vw_small

Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
git clone https://git.philomathiclife.com/repos/vw_small
Log | Files | Refs | README

README.md (4220B)


      1 # vw_small
      2 
      3 `vw_small` is a fork of [Vaultwarden](https://github.com/dani-garcia/vaultwarden) that focuses on security and OpenBSD-stable compatibility.
      4 
      5 ## Why use this crate instead of Vaultwarden?
      6 
      7 Stricter validation and stronger adherence to RFCs and standards are performed in this crate in addition to safe arithmetic (i.e., overflow/underflow and
      8 truncation are coded against). Additionally, this crate does not cater to parties that are not familiar with the best practices of self-hosting. A password manager
      9 is something you want to do correctly; so if self-hosting is something you are new at, this crate is _not_ for you. Problems dealing with firewall rules, reverse proxy
     10 settings, X.509 certificates, backups, file permissions, etc. are unrelated to the job of a password manager.
     11 
     12 This crate has first-class support for OpenBSD-stable; and when compiled/installed with the `priv_sep` `feature`, it uses [`pledge(2)`](https://man.openbsd.org/amd64/pledge.2) and
     13 [`unveil(2)`](https://man.openbsd.org/amd64/unveil.2) to lock down the daemon.
     14 
     15 This crate does not support all of the features Vaultwarden supports. To some fewer features _is_ a feature. In particular, this crate assumes a small-scale environment; thus
     16 the following are true and likely won’t change in the future:
     17 
     18 * No containers
     19 * WebAuthn and TOTP are the only forms of 2FA  
     20 * SQLite is the only supported database engine
     21 * HTTPS is required
     22 * No HTTP(S) client
     23 * No SMTP client
     24 * No DNS resolver
     25 * No groups
     26 * No admin panel
     27 * No attachments
     28 * No sends
     29 * No WebSocket support
     30 * No push notifications
     31 * No log in with device
     32 * No recovery code
     33 * No emergency access
     34 * No log in via the API
     35 * No automatic jobs (e.g., purging trash)
     36 
     37 This crate makes a better attempt at performing state-changing operations in an atomic fashion (e.g., instead of mutating two database tables in separate transactions allowing
     38 for the possibility the first change occurs without the second, both changes are done as a single transaction).
     39 
     40 ## Config file
     41 
     42 The TOML config file must be located in the running directory and must be named `config.toml`. The
     43 format of this file must conform to the following:
     44 
     45 ```bash
     46 database_max_conns=<1-255>
     47 database_timeout=<0-65535>
     48 db_connection_retries=<1-255>
     49 domain=<FQDN_that_doesnt_need_to_be_encoded_in_Punycode>
     50 ip=<IPv6_or_IPv4_address>
     51 password_iterations=<100000-4294967295>
     52 port=<0-65535>
     53 web_vault_enabled=<true/false>
     54 workers=<1-255>
     55 [tls]
     56 cert=<absolute_path_to_complete_X509_certificate>
     57 ciphers=<subset_of_ciphers_allowed_by_Rocket>
     58 key=<absolute_path_to_X509_private_key>
     59 prefer_server_cipher_order=<true/false>
     60 ```
     61 
     62 The only required keys are `domain`, `ip`, `port`, `tls.cert`, and `tls.key`. For the remaining keys, the following are the values used when omitted:
     63 
     64 ```bash
     65 database_max_conns=10
     66 database_timeout=30
     67 db_connection_retries=15
     68 password_iterations=600000
     69 web_vault_enabled=true
     70 workers=<number_of_CPU_cores>
     71 [tls]
     72 ciphers=["TLS_CHACHA20_POLY1305_SHA256","TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
     73 prefer_server_cipher_order=false
     74 ```
     75 
     76 When `database_timeout` is `0`, there is no timeout; otherwise the value represents the maximum seconds allowed for a database connection to be made.
     77 
     78 ## Directory hierachy
     79 
     80 The running directory must conform to the following:
     81 
     82 ```bash
     83 $PWD/
     84   config.toml
     85   data/
     86   web-vault/
     87 ```
     88 
     89 Where `web-vault` must exist if `web_vault_enabled=true` and must be the output of an extracted [`bw_web_builds`](https://github.com/dani-garcia/bw_web_builds/releases).
     90 
     91 ### Status
     92 
     93 This package will be actively maintained to stay in-sync with Vaultwarden and OpenBSD-stable.
     94 
     95 The crate is only tested on the `x86_64-unknown-linux-gnu` and `x86_64-unknown-openbsd` targets, but
     96 it should work on any [Tier 1 with Host Tools](https://doc.rust-lang.org/beta/rustc/platform-support.html)
     97 target.
     98 
     99 If/when a complete re-write occurs, a new crate will be maintained that has no relation to Vaultwarden.