commit a6bc308abfadeab7f0523a4ab96fb0b42cdb71b7
parent 3282b8d3be59bba0733e5cf1ca6c2618d389cf3b
Author: Zack Newman <zack@philomathiclife.com>
Date: Tue, 10 Dec 2024 08:08:22 -0700
update README
Diffstat:
M README.md | 59 ++++++++++++++++++++++++++++-------------------------------
1 file changed, 28 insertions(+), 31 deletions(-)
diff --git a/README.md b/README.md
@@ -1,20 +1,20 @@
-# vw_small
-
-`vw_small` is a fork of [Vaultwarden](https://github.com/dani-garcia/vaultwarden) that focuses on security and OpenBSD-stable compatibility.
-
-## Why use this crate instead of Vaultwarden?
-
+# vw_small
+
+`vw_small` is a fork of [Vaultwarden](https://github.com/dani-garcia/vaultwarden) that focuses on security and OpenBSD-stable compatibility.
+
+## Why use this crate instead of Vaultwarden?
+
Stricter validation and stronger adherence to RFCs and standards are performed in this crate in addition to safe arithmetic (i.e., overflow/underflow and
truncation are coded against). Additionally, this crate does not cater to parties that are not familiar with the best practices of self-hosting. A password manager
is something you want to do correctly; so if self-hosting is something you are new at, this crate is _not_ for you. Problems dealing with firewall rules, reverse proxy
-settings, X.509 certificates, backups, file permissions, etc. are unrelated to the job of a password manager.
-
+settings, X.509 certificates, backups, file permissions, etc. are unrelated to the job of a password manager.
+
This crate has first-class support for OpenBSD-stable; and when compiled/installed with the `priv_sep` `feature`, it uses [`pledge(2)`](https://man.openbsd.org/amd64/pledge.2) and
-[`unveil(2)`](https://man.openbsd.org/amd64/unveil.2) to lock down the daemon.
-
+[`unveil(2)`](https://man.openbsd.org/amd64/unveil.2) to lock down the daemon.
+
This crate does not support all of the features Vaultwarden supports. To some fewer features _is_ a feature. In particular, this crate assumes a small-scale environment; thus
-the following are true and likely won’t change in the future:
-
+the following are true and likely won’t change in the future:
+
* No containers
* WebAuthn and TOTP are the only forms of 2FA
* SQLite is the only supported database engine
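Review bot: every `-` line in this hunk is removed and re-added byte-for-byte identical, so the change here is line-ending or trailing-whitespace normalization only; doing that in a separate whitespace commit (or via a `.gitattributes` `text=auto` rule) would leave the substantive README edits below reviewable on their own. Since the paragraph is being touched anyway, the context line "To some fewer features _is_ a feature" is missing a comma after "To some".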
@@ -33,12 +33,12 @@ the following are true and likely won’t change in the future:
* No emergency access
* No log in via the API
* No automatic jobs (e.g., purging trash)
-
+
This crate makes a better attempt at performing state-changing operations in an atomic fashion (e.g., instead of mutating two database tables in separate transactions allowing
-for the possibility the first change occurs without the second, both changes are done as a single transaction).
-
-## Config file
-
+for the possibility the first change occurs without the second, both changes are done as a single transaction).
+
+## Config file
+
The TOML config file must be located in the running directory and must be named `config.toml`. The
format of this file must conform to the following:
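Review bot: this hunk is also whitespace-only (the removed and re-added lines are identical), which is why the diffstat's 28 insertions and 31 deletions overstate the real change; the actual content change in this commit is the three `webauthn_require_yubi` deletions further down, and isolating them would make that obvious to anyone reading the history.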
@@ -51,7 +51,6 @@ ip=<IPv6_or_IPv4_address>
password_iterations=<100000-4294967295>
port=<0-65535>
web_vault_enabled=<true/false>
-webauthn_require_yubi=<true/false>
workers=<1-255>
[tls]
cert=<absolute_path_to_complete_X509_certificate>
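Review bot: removing `webauthn_require_yubi` from the documented schema without a migration note leaves existing `config.toml` files carrying a key the README no longer describes; state whether the parser rejects unknown keys (in which case running deployments will fail to start until the line is deleted) or silently ignores them, and add a one-line note under the config section either way so operators are not surprised on upgrade.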
@@ -68,7 +67,6 @@ database_timeout=30
db_connection_retries=15
password_iterations=600000
web_vault_enabled=true
-webauthn_require_yubi=false
workers=<number_of_CPU_cores>
[tls]
ciphers=["TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
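Review bot: the defaults block drops `webauthn_require_yubi=false`, but the commit message ("update README") says nothing about what replaces that behaviour, whether the YubiKey firmware restriction is gone entirely or is now always applied, so a reader of the defaults list can no longer tell which authenticators will register successfully. A sentence in the prose, and a pointer to the matching code change if it lives in another commit, would close that gap.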
@@ -76,10 +74,9 @@ prefer_server_cipher_order=false
```
When `database_timeout` is `0`, there is no timeout; otherwise the value represents the maximum seconds allowed for a database connection to be made.
-When `webauthn_require_yubi` is `true`, then WebAuthn registrations require a FIDO2 YubiKey with firmware 5.2.a, 5.4.b, 5.5.c, or 5.6.d.
-
-## Directory hierachy
-
+
+## Directory hierachy
+
The running directory must conform to the following:
```bash
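Review bot: the re-added heading `## Directory hierachy` carries the misspelling of "hierarchy" forward; since that `+` line is already being rewritten in this commit, fix the spelling here rather than in a later pass. Dropping the `webauthn_require_yubi` sentence is the right companion to the schema change above, but it leaves the config section documenting no WebAuthn authenticator policy at all; consider whether one sentence should say what is accepted now.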
@@ -89,14 +86,14 @@ $PWD/
web-vault/
```
-Where `web-vault` must exist if `web_vault_enabled=true` and must be the output of an extracted [`bw_web_builds`](https://github.com/dani-garcia/bw_web_builds/releases).
-
-### Status
-
-This package will be actively maintained to stay in-sync with Vaultwarden and OpenBSD-stable.
-
+Where `web-vault` must exist if `web_vault_enabled=true` and must be the output of an extracted [`bw_web_builds`](https://github.com/dani-garcia/bw_web_builds/releases).
+
+### Status
+
+This package will be actively maintained to stay in-sync with Vaultwarden and OpenBSD-stable.
+
The crate is only tested on the `x86_64-unknown-linux-gnu` and `x86_64-unknown-openbsd` targets, but
it should work on any [Tier 1 with Host Tools](https://doc.rust-lang.org/beta/rustc/platform-support.html)
-target.
-
+target.
+
If/when a complete re-write occurs, a new crate will be maintained that has no relation to Vaultwarden.
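Review bot: whitespace-only again for the `-`/`+` pairs. Two small points in the surrounding context lines while this file is open: the "Tier 1 with Host Tools" link targets `doc.rust-lang.org/beta/...` rather than the stable docs and will drift as beta moves, so prefer the `stable` URL; and "stay in-sync" does not need the hyphen.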