README.md (4220B)
1 # vw_small 2 3 `vw_small` is a fork of [Vaultwarden](https://github.com/dani-garcia/vaultwarden) that focuses on security and OpenBSD-stable compatibility. 4 5 ## Why use this crate instead of Vaultwarden? 6 7 Stricter validation and stronger adherence to RFCs and standards are performed in this crate in addition to safe arithmetic (i.e., overflow/underflow and 8 truncation are coded against). Additionally, this crate does not cater to parties that are not familiar with the best practices of self-hosting. A password manager 9 is something you want to do correctly; so if self-hosting is something you are new at, this crate is _not_ for you. Problems dealing with firewall rules, reverse proxy 10 settings, X.509 certificates, backups, file permissions, etc. are unrelated to the job of a password manager. 11 12 This crate has first-class support for OpenBSD-stable; and when compiled/installed with the `priv_sep` `feature`, it uses [`pledge(2)`](https://man.openbsd.org/amd64/pledge.2) and 13 [`unveil(2)`](https://man.openbsd.org/amd64/unveil.2) to lock down the daemon. 14 15 This crate does not support all of the features Vaultwarden supports. To some fewer features _is_ a feature. In particular, this crate assumes a small-scale environment; thus 16 the following are true and likely won’t change in the future: 17 18 * No containers 19 * WebAuthn and TOTP are the only forms of 2FA 20 * SQLite is the only supported database engine 21 * HTTPS is required 22 * No HTTP(S) client 23 * No SMTP client 24 * No DNS resolver 25 * No groups 26 * No admin panel 27 * No attachments 28 * No sends 29 * No WebSocket support 30 * No push notifications 31 * No log in with device 32 * No recovery code 33 * No emergency access 34 * No log in via the API 35 * No automatic jobs (e.g., purging trash) 36 37 This crate makes a better attempt at performing state-changing operations in an atomic fashion (e.g., instead of mutating two database tables in separate transactions allowing 38 for the possibility the first change occurs without the second, both changes are done as a single transaction). 39 40 ## Config file 41 42 The TOML config file must be located in the running directory and must be named `config.toml`. The 43 format of this file must conform to the following: 44 45 ```bash 46 database_max_conns=<1-255> 47 database_timeout=<0-65535> 48 db_connection_retries=<1-255> 49 domain=<FQDN_that_doesnt_need_to_be_encoded_in_Punycode> 50 ip=<IPv6_or_IPv4_address> 51 password_iterations=<100000-4294967295> 52 port=<0-65535> 53 web_vault_enabled=<true/false> 54 workers=<1-255> 55 [tls] 56 cert=<absolute_path_to_complete_X509_certificate> 57 ciphers=<subset_of_ciphers_allowed_by_Rocket> 58 key=<absolute_path_to_X509_private_key> 59 prefer_server_cipher_order=<true/false> 60 ``` 61 62 The only required keys are `domain`, `ip`, `port`, `tls.cert`, and `tls.key`. For the remaining keys, the following are the values used when omitted: 63 64 ```bash 65 database_max_conns=10 66 database_timeout=30 67 db_connection_retries=15 68 password_iterations=600000 69 web_vault_enabled=true 70 workers=<number_of_CPU_cores> 71 [tls] 72 ciphers=["TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] 73 prefer_server_cipher_order=false 74 ``` 75 76 When `database_timeout` is `0`, there is no timeout; otherwise the value represents the maximum seconds allowed for a database connection to be made. 77 78 ## Directory hierachy 79 80 The running directory must conform to the following: 81 82 ```bash 83 $PWD/ 84 config.toml 85 data/ 86 web-vault/ 87 ``` 88 89 Where `web-vault` must exist if `web_vault_enabled=true` and must be the output of an extracted [`bw_web_builds`](https://github.com/dani-garcia/bw_web_builds/releases). 90 91 ### Status 92 93 This package will be actively maintained to stay in-sync with Vaultwarden and OpenBSD-stable. 94 95 The crate is only tested on the `x86_64-unknown-linux-gnu` and `x86_64-unknown-openbsd` targets, but 96 it should work on any [Tier 1 with Host Tools](https://doc.rust-lang.org/beta/rustc/platform-support.html) 97 target. 98 99 If/when a complete re-write occurs, a new crate will be maintained that has no relation to Vaultwarden.