feat: update AliasVault installation scripts and configuration; enhance resource allocation and adjust privileges

2026-05-16 23:30:29 +02:00
parent d1e59fc330
commit af880ae5d8
3 changed files with 324 additions and 76 deletions
--- a/ct/aliasvault.sh
+++ b/ct/aliasvault.sh
@@ -7,12 +7,12 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV

 APP="AliasVault"
 var_tags="${var_tags:-security;passwords;privacy}"
-var_cpu="${var_cpu:-2}"
-var_ram="${var_ram:-2048}"
-var_disk="${var_disk:-16}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-20}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
-var_unprivileged="${var_unprivileged:-0}"
+var_unprivileged="${var_unprivileged:-1}"

 header_info "$APP"
 variables
@@ -24,7 +24,7 @@ function update_script() {
  check_container_storage
  check_container_resources

-  if [[ ! -d /opt/aliasvault ]]; then
+  if [[ ! -f /opt/aliasvault/.env ]]; then
    msg_error "No ${APP} Installation Found!"
    exit
  fi
@@ -33,27 +33,60 @@ function update_script() {
    RELEASE=$(get_latest_github_release "aliasvault/aliasvault")

    msg_info "Stopping Services"
-    cd /opt/aliasvault
-    $STD docker compose down
+    systemctl stop aliasvault-api aliasvault-admin aliasvault-smtp aliasvault-taskrunner
    msg_ok "Stopped Services"

-    msg_info "Updating Compose Configuration"
-    curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" |
-      sed "s/:latest/:${RELEASE}/g" >/opt/aliasvault/docker-compose.yml
-    curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
-      >/opt/aliasvault/docker-compose.letsencrypt.yml
-    msg_ok "Updated Compose Configuration"
+    msg_info "Backing up Configuration"
+    cp /opt/aliasvault/.env /opt/aliasvault_env.bak
+    cp -r /opt/aliasvault/certificates /opt/aliasvault_certs.bak
+    msg_ok "Backed up Configuration"

-    msg_info "Pulling Updated Images"
-    $STD docker compose -f /opt/aliasvault/docker-compose.yml pull
-    msg_ok "Pulled Updated Images"
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "aliasvault" "aliasvault/aliasvault" "tarball"
+
+    msg_info "Building Core Libraries (Patience)"
+    source "$HOME/.cargo/env"
+    $STD rustup target add wasm32-unknown-unknown
+    cd /opt/aliasvault/core
+    $STD bash build-and-distribute.sh --browser
+    msg_ok "Built Core Libraries"
+
+    msg_info "Copying Core Artifacts"
+    mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm
+    cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core_bg.wasm \
+      /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+    cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core.js \
+      /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+    mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/{identity-generator,password-generator,vault}
+    cp -r /opt/aliasvault/core/typescript/identity-generator/dist/. \
+      /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/identity-generator/
+    cp -r /opt/aliasvault/core/typescript/password-generator/dist/. \
+      /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/password-generator/
+    cp -r /opt/aliasvault/core/vault/dist/. \
+      /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/vault/
+    msg_ok "Copied Core Artifacts"
+
+    msg_info "Building AliasVault Applications (Patience)"
+    cd /opt/aliasvault/apps/server
+    $STD dotnet workload install wasm-tools
+    $STD dotnet restore aliasvault.sln
+    $STD dotnet publish AliasVault.Api/AliasVault.Api.csproj -c Release -o /opt/aliasvault/api --no-restore
+    $STD dotnet build AliasVault.Client/AliasVault.Client.csproj -c Release --no-restore
+    $STD dotnet publish AliasVault.Client/AliasVault.Client.csproj -c Release -o /opt/aliasvault/client --no-restore
+    $STD dotnet publish AliasVault.Admin/AliasVault.Admin.csproj -c Release -o /opt/aliasvault/admin --no-restore
+    $STD dotnet publish Services/AliasVault.SmtpService/AliasVault.SmtpService.csproj -c Release -o /opt/aliasvault/smtp --no-restore
+    $STD dotnet publish Services/AliasVault.TaskRunner/AliasVault.TaskRunner.csproj -c Release -o /opt/aliasvault/taskrunner --no-restore
+    msg_ok "Built AliasVault Applications"
+
+    msg_info "Restoring Configuration"
+    cp /opt/aliasvault_env.bak /opt/aliasvault/.env
+    cp -r /opt/aliasvault_certs.bak/. /opt/aliasvault/certificates/
+    rm -f /opt/aliasvault_env.bak
+    rm -rf /opt/aliasvault_certs.bak
+    msg_ok "Restored Configuration"

