From d0dcf68c4a31a84739423192677b0499f4a52a7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20B=C3=A9dard-Couture?= <remi.bc@outlook.com>
Date: Thu, 7 Mar 2024 21:48:10 -0500
Subject: [PATCH] Modify vaultwarden to support postgresql db and fail2ban

---
 install/vaultwarden-install.sh | 121 +++++++++++++++++++++++++++++++--
 1 file changed, 116 insertions(+), 5 deletions(-)

diff --git a/install/vaultwarden-install.sh b/install/vaultwarden-install.sh
index 64f8a460..83849288 100644
--- a/install/vaultwarden-install.sh
+++ b/install/vaultwarden-install.sh
@@ -13,6 +13,28 @@ setting_up_container
 network_check
 update_os
 
+#Select DB engine (Sqlite or PostgreSQL, will maybe add MySQL later)
+DB_ENGINE=""
+while [ -z "$DB_ENGINE" ]; do
+if DB_ENGINE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "VAULTWARDEN DATABASE" --radiolist "Choose Database" 10 58 2 \
+  "sqlite" "" OFF \
+  "postgresql" "" OFF \
+  3>&1 1>&2 2>&3); then
+  if [ -n "$DB_ENGINE" ]; then
+	echo -e "${DGN}Using Database Engine: ${BGN}$DB_ENGINE${CL}"
+  fi
+else
+  exit-script
+fi
+done
+
+#Fail2ban option
+if (whiptail --backtitle "Proxmox VE Helper Scripts" --defaultyes --title "Fail2ban" --yesno "Configure fail2ban?" 10 58); then
+  ENABLE_F2B=1
+else
+  ENABLE_F2B=0
+fi
+
 msg_info "Installing Dependencies"
 $STD apt-get update
 $STD apt-get -qqy install \
@@ -47,7 +69,8 @@ msg_ok "Installed Rust"
 msg_info "Building Vaultwarden ${VAULT} (Patience)"
 $STD git clone https://github.com/dani-garcia/vaultwarden
 cd vaultwarden
-$STD cargo build --features "sqlite,mysql,postgresql" --release
+#$STD cargo build --features "sqlite,mysql,postgresql" --release
+$STD cargo build --features "$DB_ENGINE" --release
 msg_ok "Built Vaultwarden ${VAULT}"
 
 $STD addgroup --system vaultwarden
@@ -57,19 +80,46 @@ mkdir -p /opt/vaultwarden/data
 cp target/release/vaultwarden /opt/vaultwarden/bin/
 
 msg_info "Downloading Web-Vault ${WEBVAULT}"
-$STD curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz
-$STD tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/
+curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/$WEBVAULT/bw_web_$WEBVAULT.tar.gz
+tar -xzf bw_web_$WEBVAULT.tar.gz -C /opt/vaultwarden/
 msg_ok "Downloaded Web-Vault ${WEBVAULT}"
 
+admintoken=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 70 | head -n 1)
+
+#Local server IP
+$STD vw_ip4=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1)
+#echo "Local IP:$ip4"
+
 cat <<EOF >/opt/vaultwarden/.env
-ADMIN_TOKEN=''
-ROCKET_ADDRESS=0.0.0.0
+ADMIN_TOKEN=${admintoken}
+ROCKET_ADDRESS=${vw_ip4}
 DATA_FOLDER=/opt/vaultwarden/data
 DATABASE_MAX_CONNS=10
 WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault
 WEB_VAULT_ENABLED=true
 EOF
 
+
+if [ "$DB_ENGINE" == "postgresql" ]; then
+  msg_info "Installing PostgreSQL"
+  #sudo apt install postgresql postgresql-contrib libpq-dev dirmngr git libssl-dev pkg-config build-essential curl wget apt-transport-https ca-certificates software-properties-common pwgen -y
+  $STD apt -qqy install postgresql postgresql-contrib
+  msg_ok "Installed PostgreSQL"
+  
+
+  ### Configure PostgreSQL DB
+  # Random password
+  postgresql_pwd=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 24 | head -n 1)
+  sudo -u postgres psql -c "CREATE DATABASE vaultwarden;"
+  sudo -u postgres psql -c "CREATE USER vaultwarden WITH ENCRYPTED PASSWORD '${postgresql_pwd}';"
+  sudo -u postgres psql -c "GRANT all privileges ON database vaultwarden TO vaultwarden;"
+  #echo "Successfully setup PostgreSQL DB vaultwarden with user vaultwarden and password ${postgresql_pwd}"
+
+  echo "DATABASE_URL=postgresql://vaultwarden:${postgresql_pwd}@localhost:5432/vaultwarden" >> /opt/vaultwarden/.env
+fi
+
+
+
 msg_info "Creating Service"
 chown -R vaultwarden:vaultwarden /opt/vaultwarden/
 chown root:root /opt/vaultwarden/bin/vaultwarden
@@ -110,6 +160,65 @@ systemctl daemon-reload
 $STD systemctl enable --now vaultwarden.service
 msg_ok "Created Service"
 
+
+if [ "$ENABLE_F2B" == 1 ]; then
+  msg_info "Configuring fail2ban"
+
+  #####Fail2ban setup
+  $STD apt -qqy install fail2ban
+
+  #Create files
+  touch /etc/fail2ban/filter.d/vaultwarden.conf
+  touch /etc/fail2ban/jail.d/vaultwarden.local
+  touch /etc/fail2ban/filter.d/vaultwarden-admin.conf
+  touch /etc/fail2ban/jail.d/vaultwarden-admin.local
+
+  #Set vaultwarden fail2ban filter conf File
+  vaultwardenfail2banfilter="/etc/fail2ban/filter.d/vaultwarden.conf"
+  echo "[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^.*Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
+ignoreregex =" > $vaultwardenfail2banfilter
+
+  #Set vaultwarden fail2ban jail conf File
+  vaultwardenfail2banjail="/etc/fail2ban/jail.d/vaultwarden.local"
+  echo "[vaultwarden]
+enabled = true
+port = 80,443,8081
+filter = vaultwarden
+action = iptables-allports[name=vaultwarden]
+logpath = /var/log/vaultwarden/error.log
+maxretry = 3
+bantime = 14400
+findtime = 14400" > $vaultwardenfail2banjail
+
+  #Set vaultwarden fail2ban admin filter conf File
+  vaultwardenfail2banadminfilter="/etc/fail2ban/filter.d/vaultwarden-admin.conf"
+  echo "[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^.*Unauthorized Error: Invalid admin token\. IP: <HOST>.*$
+ignoreregex =" > $vaultwardenfail2banadminfilter
+
+  #Set vaultwarden fail2ban admin jail conf File
+  vaultwardenfail2banadminjail="/etc/fail2ban/jail.d/vaultwarden-admin.local"
+  echo "[vaultwarden-admin]
+enabled = true
+port = 80,443
+filter = vaultwarden-admin
+action = iptables-allports[name=vaultwarden]
+logpath = /var/log/vaultwarden/error.log
+maxretry = 5
+bantime = 14400
+findtime = 14400" > $vaultwardenfail2banadminjail
+
+  $STD systemctl restart fail2ban
+  msg_info "Configured fail2ban"
+fi
+
 motd_ssh
 customize
 
@@ -117,3 +226,5 @@ msg_info "Cleaning up"
 $STD apt-get autoremove
 $STD apt-get autoclean
 msg_ok "Cleaned"
+
+msg_info "Enter ${admintoken} to gain access to admin panel, please save this somewhere! Admin panel accessible at $vw_ip4:8000/admin"