authorMarkus Richter2020-01-06 15:22:42 +0100
committerMarkus Richter2020-01-06 15:22:42 +0100
commit4893113c97aab6aaf07951803e9bdd95eb1faa6a (patch)
tree681eaf8981d31867864743be36ba0720b558ba11
parent0c1ba91d01f4c9469dd49ce9cd451bc447803dcb (diff)
downloadaur-4893113c97aab6aaf07951803e9bdd95eb1faa6a.tar.gz
+ declarative user+data folder, clean up .install
- apply changes to the systemd config from Siosm (https://github.com/Siosm/archlinux-bitwarden_rs-postgresql/commit/8862da33b998059ba593e17052b03b0b9d457ad6) - harden .service file some more - add sysusers and tmpfiles integration - remove unnecessary daemon-reloading (is triggered by pacman anyway) in .install file - make restart reminder on update smaller
-rw-r--r--.SRCINFO10
-rw-r--r--PKGBUILD17
-rw-r--r--bitwarden_rs.install23
-rw-r--r--bitwarden_rs.service17
-rw-r--r--bitwarden_rs.sysusers.conf1
-rw-r--r--bitwarden_rs.tmpfiles.conf1
6 files changed, 39 insertions, 30 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 9e729c2b1c79..0f17560b7038 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = bitwarden_rs-git
pkgdesc = An unofficial lightweight implementation of the bitwarden-server using rust and sqlite. Does NOT include the web-interface.
- pkgver = 1.12.0.r5.g486c7d8
+ pkgver = 1.13.1.r19.gbaf7d1b
pkgrel = 1
url = https://github.com/dani-garcia/bitwarden_rs
install = bitwarden_rs.install
@@ -21,10 +21,14 @@ pkgbase = bitwarden_rs-git
source = git+https://github.com/dani-garcia/bitwarden_rs.git
source = bitwarden_rs.install
source = bitwarden_rs.service
+ source = bitwarden_rs.sysusers.conf
+ source = bitwarden_rs.tmpfiles.conf
source = 0001-Disable-Vault.patch
sha512sums = SKIP
- sha512sums = 399e63002acb764895bbcf3b983642c8858343b36909eeeb73133de1a9740a3d81232bc206ff6bf3daed50f72354c5e6fd5314d0d044acd9f1cb23a933b1dd74
- sha512sums = 4ce188956f6fe7cfdb711b1505f6344ed2775751ea112a0506dc96455c2705ab8529ec442e4747d7810fc3535b4ca78d1864e874dab5b5306373587097e02658
+ sha512sums = ae1e05b613d3178bf3fa273ff6661c567140a43826e681b5164ef7d101c1243e5ff93e9caf7193984626d363b8b8b7c076e6646b865699d4cbe482a3dc4f91e7
+ sha512sums = 60a406c8fea4bb651974b3fd386f66a0fcf73bfcc29bffe171b92134e2e81b6374ac6be879eb420208ecd77911b7d157db587510347e56ecb72aec34ac90fbe6
+ sha512sums = 15b00b0dc9122f98ce8d7b55668fdfbb2e0387563e7d9ad6c0ebc73b75e46e1ccdb3a2186a453795a1b3e2d45358ff5a8076d5cf30319ab2c21539d20cff81c6
+ sha512sums = 6fd0ea962f077f92ad7f55a1bab479e68e3463b41eb171d501847554b676b7ecf05e016544f6331bdb53bf71038fcf2ce67ad213d0a7c2f93acbafd72e8441a6
sha512sums = a6f2361c7aa83e63b9a557500406b0cd660e0d7f8b16345f859faa3f96e22bdcecd7589711960486fa0401896291f7d46f66882744c69117fc146056f4a49028
pkgname = bitwarden_rs-git
diff --git a/PKGBUILD b/PKGBUILD
index 8514afaeeb01..a5e46cd5bb5d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,8 +1,9 @@
# Maintainer: Markus Richter <mqus at disroot dot org>
+# Contributor: Timothée Ravier <tim@siosm.fr
pkgname=bitwarden_rs-git
_pkgbase=bitwarden_rs
-pkgver=1.12.0.r5.g486c7d8
+pkgver=1.13.1.r19.gbaf7d1b
pkgrel=1
pkgdesc="An unofficial lightweight implementation of the bitwarden-server using rust and sqlite. Does NOT include the web-interface."
arch=('i686' 'x86_64' 'armv7h' 'aarch64')
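Review bot: The new contributor line is missing the closing angle bracket of the e-mail address; it should read `# Contributor: Timothée Ravier <tim@siosm.fr>`. It is only a comment as far as makepkg is concerned, but this is the conventional AUR header format and tooling that parses these headers expects balanced brackets.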
@@ -18,10 +19,14 @@ install=bitwarden_rs.install
source=('git+https://github.com/dani-garcia/bitwarden_rs.git'
"${_pkgbase}.install"
"${_pkgbase}.service"
+ "${_pkgbase}.sysusers.conf"
+ "${_pkgbase}.tmpfiles.conf"
"0001-Disable-Vault.patch")
sha512sums=('SKIP'
- '399e63002acb764895bbcf3b983642c8858343b36909eeeb73133de1a9740a3d81232bc206ff6bf3daed50f72354c5e6fd5314d0d044acd9f1cb23a933b1dd74'
- '4ce188956f6fe7cfdb711b1505f6344ed2775751ea112a0506dc96455c2705ab8529ec442e4747d7810fc3535b4ca78d1864e874dab5b5306373587097e02658'
+ 'ae1e05b613d3178bf3fa273ff6661c567140a43826e681b5164ef7d101c1243e5ff93e9caf7193984626d363b8b8b7c076e6646b865699d4cbe482a3dc4f91e7'
+ '60a406c8fea4bb651974b3fd386f66a0fcf73bfcc29bffe171b92134e2e81b6374ac6be879eb420208ecd77911b7d157db587510347e56ecb72aec34ac90fbe6'
+ '15b00b0dc9122f98ce8d7b55668fdfbb2e0387563e7d9ad6c0ebc73b75e46e1ccdb3a2186a453795a1b3e2d45358ff5a8076d5cf30319ab2c21539d20cff81c6'
+ '6fd0ea962f077f92ad7f55a1bab479e68e3463b41eb171d501847554b676b7ecf05e016544f6331bdb53bf71038fcf2ce67ad213d0a7c2f93acbafd72e8441a6'
'a6f2361c7aa83e63b9a557500406b0cd660e0d7f8b16345f859faa3f96e22bdcecd7589711960486fa0401896291f7d46f66882744c69117fc146056f4a49028')
@@ -48,8 +53,14 @@ check() {
package() {
# setup systemd service
install -D -m 0644 "$srcdir/bitwarden_rs.service" "$pkgdir/usr/lib/systemd/system/bitwarden_rs.service"
+
+ # declarative setup of user and directory
+ install -D -m 0644 "$srcdir/bitwarden_rs.sysusers.conf" "$pkgdir/usr/lib/sysusers.d/bitwarden_rs.conf"
+ install -D -m 0644 "$srcdir/bitwarden_rs.tmpfiles.conf" "$pkgdir/usr/lib/tmpfiles.d/bitwarden_rs.conf"
+
# copy default config file
install -D -m 0644 "$srcdir/$_pkgbase/.env.template" "$pkgdir/etc/bitwarden_rs.env"
+
# copy binary
install -D -m0755 "$srcdir/$_pkgbase/target/release/bitwarden_rs" "$pkgdir/usr/bin/bitwarden_rs"
}
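Review bot: The two added install lines hard-code `bitwarden_rs` in both the source and destination path, while the source array in the previous hunk derives the very same filenames from `${_pkgbase}`, and the mode flag is written `-m 0644` next to the existing `-m0755`; for consistency within package() I would write `install -Dm644 "$srcdir/${_pkgbase}.sysusers.conf" "$pkgdir/usr/lib/sysusers.d/${_pkgbase}.conf"` and the tmpfiles line the same way. Since post_install no longer creates the account or the data directory, the new block deserves a comment stating what now does that work, e.g. `# user and /var/lib/bitwarden_rs are created by pacman's systemd-sysusers/systemd-tmpfiles hooks, not by .install`. The `backup=()` array is outside this hunk, so I cannot tell from here whether the `/etc/bitwarden_rs.env` line (context, not part of this change) is protected on upgrade.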
diff --git a/bitwarden_rs.install b/bitwarden_rs.install
index a9ad0060b616..ce116456f22e 100644
--- a/bitwarden_rs.install
+++ b/bitwarden_rs.install
@@ -1,16 +1,4 @@
post_install() {
- # Create users and data directory
-
- echo "Adding user bitwarden_rs and creating data directory /var/lib/bitwarden_rs ..."
- mkdir -p /var/lib/bitwarden_rs
- getent group bitwarden_rs &>/dev/null || groupadd -r bitwarden_rs >/dev/null
- getent passwd bitwarden_rs &>/dev/null || useradd -r -g bitwarden_rs -d /var/lib/bitwarden_rs -s /usr/bin/nologin bitwarden_rs >/dev/null
- chown bitwarden_rs:bitwarden_rs /var/lib/bitwarden_rs
- chmod 0750 /var/lib/bitwarden_rs
-
- # Load service file
- systemctl --quiet daemon-reload
-
echo ""
echo "##########"
echo "#"
@@ -23,16 +11,7 @@ post_install() {
}
post_upgrade() {
- # Reload service file
- systemctl --quiet daemon-reload
- echo ""
- echo "##########"
- echo "#"
echo "# Remember to restart the bitwarden_rs unit via 'systemctl restart bitwarden_rs.service', if neccessary."
- echo "#"
- echo "##########"
- echo ""
-
}
pre_remove() {
@@ -41,8 +20,6 @@ pre_remove() {
}
post_remove() {
- # Unload service
- systemctl --quiet daemon-reload
echo ""
echo "##########"
echo "#"
diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index 458600a27ea6..c8263ff33640 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
@@ -14,16 +14,31 @@ ExecStart=/usr/bin/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
-# Isolate bitwarden_rs from the rest of the system
+
+# Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
PrivateTmp=true
PrivateDevices=true
+
ProtectHome=true
ProtectSystem=strict
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+
+RestrictNamespaces=yes
+
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/var/lib/bitwarden_rs
ReadWriteDirectories=/var/lib/bitwarden_rs
+
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
+# Restrict bitwarden_rs to only this capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
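Review bot: The new sandboxing block installs a seccomp filter via `SystemCallFilter=@system-service` but does not set `NoNewPrivileges=true` explicitly; systemd implies it for a filtered, unprivileged service in most configurations, but spelling it out documents the intent and removes the dependency on that implication (the `[Service]` header and any `User=` line are above the hunk, so I can only infer from `AmbientCapabilities=` that the unit runs as a non-root user). A few cheap settings that are usually paired with this set are absent and would fit the same change: `LockPersonality=yes`, `RestrictRealtime=yes` and `RestrictSUIDSGID=yes`; running `systemd-analyze security bitwarden_rs.service` after the edit shows what exposure remains. `ReadWriteDirectories=` survives as a context line; it is the older spelling of `ReadWritePaths=` and could be modernized while this file is being hardened. The new comment also carries a typo: `# Prevent bitwarden_rs from doing anything stupid and/or unnecessary.`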
diff --git a/bitwarden_rs.sysusers.conf b/bitwarden_rs.sysusers.conf
new file mode 100644
index 000000000000..344eab9ab504
--- /dev/null
+++ b/bitwarden_rs.sysusers.conf
@@ -0,0 +1 @@
+u bitwarden_rs - "User for bitwarden_rs service"
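Review bot: The `u` line omits the home-directory field, whereas the `useradd` removed from bitwarden_rs.install in this same commit passed `-d /var/lib/bitwarden_rs -s /usr/bin/nologin`, so accounts created on fresh installs will get systemd-sysusers' default home rather than the data directory the unit uses as `WorkingDirectory=`. To keep the previous layout I would write `u bitwarden_rs - "User for bitwarden_rs service" /var/lib/bitwarden_rs`; the shell field can stay at its nologin default. Existing installations are unaffected either way, because systemd-sysusers leaves users that already exist untouched.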
diff --git a/bitwarden_rs.tmpfiles.conf b/bitwarden_rs.tmpfiles.conf
new file mode 100644
index 000000000000..b6af34830524
--- /dev/null
+++ b/bitwarden_rs.tmpfiles.conf
@@ -0,0 +1 @@
+d /var/lib/bitwarden_rs 0750 bitwarden_rs bitwarden_rs
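Review bot: This entry can only be applied once the bitwarden_rs user exists, and with user creation moved out of post_install into the sysusers file, correctness on a fresh install now rests on pacman running the systemd-sysusers hook before the systemd-tmpfiles hook (hooks run in filename order, which yields that sequence, but neither hook ships in this package, so the assumption deserves a comment). `d` also adjusts the mode and ownership of a directory that already exists, so the `0750 bitwarden_rs bitwarden_rs` line should converge installs set up by the old post_install rather than conflict with them. A short header such as `# data directory; must match ReadWriteDirectories= in bitwarden_rs.service` would make the coupling to the unit visible to whoever edits either file next.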