    msg_info "Starting Services"
-    $STD docker compose -f /opt/aliasvault/docker-compose.yml up -d --force-recreate
+    systemctl start aliasvault-api aliasvault-admin aliasvault-smtp aliasvault-taskrunner
    msg_ok "Started Services"
-
-    echo "${RELEASE}" >~/.aliasvault
-    sed -i "s/^ALIASVAULT_VERSION=.*/ALIASVAULT_VERSION=${RELEASE}/" /opt/aliasvault/.env
    msg_ok "Updated successfully to ${RELEASE}!"
  fi
  exit
--- a/install/aliasvault-install.sh
+++ b/install/aliasvault-install.sh
@@ -13,66 +13,281 @@ setting_up_container
 network_check
 update_os

-msg_info "Installing Docker"
-install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-chmod a+r /etc/apt/keyrings/docker.asc
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "${VERSION_CODENAME}") stable" \
-  >/etc/apt/sources.list.d/docker.list
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  nginx \
+  python3 \
+  gettext-base \
+  inotify-tools \
+  libkrb5-3 \
+  libgssapi-krb5-2 \
+  openssl
+msg_ok "Installed Dependencies"
+
+RUST_CRATES="wasm-pack" setup_rust
+
+NODE_VERSION="20" setup_nodejs
+
+msg_info "Installing .NET SDK 10.0"
+curl -fsSL "https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb" \
+  -o /tmp/packages-microsoft-prod.deb
+$STD dpkg -i /tmp/packages-microsoft-prod.deb
+rm -f /tmp/packages-microsoft-prod.deb
 $STD apt update
-$STD apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-systemctl enable -q --now docker
-msg_ok "Installed Docker"
+$STD apt install -y dotnet-sdk-10.0
+msg_ok "Installed .NET SDK 10.0"

-RELEASE=$(get_latest_github_release "aliasvault/aliasvault")
-msg_info "Setting up AliasVault ${RELEASE}"
-mkdir -p /opt/aliasvault/{database/postgres,logs/msbuild,secrets,certificates/{ssl,smtp,letsencrypt/www}}
-curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" |
-  sed "s/:latest/:${RELEASE}/g" >/opt/aliasvault/docker-compose.yml
-curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
-  >/opt/aliasvault/docker-compose.letsencrypt.yml
-msg_ok "Set up AliasVault ${RELEASE}"
+PG_VERSION="16" setup_postgresql
+PG_DB_NAME="aliasvault" PG_DB_USER="aliasvault" setup_postgresql_db

