TOKEN using gthe command `openssl rand -base64 48`
+#   1. Set ADMIN_TOKEN using the command `openssl rand -base64 48`
 #   2. Use the admin page (/admin) to create your initial user(s).
 #   3. Disable the admin page by clearing the token (ADMIN_TOKEN=)
 #SIGNUPS_ALLOWED=false
 #ADMIN_TOKEN=
+# Note on ADMIN_TOKEN: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
+
+## Enables push notifications (requires key and id from https://bitwarden.com/host)
+# PUSH_ENABLED=true
+# PUSH_INSTALLATION_ID=
+# PUSH_INSTALLATION_KEY=
+## Don't change this unless you know what you're doing.
+# PUSH_RELAY_BASE_URI=https://push.bitwarden.com
 
 # Specify YUBIKEY info if desired
-YUBICO_CLIENT_ID=
-YUBICO_SECRET_KEY=
-YUBICO_SERVER=
+#YUBICO_CLIENT_ID=
+#YUBICO_SECRET_KEY=
+#YUBICO_SERVER=
 
 # Specfiy which user email addresses can create organizations
 # Leave blank to allow all users
@@ -65,41 +77,34 @@ BACKUP_SCHEDULE=0 0 * * *
 BACKUP_DAYS=30
 # Directory to place backups in (& sync from in rclone)
 BACKUP_DIR=/data/backups
-# Emails can be sent for either email backup or notifying of rclone|local backup
-BACKUP_EMAIL_FROM_NAME="Bitwarden Backup"
-# Optional encryption key for backup
-# BACKUP_ENCRYPTION_KEY="<key to encrypt backup - optional, bw data is encrypted at rest>"
-# Email address to send backup (BACKUP=email) or notifications (BACKUP=rclone && BACKUP_RCLONE_NOTIFY=true)
+# Optional - encryption key for backup
+#   bitwarden data is encrypted at rest, but if your backup includes this env file <BACKUP_ENV=true>, your backup will include sensitive data
+#BACKUP_ENCRYPTION_KEY="<key to encrypt backup>"
+# Backup env file - set to true to include your .env (this file) in the backup\
+#   only use this when also encrypting the backup with BACKUP_ENCRYPTION_KEY
+BACKUP_ENV=false
+# Email address to send backup (BACKUP=email) or notifications (BACKUP_NOTIFY=true)
 BACKUP_EMAIL_TO="<email to send the backup to>"
 # Send email notification for rclone|local backup jobs
 BACKUP_EMAIL_NOTIFY=true
 #
 #
-# Backup type is one of local|email|rclone - uncomment one:
-#
-# LOCAL BACKUP OPTIONS
-#
-# Just uncomment this
-# BACKUP=local
-#
-# EMAIL BACKUP OPTIONS:
-#
-# Just uncomment this; uses email settings above
-# BACKUP=email
+# Backup type is any combination of local|email|rclone - e.g., email,rclone
+# If you use rclone, follow the instructions below
+#BACKUP=
 #
 # RCLONE BACKUP OPTIONS:
 #
-# rclone:
+# rclone first time run instructions:
 #   1. Uncomment lines below and `docker-compose up -d`
-#   2. With bitwarden running, configure rclone with the following command:
-#      sudo docker exec -it bitwarden rclone config --config $BACKUP_RCLONE_CONF
+#   2. With the backup container running, configure rclone with the following command:
+#      `sudo docker exec -it backup ash -c 'rclone config --config $BACKUP_RCLONE_CONF'`
 #   3. Follow the prompts and instructions at https://rclone.org/remote_setup/ - you 
 #      will most likely need to download a rclone on another computer (it is portable)
-#      to authorize
+#      to authorize.
 #   4. The script should run as normal with a working configuration file
-# BACKUP=rclone
-# BACKUP_RCLONE_CONF=/data/rclone.conf
-# BACKUP_RCLONE_DEST=/bw_backup
+BACKUP_RCLONE_CONF=/data/rclone/rclone.conf
+BACKUP_RCLONE_DEST=/bw_backup
 
