``` ____ __ ____ .-. / __ \____ _____ ____/ /_ ____ / / /_ .--./ / _.---., / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ '-, (__..-` \ / ____/ /_/ (__ |__ ) /_/ / /_/ / / /_ \ | /_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/ `-./ .'...--` The open source password manager for teams `' (c) 2021 Passbolt SA https://www.passbolt.com ``` [![Codacy Badge](https://api.codacy.com/project/badge/Grade/0de4eaf7426944769a70a2d727a9012b)](https://www.codacy.com/app/passbolt/passbolt_docker?utm_source=github.com&utm_medium=referral&utm_content=passbolt/passbolt_docker&utm_campaign=Badge_Grade) [![Docker Pulls](https://img.shields.io/docker/pulls/passbolt/passbolt.svg?style=flat-square)](https://hub.docker.com/r/passbolt/passbolt/tags/) [![GitHub release](https://img.shields.io/github/release/passbolt/passbolt_docker.svg?style=flat-square)](https://github.com/passbolt/passbolt_docker/releases) [![license](https://img.shields.io/github/license/passbolt/passbolt_docker.svg?style=flat-square)](https://github.com/passbolt/passbolt_docker/LICENSE) [![Twitter Follow](https://img.shields.io/twitter/follow/passbolt.svg?style=social&label=Follow)](https://twitter.com/passbolt) # What is passbolt? Passbolt is a free and open source password manager that allows team members to store and share credentials securely. # Requirements * rng-tools or haveged might be required on host machine to speed up entropy generation on containers. This way gpg key creation on passbolt container will be faster. * mariadb/mysql >= 5.0 # Usage ### docker-compose Usage: ``` $ docker-compose up ``` Users are encouraged to use [official docker image from the docker hub](https://hub.docker.com/r/passbolt/passbolt/). ## Start passbolt instance Passbolt requires mysql to be running. The following example use mysql official docker image with the default passbolt credentials. ```bash $ docker run -e MYSQL_ROOT_PASSWORD= \ -e MYSQL_DATABASE= \ -e MYSQL_USER= \ -e MYSQL_PASSWORD= \ mariadb ``` Then you can start passbolt just by providing the database container ip in the `DATASOURCES_DEFAULT_HOST` environment variable. ```bash $ docker run --name passbolt \ -p 80:80 \ -p 443:443 \ -e DATASOURCES_DEFAULT_HOST= \ -e DATASOURCES_DEFAULT_PASSWORD= \ -e DATASOURCES_DEFAULT_USERNAME= \ -e DATASOURCES_DEFAULT_DATABASE= \ -e APP_FULL_BASE_URL=https://mydomain.com \ passbolt/passbolt:develop-debian ``` Once the container is running create your first admin user: ```bash $ docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data ``` This registration command will return a single use url required to continue the web browser setup and finish the registration. Your passbolt instance should be available browsing `https://yourdomain.com` # Configure passbolt ## Environment variables reference Passbolt docker image provides several environment variables to configure different aspects: | Variable name | Description | Default value | ----------------------------------- | -------------------------------- | ------------------- | APP_BASE | it allows people to specify the base subdir the application is running in | null | APP_FULL_BASE_URL | Passbolt base url | false | DATASOURCES_DEFAULT_HOST | Database hostname | localhost | DATASOURCES_DEFAULT_PORT | Database port | 3306 | DATASOURCES_DEFAULT_USERNAME | Database username | '' | DATASOURCES_DEFAULT_PASSWORD | Database password | '' | DATASOURCES_DEFAULT_DATABASE | Database name | '' | DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | '' | DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | '' | DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | '' | EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp | EMAIL_DEFAULT_FROM | From email address | you@localhost | EMAIL_DEFAULT_TRANSPORT | Sets transport method | default | EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost | EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25 | EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30 | EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null | EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null | EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null | EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null | EMAIL_TRANSPORT_DEFAULT_URL | Set url | null | GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg | PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048 | PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048 | PASSBOLT_KEY_NAME | Key owner name | Passbolt default user | PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com | PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires | PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null | PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc | PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkey_private.asc | PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true | PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true | PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false | PASSBOLT_SSL_FORCE | Redirects http to https | true | PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true | SECURITY_SALT | CakePHP security salt | __SALT__ For more env variables supported please check [default.php](https://github.com/passbolt/passbolt_api/blob/master/config/default.php) and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/config/app.default.php) ### Configuration files What if you already have a set of gpg keys and custom configuration files for passbolt? It it possible to mount the desired configuration files as volumes. * /etc/passbolt/app.php * /etc/passbolt/passbolt.php * /etc/passbolt/gpg/serverkey.asc * /etc/passbolt/gpg/serverkey_private.asc * /usr/share/php/passbolt/webroot/img/public/images ### SSL certificate files It is also possible to mount a ssl certificate on the following paths: * /etc/ssl/certs/certificate.crt * /etc/ssl/certs/certificate.key ### Database SSL certificate files If Database SSL certs provided, you must mount mysql/mariadb specific conf on the following paths: * /etc/mysql/conf.d # if using mysql * /etc/mysql/mariadb.conf.d/ #if using mariadb Example: ``` [client] ssl-ca=/etc/mysql/ssl/ca-cert.pem ssl-cert=/etc/mysql/ssl/server-cert.pem ssl-key=/etc/mysql/ssl/server-key.pem ``` ### CLI healthcheck In order to run the healtcheck from the CLI on the container: On a root docker image: ``` $ su -s /bin/bash www-data $ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" $ bin/cake passbolt healthcheck ``` Non root image: ``` $ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)" $ bin/cake passbolt healthcheck ```