-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 7 | ||||
-rw-r--r-- | bitwarden_rs.service | 39 |
3 files changed, 37 insertions, 13 deletions
@@ -1,7 +1,7 @@
 pkgbase = bitwarden_rs
 pkgdesc = An unofficial lightweight implementation of the bitwarden-server using rust and sqlite. Does NOT include the web-interface.
 pkgver = 1.14.2
- pkgrel = 2
+ pkgrel = 3
 url = https://github.com/dani-garcia/bitwarden_rs
 install = bitwarden_rs.install
 arch = i686
@@ -25,7 +25,7 @@ pkgbase = bitwarden_rs
 source = 0001-Disable-Vault.patch
 sha512sums = 242f10592dec87b83cd9ea360dc83901cb8adaf019c9220ea910824d8f9a7d98c713ff37ddc3f0522a1961006a899c38d1c4ebd3394190267d845c81325eeb88
 sha512sums = ae1e05b613d3178bf3fa273ff6661c567140a43826e681b5164ef7d101c1243e5ff93e9caf7193984626d363b8b8b7c076e6646b865699d4cbe482a3dc4f91e7
- sha512sums = 60a406c8fea4bb651974b3fd386f66a0fcf73bfcc29bffe171b92134e2e81b6374ac6be879eb420208ecd77911b7d157db587510347e56ecb72aec34ac90fbe6
+ sha512sums = 6f6b05881ee3344bdc553fae00a709404ddd086af347f909b3f3a620aabd2294b7dd2892472cd72515e9ceced2449eacbd9ef24626a1429776ea4599673a665b
 sha512sums = 15b00b0dc9122f98ce8d7b55668fdfbb2e0387563e7d9ad6c0ebc73b75e46e1ccdb3a2186a453795a1b3e2d45358ff5a8076d5cf30319ab2c21539d20cff81c6
 sha512sums = 6fd0ea962f077f92ad7f55a1bab479e68e3463b41eb171d501847554b676b7ecf05e016544f6331bdb53bf71038fcf2ce67ad213d0a7c2f93acbafd72e8441a6
 sha512sums = 9fde678747d120704d0d99751af1eebd89ba2643af5917da9d9d2a8712fe5bb6ef1d3545d3b669467d14cab51c0c1514853364f323ff92bab7e7ed8501fe5b56
@@ -4,7 +4,7 @@
 pkgname=bitwarden_rs
 _pkgbase=bitwarden_rs
 pkgver=1.14.2
-pkgrel=2
+pkgrel=3
 pkgdesc="An unofficial lightweight implementation of the bitwarden-server using rust and sqlite. Does NOT include the web-interface."
 arch=('i686' 'x86_64' 'armv7h' 'aarch64')
 url="https://github.com/dani-garcia/bitwarden_rs"
@@ -23,7 +23,7 @@ source=("https://github.com/dani-garcia/bitwarden_rs/archive/$pkgver.tar.gz"
 "0001-Disable-Vault.patch")
 sha512sums=('242f10592dec87b83cd9ea360dc83901cb8adaf019c9220ea910824d8f9a7d98c713ff37ddc3f0522a1961006a899c38d1c4ebd3394190267d845c81325eeb88'
 'ae1e05b613d3178bf3fa273ff6661c567140a43826e681b5164ef7d101c1243e5ff93e9caf7193984626d363b8b8b7c076e6646b865699d4cbe482a3dc4f91e7'
- '60a406c8fea4bb651974b3fd386f66a0fcf73bfcc29bffe171b92134e2e81b6374ac6be879eb420208ecd77911b7d157db587510347e56ecb72aec34ac90fbe6'
+ '6f6b05881ee3344bdc553fae00a709404ddd086af347f909b3f3a620aabd2294b7dd2892472cd72515e9ceced2449eacbd9ef24626a1429776ea4599673a665b'
 '15b00b0dc9122f98ce8d7b55668fdfbb2e0387563e7d9ad6c0ebc73b75e46e1ccdb3a2186a453795a1b3e2d45358ff5a8076d5cf30319ab2c21539d20cff81c6'
 '6fd0ea962f077f92ad7f55a1bab479e68e3463b41eb171d501847554b676b7ecf05e016544f6331bdb53bf71038fcf2ce67ad213d0a7c2f93acbafd72e8441a6'
 '9fde678747d120704d0d99751af1eebd89ba2643af5917da9d9d2a8712fe5bb6ef1d3545d3b669467d14cab51c0c1514853364f323ff92bab7e7ed8501fe5b56')
@@ -38,7 +38,8 @@ build() {
 #build bitwarden_rs
 cd "$srcdir/$_src"
 patch -N -p1 -i "$srcdir/0001-Disable-Vault.patch"
- cargo build --release --locked --features sqlite
+
+ BWRS_VERSION="$pkgver-archlinux-sqlite-$pkgrel" cargo build --release --locked --features sqlite
 rustup set profile $RUSTUP_PROFILE 2>/dev/null && echo "Set rustup profile back to '$RUSTUP_PROFILE'."
 }
diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index c8263ff33640..1786588d31cb 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
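Review bot: The added `BWRS_VERSION="$pkgver-archlinux-sqlite-$pkgrel"` prefix on the `cargo build` line in build() carries no comment saying what consumes it, and its literal `sqlite` repeats the `--features sqlite` argument on the same line, so the reported string can drift from the backend actually built. I would add a comment above it such as `# BWRS_VERSION: version string compiled into the binary (presumably read by upstream's build script; confirm)` and derive both uses from one variable. A distinct packaged version string helps operators verify which build of the server is deployed when checking patch status. build() begins above this hunk, so its earlier lines are not visible here.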
@@ -7,38 +7,61 @@ After=network.target
 # The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
 User=bitwarden_rs
 Group=bitwarden_rs
+
 # The location of the .env file for configuration
 EnvironmentFile=/etc/bitwarden_rs.env
+
 # The location of the compiled binary
 ExecStart=/usr/bin/bitwarden_rs
+
 # Set reasonable connection and process limits
 LimitNOFILE=1048576
 LimitNPROC=64
+# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
+WorkingDirectory=/var/lib/bitwarden_rs
+ReadWritePaths=/var/lib/bitwarden_rs
+
 # Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
-PrivateTmp=true
-PrivateDevices=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+
+PrivateTmp=yes
+PrivateDevices=yes
-ProtectHome=true
+ProtectHome=yes
 ProtectSystem=strict
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+RemoveIPC=yes
+UMask=0077
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
-WorkingDirectory=/var/lib/bitwarden_rs
-ReadWriteDirectories=/var/lib/bitwarden_rs
 # Allow bitwarden_rs to bind ports in the range of 0-1024
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 # Restrict bitwarden_rs to only this capability
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# If bitwarden_rs is run at ports >1024, you can enable (remove the leading '#' of)
+# the following lines:
+#PrivateUsers=yes
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+
 [Install]
WantedBy=multi-user.target |
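Review bot: The unit still grants `CAP_NET_BIND_SERVICE` by default and leaves the stricter `#PrivateUsers=yes` / `#CapabilityBoundingSet=` / `#AmbientCapabilities=` variant commented out at the end of the hunk, so an instance listening on a high port keeps a capability it does not need; if the packaged default port is above 1024 (not visible here), the least-privilege form should be the default and the capability the opt-in. The added `SystemCallFilter=~@resources` and `SystemCallFilter=~@privileged` lines terminate the process when a filtered call is made, so either say so in a comment or add `SystemCallErrorNumber=EPERM` if a hard kill of the service is not the intended failure mode. `UMask=0077` only covers files the service creates, not `/etc/bitwarden_rs.env`, which may hold secrets and needs its own restrictive mode set by the package. The [Service] section begins above the hunk, so earlier directives are not visible here.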