vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small

README.md (4478B)


# vw_small

`vw_small` is a fork of [Vaultwarden](https://github.com/dani-garcia/vaultwarden) that focuses on security and OpenBSD-stable compatibility.

## Why use this crate instead of Vaultwarden?

Stricter validation and stronger adherence to RFCs and standards are performed in this crate in addition to safe arithmetic (i.e., overflow/underflow and
truncation are coded against). Additionally, this crate does not cater to parties that are not familiar with the best practices of self-hosting. A password manager
is something you want to do correctly; so if self-hosting is something you are new at, this crate is _not_ for you. Problems dealing with firewall rules, reverse proxy
settings, X.509 certificates, backups, file permissions, etc. are unrelated to the job of a password manager.

This crate has first-class support for OpenBSD-stable; and when compiled/installed with the `priv_sep` feature, it uses [`pledge(2)`](https://man.openbsd.org/amd64/pledge.2) and
[`unveil(2)`](https://man.openbsd.org/amd64/unveil.2) to lock down the daemon.

This crate does not support all of the features Vaultwarden supports. To some, fewer features _is_ a feature. In particular, this crate assumes a small-scale environment; thus
the following are true and likely won't change in the future:

* No containers
* WebAuthn and TOTP are the only forms of 2FA
* SQLite is the only supported database engine
* HTTPS is required
* No HTTP(S) client
* No SMTP client
* No DNS resolver
* No groups
* No admin panel
* No attachments
* No sends
* No WebSocket support
* No push notifications
* No log in with device
* No recovery code
* No emergency access
* No log in via the API
* No automatic jobs (e.g., purging trash)

This crate makes a better attempt at performing state-changing operations in an atomic fashion (e.g., instead of mutating two database tables in separate transactions, allowing
for the possibility that the first change occurs without the second, both changes are done as a single transaction).

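As an added illustration of the point above (example code written for this page, not part of `vw_small` or Vaultwarden), the following Python script uses SQLite, the only engine this crate supports, to contrast mutating two tables in two transactions with doing it in one. The `users`/`devices` schema, the `u1` row and the `InjectedFailure` exception are constructed for the demo and do not mirror the crate's real tables; the failure stands in for a crash or error between the two statements.

```python
"""Two transactions vs. one: why a two-table state change should be atomic.

Constructed demo: the schema, rows and the injected failure are made up for
this example and do not mirror vw_small's real tables.
"""
import sqlite3

# Minimal constructed schema: disabling a user must also drop its devices.
SCHEMA = """
CREATE TABLE users (
    uuid    TEXT PRIMARY KEY,
    email   TEXT NOT NULL,
    enabled INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE devices (
    uuid      TEXT PRIMARY KEY,
    user_uuid TEXT NOT NULL REFERENCES users(uuid),
    name      TEXT NOT NULL
);
"""


class InjectedFailure(RuntimeError):
    """Stands in for a crash/error between the two table mutations."""


def fresh_db() -> sqlite3.Connection:
    # isolation_level=None puts the driver in autocommit mode, so the
    # BEGIN/COMMIT/ROLLBACK statements below are exactly what reaches SQLite.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES ('u1', 'alice@example.test', 1)")
    conn.executemany("INSERT INTO devices VALUES (?, 'u1', ?)",
                     [("d1", "laptop"), ("d2", "phone")])
    return conn


def disable_user_two_txns(conn, user_uuid, fail_between=False):
    """The pattern the README warns about: each table in its own transaction."""
    conn.execute("BEGIN IMMEDIATE")
    conn.execute("DELETE FROM devices WHERE user_uuid = ?", (user_uuid,))
    conn.execute("COMMIT")            # the first change is now durable on its own
    if fail_between:
        raise InjectedFailure("crashed after the first commit")
    conn.execute("BEGIN IMMEDIATE")
    conn.execute("UPDATE users SET enabled = 0 WHERE uuid = ?", (user_uuid,))
    conn.execute("COMMIT")


def disable_user_one_txn(conn, user_uuid, fail_between=False):
    """Both changes in a single transaction: either both land or neither does."""
    conn.execute("BEGIN IMMEDIATE")
    try:
        conn.execute("DELETE FROM devices WHERE user_uuid = ?", (user_uuid,))
        if fail_between:
            raise InjectedFailure("crashed between the two statements")
        conn.execute("UPDATE users SET enabled = 0 WHERE uuid = ?", (user_uuid,))
        conn.execute("COMMIT")
    except BaseException:
        conn.execute("ROLLBACK")      # the DELETE is undone as well
        raise


def snapshot(conn, user_uuid) -> dict:
    """Report the user's enabled flag and remaining device count."""
    enabled = conn.execute("SELECT enabled FROM users WHERE uuid = ?",
                           (user_uuid,)).fetchone()[0]
    devices = conn.execute("SELECT COUNT(*) FROM devices WHERE user_uuid = ?",
                           (user_uuid,)).fetchone()[0]
    return {"enabled": enabled, "devices": devices}


def run(strategy, fail_between: bool) -> dict:
    """Apply `strategy` to a fresh database and return the resulting state."""
    conn = fresh_db()
    try:
        strategy(conn, "u1", fail_between)
    except InjectedFailure:
        pass                          # the "crash" happened; inspect what is left behind
    return snapshot(conn, "u1")


def partially_applied(state: dict) -> bool:
    """True when the devices are gone but the user is still enabled."""
    return state["enabled"] == 1 and state["devices"] == 0


if __name__ == "__main__":
    for name, strategy in (("two transactions", disable_user_two_txns),
                           ("one transaction", disable_user_one_txn)):
        state = run(strategy, fail_between=True)
        verdict = "inconsistent" if partially_applied(state) else "consistent"
        print(f"{name:16} after failure: {state} -> {verdict}")
```

With the failure injected, the two-transaction version leaves the user enabled with zero devices (the first commit survived, the second never ran), while the single-transaction version rolls back to the original row set. `BEGIN IMMEDIATE` is used so the write lock is taken up front rather than on the first write, which also avoids a late `SQLITE_BUSY` in the middle of the change.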
## Config file

The TOML config file must be located in the running directory and must be named `config.toml`. The
format of this file must conform to the following:

```toml
database_max_conns=<1-255>
database_timeout=<0-65535>
db_connection_retries=<1-255>
domain=<FQDN_that_doesnt_need_to_be_encoded_in_Punycode>
ip=<IPv6_or_IPv4_address>
password_iterations=<100000-4294967295>
port=<0-65535>
web_vault_enabled=<true/false>
webauthn_require_yubi=<true/false>
workers=<1-255>
[tls]
cert=<absolute_path_to_complete_X509_certificate>
ciphers=<subset_of_ciphers_allowed_by_Rocket>
key=<absolute_path_to_X509_private_key>
prefer_server_cipher_order=<true/false>
```

The only required keys are `domain`, `ip`, `port`, `tls.cert`, and `tls.key`. For the remaining keys, the following are the values used when omitted:

```toml
database_max_conns=10
database_timeout=30
db_connection_retries=15
password_iterations=600000
web_vault_enabled=true
webauthn_require_yubi=false
workers=<number_of_CPU_cores>
[tls]
ciphers=["TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
prefer_server_cipher_order=false
```

When `database_timeout` is `0`, there is no timeout; otherwise the value is the maximum number of seconds allowed for a database connection to be made.
When `webauthn_require_yubi` is `true`, WebAuthn registrations require a FIDO2 YubiKey with firmware 5.2.a, 5.4.b, 5.5.c, or 5.6.d.

## Directory hierarchy

The running directory must conform to the following:

```text
$PWD/
  config.toml
  data/
  web-vault/
```

Here `web-vault` must exist if `web_vault_enabled=true`, and it must be the extracted output of a [`bw_web_builds`](https://github.com/dani-garcia/bw_web_builds/releases) release.
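Because the config rules above (key ranges, required keys, absolute certificate paths, the `web-vault` requirement) are easy to get subtly wrong, here is an added Python pre-flight check that encodes them and inspects a running directory. It is example code written for this page, not part of `vw_small`: the bounds, defaults and required keys are copied from the README, while the helper names (`apply_defaults`, `validate_config`, `check_layout`, `demo`) and the sample values (`vault.example.test`, the `/etc/ssl/...` paths) are constructed for the illustration. It does not check `tls.ciphers` against Rocket's list, since that list is not given here.

```python
"""Pre-flight check of a vw_small config.toml dict and running directory.

Added example: ranges, defaults and required keys come from the README; the
helpers and sample values below are constructed and are not vw_small code.
"""
import ipaddress
import os
from pathlib import Path

# Integer keys and their inclusive ranges, as documented in the README.
INT_BOUNDS = {
    "database_max_conns": (1, 255),
    "database_timeout": (0, 65535),
    "db_connection_retries": (1, 255),
    "password_iterations": (100_000, 4_294_967_295),
    "port": (0, 65535),
    "workers": (1, 255),
}
BOOL_KEYS = ("web_vault_enabled", "webauthn_require_yubi")
REQUIRED = ("domain", "ip", "port")
REQUIRED_TLS = ("cert", "key")
DEFAULTS = {
    "database_max_conns": 10,
    "database_timeout": 30,
    "db_connection_retries": 15,
    "password_iterations": 600_000,
    "web_vault_enabled": True,
    "webauthn_require_yubi": False,
}


def apply_defaults(cfg: dict) -> dict:
    """Copy of cfg with the README's defaults filled in (workers = CPU cores, capped at 255)."""
    merged = {**DEFAULTS, "workers": min(os.cpu_count() or 1, 255), **cfg}
    merged["tls"] = {"prefer_server_cipher_order": False, **cfg.get("tls", {})}
    return merged


def validate_config(cfg: dict) -> list[str]:
    """Return the list of rule violations; an empty list means the dict is acceptable."""
    errors = []
    for key in REQUIRED:
        if key not in cfg:
            errors.append(f"missing required key {key!r}")
    tls = cfg.get("tls")
    if not isinstance(tls, dict):
        errors.append("missing required table [tls]")
    else:
        for key in REQUIRED_TLS:
            if key not in tls:
                errors.append(f"missing required key 'tls.{key}'")
            elif not isinstance(tls[key], str) or not Path(tls[key]).is_absolute():
                errors.append(f"'tls.{key}' must be an absolute path")
    for key, (lo, hi) in INT_BOUNDS.items():
        if key in cfg:
            v = cfg[key]
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(v, bool) or not isinstance(v, int) or not lo <= v <= hi:
                errors.append(f"{key!r} must be an integer in {lo}-{hi}")
    for key in BOOL_KEYS:
        if key in cfg and not isinstance(cfg[key], bool):
            errors.append(f"{key!r} must be true or false")
    if "ip" in cfg:
        try:
            ipaddress.ip_address(str(cfg["ip"]))   # str() so an int never slips through
        except ValueError:
            errors.append("'ip' must be an IPv4 or IPv6 address")
    domain = cfg.get("domain")
    if domain is not None and (not isinstance(domain, str) or not domain
                               or not domain.isascii() or "/" in domain):
        errors.append("'domain' must be an ASCII FQDN (no scheme or path, no Punycode needed)")
    return errors


def check_layout(root: Path, cfg: dict) -> list[str]:
    """Verify the running-directory layout the README requires."""
    errors = []
    if not (root / "config.toml").is_file():
        errors.append("config.toml is missing")
    if not (root / "data").is_dir():
        errors.append("data/ is missing")
    if cfg.get("web_vault_enabled", True) and not (root / "web-vault").is_dir():
        errors.append("web-vault/ is missing but web_vault_enabled=true")
    return errors


# Constructed sample values; the certificate paths are placeholders.
SAMPLE = {
    "domain": "vault.example.test",
    "ip": "::1",
    "port": 8443,
    "tls": {"cert": "/etc/ssl/vault.pem", "key": "/etc/ssl/private/vault.key"},
}


def demo() -> dict:
    """Build a throwaway running directory and check it before and after adding web-vault/."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "config.toml").write_text(
        'domain="vault.example.test"\nip="::1"\nport=8443\n'
        '[tls]\ncert="/etc/ssl/vault.pem"\nkey="/etc/ssl/private/vault.key"\n')
    (root / "data").mkdir()
    cfg = apply_defaults(SAMPLE)      # web_vault_enabled defaults to true
    before = check_layout(root, cfg)
    (root / "web-vault").mkdir()
    return {"config_errors": validate_config(cfg), "before": before,
            "after": check_layout(root, cfg)}


if __name__ == "__main__":
    print(demo())
```

To run it against a real deployment, parse `config.toml` with `tomllib` (Python 3.11+) into a dict, pass that through `apply_defaults` and `validate_config`, and call `check_layout` on the running directory; the daemon's own validation is stricter than this, so a clean result here is necessary, not sufficient.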

### Status

This package will be actively maintained to stay in sync with Vaultwarden and OpenBSD-stable.

The crate is only tested on the `x86_64-unknown-linux-gnu` and `x86_64-unknown-openbsd` targets, but
it should work on any [Tier 1 with Host Tools](https://doc.rust-lang.org/beta/rustc/platform-support.html)
target.

If/when a complete re-write occurs, a new crate will be maintained that has no relation to Vaultwarden.