 
 ### PROXY / CADDY VARIABLES ###
@@ -131,4 +136,4 @@ COUNTRYBLOCK_SCHEDULE=0 0 * * *
 ### WATCHTOWER VARIABLES ###
 
 # How often should watchtower check for updated container images? Default is every Sunday at 3am
-WATCHTOWER_SCHEDULE=0 0 3 ? * 1
+WATCHTOWER_SCHEDULE=0 0 3 ? * 0

.gitmodules

@@ -0,0 +1,9 @@
+[submodule "docker/proxy"]
+	path = docker/proxy
+	url = https://github.com/dadatuputi/bwgc_caddy.git
+[submodule "docker/countryblock"]
+	path = docker/countryblock
+	url = https://github.com/dadatuputi/bwgc_countryblock.git
+[submodule "docker/backup"]
+	path = docker/backup
+	url = https://github.com/dadatuputi/bwgc_backup.git

README.md

@@ -1,144 +1,46 @@
 # Bitwarden self-hosted on Google Cloud for Free
 
-Bitwarden installation optimized for Google Cloud's 'always free' e2-micro compute instance
-
-> _Note: if you follow these instructions the end product is a self-hosted instance of Bitwarden running in the cloud and will be free **unless** you exceed the 1GB egress per month or have egress to China or Australia. I talk about best practices to help avoid China/AUS egress, but there's a chance you can get charges from that so please keep that in mind._
-
-This is a quick-start guide. Read about this project in more detail [here](https://bradford.la/2020/self-host-bitwarden-on-google-cloud).
-
 ---
 
 ## Features
 
-* Bitwarden self-hosted
+* Bitwarden self-hosted (via Vaultwarden) on Google Cloud 'always free' e2-micro tier 
 * Automatic https certificate management through Caddy 2 proxy
 * Dynamic DNS updates through ddclient
 * Blocking brute-force attempts with fail2ban
 * Country-wide blocking through iptables and ipset
+* Automatic backups
 
-## Pre-requisites
-
-Before you start, ensure you have the following:
-
-1. A Google Cloud account
-2. A Cloudflare-managed DNS site with an A record ready for Bitwarden
-
-### f1-micro -> e2-micro migration
-
-_As of 1 August 2021, Google added the e2-micro machine type to the free tier. Google has contacted existing f1-micro users with a suggestion to upgrade to the more powerful e2-micro type (details in [this reddit thread](https://www.reddit.com/r/googlecloud/comments/oo55s1/upgraded_free_tier_f1micro_vm_to_an_e2micro/)). Upgrading existing f1-micro instances running bitwarden_gcloud is easy can be accomplished following steps at the bottom of this README._
-
-## Step 1: Set up Google Cloud `e2-micro` Compute Engine Instance
-
-Google Cloud offers an '[always free](https://cloud.google.com/free/)' tier of their Compute Engine with one virtual core and ~600 MB of RAM (about 150 MB free depending on which OS you installed). [Vaultwarden](https://github.com/dani-garcia/vaultwarden) runs well under these constraints; it's written in Rust and an ideal candidate for a micro instance. 
-
-Go to [Google Compute Engine](https://cloud.google.com/compute) and open a Cloud Shell. You may also create the instance manually following [the constraints of the free tier](https://cloud.google.com/free/docs/gcp-free-tier). In the Cloud Shell enter the following command to build the properly spec'd machine: 
-
-```bash
-$ gcloud compute instances create bitwarden \
-    --machine-type e2-micro \
-    --zone us-central1-a \
-    --image-project cos-cloud \
-    --image-family cos-stable \
-    --boot-disk-size=30GB \
-    --tags http-server,https-server \
-    --scopes compute-rw
-```
-
-You may change the zone to be closer to you or customize the name (`bitwarden`), but most of the other values should remain the same. 
+## Installation
+Follow the [guide in the wiki](https://github.com/dadatuputi/bitwarden_gcloud/wiki/Installation) to install and configure Bitwarden self-hosted on Google Cloud
 
