CommunEu
/
Passbolt
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Passbolt/README.md

178 lines
9.8 KiB
Markdown
Raw Blame History

```
____ __ ____ .-.
/ __ \____ _____ ____/ /_ ____ / / /_ .--./ / _.---.,
/ /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ '-, (__..-` \
/ ____/ /_/ (__ |__ ) /_/ / /_/ / / /_ \ |
/_/ \__,_/____/____/_,___/\____/_/\__/ `,.__. ^___.-/
`-./ .'...--`
The open source password manager for teams `'
(c) 2021 Passbolt SA
https://www.passbolt.com
```
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/0de4eaf7426944769a70a2d727a9012b)](https://www.codacy.com/app/passbolt/passbolt_docker?utm_source=github.com&utm_medium=referral&utm_content=passbolt/passbolt_docker&utm_campaign=Badge_Grade)
[![Docker Pulls](https://img.shields.io/docker/pulls/passbolt/passbolt.svg?style=flat-square)](https://hub.docker.com/r/passbolt/passbolt/tags/)
[![GitHub release](https://img.shields.io/github/release/passbolt/passbolt_docker.svg?style=flat-square)](https://github.com/passbolt/passbolt_docker/releases)
[![license](https://img.shields.io/github/license/passbolt/passbolt_docker.svg?style=flat-square)](https://github.com/passbolt/passbolt_docker/LICENSE)
[![Twitter Follow](https://img.shields.io/twitter/follow/passbolt.svg?style=social&label=Follow)](https://twitter.com/passbolt)
# What is passbolt?
Passbolt is a free and open source password manager that allows team members to
store and share credentials securely.
# Requirements
* rng-tools or haveged might be required on host machine to speed up entropy generation on containers.
This way gpg key creation on passbolt container will be faster.
* mariadb/mysql >= 5.0
# Usage
### docker-compose
Usage:
```
$ docker-compose up
```
Users are encouraged to use [official docker image from the docker hub](https://hub.docker.com/r/passbolt/passbolt/).
## Start passbolt instance
Passbolt requires mysql to be running. The following example use mysql official
docker image with the default passbolt credentials.
```bash
$ docker run -e MYSQL_ROOT_PASSWORD=<root_password> \
-e MYSQL_DATABASE=<mariadb_database> \
-e MYSQL_USER=<mariadb_user> \
-e MYSQL_PASSWORD=<mariadb_password> \
mariadb
```
Then you can start passbolt just by providing the database container ip in the
`DATASOURCES_DEFAULT_HOST` environment variable.
```bash
$ docker run --name passbolt \
-p 80:80 \
-p 443:443 \
-e DATASOURCES_DEFAULT_HOST=<mariadb_container_host> \
-e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
-e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
-e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
-e APP_FULL_BASE_URL=https://mydomain.com \
passbolt/passbolt:develop-debian
```
Once the container is running create your first admin user:
```bash
$ docker exec passbolt su -m -c "bin/cake passbolt register_user -u your@email.com -f yourname -l surname -r admin" -s /bin/sh www-data
```
This registration command will return a single use url required to continue the
web browser setup and finish the registration. Your passbolt instance should be
available browsing `https://yourdomain.com`
# Configure passbolt
## Environment variables reference
Passbolt docker image provides several environment variables to configure different aspects:
| Variable name | Description | Default value
| ----------------------------------- | -------------------------------- | -------------------
| APP_BASE | it allows people to specify the base subdir the application is running in | null
| APP_FULL_BASE_URL | Passbolt base url | false
| DATASOURCES_DEFAULT_HOST | Database hostname | localhost
| DATASOURCES_DEFAULT_PORT | Database port | 3306
| DATASOURCES_DEFAULT_USERNAME | Database username | ''
| DATASOURCES_DEFAULT_PASSWORD | Database password | ''
| DATASOURCES_DEFAULT_DATABASE | Database name | ''
| DATASOURCES_DEFAULT_SSL_KEY | Database SSL Key | ''
| DATASOURCES_DEFAULT_SSL_CERT | Database SSL Cert | ''
| DATASOURCES_DEFAULT_SSL_CA | Database SSL CA | ''
| EMAIL_TRANSPORT_DEFAULT_CLASS_NAME | Email classname | Smtp
| EMAIL_DEFAULT_FROM | From email address | you@localhost
| EMAIL_DEFAULT_TRANSPORT | Sets transport method | default
| EMAIL_TRANSPORT_DEFAULT_HOST | Server hostname | localhost
| EMAIL_TRANSPORT_DEFAULT_PORT | Server port | 25
| EMAIL_TRANSPORT_DEFAULT_TIMEOUT | Timeout | 30
| EMAIL_TRANSPORT_DEFAULT_USERNAME | Username for email server auth | null
| EMAIL_TRANSPORT_DEFAULT_PASSWORD | Password for email server auth | null
| EMAIL_TRANSPORT_DEFAULT_CLIENT | Client | null
| EMAIL_TRANSPORT_DEFAULT_TLS | Set tls | null
| EMAIL_TRANSPORT_DEFAULT_URL | Set url | null
| GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg
| PASSBOLT_KEY_LENGTH | Gpg desired key length | 2048
| PASSBOLT_SUBKEY_LENGTH | Gpg desired subkey length | 2048
| PASSBOLT_KEY_NAME | Key owner name | Passbolt default user
| PASSBOLT_KEY_EMAIL | Key owner email address | passbolt@yourdomain.com
| PASSBOLT_KEY_EXPIRATION | Key expiration date | 0, never expires
| PASSBOLT_GPG_SERVER_KEY_FINGERPRINT | GnuPG fingerprint | null
| PASSBOLT_GPG_SERVER_KEY_PUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc
| PASSBOLT_GPG_SERVER_KEY_PRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkey_private.asc
| PASSBOLT_PLUGINS_EXPORT_ENABLED | Enable export plugin | true
| PASSBOLT_PLUGINS_IMPORT_ENABLED | Enable import plugin | true
| PASSBOLT_REGISTRATION_PUBLIC | Defines if users can register | false
| PASSBOLT_SSL_FORCE | Redirects http to https | true
| PASSBOLT_SECURITY_SET_HEADERS | Send CSP Headers | true
| SECURITY_SALT | CakePHP security salt | __SALT__
For more env variables supported please check [default.php](https://github.com/passbolt/passbolt_api/blob/master/config/default.php)
and [app.default.php](https://github.com/passbolt/passbolt_api/blob/master/config/app.default.php)
### Configuration files
What if you already have a set of gpg keys and custom configuration files for passbolt?
It it possible to mount the desired configuration files as volumes.
* /etc/passbolt/app.php
* /etc/passbolt/passbolt.php
* /etc/passbolt/gpg/serverkey.asc
* /etc/passbolt/gpg/serverkey_private.asc
* /usr/share/php/passbolt/webroot/img/public/images
### SSL certificate files
It is also possible to mount a ssl certificate on the following paths:
* /etc/ssl/certs/certificate.crt
* /etc/ssl/certs/certificate.key
### Database SSL certificate files
If Database SSL certs provided, you must mount mysql/mariadb specific conf on the following paths:
* /etc/mysql/conf.d # if using mysql
* /etc/mysql/mariadb.conf.d/ #if using mariadb
Example:
```
[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
```
### CLI healthcheck
In order to run the healtcheck from the CLI on the container:
On a root docker image:
```
$ su -s /bin/bash www-data
$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck
```
Non root image:
```
$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck
```
Reference in New Issue View Git Blame Copy Permalink