[Bug 269143] security/vaultwarden upgrade web vault to 2023.1.0 via new security/vaultwarden-web port

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 25 Jan 2023 02:00:26 UTC

            Bug ID: 269143
           Summary: security/vaultwarden upgrade web vault to 2023.1.0 via
                    new security/vaultwarden-web port
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: mr@FreeBSD.org
          Reporter: yds@Necessitu.de
          Assignee: mr@FreeBSD.org
             Flags: maintainer-feedback?(mr@FreeBSD.org)

Created attachment 239691
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=239691&action=edit
vaultwarden-web patch

this patch splits the security/vaultwarden web-vault into a new
security/vaultwarden-web port. the main security/vaultwarden port now
RUN_DEPENDS on security/vaultwarden-web. this allows for building binary
packages where only the web-vault might need a version bump while the main Rust
pkg does not need upgrading.

the security/vaultwarden port splits Makefile.crates into a separate file to
make the main Makefile much smaller and easier to grok.

the port now installs the fully commented ${WRKSRC}/.env.template in
/usr/local/share/examples/vaultwarden/vaultwarden.env which can be copied to
/usr/local/etc/vaultwarden.env and edited as needed.

any existing rc.conf.d/vaultwarden should be moved to the new
ENV_FILE=/usr/local/etc/vaultwarden.env location

port includes a new apache.conf reverse proxy example file.

the rc.d script is completely rewritten to automatically create, chmod/chown
all the requisite config and runtime files and folders to be accessible only by
the vaultwarden runtime user. the runtime user can be set with vaultwarden_user
and vaultwarden_group rc.conf variables.

the port now includes a /usr/local/etc/newsyslog.conf.d/vaultwarden.conf file
to rotate the logs created by daemon -o logging output. there's no need to
configure any logging within vaultwarden itself, daemon and newsyslogd take
care of all the logging chores automagically.

daemon supervisor will now restart vaultwarden after one second should it quit
for any reason.

the rc.d script now creates a bare-bones config.json with a random admin_token
and adds two new extra sub-commands: showtoken and maketoken which will show
the current admin_token or generate a new one. making it easy to set/get the
admin_token in config.json helps keep the 
admin_token out of the environment variables where it can be viewed with `ps
awxeww|grep vaultwarden` while vaultwarden is running. setting admin_token via
environment variables seems like a bad idea from a security perspective <--
that was the motivation for the two new sub-commands. config.json is ensured by
the rc.d script to be readable only by the vaultwarden runtime user keeping the
admin_token secret like it oughtta be.

of course any existing config.json will be honored and not touched unless one
issues the maketoken subcommand, and then only the admin_token is changed,
while the rest of the file stays as is.

the port moves the default location of the "data" folder to
"/var/db/vaultwarden" and adds a new rc.conf variable `vaultwarden_data`

current users are advised to move their existing "data" folder to the new
default location:
tar -C /usr/local/www/vaultwarden/data/ -cf - . | tar -C /var/db/vaultwarden/
-xvf -

or to keep using the old data folder location set the rc.conf variables:

You are receiving this mail because:
You are the assignee for the bug.