-Next, create firewall rules to allow traffic to your VM. Bitwarden only serves encrypted traffic over HTTPS, but port 80 is needed for the Let's Encrypt challenges served by Caddy:
-```bash
-$ gcloud compute firewall-rules create bitwarden-http-ingress --action allow --target-tags http-server --rules tcp:80
-$ gcloud compute firewall-rules create bitwarden-https-ingress --action allow --target-tags https-server --rules tcp:443
-```
-
-## Step 2: Pull and Configure Project
-
-Enter a shell on the new instance and clone this repo:
-
-```bash
-$ git clone https://github.com/dadatuputi/bitwarden_gcloud.git
-$ cd bitwarden_gcloud
-```
+## Changelog
+2.0.2 - 7 November 2023
 
-Set up the docker-compose alias by using the included script:
+* Improve `fail2ban` SMTP env variable documentation in `.env.template` (#79)
+* Update IP Header env var (#77)
+* Push `fail2ban` logs to STDOUT / docker logging
+* Update `docker-compose` to latest version (#76). Requires manual updating of `~/.bash_alias` with the following command:
 
 ```bash
-$ sh utilities/install-alias.sh
-$ source ~/.bashrc
-$ docker-compose --version
-docker-compose version 1.25.5, build 8a1c60f
+$ docker-compose version
+$ sed -i "s|docker/compose|docker compose|g" ~/.bash_alias
+$ source ~/.bash_alias
+$ docker-compose version
 ```
 
-### Configure Environmental Variables with `.env`
-
-I provide `.env.template` which should be copied to `.env` and filled out; filling it out is self-explanitory and requires certain values such as a domain name, Cloudflare API tokens, etc. 
-Be aware that there is an optional backup section that allows you to have an encrypted backup regularly backed up and emailed or synced to cloud storage. More documentation on this feature is available [here](https://bradford.la/2020/self-host-bitwarden-on-google-cloud/#configure-bitwarden-backups-optional).
-
-### Configure `fail2ban` (_optional_)
-
-`fail2ban` stops brute-force attempts at your vault. To configure how long a ban is and how many attempts will trigger a ban, edit `fail2ban/jail.d/jail.local`:
-
-```conf
-bantime = 6h <- how long to enforce the ip ban
-maxretry = 5  <- number of times to retry until a ban occurs
-```
-
-This will work out of the box - no `fail2ban` configuration is needed unless you want e-mail alerts of bans. To enable this, enter the SMTP settings in `.env`, and follow the instructions in `fail2ban/jail.d/jail.local` by uncommenting and entering `destemail` and `sender` and uncommenting the `action_mwl` action in the `bitwarden` and `bitwarden-admin` jails in the same file.
-
-### Configure Country-wide Blocking (_optional_)
+2.0.1 - 25 October 2023
 
-The `countryblock` container will block ip addresses from countries specified in `.env` under `COUNTRIES`. China, Hong Kong, and Australia (CN, HK, AU) are blocked by default because Google Cloud will charge egress to those countries under the free tier. You may add any country you like to that list, or clear it out entirely if you don't want to block those countries. Be aware, however, you'll probably be charged for any traffic to those countries, even from bots or crawlers. 
+* Update backup option to include `.env` for full restoration. Off by default. Please encrypt your backup if including `.env`
+* Starting new versioning/tagging system to keep track of changes. Arbitrarily starting after 2.0, which was the fully modular approach.
 
