bitwarden_gcloud's Issues

ddns with Cloudflare not working

Using the syntax on your website, I can't get dynamic DNS updates with Cloudflare running.
The following messages show up repeatedly (<my-domain> and <my-ip> were redacted):

ddns  | SUCCESS:  updating <my-domain>: IPv4 address set to <my-IP>
ddns  | WARNING:  skipping update of <my-domain> from <nothing> to <my-IP>.
ddns  | WARNING:  last updated Fri Jan 20 20:30:13 2023 but last attempt on Fri Jan 20 20:30:13 2023 failed.
ddns  | WARNING:  Wait at least 5 minutes between update attempts.

The Cloudflare audit logs show no activity. I've tried this with my global API key, an API token, and another IP check website (ifconfig.me/ip).

Fail2ban not sending shutdown and startup emails

Fail2ban not sending shutdown and startup emails.
My SMTP has been configured properly as I have tested it with the admin page.
Do I have to change these variables and if so, what should be the value of SMTP_TLS?

# For fail2ban, YES or NO
#SMTP_TLS=

Port is already allocated on restart

Bind for 0.0.0.0:443 failed: port is already allocated

Already tried docker-compose down and docker-compose up again to no avail. Any idea why this keeps on happening? Already happened twice.

[Feature request] Cloudflare Support

Is it possible to use Cloudflare Origin CA and Cloudflare proxy instead of letsencrypt?

This can also solve the issue of traffic to China and Australia because Cloudflare will choose the nearest datacenter to your VM.

But fail2ban must be reconfigured to use CF-Connecting-IP instead of the origin IP
https://guides.wp-bullet.com/integrate-fail2ban-cloudflare-api-v4-guide/

And also block all traffic that comes from anywhere other than Cloudflare https://www.cloudflare.com/zh-tw/ips/ .

[Suggestion] Integrate with Argo tunnel

I integrated my bitwarden_gcloud with Cloudflare Argo tunnel

Argo tunnel is not Argo, it's free for everyone. It's more like ngrok.
It will establish a reverse tunnel from your machine to Cloudflare's node first, then redirect external requests to your machine.
So you can even host your server on a LAN without setting up port forwarding! This is perfect for our scenario.

So, with this setup, we have the following advantages:

  1. We don't need to expose ANY port at all.
    I even turned off external SSH traffic at the firewall to prevent any unwanted traffic.
    Now, anyone can reach my server through the Argo tunnel only.
  2. No traffic to Australia / China
    Because cloudflared will choose the nearest node to connect to in the first stage.
  3. DDNS/Static IP no longer required.
  4. Let's Encrypt no longer required. Cloudflare will handle the SSL certificate for us as long as our domain is not expired.

Disadvantage: fail2ban does not work for now because all connections come from 127.0.0.1 via cloudflared.
Although you can read the actual IP from the CF-Connecting-IP header, you still need to use the Cloudflare API to ban it.

I am not sure whether it is a good idea to submit a pull request because my version and your version are quite different now.
The biggest difference is I use git as my backup engine, instead of your rclone.
All my backups are stored in my private repo and tracked by git version control.

If you are OK with that, I can submit a pull request later.
If you aren't, I still think integrating this with Argo tunnel is a good idea.

Change from F1 to E2

We’ve identified that you’re using an F1-micro instance that is a part of the Compute Engine Free Tier. As we improve the experience of the Free Tier, we will be introducing the E2-micro VM, which is a part of a second generation VM family. It offers additional resources for your use, specifically 0.25 vCPU (which burst to 2 vCPU periodically) and 1 GB of RAM.

What do I need to know?
The Free Tier F1-micro VM is changing to the E2-micro VM as the VM to use for free. On August 1, 2021, E2-micro Free Tier will be introduced. Follow these steps to change your machine type to E2-micro to avoid incurring charges for continuing to use F1-micro after August 31, 2021.

What do I need to do?
Starting August 1, 2021, change the machine type from F1-micro, or stop your existing F1-micro instance and begin using an E2-micro instance. VMs created with either method will automatically have the Free Tier discount applied to them. The supported regions will remain the same.

Watchtower Logs Image Pull

Hi Bradford,

Thanks again for your work on this. I looked into my watchtower logs and saw this:

watchtower      | time="2023-01-26T12:49:53-05:00" level=info msg="Watchtower 1.5.1"
watchtower      | time="2023-01-26T12:49:53-05:00" level=info msg="Using no notifications"
watchtower      | time="2023-01-26T12:49:53-05:00" level=info msg="Checking all containers (except explicitly disabled with label)"
watchtower      | time="2023-01-26T12:49:53-05:00" level=info msg="Scheduling first run: 2023-01-29 03:00:00 -0500 EST"
watchtower      | time="2023-01-26T12:49:53-05:00" level=info msg="Note that the first check will be performed in 62 hours, 10 minutes, 6 seconds"
watchtower      | time="2023-01-29T03:00:09-05:00" level=warning msg="Could not do a head request for \"bitwarden_gcloud_proxy:latest\", falling back to regular pull." container=/proxy image="bitwarden_gcloud_proxy:latest"
watchtower      | time="2023-01-29T03:00:09-05:00" level=warning msg="Reason: registry responded to head request with \"401 Unauthorized\", auth: \"Bearer realm=\\\"https://auth.docker.io/token\\\",service=\\\"registry.docker.io\\\",scope=\\\"repository:library/bitwarden_gcloud_proxy:pull\\\",error=\\\"insufficient_scope\\\"\"" container=/proxy image="bitwarden_gcloud_proxy:latest"
watchtower      | time="2023-01-29T03:00:10-05:00" level=info msg="Unable to update container \"/proxy\": Error response from daemon: pull access denied for bitwarden_gcloud_proxy, repository does not exist or may require 'docker login': denied: requested access to the resource is denied. Proceeding to next."
watchtower      | time="2023-01-29T03:00:10-05:00" level=info msg="Session done" Failed=0 Scanned=6 Updated=0 notify=no

I wasn't able to find any reference to a bitwarden_gcloud_proxy:latest image anywhere in the docker_compose.yml either. Based on the information I can see, it seems like I can ignore this error? Can you confirm?

DDNS stopped working

Since a while I am getting an insecure connection warning when opening my Vaultwarden vault using Chrome. In the logs of the DDNS container I see this message:
ddns | Invalid version format (non-numeric data) at /usr/bin/ddclient line 24.
How do I fix this?

Firefox addon broken

The bitwarden addon for Firefox appears to have been updated. The login box now displays the self-hosted URL. Unfortunately, the new version gives an invalid username/password error with self-hosted URLs but seems to work with a standard bitwarden account. MSFT Edge continues to show the old design and allows login+sync to the self-hosted server.

Has anyone encountered this situation? Are there any suggestions to debug/fix this? Can the server put in the log whether the login request was processed by the server?

[question] backup/sync options

Thanks for publishing this project. Even though this was my first foray into GCP and docker, I had no issues other than getting google domains working correctly with ddclient. I was wondering what is the best way to back up the vault or sync it to other systems (e.g. a home bitwarden server). Is there a single data file/directory that can be easily backed up somewhere? Any plans to add this functionality to this project?

Error creating VM instance

Hi there,

Really appreciate your work, however I'm getting an error from google cloud when I try to spin up the VM with the commands you provided. It's probably something basic since I'm relatively new to this.

gcloud compute instances create bitwarden \
    --machine-type f1-micro \
    --zone us-central1-a \
    --image-project cos-cloud \
    --image-family cos-stable \
    --boot-disk-size=30GB \
    --tags http-server,https-server \
    --scopes compute-ro

returns the following:

ERROR: (gcloud.compute.instances.create) The project property is set to the empty string, which is invalid. To set your project, run: $ gcloud config set project PROJECT_ID or to unset it, run: $ gcloud config unset project

New free tier misconfigured

Hi, the default configuration you use is not applicable for the E2 free tier.

"Google Cloud Free Tier does not include external IP addresses"

you would have to supply --no-address and configure a bunch of other stuff, to stay in line with that.

TLS proxy error

I have been following your tutorial (in fact very good and easy to understand), but I am in the middle of an error that I cannot understand why it occurs.
I try to enter my static IP in GCP and this error appears. I have tried creating my own cert and key .pem, which I add in the .env and also in the Caddyfile.
Maybe you know what my mistake might be?
Thank you!

f1d0cf4382b1_proxy | 2020/07/29 18:28:50 http: TLS handshake error from XX.XX.XX.XX: no certificate available for '172.18.0.5'
f1d0cf4382b1_proxy | 2020/07/29 18:28:50 http: TLS handshake error from XX.XX.XX.XX: no certificate available for '172.18.0.5'
f1d0cf4382b1_proxy | 2020/07/29 18:28:51 http: TLS handshake error from XX.XX.XX.XX: no certificate available for '172.18.0.5'
f1d0cf4382b1_proxy | 2020/07/29 18:28:51 http: TLS handshake error from XX.XX.XX.XX: no certificate available for '172.18.0.5'

Cannot send emails on Google Cloud

Tried many email servers and settings, cPanel and Gmail as well. Working fine on VPS but not on Google Cloud Instance.

Logs

[2020-10-08 10:55:55.994][request][INFO] POST /admin/test/smtp/
[2020-10-08 10:56:11.645][error][ERROR] SmtpError.
[CAUSE] Io(
Os {
code: 11,
kind: WouldBlock,
message: "Resource temporarily unavailable",
},
)
[2020-10-08 10:56:11.645][response][INFO] POST /admin/test/smtp (test_smtp) => 400 Bad Request

Update instructions

Google takes care of automatically updating the OS. Are there any standard instructions to pull all latest updates for an old installation of this project from github? Is periodic git pull recommended?

Want to use a new domain using Caddy

Hello There,

I have already configured Bitwarden using this Github repo.

Now My client wants to use a new domain on that server for another application.

Can you please guide me how to put that domain name alongside the Bitwarden domain, with SSL enabled as well.

I want to use a reverse proxy.

error in proxy and bitwarden logs

Hi,
any thoughts how this error in the proxy container logs can be avoided?

proxy | {"level":"error","ts":1672992906.1859872,"logger":"http","msg":"looking up info for HTTP challenge","host":"xx.xxx.de","error":"no information found to solve challenge for identifier: xx.xxx.de"}

potentially related error in bitwarden container logs:

bitwarden | [2023-01-06 09:10:18.098][_][WARN] Responding with registered (not_found) 404 catcher.
bitwarden | [2023-01-06 09:15:06.381][_][WARN] Parameter guard p: PathBuf is forwarding: BadStart('.').
bitwarden | [2023-01-06 09:15:06.381][_][ERROR] No matching routes for GET /.well-known/acme-challenge/RN_U0zFlBL_SiQnhQcqIR6aL0sAOXFnK6wU-M9ip0RA.
bitwarden | [2023-01-06 09:15:06.381][_][WARN] Responding with registered (not_found) 404 catcher.
bitwarden | [2023-01-06 13:04:53.934][request][INFO] GET /api/devices/knowndevice/[email protected]/73833eb1-5adb-44df-99d0-5b6705c9ad48

Thanks!

SMTP support for less secure apps

Google recently announced they will no longer support less secure apps accessing their services. See below:

However, for the SMTP section in .env to do its job, this is a requirement if you want to use Google's SMTP servers.
Is there another way to use it with the new security policy in place?

[question] ddns not able to connect to cloudflare api

Great project, got everything up and running, vaultwarden is accessible, but also configured DDNS with cloudflare, which seems not to work with following log message:
ddns | FAILED: updating xx.domain.xx: Could not connect to api.cloudflare.com/client/v4.

my ddclient.conf looks like this
use=web, web=checkip.dyndns.org/, web-skip='IP Address' # found after IP Address

CloudFlare (www.cloudflare.com)

protocol=cloudflare
zone=xxx.de
ttl=0
login=token # Only needed if you are using your global API key. If you are using an API token, set it to "token" (without double quotes).
password=APItoken# # This is either your global API key, or an API token. If you are using an API token, it must have the permissions "Zone - DNS - Edit" and "Zone - Zone - Read". The Zone resources must be "Include - All zones".
xx.xxx.de

Did anybody experience this as well and has a hint how to fix this, looks like ddns has no access to the web?!
Thanks!

rclone failed to create config file

By default, rclone.conf file is located in the /data/rclone.conf folder, data folder in backup container is mounted as read-only, so rclone cannot create or modify the configuration file.
Solution: change the path to rclone.conf and give the folder where the configuration file is located write permissions.
Example: in .env change the line BACKUP_RCLONE_CONF=/data/rclone.conf to BACKUP_RCLONE_CONF=/data/rclone/rclone.conf and in docker-compose.yml add - ${PWD}/bitwarden/rclone:/data/rclone to volumes:

iPhone Sync time out

On iPhone, for the first sync, I get "Exception message: the request has expired"... so I can't sync my passwords...
On my computer it works, but the first authentication takes very long, with no time out.

VM freezes after auto updated

Hi, thank you for setting up the project. Today I found the GCP VM instance frozen - not able to open any webpage, not able to SSH into the machine.

From the console I can see there is an error right after the reboot and update. Then the CPU and disk usage have been very high for the rest of the day. I tried to reboot the instance from the console, but it didn't help. The CPU usage was still very high.

Does anyone else have this issue today or before? I managed to fix the issue by turning it off for an hour and restarting all docker containers.


Attached the GCP log and CPU monitor graph.

{
  "insertId": "10",
  "jsonPayload": {
    "bootCounter": "3",
    "@type": "type.googleapis.com/cloud_integrity.IntegrityEvent",
    "lateBootReportEvent": {
      "policyEvaluationPassed": false,
      "actualMeasurements": [
        {
          "pcrNum": "PCR_0",
          "value": "UcMj3gwMaU9GAc3QK+tY/xNin3Q=",
          "hashAlgo": "SHA1"
        },
        {
          "pcrNum": "PCR_4",
          "value": "joEJJy/jTEhTw0+EsfsL0vjiwso=",
          "hashAlgo": "SHA1"
        },
        {
          "pcrNum": "PCR_5",
          "value": "vmeIcR8mGESZIKZKAgVNYYY+QFw=",
          "hashAlgo": "SHA1"
        },
        {
          "value": "oiHFqlAmHCH6ZlnJprPlJFd/yxw=",
          "pcrNum": "PCR_7",
          "hashAlgo": "SHA1"
        },
        {
          "pcrNum": "PCR_8",
          "hashAlgo": "SHA1",
          "value": "aeZdy3+ccTB0TEk5N2+u3t+cjdE="
        },
        {
          "value": "mqgxkyUdzWlZb5x3pHRUthvQybo=",
          "hashAlgo": "SHA1",
          "pcrNum": "PCR_9"
        }
      ],
      "policyMeasurements": [
        {
          "hashAlgo": "SHA1",
          "pcrNum": "PCR_0",
          "value": "UcMj3gwMaU9GAc3QK+tY/xNin3Q="
        },
        {
          "pcrNum": "PCR_4",
          "value": "joEJJy/jTEhTw0+EsfsL0vjiwso=",
          "hashAlgo": "SHA1"
        },
        {
          "pcrNum": "PCR_7",
          "hashAlgo": "SHA1",
          "value": "oiHFqlAmHCH6ZlnJprPlJFd/yxw="
        },
        {
          "hashAlgo": "SHA1",
          "value": "+SMuzZi6Mon8TNGawCYlUolcPH8=",
          "pcrNum": "PCR_8"
        },
        {
          "pcrNum": "PCR_9",
          "hashAlgo": "SHA1",
          "value": "qn51Aa8ACMGXHClTIzLpVoN6aVA="
        }
      ]
    }
  },
  "resource": {
    "type": "gce_instance",
    "labels": {

    }
  },
  "timestamp": "2021-04-06T06:00:13.402710160Z",
  "severity": "ERROR",
  "logName": "projects/jl-services/logs/compute.googleapis.com%2Fshielded_vm_integrity",
  "receiveTimestamp": "2021-04-06T06:00:15.411251379Z"
}

[screenshot: CPU monitor graph]
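The integrity event above is worth reading rather than just clearing: GCE compares the late-boot PCR values against the baseline ("integrity policy") captured when the VM first booted, and reports a failure without blocking the boot. In this event PCR_0, PCR_4 and PCR_7 (firmware, boot loader, Secure Boot state) still match the baseline, while PCR_8 and PCR_9 (the kernel and its command line as measured by the boot loader) have moved, which is exactly what a Container-Optimized OS auto-update produces. The check below is an added example, not part of the post or of bitwarden_gcloud; it parses the posted event (trimmed to the fields it uses), lists which PCRs diverged from the baseline, and classifies the result so that "only late-boot PCRs changed after an update" is separated from "a firmware/boot-loader PCR changed", which would deserve investigation before re-learning the baseline. Once the update is confirmed legitimate, the baseline is refreshed with `gcloud compute instances update INSTANCE --shielded-learn-integrity-policy`. The early/late PCR split and the `classify` rule are this example's own assumptions.

```python
import base64
import json

# The lateBootReportEvent from the log posted above, trimmed to the fields the check uses.
SAMPLE_EVENT = json.loads(r'''{
  "jsonPayload": {
    "bootCounter": "3",
    "lateBootReportEvent": {
      "policyEvaluationPassed": false,
      "actualMeasurements": [
        {"pcrNum": "PCR_0", "hashAlgo": "SHA1", "value": "UcMj3gwMaU9GAc3QK+tY/xNin3Q="},
        {"pcrNum": "PCR_4", "hashAlgo": "SHA1", "value": "joEJJy/jTEhTw0+EsfsL0vjiwso="},
        {"pcrNum": "PCR_5", "hashAlgo": "SHA1", "value": "vmeIcR8mGESZIKZKAgVNYYY+QFw="},
        {"pcrNum": "PCR_7", "hashAlgo": "SHA1", "value": "oiHFqlAmHCH6ZlnJprPlJFd/yxw="},
        {"pcrNum": "PCR_8", "hashAlgo": "SHA1", "value": "aeZdy3+ccTB0TEk5N2+u3t+cjdE="},
        {"pcrNum": "PCR_9", "hashAlgo": "SHA1", "value": "mqgxkyUdzWlZb5x3pHRUthvQybo="}
      ],
      "policyMeasurements": [
        {"pcrNum": "PCR_0", "hashAlgo": "SHA1", "value": "UcMj3gwMaU9GAc3QK+tY/xNin3Q="},
        {"pcrNum": "PCR_4", "hashAlgo": "SHA1", "value": "joEJJy/jTEhTw0+EsfsL0vjiwso="},
        {"pcrNum": "PCR_7", "hashAlgo": "SHA1", "value": "oiHFqlAmHCH6ZlnJprPlJFd/yxw="},
        {"pcrNum": "PCR_8", "hashAlgo": "SHA1", "value": "+SMuzZi6Mon8TNGawCYlUolcPH8="},
        {"pcrNum": "PCR_9", "hashAlgo": "SHA1", "value": "qn51Aa8ACMGXHClTIzLpVoN6aVA="}
      ]
    }
  },
  "severity": "ERROR"
}''')

DIGEST_LEN = {"SHA1": 20, "SHA256": 32}
# Assumption used by classify(): PCR 0-7 describe firmware/boot loader/Secure Boot,
# PCR 8-9 describe the kernel and command line the boot loader measured.
EARLY_BOOT_PCRS = {f"PCR_{i}" for i in range(8)}


def _pcr_index(name):
    return int(name.split("_", 1)[1])


def pcr_map(measurements):
    """{pcrNum: digest bytes}; rejects a value that is not a digest of the declared length."""
    out = {}
    for m in measurements:
        digest = base64.b64decode(m["value"], validate=True)
        if len(digest) != DIGEST_LEN[m["hashAlgo"]]:
            raise ValueError(f"{m['pcrNum']}: {len(digest)}-byte value for {m['hashAlgo']}")
        out[m["pcrNum"]] = digest
    return out


def diff_late_boot(event):
    """Compare actual late-boot measurements with the integrity-policy baseline."""
    report = event["jsonPayload"]["lateBootReportEvent"]
    actual = pcr_map(report["actualMeasurements"])
    policy = pcr_map(report["policyMeasurements"])
    return {
        "passed": report["policyEvaluationPassed"],
        "changed": sorted((p for p in actual.keys() & policy.keys() if actual[p] != policy[p]), key=_pcr_index),
        "not_in_policy": sorted(actual.keys() - policy.keys(), key=_pcr_index),
        "missing_from_actual": sorted(policy.keys() - actual.keys(), key=_pcr_index),
    }


def classify(diff):
    """'ok'; 'os-update' when only late-boot PCRs moved (re-learn the baseline after confirming
    the update); 'investigate' when a firmware/boot-loader PCR moved or a baseline PCR is gone."""
    if diff["passed"]:
        return "ok"
    touched = set(diff["changed"]) | set(diff["missing_from_actual"])
    if touched & EARLY_BOOT_PCRS or diff["missing_from_actual"]:
        return "investigate"
    return "os-update"


if __name__ == "__main__":
    result = diff_late_boot(SAMPLE_EVENT)
    print(result, "->", classify(result))
```

Run against the posted event it reports PCR_8 and PCR_9 as changed, PCR_5 as measured but absent from the baseline, and classifies the event as an OS update; feeding it an event where PCR_0 or PCR_7 differ yields "investigate" instead.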

Issue with SMTP_TLS in .env

When starting/stopping the container with docker-compose, I see this message:
The SMTP_TLS variable is not set. Defaulting to a blank string.

What is the use of SMTP_TLS and what should be its value if any?

Newbie user need help for proxy/cloudflare/https

Hi,
Thanks for providing this great arrangement. I just want to request that you please help us make an arrangement without the help of Cloudflare. As for ddclient, they provide it only if we have a paid service or a domain from them. Please elaborate your mechanism only with freely available services like duckdns, Let's Encrypt etc.
For free domains & the Cloudflare service I am getting this "error": "You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard."

Also one expert suggested SWAG to me:
https://docs.linuxserver.io/general/swag

Instance has become inaccessible

Hi all. Long time user here.

My instance just became inaccessible on its usual domain. I restarted the VM from the compute console. Access didn't return. Cloudflare is my DNS and the record is pointing to the correct Google VM Static IP.

This site can’t be reached

SSH'd in and viewed logs, only obvious error was the ddclient line 24 that has previously been closed.

So I did docker-compose pull, down, up -d - Line 24 Error gone but service is still not accessible.

It'd been a while, so I've since followed the previous guidance for git pull, down, up -d. I've also updated my .env to latest version having created a back-up of my previous.

The only things I have noted that may be causing the issue surround caddy.

Firstly

~/bitwarden_gcloud/caddy/data $ cd caddy/ -bash: cd: caddy/: Permission denied

~/bitwarden_gcloud/caddy/data $ cd logs/ -bash: cd: logs/: Permission denied

And from the caddy docker log

{"level":"warn","ts":1698447123.4964879,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}

Any help getting my instance back online would be much appreciated!

how to update a running instance?

Not an issue at all, but I am wondering how to benefit from the enhancements and changes/improvements of this project on a running instance of it?
Just cloning the project again with git clone https://github.com/dadatuputi/bitwarden_gcloud.git plus updating .env and docker-compose.yml manually if required and doing another docker-compose up -d?
Will that work and be enough or is there more to be considered?
Thanks for your support and comments/advice.

Tags do not allow HTTP/HTTPS automatically

First off, thanks for this AWESOME project! 🚀

I used the provided Google Cloud console command to create my VM instance and the tags mentioned in your documentation no longer open the firewall for those respective ports incoming.

gcloud compute instances create bitwarden \
    --machine-type f1-micro \
    --zone us-central1-a \
    --image-project cos-cloud \
    --image-family cos-stable \
    --boot-disk-size=30GB \
    --tags http-server,https-server \
    --scopes compute-rw

To resolve this...I had to edit my VM instance and check the boxes shown below.

[screenshot of the VM instance edit page]

Can't get admin page enabled

I've set this in my .env file:

SIGNUPS_ALLOWED=false
ADMIN_TOKEN=***

But I keep getting this message on the /admin page: The admin panel is disabled, please configure the 'ADMIN_TOKEN' variable to enable it

(I've restarted the container after updating the .env file)

Any ideas?

Marked as “Dangerous” by Google

A few days ago, after months of self-hosted Bitwarden on Google Cloud working properly, I started receiving connection errors using the Bitwarden Android app, and seeing this when using the Bitwarden Chrome extension:

[screenshot]

Has anyone else had this problem and been able to fix it?

Can not encrypt backup files.

Whenever I enable encryption using the BACKUP_ENCRYPTION_KEY variable, backup files aren't created and there are errors in the logs.
I think the problem is in the section of the backup script;
# If a password is provided, run it through openssl
if [ -n "$BACKUP_ENCRYPTION_KEY" ]; then
    BACKUP_FILE=$BACKUP_FILE.aes256
    tar -czf - -C $SQL_BACKUP_DIR $SQL_NAME -C $DATA $FILES | openssl enc -e -aes256 -salt -pbkdf2 -pass pass:${BACKUP_ENCRYPTION_KEY} -out $BACKUP_FILE
else
    tar -czf $BACKUP_FILE -C $SQL_BACKUP_DIR $SQL_NAME -C $DATA $FILES
fi

Here's the error log.

Backup file created at /data/backups/bw_backup_2023-09-08-141200.tar.gz.aes256
Running email backup
Email error: Can't stat /data/backups/bw_backup_2023-09-08-141200.tar.gz.aes256: No such file or directory
/data/backups/bw_backup_2023-09-08-141200.tar.gz.aes256: unable to attach file.

If I disable the encryption key, it manages to take a backup:

Running backup to: email
Backup file created at /data/backups/bw_backup_2023-09-08-142800.tar.gz
Running email backup
Sent e-mail (Bitwarden Backup (###@###.com) - bw_backup_2023-09-08-142800.tar.gz) to ###@###.com

Here is my .env file I redacted personal information

### GLOBAL VARIABLES ###

# The fully-qualified domain name for Bitwarden - what address do you want Bitwarden accessible? 
# Do not include the protocol (http/https), that is added when needed in docker-compose.yml
# Used for caddy proxy and ddns with Cloudflare
DOMAIN=###@###.com

# Timezone - used by some containers for logs / cron
# Find your location on this list and use the value in TZ Database Name, e.g Europe/Rome:
#   https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TZ=Europe/#####.###

# SMTP settings for Bitwarden and fail2ban 
# Uncomment and fill in details if you want to use e-mail invitations from bitwarden and e-mail alerts with fail2ban
# SMTP_SECURITY should be either starttls, force_tls, or off
# (see https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration)

SMTP_HOST=#####.###
SMTP_FROM=#####.###
SMTP_PORT=#####.###
SMTP_USERNAME=#####.###
SMTP_PASSWORD=#####.###
SMTP_SECURITY=#####.###
# For fail2ban, YES or NO
SMTP_TLS=#####.###
SMTP_AUTH_MECHANISM="Login"


### BITWARDEN VARIABLES ###

# Setting up Bitwarden for the first time can be done in two ways:
# Uncomment the method you want to use / comment the one you don't
# Method 1. [RECOMMENDED] because it avoids the admin page entirely; using the admin
#   page overrides these environmental variables which can cause confusion.
#   1. Set up your primary account(s) while SIGNUPS_ALLOWED=true
#   2. Set SIGNUPS_ALLOWED=false
#   3. Set the SMTP details above to enable e-mail invitation
#   4. Invite other users from within Bitwarden
#   Keep ADMIN_TOKEN blank to disable access to the admin page entirely.
SIGNUPS_ALLOWED=false
#ADMIN_TOKEN=
VAULTWARDEN_ADMIN_TOKEN=#####.###
# Method 2. Use the admin page to create your first user(s) then disable it.
#   1. Set ADMIN_TOKEN using the command `openssl rand -base64 48`
#   2. Use the admin page (/admin) to create your initial user(s).
#   3. Disable the admin page by clearing the token (ADMIN_TOKEN=)
#SIGNUPS_ALLOWED=false
#ADMIN_TOKEN=
# Note on ADMIN_TOKEN: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token

## Enables push notifications (requires key and id from https://bitwarden.com/host)
# PUSH_ENABLED=true
PUSH_INSTALLATION_ID=#####.###
PUSH_INSTALLATION_KEY=#####.###
## Don't change this unless you know what you're doing.
# PUSH_RELAY_BASE_URI=https://push.bitwarden.com

# Specify YUBIKEY info if desired
#YUBICO_CLIENT_ID=
#YUBICO_SECRET_KEY=
#YUBICO_SERVER=

# Specify which user email addresses can create organizations
# Leave blank to allow all users
[email protected]

# Bitwarden Backup Options
#
#
# GENERAL OPTIONS:
#
# How often to run the backup script; default is daily at midnight
#BACKUP_SCHEDULE=0 0 * * *
BACKUP_SCHEDULE=*/2 * * * *
# How many days of backups to keep
BACKUP_DAYS=30
# Directory to place backups in (& sync from in rclone)
BACKUP_DIR=/data/backups
# Optional encryption key for backup
BACKUP_ENCRYPTION_KEY="test"
# Email address to send backup (BACKUP=email) or notifications (BACKUP_NOTIFY=true)
BACKUP_EMAIL_TO="#####.###"
# Send email notification for rclone|local backup jobs
BACKUP_EMAIL_NOTIFY=true
#
#
# Backup type is any combination of local|email|rclone - e.g., email,rclone
# If you use rclone, follow the instructions below
BACKUP=email
#
# RCLONE BACKUP OPTIONS:
#
# rclone first time run instructions:
#   1. Uncomment lines below and `docker-compose up -d`
#   2. With the backup container running, configure rclone with the following command:
#      `sudo docker exec -it backup ash -c 'rclone config --config $BACKUP_RCLONE_CONF'`
#   3. Follow the prompts and instructions at https://rclone.org/remote_setup/ - you 
#      will most likely need to download a rclone on another computer (it is portable)
#      to authorize.
#   4. The script should run as normal with a working configuration file
#BACKUP_RCLONE_CONF=/data/rclone/rclone.conf
#BACKUP_RCLONE_DEST=/bw_backup


### PROXY / CADDY VARIABLES ###

# EMAIL address to use with Let's Encrypt certificate provisioning
EMAIL=######@#####.###


### DDNS VARIABLES ###

# These variables are only necessary if you are using DDNS / comment them out if you don't use ddns
# Enter user id (use `id -u` to determine your user id)
#PUID=
# Enter group id (use `id -g` to determine your group id)
#PGID=


### COUNTRY BLOCKING VARIABLES ###

# Put any countries you want to block here using their ISO 3166-1 alpha-2 code (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)
# Default is China (CN), Hong Kong (HK), and Australia (AU) because gcloud free tier charges egress to those countries
# Data is pulled from www.ipdeny.com
COUNTRIES=CN HK AU

# How often to update the ip block list - default is daily at midnight; see https://en.wikipedia.org/wiki/Cron#CRON_expression
COUNTRYBLOCK_SCHEDULE=0 0 * * *


### WATCHTOWER VARIABLES ###

# How often should watchtower check for updated container images? Default is every Sunday at 3am
WATCHTOWER_SCHEDULE=0 0 3 ? * 0
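The log in this report prints "Backup file created at ..." and then cannot stat the very same file, so whatever failed inside the `tar ... | openssl ...` pipeline was never checked before success was announced. The following is an added example (not the project's backup script) of the same encryption step done with each stage's exit status checked and a decrypt-and-list round trip before the archive is trusted. It assumes `tar` and an OpenSSL 1.1.1 or newer binary (needed for `-pbkdf2`) on PATH, spells out `-aes-256-cbc`, which is what the script's `-aes256` selects, and passes the key with `-pass env:` instead of `-pass pass:` so the secret never appears in the process list. A failed run deletes any partial output rather than leaving an archive that looks fine but will not decrypt.

```python
import os
import subprocess

# Same cipher and KDF as the script's `openssl enc -e -aes256 -salt -pbkdf2`.
OPENSSL_ARGS = ["-aes-256-cbc", "-salt", "-pbkdf2", "-pass", "env:BACKUP_ENCRYPTION_KEY"]


def _env_with_key(key):
    # The key is handed to openssl through the child's environment only.
    env = dict(os.environ)
    env["BACKUP_ENCRYPTION_KEY"] = key
    return env


def make_encrypted_backup(src_dir, out_file, key):
    """tar+gzip src_dir into out_file encrypted with key.
    Returns True only if tar and openssl both exited 0 and the file exists."""
    tar = subprocess.Popen(["tar", "-czf", "-", "-C", str(src_dir), "."],
                           stdout=subprocess.PIPE)
    enc = subprocess.Popen(["openssl", "enc", "-e", *OPENSSL_ARGS, "-out", str(out_file)],
                           stdin=tar.stdout, env=_env_with_key(key),
                           stderr=subprocess.DEVNULL)
    tar.stdout.close()  # only openssl holds the read end now, so tar sees a broken pipe if openssl dies
    enc_rc = enc.wait()
    tar_rc = tar.wait()
    ok = enc_rc == 0 and tar_rc == 0 and os.path.exists(out_file)
    if not ok and os.path.exists(out_file):
        os.remove(out_file)  # do not leave a truncated or empty archive behind
    return ok


def list_encrypted_backup(out_file, key):
    """Decrypt out_file with key and list the archive members.
    Returns None if the key is wrong or the archive is corrupt."""
    dec = subprocess.Popen(["openssl", "enc", "-d", *OPENSSL_ARGS, "-in", str(out_file)],
                           stdout=subprocess.PIPE, env=_env_with_key(key),
                           stderr=subprocess.DEVNULL)
    lst = subprocess.Popen(["tar", "-tzf", "-"], stdin=dec.stdout,
                           stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    dec.stdout.close()
    members, _ = lst.communicate()
    if dec.wait() != 0 or lst.returncode != 0:
        return None
    return [m for m in members.decode().splitlines() if m and m != "./"]


if __name__ == "__main__":
    import sys
    src, out, key = sys.argv[1], sys.argv[2], os.environ["BACKUP_ENCRYPTION_KEY"]
    if not make_encrypted_backup(src, out, key):
        sys.exit("backup failed; no archive written")
    print("archive verified, members:", list_encrypted_backup(out, key))
```

Used from a cron job the same way the project's script is, the "created" message can only follow a successful round trip, and an openssl failure (a missing binary, an option the installed version does not know, an unreadable key) stops the job with a non-zero exit instead of an email about a file that does not exist.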

Vaultwarden giving 404 on any GET

Set everything up as per the procedure mentioned.

  • DDNS is working
  • Let's Encrypt is working
  • Browser connection and resolution to https://bitwarden.mydomain.com is working

However, when the browser connects the vaultwarden server is returning a 404

[screenshot]

This is reflected in the bitwarden container logs -

bitwarden       | [INFO] No .env file found.
bitwarden       |
bitwarden       | [WARNING] `ADMIN_TOKEN` is enabled but has an empty value, so the admin page will be disabled.
bitwarden       | [WARNING] To enable the admin page without a token, use `DISABLE_ADMIN_TOKEN`.
bitwarden       | [2022-07-26 06:43:28.929][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012
bitwarden       | [2022-07-26 06:43:28.932][start][INFO] Rocket has launched from http://0.0.0.0:80
bitwarden       | [2022-07-26 06:47:26.436][_][ERROR] No matching routes for GET /.well-known/acme-challenge/2ZlZDCro6faXJ3SINZwEX-mjoHPimXKOrmfMERKh9K0.
bitwarden       | [2022-07-26 06:47:26.436][_][WARN] No 404 catcher registered. Using Rocket default.

.env configuration

# The fully-qualified domain name for Bitwarden - what address do you want Bitwarden accessible?
# Used for caddy proxy and ddns with Cloudflare
DOMAIN=https://bitwarden.mydomain.com

# Timezone - used by some containers for logs / cron
TZ='Asia/Kolkata'

### BITWARDEN VARIABLES ###
# Setting up Bitwarden for the first time can be done in two ways:
# Uncomment the method you want to use / comment the one you don't

# Method 1. [RECOMMENDED] because it avoids the admin page entirely; using the admin
#   page overrides these environmental variables which can cause confusion.
#   1. Set up your primary account(s) while SIGNUPS_ALLOWED=true
#   2. Set SIGNUPS_ALLOWED=false
#   3. Set the SMTP details above to enable e-mail invitation
#   4. Invite other users from within Bitwarden
#   Keep ADMIN_TOKEN blank to disable access to the admin page entirely.
SIGNUPS_ALLOWED=true
ADMIN_TOKEN=

# Method 2. Use the admin page to create your first user(s) then disable it.
#   1. Set ADMIN_TOKEN using the command `openssl rand -base64 48`
#   2. Use the admin page (/admin) to create your initial user(s).
#   3. Disable the admin page by clearing the token (ADMIN_TOKEN=)
#SIGNUPS_ALLOWED=false
#ADMIN_TOKEN=

### PROXY / CADDY VARIABLES ###
EMAIL=<email removed for privacy>

### DDNS VARIABLES ###
# Enter user id (use `id -u` to determine your user id)
PUID=*****
# Enter group id (use `id -g` to determine your group id)
PGID=*****

COUNTRIES=CN HK AU
COUNTRYBLOCK_SCHEDULE=0 0 * * *
WATCHTOWER_SCHEDULE=0 0 3 ? * 1

YUBICO_SERVER can no longer be an empty string, causes restart loops

This vaultwarden commit, done as part of addressing vaultwarden issue #3003, appears to disallow setting YUBICO_SERVER to an empty string, such that it now considers it a configuration error rather than quietly(?) failing and continuing. The default .env.template, and any .env that left those lines in, now produces a restart loop and Error 503 for any users.

For users: workaround is to comment out YUBICO_* in .env, and re-run docker-compose up. Presumably .env.template should be changed so those lines are commented out by default as well.

Is there any mechanism to help existing deployments here other than asking to patch vaultwarden to consider empty strings to be unset?

[edit] I just noticed that the Vaultwarden issue has someone expecting an empty string to be some other behavior, so the idea of considering empty strings to be unset might not even be accepted. [edit2] Their reasoning here.
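Several reports in this tracker come down to a .env value that the template's own comments rule out: the 404 report sets `DOMAIN=https://bitwarden.mydomain.com` although the template says not to include the protocol, the SMTP_TLS questions concern a variable the template documents as YES or NO, and the restart loop above comes from `YUBICO_SERVER=` being present but empty. The checker below is an added example, not a tool shipped with bitwarden_gcloud or vaultwarden; it parses a .env file, reports those three conditions plus a reminder when SIGNUPS_ALLOWED is still true, and rewrites empty YUBICO_* lines into comments, which is the workaround described above. The sample .env is constructed from the excerpts on this page, and the exact set of variables checked is this example's choice.

```python
import re

# Constructed sample .env modelled on the excerpts posted in this thread; values are made up.
SAMPLE_ENV = """\
# The fully-qualified domain name for Bitwarden (no protocol: docker-compose.yml adds it)
DOMAIN=https://bitwarden.mydomain.com
TZ='Asia/Kolkata'
SIGNUPS_ALLOWED=true
ADMIN_TOKEN=
# For fail2ban, YES or NO
SMTP_TLS=
YUBICO_CLIENT_ID=
YUBICO_SECRET_KEY=
YUBICO_SERVER=
EMAIL=admin@example.com
"""

# NAME=value with an optional leading `export`; comment lines never match because `#` is not a NAME character.
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Variables vaultwarden rejects when present with an empty value (see the restart-loop report).
EMPTY_IS_ERROR = ("YUBICO_CLIENT_ID", "YUBICO_SECRET_KEY", "YUBICO_SERVER")


def parse_env(text):
    """Active NAME=value assignments as a dict; one layer of matching quotes is stripped."""
    env = {}
    for raw in text.splitlines():
        m = ASSIGN.match(raw)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[name] = value
    return env


def lint_env(text):
    """Return a list of findings; an empty list means every check passed."""
    env = parse_env(text)
    findings = []
    domain = env.get("DOMAIN", "")
    if "://" in domain or "/" in domain:
        findings.append(f"DOMAIN must be a bare host name (no scheme or path); got {domain!r}")
    for name in EMPTY_IS_ERROR:
        if name in env and env[name] == "":
            findings.append(f"{name}= is an empty string; comment the line out instead (vaultwarden rejects it)")
    if "SMTP_TLS" in env and env["SMTP_TLS"] not in ("YES", "NO"):
        findings.append(f"SMTP_TLS must be YES or NO for fail2ban; got {env['SMTP_TLS']!r}")
    if env.get("SIGNUPS_ALLOWED", "").lower() == "true":
        findings.append("SIGNUPS_ALLOWED=true: anyone who can reach the vault can register; "
                        "set it to false once your own accounts exist")
    return findings


def comment_out_empty(text, names=EMPTY_IS_ERROR):
    """Rewrite the .env text so NAME= lines with an empty value become comments, i.e. unset."""
    out = []
    for raw in text.splitlines():
        m = ASSIGN.match(raw)
        if m and m.group(1) in names and m.group(2).strip().strip("\"'") == "":
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    for finding in lint_env(text):
        print("-", finding)
```

Running it before `docker-compose up -d` turns a restart loop or a 503 into a one-line finding; `comment_out_empty` produces the file to write back, and re-running `lint_env` on that output confirms the YUBICO findings are gone while a deliberately empty ADMIN_TOKEN (which the template uses to disable the admin page) is left alone.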

toolbox not found

I was able to download everything and edit the .env file and everything worked just fine until I came to the point where I should use the toolbox command.
When I type toolbox it responds:
***@cs-****-default:~/bitwarden_gcloud$ toolbox
-bash: toolbox: command not found

Does anyone know how I should proceed from here?

reboot-on-update.sh crash

Firstly, fantastic job with this.

Running reboot on update fails (setting up as per README)

Aug 30 14:47:21 bitwarden startup-script[358]: INFO Starting startup scripts.
Aug 30 14:47:21 bitwarden startup-script[358]: INFO Found startup-script in metadata.
Aug 30 14:47:21 bitwarden startup-script[358]: INFO startup-script: [0830/144721.700568:ERROR:object_proxy.cc(628)] Failed to call method: org.chromium.UpdateEngineInterface.GetStatusAdvanced: object_path= /org/chromium/UpdateEngine: org
Aug 30 14:47:21 bitwarden startup-script[358]: INFO startup-script: [0830/144721.701448:ERROR:dbus_method_invoker.h(113)] CallMethodAndBlockWithTimeout(...): Domain=dbus, Code=org.freedesktop.DBus.Error.ServiceUnknown, Message=The name o
Aug 30 14:47:21 bitwarden startup-script[358]: INFO startup-script: /var/lib/google/startup-2HnXNE/tmpbaUYOM: line 12:   377 Segmentation fault      (core dumped) update_engine_client --block_until_reboot_is_needed
Aug 30 14:47:21 bitwarden startup-script[358]: INFO startup-script: Shutdown scheduled for Mon 2020-08-31 05:00:00 UTC, use 'shutdown -c' to cancel.
Aug 30 14:47:21 bitwarden startup-script[358]: INFO startup-script: Return code 0.

Fixed by running sudo

sudo update_engine_client --block_until_reboot_is_needed


Aug 30 15:05:49 bitwarden systemd[1]: Starting Google Compute Engine Startup Scripts...
Aug 30 15:05:49 bitwarden startup-script[350]: INFO Starting startup scripts.
Aug 30 15:05:49 bitwarden startup-script[350]: INFO Found startup-script in metadata.
Aug 30 15:05:50 bitwarden sudo[372]:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/update_engine_client --block_until_reboot_is_needed
Aug 30 15:05:50 bitwarden sudo[372]: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 30 15:05:50 bitwarden sudo[372]: pam_tty_audit(sudo:session): changed status from 0 to 1

Improve README.md

It's pretty long, could use a refactor and moving some of the major sections to the wiki.

Should link to the other bwgc container repos as well somewhere, either in the README or in the wiki

Log rotation?

Does the base vaultwarden image do log rotation? Or is there log rotation otherwise set up? I set it up on my fork of the old setup, and slowly trying to PR my changes into this new setup so I can get caught up with your latest changes.

Add docs on using duckdns.org

update .env vars

### GLOBAL VARIABLES ###

# The fully-qualified domain name for Bitwarden - what address do you want Bitwarden accessible?
# Do not include the protocol (http/https), that is added when needed in docker-compose.yml
# Used for caddy proxy and ddns with Cloudflare
DOMAIN=<sub-domain>.duckdns.org

### DDNS VARIABLES ###

# These variables are only necessary if you are using DDNS / comment them out if you don't use ddns
# Enter user id (use `id -u` to determine your user id)
# PUID=
# Enter group id (use `id -g` to determine your group id)
# PGID=

Replace ddclient.conf (you might need to sudo chown -R user:user ddns first):

daemon=300
syslog=yes
verbose=yes
pid=/var/run/ddclient/ddclient.pid
ssl=yes
use=web

##
## Duckdns (http://www.duckdns.org/)
##
#

login=<sub-domain>
server=www.duckdns.org
password=<token>
protocol=duckdns
<sub-domain>.duckdns.org
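Added example, not the project's own tooling: instead of typing the sub-domain in three places, derive the DuckDNS label from the DOMAIN already set in .env and emit the ddclient.conf shown above. The token is passed as an argument and ends up in clear text in the file, so the file should be created with restrictive permissions and owned by the PUID/PGID the ddns container runs as. The output path ddns/ddclient.conf and the DUCKDNS_TOKEN variable in the usage comment are assumptions about this layout.

```shell
#!/bin/sh
# Added example, not part of bitwarden_gcloud. Builds the DuckDNS ddclient.conf
# from DOMAIN (as set in .env) and the DuckDNS token.

# Print the DuckDNS label for a name such as "vault.duckdns.org"; fail for any
# other name, and for nested names DuckDNS does not issue ("a.b.duckdns.org").
duckdns_label() {
  case $1 in
    *.duckdns.org) label=${1%.duckdns.org} ;;
    *) return 1 ;;
  esac
  case $label in
    ''|*.*) return 1 ;;
  esac
  printf '%s\n' "$label"
}

# $1 = DOMAIN, $2 = DuckDNS token. Writes the ddclient config to stdout.
ddclient_conf_duckdns() {
  label=$(duckdns_label "$1") || return 1
  [ -n "$2" ] || return 1
  printf '%s\n' \
    'daemon=300' \
    'syslog=yes' \
    'verbose=yes' \
    'pid=/var/run/ddclient/ddclient.pid' \
    'ssl=yes' \
    'use=web' \
    '' \
    '##' \
    '## Duckdns (http://www.duckdns.org/)' \
    '##' \
    "login=$label" \
    'server=www.duckdns.org' \
    "password=$2" \
    'protocol=duckdns' \
    "$1"
}

# Usage (file path, ownership and DUCKDNS_TOKEN are assumptions about this layout).
# .env is not sourced because values such as "COUNTRIES=CN HK AU" are not valid shell.
#   DOMAIN=$(sed -n 's/^DOMAIN=//p' .env)
#   PUID=$(sed -n 's/^PUID=//p' .env); PGID=$(sed -n 's/^PGID=//p' .env)
#   umask 077
#   ddclient_conf_duckdns "$DOMAIN" "$DUCKDNS_TOKEN" > ddns/ddclient.conf
#   sudo chown "$PUID:$PGID" ddns/ddclient.conf
```

The umask keeps the token readable only by the creating user; chown then hands the file to the account the container runs as, which is the same ownership fix the post above mentions.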

bug: Timezone doesn't seem to work

I notice that my backup file names and the "new login" timestamps are still in UTC even though I've set the timezone properly (as far as I know). In the .env I have set TZ="America/New_York" for EST. I've also tried TZ=America/New_York

When I go into the shell for the bitwarden container, trying cat /etc/timezone returns No such file or directory. Am I just setting something wrong?

Based on my current config, it seems the bitwarden and proxy containers don't adhere to my TZ setting, but ddns and fail2ban do:

user@server ~/bitwarden_gcloud $ docker exec -it bitwarden date
Thu Jan 26 05:39:31 UTC 2023
user@server ~/bitwarden_gcloud $ docker exec -it fail2ban date
Thu Jan 26 00:39:40 EST 2023
user@server ~/bitwarden_gcloud $ docker exec -it ddns date
Thu Jan 26 00:39:47 EST 2023
user@server ~/bitwarden_gcloud $ docker exec -it proxy date
Thu Jan 26 05:39:52 UTC 2023

Reading around, would this be the cause? dani-garcia/vaultwarden#574 (comment)
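As an added example, not from the project or the poster: two checks that make the manual comparison above scriptable. The first strips stray quotes from the TZ value and verifies the zone exists in the host's tzdata, because a misspelled zone is silently treated as UTC by libc and looks exactly like "TZ is ignored". The second reads name/date pairs like the docker exec output above and lists the containers still reporting UTC. Assumptions: tzdata lives under /usr/share/zoneinfo, and the pairs are fed in as one container name, a tab, and the date output per line.

```shell
#!/bin/sh
# Added example, not from bitwarden_gcloud. Checks for the symptom above:
# is the TZ value in .env a real zone on this host, and which containers
# still report UTC when asked for the date.

# Strip one layer of surrounding quotes from a TZ value as written in .env.
normalize_tz() {
  tz=$1
  case $tz in
    \"*\") tz=${tz#\"}; tz=${tz%\"} ;;
    \'*\') tz=${tz#\'}; tz=${tz%\'} ;;
  esac
  printf '%s\n' "$tz"
}

# Return 0 if the zone exists in the host's tzdata (assumed under
# /usr/share/zoneinfo). Empty names and path traversal are rejected.
tz_exists() {
  zone=$(normalize_tz "$1")
  case $zone in
    ''|*..*|/*) return 1 ;;
  esac
  [ -f "/usr/share/zoneinfo/$zone" ]
}

# Reads lines of the form "<container><TAB><output of date>" and prints the
# names of containers whose date output carries the UTC zone. Returns 1 if any did.
containers_on_utc() {
  awk -F '\t' '
    {
      n = split($2, f, " ")   # "Thu Jan 26 05:39:31 UTC 2023": zone is field n-1
      if (n >= 2 && f[n-1] == "UTC") { print $1; found = 1 }
    }
    END { exit found ? 1 : 0 }
  '
}

# Usage on the host, for the containers in this compose file:
#   tz_exists "$(sed -n 's/^TZ=//p' .env)" || echo "TZ in .env is not a known zone"
#   for c in bitwarden proxy ddns fail2ban; do
#     printf '%s\t%s\n' "$c" "$(docker exec "$c" date)"
#   done | containers_on_utc
```

For the output quoted in the post, containers_on_utc prints bitwarden and proxy and exits non-zero, which is the cue to look at how those two images obtain zone data rather than at the .env value.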

[question] warning in watchtower log: falling back to regular pull - Reason: invalid character 'S'

Hi all,
I get following message in the watchtower logs:

level=warning msg="Could not do a head request for "containrrr/watchtower:latest", falling back to regular pull." container=/watchtower image="containrrr/watchtower:latest"
watchtower | time="2023-01-08T03:00:06+01:00" level=warning msg="Reason: invalid character 'S' looking for beginning of value" container=/watchtower image="containrrr/watchtower:latest"

Any thoughts about the "invalid character 'S'" topic? Just found this issue which seems to be resolved since 2020: containrrr/watchtower#715

Nevertheless all containers seem to be scanned OK at the end:
watchtower | time="2023-01-08T03:00:09+01:00" level=info msg="Session done" Failed=0 Scanned=7 Updated=0 notify=no

Can above warning be avoided somehow or is the regular pull OK as well?

Docker compose version

Hello, I see that the setup is still using the docker/compose image to run docker-compose commands. This image has reached EOL and is already pretty old.

From what I can see, using a new version should be as easy as changing this line:

so that it says docker compose to use the (newer) docker image and its compose command.

Naturally, anyone with an existing setup would need to update the alias in ~/.bash_alias

.env changes not affecting VW variables

Changing domain or AUTH_TOKEN in the .env file did not have any effect. I had to use the config.json to be able to access to admin page and make changes.

letsencrypt fails

docker-compose up ends up with error messages:

proxy           | {"level":"error","ts":1613599644.6069458,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"bitwarden.<mydomain>.net","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Fetching http://bitwarden.<mydomain>.net/.well-known/acme-challenge/KkUwBaSArywzemlOmNLY8omg8pCWQmfz6blwNmvpKz4: Timeout during connect (likely firewall problem)"}
proxy           | {"level":"error","ts":1613599644.6087248,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"bitwarden.<mydomain>.net","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Fetching http://bitwarden.<mydomain>.net/.well-known/acme-challenge/KkUwBaSArywzemlOmNLY8omg8pCWQmfz6blwNmvpKz4: Timeout during connect (likely firewall problem)","order":"https://acme-staging-v02.api.letsencrypt.org/acme/order/18150164/242579938","attempt":2,"max_attempts":3}
proxy           | {"level":"error","ts":1613599646.1697505,"logger":"tls.obtain","msg":"will retry","error":"[bitwarden.<mydomain>.net] Obtain: [bitwarden.<mydomain>.net] solving challenges: bitwarden.<mydomain>.net: no solvers available for remaining challenges (configured=[tls-alpn-01 http-01] offered=[http-01 dns-01 tls-alpn-01] remaining=[dns-01]) (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/18150164/242580083) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":4,"retrying_in":300,"elapsed":400.909904751,"max_duration":2592000}

This was expected according to https://bradford.la/2020/self-host-bitwarden-on-google-cloud/
But installing DDNS should fix the problem. The DDNS config seems to work, but does not resolve the problem:

ddns            | /config/ddclient.conf MODIFY 
ddns            | ddclient has been restarted
ddns            | Setting up watches.
ddns            | Watches established.
ddns            | SUCCESS:  bitwarden.<mydomain>.net -- Updated Successfully to <my_ipaddress>

I have Cloudflare set up as DNS. I tried direct DNS and I tried proxied. I turned off Cloudflare encryption. All the same result.
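Added diagnostic helpers, not part of bitwarden_gcloud: the CA error above says it could not connect to port 80 on the name, and a DDNS update only helps when the record was stale. These functions separate "the name points somewhere else" (stale record, or a Cloudflare-proxied record answering with Cloudflare edge addresses) from "port 80 is filtered" (GCE firewall rule missing, or nothing published on 80). Assumptions: curl and getent are available, https://ifconfig.me/ip is used as the public-IP echo, and the probe path under /.well-known/acme-challenge/ is arbitrary, since any HTTP status at all (404, a redirect to HTTPS) proves the port is reachable and only a connect failure does not.

```shell
#!/bin/sh
# Added example, not part of bitwarden_gcloud. Separates "DNS points elsewhere"
# from "port 80 filtered" for an ACME http-01 failure like the one logged above.
# Network calls sit in small wrappers; dns_points_here is pure and needs no network.

# Public IPv4 of this host. Assumption: outbound HTTPS to ifconfig.me works.
public_ip() {
  curl -fsS --max-time 10 https://ifconfig.me/ip
}

# IPv4 addresses a name resolves to, one per line (getent, so no dig needed).
resolve_a() {
  getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# $1 = newline-separated resolved addresses, $2 = this host's public address.
# Returns 0 only if $2 is exactly one of the resolved addresses.
dns_points_here() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Probe the challenge path over plain HTTP. Any HTTP status (404, 308, ...)
# means the port is reachable; a connect failure or timeout yields 000.
http01_reachable() {
  code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/probe-$$") || true
  [ -n "$code" ] && [ "$code" != 000 ]
}

# Run both checks for a name and explain the outcome.
diagnose_http01() {
  name=$1
  pub=$(public_ip) || { echo "could not determine public IP"; return 2; }
  addrs=$(resolve_a "$name")
  if dns_points_here "$addrs" "$pub"; then
    echo "DNS ok: $name -> $pub"
  else
    echo "DNS mismatch: $name -> $(printf '%s' "$addrs" | tr '\n' ' ') but this host is $pub"
    echo "  (stale DDNS record, or a Cloudflare-proxied record answering with Cloudflare edge addresses)"
  fi
  if http01_reachable "$name"; then
    echo "port 80 reachable from here"
  else
    echo "port 80 not reachable: check the GCE firewall rule for tcp:80 and that the proxy container publishes port 80"
    return 1
  fi
}

# Usage: diagnose_http01 bitwarden.example.net
```

Note that the probe is made from the VM itself, so it only exercises the firewall when the name resolves to the external address rather than to a loopback or internal one; run the same curl from another network to be sure of the outside view.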
