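        /// <summary>
        /// Generates the certificate material for a fresh install: optionally a
        /// self-signed server certificate (when no certificate is configured yet),
        /// Diffie-Hellman parameters for a Let's Encrypt setup, and the IdentityServer
        /// signing certificate packed into a PFX file.
        /// </summary>
        /// <returns>
        /// <c>true</c> when a self-signed server certificate was generated by this call;
        /// <c>Ssl</c> is flipped to <c>true</c> in that case as well.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// Thrown when <c>Domain</c> is not a plain host name or IP literal.
        /// </exception>
        public bool BuildForInstall()
        {
            // Domain is interpolated into shell command lines and directory names below.
            // Reject anything that is not a host name / IP literal so quotes, spaces or
            // shell metacharacters can never reach the openssl invocation.
            if (string.IsNullOrWhiteSpace(Domain) || Uri.CheckHostName(Domain) == UriHostNameType.Unknown)
            {
                throw new InvalidOperationException($"'{Domain}' is not a valid host name; refusing to generate certificates.");
            }

            var generatedSelfSigned = false;

            // Only offer a self-signed certificate when the caller has not already
            // supplied (or arranged for) one.
            if (!Ssl && Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?"))
            {
                var selfSignedDir = $"/bitwarden/ssl/self/{Domain}/";
                Directory.CreateDirectory(selfSignedDir);
                Console.WriteLine("Generating self signed SSL certificate.");
                Ssl = generatedSelfSigned = true;

                // -nodes: the private key is written unencrypted so the web server can
                // load it without a passphrase; it must be protected by file permissions.
                // NOTE(review): the certificate carries only a CN and no subjectAltName
                // extension; clients that require a SAN for host-name matching will reject
                // it even after it has been added to their trust store.
                Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
                             $"-keyout {selfSignedDir}private.key " +
                             $"-out {selfSignedDir}certificate.crt " +
                             $"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=Bitwarden/CN={Domain}\"");
            }

            if (LetsEncrypt)
            {
                // 2048-bit DH parameters stored next to the Let's Encrypt material.
                var liveDir = $"/bitwarden/letsencrypt/live/{Domain}/";
                Directory.CreateDirectory(liveDir);
                Helpers.Exec($"openssl dhparam -out {liveDir}dhparam.pem 2048");
            }

            Console.WriteLine("Generating key for IdentityServer.");
            Directory.CreateDirectory("/bitwarden/identity/");

            // The key and certificate are first written to the current working directory
            // and then packed into identity.pfx.
            // NOTE(review): nothing in this method removes identity.key (unencrypted) and
            // identity.crt afterwards; they stay behind in the working directory.
            Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                         "-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 10950");

            // NOTE(review): "-passout pass:<value>" places the PFX password on the openssl
            // command line, where other local users can read it from the process list
            // while the export runs.
            Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
                         $"-in identity.crt -certfile identity.crt -passout pass:{IdentityCertPassword}");

            Console.WriteLine();
            return generatedSelfSigned;
        }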
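        /// <summary>
        /// Decides how TLS is provided for this install and generates the matching
        /// material: a self-signed server certificate, Let's Encrypt DH parameters and
        /// the IdentityServer signing certificate (PFX). The outcome is recorded in
        /// <c>_context.Config</c> / <c>_context.Install</c> for the other builders, and
        /// a warning banner is shown when the result is no TLS or an untrusted certificate.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// Thrown when <c>_context.Install.Domain</c> is not a plain host name or IP literal.
        /// </exception>
        public void BuildForInstall()
        {
            // Stub mode: record a "trusted certificate present" configuration and
            // generate nothing.
            if (_context.Stub)
            {
                _context.Config.Ssl                   = true;
                _context.Install.Trusted              = true;
                _context.Install.SelfSignedCert       = false;
                _context.Install.DiffieHellman        = false;
                _context.Install.IdentityCertPassword = "******";
                return;
            }

            var domain = _context.Install.Domain;

            // The domain is spliced into openssl command lines (including a single-quoted
            // printf argument) and into directory names. Reject anything that is not a
            // host name / IP literal so quotes or shell metacharacters cannot break out.
            if (string.IsNullOrWhiteSpace(domain) || Uri.CheckHostName(domain) == UriHostNameType.Unknown)
            {
                throw new InvalidOperationException($"'{domain}' is not a valid host name; refusing to generate certificates.");
            }

            // Managed Let's Encrypt implies TLS; otherwise we have to ask.
            _context.Config.Ssl = _context.Config.SslManagedLetsEncrypt;

            if (!_context.Config.Ssl)
            {
                // "skip-ssl=true" or "skip-ssl=1" suppresses the certificate prompts entirely.
                var skipSsl = _context.Parameters.TryGetValue("skip-ssl", out var skipValue) &&
                              (skipValue == "true" || skipValue == "1");

                if (!skipSsl)
                {
                    _context.Config.Ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
                    if (_context.Config.Ssl)
                    {
                        Directory.CreateDirectory($"/bitwarden/ssl/{domain}/");
                        var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
                                      "appropriate directory before running 'start' (see docs for info).";
                        Helpers.ShowBanner(_context, "NOTE", message);
                    }
                    else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?"))
                    {
                        var selfSignedDir = $"/bitwarden/ssl/self/{domain}/";
                        Directory.CreateDirectory(selfSignedDir);
                        Helpers.WriteLine(_context, "Generating self signed SSL certificate.");
                        _context.Config.Ssl             = true;
                        _context.Install.Trusted        = false;
                        _context.Install.SelfSignedCert = true;

                        // A [SAN] section is appended to the system openssl.cnf via bash
                        // process substitution, so Helpers.Exec must run this under bash.
                        // NOTE(review): basicConstraints=CA:true marks this leaf certificate
                        // as a CA. Once users import it into a device trust store, the
                        // unencrypted (-nodes) private key on this host can sign certificates
                        // that those devices trust for any name, and -days 36500 means the
                        // certificate never meaningfully expires.
                        Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 36500 " +
                                     $"-keyout {selfSignedDir}private.key " +
                                     $"-out {selfSignedDir}certificate.crt " +
                                     $"-reqexts SAN -extensions SAN " +
                                     $"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{domain}\nbasicConstraints=CA:true')) " +
                                     $"-subj \"/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN={domain}\"");
                    }
                }
            }

            if (_context.Config.SslManagedLetsEncrypt)
            {
                // Let's Encrypt certificates are publicly trusted; generate 2048-bit DH
                // parameters next to the live certificate directory.
                _context.Install.Trusted       = true;
                _context.Install.DiffieHellman = true;
                var liveDir = $"/bitwarden/letsencrypt/live/{domain}/";
                Directory.CreateDirectory(liveDir);
                Helpers.Exec($"openssl dhparam -out {liveDir}dhparam.pem 2048");
            }
            else if (_context.Config.Ssl && !_context.Install.SelfSignedCert)
            {
                // User-supplied certificate: only the operator knows whether it chains
                // to a trusted root.
                _context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " +
                                                                "(requires ca.crt, see docs)?");
            }

            Helpers.WriteLine(_context, "Generating key for IdentityServer.");
            _context.Install.IdentityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
            Directory.CreateDirectory("/bitwarden/identity/");

            // Key and certificate land in the current working directory and are then
            // packed into identity.pfx.
            // NOTE(review): nothing in this method removes identity.key (unencrypted) and
            // identity.crt afterwards, and "-passout pass:<value>" exposes the PFX
            // password on the openssl command line (visible in the process list).
            Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                         "-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 36500");
            Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
                         $"-in identity.crt -passout pass:{_context.Install.IdentityCertPassword}");

            Helpers.WriteLine(_context);

            if (!_context.Config.Ssl)
            {
                var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" +
                              "You must front your installation with a HTTPS proxy or the web vault (and \n" +
                              "other Bitwarden apps) will not work properly.";
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
            else if (!_context.Install.Trusted)
            {
                var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
                              "trusted by Bitwarden client applications. You must add this certificate to \n" +
                              "the trusted store on each device or else you will receive errors when trying \n" +
                              "to connect to your installation.";
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
        }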
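        /// <summary>
        /// Decides how TLS is provided for this install and generates the matching
        /// material under <c>_context.DestDir</c>: a self-signed server certificate,
        /// Let's Encrypt DH parameters, and (via <c>GenerateIdentityCertificate</c>) the
        /// IdentityServer signing certificate. The outcome is recorded in
        /// <c>_context.Config.Ssl</c> / <c>_context.Install</c>, and a warning banner is
        /// shown when the result is no TLS or an untrusted certificate.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// Thrown when <c>_context.Install.Domain</c> is not a plain host name or IP literal.
        /// </exception>
        public void BuildForInstall()
        {
            // Stub mode: record a "trusted certificate present" configuration and
            // generate nothing.
            if (_context.Stub)
            {
                _context.Config.Ssl.Enable            = true;
                _context.Install.Trusted              = true;
                _context.Install.SelfSignedCert       = false;
                _context.Install.DiffieHellman        = false;
                _context.Install.IdentityCertPassword = "******";
                return;
            }

            var domain  = _context.Install.Domain;
            var destDir = _context.DestDir;

            // The domain is spliced into openssl command lines (including a single-quoted
            // printf argument) and into directory names. Reject anything that is not a
            // host name / IP literal so quotes or shell metacharacters cannot break out.
            if (string.IsNullOrWhiteSpace(domain) || Uri.CheckHostName(domain) == UriHostNameType.Unknown)
            {
                throw new InvalidOperationException($"'{domain}' is not a valid host name; refusing to generate certificates.");
            }

            // Managed Let's Encrypt implies TLS; otherwise ask, unless the install
            // already carries an explicit Ssl setting.
            _context.Config.Ssl.Enable = _context.Config.Ssl.ManagedLetsEncrypt;

            if (!_context.Config.Ssl.Enable && _context.Install.Ssl == null)
            {
                _context.Config.Ssl.Enable = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
                if (_context.Config.Ssl.Enable)
                {
                    Directory.CreateDirectory($"{destDir}/ssl/{domain}/");
                    var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
                                  "appropriate directory before running 'start' (see docs for info).";
                    Helpers.ShowBanner(_context, "NOTE", message);
                }
                else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?"))
                {
                    var selfSignedDir = $"{destDir}/ssl/self/{domain}/";
                    Directory.CreateDirectory(selfSignedDir);
                    Helpers.WriteLine(_context, "Generating self signed SSL certificate.");
                    _context.Config.Ssl.Enable      = true;
                    _context.Install.Trusted        = false;
                    _context.Install.SelfSignedCert = true;

                    // A [SAN] section is appended to the system openssl.cnf via bash
                    // process substitution, so Helpers.Exec must run this under bash.
                    // NOTE(review): basicConstraints=CA:true marks this leaf certificate as
                    // a CA. Once users import it into a device trust store, the unencrypted
                    // (-nodes) private key on this host can sign certificates those devices
                    // trust for any name.
                    Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
                                 $"-keyout {selfSignedDir}private.key " +
                                 $"-out {selfSignedDir}certificate.crt " +
                                 $"-reqexts SAN -extensions SAN " +
                                 $"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{domain}\nbasicConstraints=CA:true')) " +
                                 $"-subj \"/C=US/ST=Florida/L=Jacksonville/O=8bit Solutions LLC/OU=ByteGarden/CN={domain}\"");
                }
            }

            // Config.Ssl was already dereferenced above, so a null-conditional here
            // would never take its fallback; test the flag directly.
            if (_context.Config.Ssl.ManagedLetsEncrypt)
            {
                // Let's Encrypt certificates are publicly trusted; generate 2048-bit DH
                // parameters next to the live certificate directory.
                _context.Install.Trusted       = true;
                _context.Install.DiffieHellman = true;
                var liveDir = $"{destDir}/letsencrypt/live/{domain}/";
                Directory.CreateDirectory(liveDir);
                Helpers.Exec($"openssl dhparam -out {liveDir}dhparam.pem 2048");
            }
            else if (_context.Config.Ssl.Enable && !_context.Install.SelfSignedCert)
            {
                // User-supplied certificate: only the operator knows whether it chains
                // to a trusted root.
                _context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " +
                                                                "(requires ca.crt, see docs)?");
            }

            GenerateIdentityCertificate();

            Helpers.WriteLine(_context);

            if (!_context.Config.Ssl.Enable)
            {
                var message = "You are not using a SSL certificate. ByteGarden requires HTTPS to operate. \n" +
                              "You must front your installation with a HTTPS proxy or the web vault (and \n" +
                              "other ByteGarden apps) will not work properly.";
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
            else if (!_context.Install.Trusted)
            {
                var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
                              "trusted by ByteGarden client applications. You must add this certificate to \n" +
                              "the trusted store on each device or else you will receive errors when trying \n" +
                              "to connect to your installation.";
                Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
            }
        }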
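        /// <summary>
        /// Interactive "install" flow: works out the TLS setup, generates certificates,
        /// asks for ports and reverse-proxy details, then writes the nginx, environment,
        /// app-id and docker-compose files. Inputs come from <c>_parameters</c>
        /// (<c>out</c>, <c>domain</c>, <c>letsencrypt</c>) and from console prompts.
        /// Prints an ERROR line and returns early when validation fails.
        /// </summary>
        private static void Install()
        {
            string Param(string key) => _parameters.TryGetValue(key, out var value) ? value : null;
            bool IsValidPort(int port) => port > 0 && port <= 65535;

            // NOTE(review): lower-casing a file-system path changes it on case-sensitive
            // file systems; kept as-is because existing installs may depend on it.
            var outputDir   = Param("out")?.ToLowerInvariant() ?? "/etc/bitwarden";
            var domain      = Param("domain")?.ToLowerInvariant() ?? "localhost";
            var letsEncrypt = Param("letsencrypt")?.ToLowerInvariant() == "y";

            if (!ValidateInstallation())
            {
                return;
            }

            // `domain` becomes a directory name here and, inside CertBuilder, is spliced
            // into openssl command lines. Reject anything that is not a host name / IP
            // literal so quotes or shell metacharacters never reach those commands.
            if (Uri.CheckHostName(domain) == UriHostNameType.Unknown)
            {
                Console.WriteLine($"ERROR: '{domain}' is not a valid host name.");
                return;
            }

            // Let's Encrypt implies TLS; otherwise ask whether a certificate is supplied.
            var ssl = letsEncrypt;

            if (!letsEncrypt)
            {
                ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
                if (ssl)
                {
                    Directory.CreateDirectory($"/bitwarden/ssl/{domain}/");
                    var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
                                  "appropriate directory before running 'start' (see docs for info).";
                    Helpers.ShowBanner("NOTE", message);
                }
            }

            // Alphanumeric only: the password is passed to openssl on a command line.
            var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
            var certBuilder          = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl);
            var selfSignedSsl        = certBuilder.BuildForInstall();

            ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build

            var sslTrusted       = letsEncrypt;
            var sslDiffieHellman = letsEncrypt;

            // User-supplied certificate: only the operator knows whether it is trusted
            // and whether dhparam.pem is available.
            if (ssl && !selfSignedSsl && !letsEncrypt)
            {
                sslDiffieHellman = Helpers.ReadQuestion("Use Diffie Hellman ephemeral parameters for SSL " +
                                                        "(requires dhparam.pem, see docs)?");
                sslTrusted = Helpers.ReadQuestion("Is this a trusted SSL certificate (requires ca.crt, see docs)?");
            }

            if (!ssl)
            {
                var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" +
                              "You must front your installation with a HTTPS proxy. The web vault (and \n" +
                              "other Bitwarden apps) will not work properly without HTTPS.";
                Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow);
            }
            else if (!sslTrusted)
            {
                var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
                              "trusted by Bitwarden client applications. You must add this certificate to \n" +
                              "the trusted store on each device or else you will receive errors when trying \n" +
                              "to connect to your installation.";
                Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow);
            }

            var url = $"https://{domain}";
            int httpPort = default(int), httpsPort = default(int);

            if (Helpers.ReadQuestion("Do you want to use the default ports for HTTP (80) and HTTPS (443)?"))
            {
                httpPort = 80;
                if (ssl)
                {
                    httpsPort = 443;
                }
            }
            else if (ssl)
            {
                // Parse into a temporary: a failed TryParse zeroes its out argument, so
                // parsing straight into httpsPort would silently publish port 0.
                httpsPort = 443;
                if (int.TryParse(Helpers.ReadInput("HTTPS port").Trim(), out var customHttpsPort) &&
                    IsValidPort(customHttpsPort) && customHttpsPort != 443)
                {
                    httpsPort = customHttpsPort;
                    url += (":" + httpsPort);
                }
                else
                {
                    Console.WriteLine("Using default port.");
                }
            }
            else
            {
                // Same temporary-variable pattern as above; without it an unparsable
                // answer left httpPort at 0.
                httpPort = 80;
                if (int.TryParse(Helpers.ReadInput("HTTP port").Trim(), out var customHttpPort) &&
                    IsValidPort(customHttpPort))
                {
                    httpPort = customHttpPort;
                }
                else
                {
                    Console.WriteLine("Using default port.");
                }
            }

            if (Helpers.ReadQuestion("Is your installation behind a reverse proxy?"))
            {
                // The public URL is the proxy's, so any custom port chosen above is
                // replaced by the proxy's HTTPS port.
                if (Helpers.ReadQuestion("Do you use the default HTTPS port (443) on your reverse proxy?"))
                {
                    url = $"https://{domain}";
                }
                else
                {
                    if (int.TryParse(Helpers.ReadInput("Proxy HTTPS port").Trim(), out var httpsReversePort) &&
                        IsValidPort(httpsReversePort) && httpsReversePort != 443)
                    {
                        url += (":" + httpsReversePort);
                    }
                    else
                    {
                        Console.WriteLine("Using default port.");
                        url = $"https://{domain}";
                    }
                }
            }
            else if (!ssl)
            {
                // NOTE(review): this is checked only after certificates have been
                // generated and several prompts answered; consider asking earlier.
                Console.WriteLine("ERROR: You must use a reverse proxy if not using SSL.");
                return;
            }

            var push = Helpers.ReadQuestion("Do you want to use push notifications?");

            var nginxBuilder = new NginxConfigBuilder(domain, url, ssl, selfSignedSsl, letsEncrypt,
                                                      sslTrusted, sslDiffieHellman);

            nginxBuilder.BuildForInstaller();

            var environmentFileBuilder = new EnvironmentFileBuilder
            {
                DatabasePassword     = Helpers.SecureRandomString(32),
                Domain               = domain,
                IdentityCertPassword = identityCertPassword,
                InstallationId       = _installationId,
                InstallationKey      = _installationKey,
                OutputDirectory      = outputDir,
                Push = push,
                Url  = url
            };

            environmentFileBuilder.BuildForInstaller();

            var appIdBuilder = new AppIdBuilder(url);

            appIdBuilder.Build();

            var dockerComposeBuilder = new DockerComposeBuilder(_hostOs, _webVersion, _coreVersion);

            dockerComposeBuilder.BuildForInstaller(httpPort, httpsPort);
        }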