-This country-wide blocklist will be updated daily at midnight, but you can change the `COUNTRYBLOCK_SCHEDULE` variable in `.env` to suit your needs. 
-
-These block-lists are pulled from <www.ipdeny.com> on each update. 
-
-### Configure Automatic Rebooting After Updates (_optional_)
-
-Container-Optimized OS will automatically update itself, but the update will only be applied after a reboot. In order to ensure that you are using the most current operating system software, you can set a boot script that waits until an update has been applied to schedule a reboot.
-
-Before you start, ensure you have `compute-rw` scope for your bitwarden compute vm. If you used the `gcloud` command above, it includes that scope. If not, go to your Google Cloud console and edit the "Cloud API access scopes" to have "Compute Engine" show "Read Write". You need to shut down your compute vm in order to change this.
-
-Modify the script to set your local timezone and the time to schedule reboots: set the `TZ=` and `TIME=` variables in `utilities/reboot-on-update.sh`. By default the script will schedule reboots for 06:00 UTC. 
-
-From within your compute vm console, type the command `toolbox`. From within `toolbox`, find the `utilities` folder within `bitwarden_gcloud`. `toolbox` mounts the host filesystem under `/media/root`, so go there to find the folder. It will likely be in `/media/root/home/<google account name>/bitwarden_gcloud/utilities` - `cd` to that folder.
-
-Next, use `gcloud` to add the `reboot-on-update.sh` script to your vm's boot script metadata with the `add-metadata` [command](https://cloud.google.com/compute/docs/startupscript#startupscriptrunninginstances):
-
-```bash
-gcloud compute instances add-metadata <instance> --metadata-from-file startup-script=reboot-on-update.sh
-```
-
-You can confirm that your startup script has been added in your instance details under "Custom metadata" on the Compute Engine Console. 
-
-Next, restart your vm with the command `$ sudo reboot`. Once your vm has rebooted, you can confirm that the startup script was run with the command:
-
-```bash
-$ sudo journalctl -u google-startup-scripts.service
-```
-
-Now the script will wait until a reboot is pending and then schedule a reboot for the time configured in the script.
-
-## Step 3: Start Services
-
-To start up, use `docker-compose`:
-
-```bash
-$ docker-compose up
-```
-
-You can now use your browser to visit your new Bitwarden site. 
-
-## f1-micro to e2-micro Migration
-
-Follow these steps to migrate from the previous free tier f1-micro to the new free tier e2-micro.
-
-1.  Shut down your VM instance
-2.  Edit the vm instance to machine type e2-micro using the google cloud GUI or cloud shell. 
-3.  Boot the VM again and everything should start as before. 
-
-Note that after shutting down and booting the new machine type, it may take a while for the DNS record's TTL to expire and point to the new IP which gets changed after a shutdown. 
+---
 
-# Notes
-For a pure Cloudflare approach, see [this issue](https://github.com/dadatuputi/bitwarden_gcloud/issues/5).
+> __3 April 2023 Alert__: [Recent changes to Vaultwarden](https://github.com/dani-garcia/vaultwarden/commit/ca417d32578c3b6224c5aa8df56eb776712941b7) may cause Vaultwarden to fail to start due to default environmental variables. `.env.template` has been updated in this repo, however, if you are affected, you must also update `.env` and comment out all `YUBICO_*` variables, so that they appear as:
+>
+> ```
+> #YUBICO_CLIENT_ID=
+> #YUBICO_SECRET_KEY=
+> #YUBICO_SERVER=
+> ```
+> Restart with `docker-compose`, and Vaultwarden should come up as normal. Credit to [@AySz88 for reporting this](https://github.com/dadatuputi/bitwarden_gcloud/issues/54).

caddy/Caddyfile

@@ -4,15 +4,14 @@
   # Doc about automatic HTTPS https://caddyserver.com/docs/automatic-https
 
   log {
-	output file {$LOG_FILE} {
-        roll_size 50MiB # https://caddyserver.com/docs/caddyfile/directives/log#log
-        roll_keep 5 # https://caddyserver.com/docs/caddyfile/directives/log#log
-    }
-    level INFO
+	output stderr
+    	level INFO
   }
 
-  # Uncomment only one of the 2 lines. Depending if you provide your own cert or request one from Let's Encrypt
+  # Uncomment only one of the 2 lines:
+  # Provide your own cert 
   # tls {$SSLCERTIFICATE} {$SSLKEY}
+  # Request a cert from Let's Encrypt using ACME HTTP-01
   tls {$EMAIL}
 
   encode zstd gzip
@@ -28,14 +27,11 @@
        X-Robots-Tag "none"
        # Server name remove
        -Server
-   }
-  # The negotiation endpoint is also proxied to Rocket
-  reverse_proxy /notifications/hub/negotiate bitwarden:80
-
-  # Notifications redirected to the websockets server
-  reverse_proxy /notifications/hub bitwarden:3012
-
-  # Proxy the Root directory to Rocket
-  reverse_proxy bitwarden:80
-
+  }	
+
+  reverse_proxy bitwarden:80 {
+       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
+       # log, so that fail2ban can ban the correct IP.
+       header_up X-Real-IP {remote_host}
+  }
 }