DietPi-Software | Adding Bitwarden_rs

[CactiChameleon9]

Status: Ready (I think)

• Example task 1

Reference: #3724

Commit list/description:

• This should all work correctly, and testing seems to work
• Still needs testing on a fresh install if that's required

[CactiChameleon9]

I have fixed the first 3 issues/suggested changes. The last one ( PrivateTmp=true) I don't know much about, but I think it should be left as it is the service config they give so it should all work with it.

[CactiChameleon9]

Also, should I add a config for the web vault and a reverse proxy to be installed by default or should I leave it at minimal? It is quite easy to add the web vault - so it isn't hard to do from our end or the end user's end.

[CactiChameleon9]

I just made a commit(c8d5f61) to make sure the service starts properly, but do I have to register the service with dietpi-services or something or an I doing it correctly?

[MichaIng]

To make own tests correctly and for our online docs:

• I downloaded the Windows desktop client here: https://bitwarden.com/download/
• Top left settings gear, I added http://192.168.1.22:8000 (test VMs local IP), then I created a new account.
• Seems to work, and yes it's my own server that the account is created on, as when I stop the service, the client "fails to fetch" when I want to add/change something.

---

@CactiChameleon9

I just made a commit(c8d5f61) to make sure the service starts properly, but do I have to register the service with dietpi-services or something or an I doing it correctly?

Jep, add the service name to this array: https://github.com/CactiChameleon9/DietPi/blob/patch-1/dietpi/dietpi-services#L147

Also, should I add a config for the web vault and a reverse proxy to be installed by default or should I leave it at minimal? It is quite easy to add the web vault - so it isn't hard to do from our end or the end user's end.

Probably we can add it as optional choice via dietpi.txt setting and/or whiptail question and add instructions to online docs? But actually a web UI is definitely helpful and we install optional ones in case of other software titles as well. Also I see it requires additional download and install steps, so probably we install it by default. It can be disabled easily. I'd skip a reverse proxy, also to match other software installs and as we might add a generic script/instructions to setup reverse proxies web applications that do not run on a regular webserver.

[MichaIng]

Hmm, when I want to create an account via web vault, hitting "Send" does not have any effect but produces an error in browser console:

core.js:4127 ERROR Error: Uncaught (in promise): TypeError: Cannot read property 'importKey' of null
TypeError: Cannot read property 'importKey' of null
    at e.<anonymous> (webCryptoFunction.service.ts:47)
    at main.cd3fdd91e1a63cf3ead5.js:1
    at Object.next (main.cd3fdd91e1a63cf3ead5.js:1)
    at main.cd3fdd91e1a63cf3ead5.js:1
    at new t (zone.js:913)
    at r (main.cd3fdd91e1a63cf3ead5.js:1)
    at e.pbkdf2 (main.cd3fdd91e1a63cf3ead5.js:1)
    at e.<anonymous> (crypto.service.ts:315)
    at main.cd3fdd91e1a63cf3ead5.js:1
    at Object.next (main.cd3fdd91e1a63cf3ead5.js:1)
    at w (zone.js:832)
    at zone.js:739
    at s (main.cd3fdd91e1a63cf3ead5.js:1)
    at t.invoke (zone.js:386)
    at Object.onInvoke (core.js:28144)
    at t.invoke (zone.js:385)
    at e.run (zone.js:143)
    at zone.js:891
    at t.invokeTask (zone.js:421)
    at Object.onInvokeTask (core.js:28132)

When trying to login (just to check whether as well console errors appear), it reveals another, probably related issue, as the web UI itself prints an error:

This browser requires HTTPS to use the web vault
Check the bitwarden_rs wiki for details on how to enable it

"This" browser is latest Opera dev, so all current Chromium-based browsers might be affected. Chromium Edge shows indeed exactly the same error and behaviour.

Hmm, I'm not keen to install a whole webserver as reverse proxy and creating a trusted standalone certificate is possible but not yet implemented into dietpi-letsencrypt, also those would not grant access via plain IP but only domain. Probably we could place a snakeoil certificate, just to make it running, and advise users to create a real one or setup a reverse proxy. I mean a snakeoil certificate is not worse than plain HTTP, as long as you do not feel "safe" just because of the HTTPS protocol.

---

Initial online docs: https://dietpi.com/phpbb/viewtopic.php?p=28903#p28903

[CactiChameleon9]

That error is very odd - in theory I programmed it to do the exact way I manually installed. I need to test on a blank install. I think a snake-oil cert would be best - however I am not too confident with self signing things.

[MichaIng]

Known issue: dani-garcia/vaultwarden#153
Known and intended by upstream vault: bitwarden/web#254
I'll implement a self-signed certificate generation.

[MichaIng]

Memory + disk (RAMdisk) usage is quite high during compilation:

2020-11-25 12:11:28 root@VM-Bullseye:/tmp# du -sm .rustup .cargo
671     .rustup
198     .cargo
2020-11-25 12:11:26 root@VM-Bullseye:/tmp# free -m
              total        used        free      shared  buff/cache   available
Mem:           1989         592         138        1103        1258         153
Swap:             0  

Even if we force 2 GiB memory via auto-sized swap file (when it's smaller) and temporarily increase /tmp to 2 GiB, it's very close 🤔.

