diff --git a/manuscript/CHANGELOG.md b/manuscript/CHANGELOG.md index 9938f4f..880056e 100644 --- a/manuscript/CHANGELOG.md +++ b/manuscript/CHANGELOG.md @@ -13,13 +13,10 @@ ## Recently added recipes +* Added [Bitwarden](/recipes/bitwarden/), an **awesome** open-source password manager, with great mobile sync support (_14 May 2019_) * Added [Traefik Forward Auth](/ha-docker-swarm/traefik-forward-auth/), replacing function of multiple [oauth_proxies](/reference/oauth_proxy/) with a single, 7MB Go application, which can authenticate against Google, [KeyCloak](/recipes/keycloak/), and other OIDC providers (_10 May 2019_) * Added Kubernetes version of [Miniflux](/recipes/kubernetes/miniflux/) recipe, a minimalistic RSS reader supporting the Fever API (_26 Mar 2019_) * Added Kubernetes version of [Kanboard](/recipes/kubernetes/kanboard/) recipe, a lightweight, well-supported Kanban tool for visualizing your work (_19 Mar 2019_) -* Added [Minio](/recipes/minio/), a high performance distributed object storage server, designed for large-scale private cloud infrastructure, but perfect for simple use cases where emulating AWS S3 is useful. (_27 Jan 2019_) -* Added the beginning of the **Kubernetes** design, including a getting started on using [Digital Ocean,](/kubernetes/digitalocean/) and a WIP recipe for an [MQTT](/recipes/mqtt/) broker (_21 Jan 2019_) -* [ElkarBackup](/recipes/elkarbackup/), a beautiful GUI-based backup solution built on rsync/rsnapshot (_1 Jan 2019_) - ## Recent improvements diff --git a/manuscript/book.txt b/manuscript/book.txt index 8c42f34..1c187ca 100644 --- a/manuscript/book.txt +++ b/manuscript/book.txt @@ -49,6 +49,7 @@ recipes/swarmprom.md recipes/turtle-pool.md sections/menu-docker.md +recipes/bitwarden.md recipes/bookstack.md recipes/cryptominer.md recipes/cryptominer/mining-rig.md 
diff --git a/manuscript/images/bitwarden.png b/manuscript/images/bitwarden.png new file mode 100644 index 0000000..8d1b8bb Binary files /dev/null and b/manuscript/images/bitwarden.png differ diff --git a/manuscript/recipes/bitwarden.md b/manuscript/recipes/bitwarden.md new file mode 100644 index 0000000..8dbaaed --- /dev/null +++ b/manuscript/recipes/bitwarden.md 
@@ -0,0 +1,97 @@ +# Bitwarden + +Heard about the [latest passsword breach](https://www.databreaches.net) (since lunch)? [HaveYouBeenPowned](http://haveibeenpwned.com) lately? [Passwords are broken](https://www.theguardian.com/technology/2008/nov/13/internet-passwords), and as the amount of sites for which you need to store credentials grows exponetially, so does the risk of using a common password. + +"*Duh, use a password manager*", you say. Sure, but be aware that [even password managers have security flaws](https://www.securityevaluators.com/casestudies/password-manager-hacking/). + +**OK, look** - no software is perfect, and there will always be a risk of your credentials being exposed in ways you didn't intend. You can at least **minimize** the impact of such exposure by using a password manager to store unique credentials per-site. While [1Password](http://1password.com) is king of the commercial password manager, [BitWarden](https://bitwarden.com) is king of the open-source, self-hosted password manager. + +Enter Bitwarden.. + +![BitWarden Screenshot](../images/bitwarden.png) + +Bitwarden is a free and open source password management solution for individuals, teams, and business organizations. While Bitwarden does offer a paid / hosted version, the free version comes with the following (*better than any other free password manager!*): + +* Access & install all Bitwarden apps +* Sync all of your devices, no limits! +* Store unlimited items in your vault +* Logins, secure notes, credit cards, & identities +* Two-step authentication (2FA) +* Secure password generator +* Self-host on your own server (optional) + +## Ingredients + +1. [Docker swarm cluster](/ha-docker-swarm/design/) with [persistent shared storage](/ha-docker-swarm/shared-storage-ceph.md) +2. [Traefik](/ha-docker-swarm/traefik_public) configured per design +3. 
DNS entry for the hostname you intend to use, pointed to your [keepalived](ha-docker-swarm/keepalived/) IP + +## Preparation + +### Setup data locations + +We'll need to create a directory to bind-mount into our container, so create `/var/data/bitwarden`: + +``` +mkdir /var/data/bitwarden +``` + +### Setup Docker Swarm + +Create a docker swarm config file in docker-compose syntax (v3), something like this: + +!!! tip + I share (_with my [patreon patrons](https://www.patreon.com/funkypenguin)_) a private "_premix_" git repository, which includes necessary docker-compose and env files for all published recipes. This means that patrons can launch any recipe with just a ```git pull``` and a ```docker stack deploy``` 👍 + + +``` +version: "3" +services: + bitwarden: + image: mprasil/bitwarden + env_file: /var/data/config/bitwarden/bitwarden.env + volumes: + - /etc/localtime:/etc/localtime:ro + - /var/data/bitwarden:/data/:rw + deploy: + labels: + - traefik.enable=true + - traefik.web.frontend.rule=Host:bitwarden.example.com + - traefik.web.port=80 + - traefik.hub.frontend.rule=Host:bitwarden.example.com;Path:/notifications/hub + - traefik.hub.port=3012 + - traefik.docker.network=traefik_public + networks: + - traefik_public + +networks: + traefik_public: + external: true +``` + +!!! note + Note the clever use of two Traefik frontends to expose the notifications hub on port 3012. Thanks @gkoerk! + + +## Serving + +### Launch Bitwarden stack + +Launch the Bitwarden stack by running ```docker stack deploy bitwarden -c ``` + +Browse to your new instance at https://**YOUR-FQDN**, and create a new user account and master password (*Just click the **Create Account** button without filling in your email address or master password*) + +### Get the apps / extensions + +Once you've created your account, jump over to https://bitwarden.com/#download and download the apps for your mobile and browser, and start adding your logins! + +## Chef's Notes + +1. 
You'll notice we're not using the *official* container images (*[all 6 of them required](https://help.bitwarden.com/article/install-on-premise/#install-bitwarden)!)*, but rather a [more lightweight version ideal for self-hosting](https://hub.docker.com/r/mprasil/bitwarden). All of the elements are contained within a single container, and SQLite is used for the database backend. +2. The inclusion of Bitwarden was due to the efforts of @gkoerk in our [Discord server](http://chat.funkypenguin.co.nz)- Thanks Gerry! + +### Tip your waiter (donate) 👏 + +Did you receive excellent service? Want to make your waiter happy? (_..and support development of current and future recipes!_) See the [support](/support/) page for (_free or paid)_ ways to say thank you! 👏 + +### Your comments? 💬 diff --git a/manuscript/recipes/keycloak.md b/manuscript/recipes/keycloak.md index f712be8..5738966 100644 --- a/manuscript/recipes/keycloak.md +++ b/manuscript/recipes/keycloak.md 
@@ -173,15 +173,13 @@ For each of the following mappers, click the name, and set the "_Read Only_" fla ![KeyCloak Add Realm Screenshot](/images/sso-stack-keycloak-4.png) !!! important - Development of this recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! + Development of the original KeyCloak recipe is sponsored by [The Common Observatory](https://www.observe.global/). Thanks guys! [![Common Observatory](../images/common_observatory.png)](https://www.observe.global/) ## Chef's Notes -1. I wanted to be able to add multiple networks to KeyCloak (_i.e., a dedicated overlay network for LDAP authentication_), but the entrypoint used by the container produces an error when more than one network is configured. This could theoretically be corrected in future, with a PR, but the [GitHub repo](https://github.com/jboss-dockerfiles/keycloak) has no issues enabled, so I wasn't sure where to start. - ### Tip your waiter (donate) 👏 Did you receive excellent service? Want to make your waiter happy? (_..and support development of current and future recipes!_) See the [support](/support/) page for (_free or paid)_ ways to say thank you! 👏 diff --git a/manuscript/sponsored-projects.md b/manuscript/sponsored-projects.md index 602f5c2..1fd3dbe 100644 --- a/manuscript/sponsored-projects.md +++ b/manuscript/sponsored-projects.md @@ -16,3 +16,6 @@ I regularly donate to / sponsor the following projects. **Join me** in supportin | [LinuxServer.io](https://www.linuxserver.io) | [PayPal](https://www.linuxserver.io/donate) | [Pi-hole](https://pi-hole.net/) | [Patreon](https://www.patreon.com/pihole/posts) | [Franck Nijhof's Hassio Addons](https://www.frenck.nl/about/franck-nijhof/) | [Patreon](https://www.patreon.com/frenck/overview) +| [WidgetBot's Discord Widget](https://widgetbot.io/) | [Patreon](https://www.patreon.com/widgetbot/overview) + + diff --git a/mkdocs.yml b/mkdocs.yml index f247c1f..9ed94b4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -87,6 +87,7 @@ nav: # - phpIPAM: recipes/kubernetes/phpipam.md # - PrivateBin: recipes/kubernetes/privatebin.md - Menu: + - Bitwarden: recipes/bitwarden.md - Bookstack: recipes/bookstack.md - CryptoMiner: - Start: recipes/cryptominer.md @@ -169,8 +170,8 @@ google_analytics: - 'UA-139253-18' - 'auto' -extra_javascript: -# - 'extras/javascript/piwik.js' +#extra_javascript: +# - 'extras/javascript/discord.js' # Extensions markdown_extensions: diff --git a/overrides/main.html b/overrides/main.html index d2612f8..bd9f7ec 100644 --- a/overrides/main.html +++ b/overrides/main.html @@ -16,3 +16,17 @@ {% endblock %} + + +{% block scripts %} + +{% endblock %} \ No newline at end of file
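Review bot: in recipes/bitwarden.md the launch command under "Launch Bitwarden stack" is truncated: `docker stack deploy bitwarden -c ` names no compose file, so a reader pasting it gets a usage error; it needs the path of the file the "Setup Docker Swarm" section has them write. The same section references `env_file: /var/data/config/bitwarden/bitwarden.env`, but "Setup data locations" only creates `/var/data/bitwarden`; the env file is never created and its contents are never described, so the stack will not deploy as written. That env section is also where registration should be addressed: the compose labels publish the vault on a public Traefik host (`traefik.web.frontend.rule=Host:bitwarden.example.com`) and the Serving section has the reader create the first account through the web vault, so the recipe should tell them how to lock down sign-ups once their own account exists (bitwarden_rs, which is what the mprasil image ships, controls this through the `SIGNUPS_ALLOWED` environment variable); otherwise anyone who can resolve the hostname can register a vault on the instance. Chef's Note 1 says SQLite lives in the container's `/data`, bind-mounted from `/var/data/bitwarden`, which makes that one directory the entire vault and worth a sentence about backing it up. Smaller points: "click the Create Account button without filling in your email address or master password" contradicts the preceding "create a new user account and master password"; the keepalived link `(ha-docker-swarm/keepalived/)` lacks the leading slash every other internal link uses; and the intro has typos ("passsword", "exponetially", "HaveYouBeenPowned" for Have I Been Pwned, "Enter Bitwarden..").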
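Review bot: the keycloak.md hunk deletes Chef's Note 1, the documented limitation that the container's entrypoint errors when more than one network is attached, without saying whether that limitation was fixed upstream or is simply no longer considered worth recording; if it still applies, keep the note, and if it was resolved, the "Recent improvements" section of the CHANGELOG touched in this same commit is the place to say so. The sponsor wording change to "the original KeyCloak recipe" is fine, but after the deletion the "## Chef's Notes" heading has no numbered notes under it, only the donate and comments subsections, so check whether the heading still earns its place.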
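Review bot: the WidgetBot row added to sponsored-projects.md is followed by two blank lines that are pure trailing whitespace (the hunk grows the file by three lines for one table row); drop them. This row, the `extra_javascript` edit in mkdocs.yml and the new `{% block scripts %}` in overrides/main.html together form a site-chrome change (the Discord widget) unrelated to the Bitwarden recipe the commit otherwise adds; splitting it into its own commit keeps the recipe change reviewable on its own and keeps the CHANGELOG entry accurate about what landed.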
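Review bot: in the second mkdocs.yml hunk the `extra_javascript:` key itself is now commented out, so the replacement line `# - 'extras/javascript/discord.js'` is dead configuration and mkdocs loads nothing from it. If the widget is instead injected through the new scripts block in overrides/main.html, delete both commented lines rather than leaving a reference to a path the build never reads; if the intent was to have mkdocs load discord.js, uncomment the key and the entry. The nav addition `- Bitwarden: recipes/bitwarden.md` under Menu is correctly placed alphabetically ahead of Bookstack.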
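Review bot: the `{% block scripts %}` / `{% endblock %}` added to overrides/main.html is empty as shown (the hunk header counts 14 added lines, so the script markup was likely lost in extraction); if it embeds the WidgetBot Discord widget listed in sponsored-projects.md, bear in mind that a third-party script in the site-wide template runs with the page's full privileges on every page of the book, so where the widget offers a versioned script, pin it with a Subresource Integrity hash, and consider a Content-Security-Policy that limits script sources to the widget's host. Also restore the trailing newline; the hunk ends with "\ No newline at end of file".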