---

Too close, 2 GiB was not sufficient, build of a specific module with high RAM demand failed. I needed to add another GiB to swap space, then it went through.

On a 4 core/thread machine, cargo utilises 4 rustc processes to compile concurrently, each using ~200 - 500 MiB memory, the last, bitwarden_rs itself, requires 700 MiB peak. While this sounds reasonable at first, actually a single rustc process can utilise all 4 cores/threads, i.e. 400% CPU usage. So running multiple processes concurrently not only leads to a very high memory usage but in theory does not speed up things but slows down due to parallelism overhead. Probably there is a way to force only a single rustc process at a time.

---

Another issue, with a self-signed certificate, the client fails to access:

Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID

From the docs: https://bitwarden.com/help/article/install-on-premise/

• If you are only testing and do not have an SSL certificate, a self-signed certificate can be generated for your installation. Self-signed certificates will not be trusted by Bitwarden client applications so you will need to install this certificate to the trusted store of each device you plan to use Bitwarden with.

• If you choose not to configure Bitwarden with a SSL certificate you must front your installation with a proxy that serves the Bitwarden installation over SSL. HTTPS is required to use Bitwarden. If you try to use Bitwarden without the HTTPS protocol you will get errors.

Hmm here it says, importing the certificate to trusted storage is enough: https://bitwarden.com/help/article/hosting-faqs/#trust-a-private-ca-issued-or-self-signed-certificate-for-bitwarden-client

---

Okay importing works, at least we're one step further:

Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID

So dummy entries are required.
... not even CN, actually SAN is required and needs to match:

openssl req -x509 -sha256 -newkey rsa:4096 -days 7200 -reqexts SAN -extensions SAN -nodes -keyout privkey.pem -out cert.pem -subj '/CN=DietPi Bitwarden_RS' -config <(cat /etc/ssl/openssl.cnf <(echo -ne "[SAN]\nsubjectAltName=DNS:$(</etc/hostname),IP:$(mawk 'NR==4' /run/dietpi/.network)"))

Only works for local network access via IP or the servers internal hostname, or, if the public FQDN matches the /etc/hostname entry, which is generally reasonable.

And of course the certificate needs to be imported into trusted CA space. Probably we need to give an introduction about how to do that on Windows 10 and Linux? Has become even more complicated since it cannot be installed directly from the browser but needs to be copied to file first, then file opened and installed from there...
For removal: certmgr.msc

[MichaIng]

I'll liberate dietpi-letsencrypt in a separate PR to allow retrieving a certificate without having a webserver installed. The code is already there when Minio S3 file server is installed. It makes sense to simply always create a standalone certificate, and, if one or more TLS-capable service is installed, configure those to get a copy of that certificate.

We could automatically apply a Certbot certificate, when found on the system /etc/letsencrypt/live/... but that needs to be thought through as well since this means that the service can only be accessed via the public FQDN (fully qualified domain name), not via local IP or similar, as the certificate is not trusted then. So for local network access, a self-signed certificate can even be seen as a benefit, to allow local network access via local hostnames or IPs while for external access port 443 -> 3000 proxy has the benefit that only ports 80/443 need to be opened to the web. Bitwarden_RS could still run via HTTPS so even local network-internal proxy connection is encrypted.

So generally as non-HTTP with Bitwarden in general doesn't work reliably (strangely works for the Windows desktop client, but not for web vault, and probably not all clients), at least the docs say it causes issues and it totally makes sense to have the connection encrypted that transports the master password for a password management server. But as the ways to set this up all have their pros and cons, trusted CA certificates require a public domain name and ports 80/443 opened, it seems to be best to automatically only setup a simple self-signed certificate based on the best information we can get (local IP and machine hostname) and add further information to our online docs about which steps are required to use that self-signed certificate with a recommendation to setup a real trusted CA signed one ASAP for remote access.

[MichaIng]

Okay, number of concurrent jobs DOES limit the utilised cores for a single job as well. Probably when allowing 4 concurrent jobs, there are some special jobs (like compiling bitwarden_rs binary itself) that can use and are then allowed to use 4 cores while allowing only 1 concurrent job limits as well the used cores/threads of jobs that could utilise more core 🤔. Final solution: If more than two logic cores are available but less than 3 GiB memory, limited jobs to two, else utilising all available cores is fine.

[CactiChameleon9]

And of course the certificate needs to be imported into trusted CA space. Probably we need to give an introduction about how to do that on Windows 10 and Linux? Has become even more complicated since it cannot be installed directly from the browser but needs to be copied to file first, then file opened and installed from there...
For removal: certmgr.msc

Can a web browser just say accept the risk and continue?

Thanks for doing the cert stuff BTW

Also good research/testing on compiling issues

[MichaIng]

Can a web browser just say accept the risk and continue?

With most browser one can do that, but not with all. But most importantly the Windows desktop Bitwarden client does not accept it without having it imported as trusted CA, and I guess in case of some mobile clients it's similar.

---

Okay, ready from my side, @CactiChameleon9 are you okay with everything?

[CactiChameleon9]

I think its all OK. I haven't actually tested it recently - but I am quite sure it works

[MichaIng]

New documentation page is ready as well: MichaIng/DietPi-Docs#253

[CactiChameleon9]

Well done

[MichaIng]

We have already three software titles running at port 8000: WebIOPi, IceCast and Koel, so we should change it to 8001.