-msg_info "Generating Secrets"
-chmod 700 /opt/aliasvault/secrets
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/jwt_key
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/data_protection_cert_pass
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/postgres_password
+fetch_and_deploy_gh_release "aliasvault" "aliasvault/aliasvault" "tarball"
+
+msg_info "Building Core Libraries (Patience)"
+source "$HOME/.cargo/env"
+$STD rustup target add wasm32-unknown-unknown
+cd /opt/aliasvault/core
+$STD bash build-and-distribute.sh --browser
+msg_ok "Built Core Libraries"
+
+msg_info "Copying Core Artifacts"
+mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm
+cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core_bg.wasm \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core.js \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/{identity-generator,password-generator,vault}
+cp -r /opt/aliasvault/core/typescript/identity-generator/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/identity-generator/
+cp -r /opt/aliasvault/core/typescript/password-generator/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/password-generator/
+cp -r /opt/aliasvault/core/vault/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/vault/
+msg_ok "Copied Core Artifacts"
+
+msg_info "Building AliasVault Applications (Patience)"
+cd /opt/aliasvault/apps/server
+$STD dotnet workload install wasm-tools
+$STD dotnet restore aliasvault.sln
+$STD dotnet publish AliasVault.Api/AliasVault.Api.csproj \
+  -c Release -o /opt/aliasvault/api --no-restore
+$STD dotnet build AliasVault.Client/AliasVault.Client.csproj \
+  -c Release --no-restore
+$STD dotnet publish AliasVault.Client/AliasVault.Client.csproj \
+  -c Release -o /opt/aliasvault/client --no-restore
+$STD dotnet publish AliasVault.Admin/AliasVault.Admin.csproj \
+  -c Release -o /opt/aliasvault/admin --no-restore
+$STD dotnet publish Services/AliasVault.SmtpService/AliasVault.SmtpService.csproj \
+  -c Release -o /opt/aliasvault/smtp --no-restore
+$STD dotnet publish Services/AliasVault.TaskRunner/AliasVault.TaskRunner.csproj \
+  -c Release -o /opt/aliasvault/taskrunner --no-restore
+$STD dotnet publish Utilities/AliasVault.InstallCli/AliasVault.InstallCli.csproj \
+  -c Release -o /opt/aliasvault/installcli --no-restore
+msg_ok "Built AliasVault Applications"
+
+msg_info "Generating Secrets and Configuration"
 ADMIN_PASS=$(openssl rand -base64 12 | tr -dc 'a-zA-Z0-9' | head -c 16)
-ADMIN_HASH=$(docker run --rm ghcr.io/aliasvault/installcli:latest hash-password "$ADMIN_PASS")
-printf '%s' "${ADMIN_HASH}|$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >/opt/aliasvault/secrets/admin_password_hash
-chmod 600 /opt/aliasvault/secrets/*
-msg_ok "Generated Secrets"
-
-msg_info "Creating Configuration"
+ADMIN_HASH=$(dotnet /opt/aliasvault/installcli/AliasVault.InstallCli.dll hash-password "$ADMIN_PASS")
+ADMIN_GENERATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+JWT_KEY=$(openssl rand -base64 32)
+DATA_PROTECTION_CERT_PASS=$(openssl rand -base64 32)
+DB_CONN="Host=localhost;Port=5432;Database=aliasvault;Username=aliasvault;Password=${PG_DB_PASS};Maximum Pool Size=80;Minimum Pool Size=5"
 cat <<EOF >/opt/aliasvault/.env
-HTTP_PORT=80
-HTTPS_PORT=443
-SMTP_PORT=25
-SMTP_TLS_PORT=587
-FORCE_HTTPS_REDIRECT=true
-PRIVATE_EMAIL_DOMAINS=
-HIDDEN_PRIVATE_EMAIL_DOMAINS=
-SMTP_ADVERTISED_HOSTNAME=
-SMTP_TLS_ENABLED=false
-LETSENCRYPT_ENABLED=false
-HOSTNAME=localhost
+ConnectionStrings__AliasServerDbContext=${DB_CONN}
+JWT_KEY=${JWT_KEY}
+DATA_PROTECTION_CERT_PASS=${DATA_PROTECTION_CERT_PASS}
+ADMIN_PASSWORD_HASH=${ADMIN_HASH}
+ADMIN_PASSWORD_GENERATED=${ADMIN_GENERATED}
 PUBLIC_REGISTRATION_ENABLED=true
 IP_LOGGING_ENABLED=true
-SUPPORT_EMAIL=
+PRIVATE_EMAIL_DOMAINS=
+HIDDEN_PRIVATE_EMAIL_DOMAINS=
 MAX_UPLOAD_SIZE_MB=100
-ADMIN_IP_ALLOWLIST=
-TRUSTED_PROXIES=
-DEPLOYMENT_MODE=install
-ALIASVAULT_VERSION=${RELEASE}
+SMTP_TLS_ENABLED=false
+Logging__LogLevel__Default=Error
+Logging__LogLevel__Microsoft__Hosting__Lifetime=Error
+Logging__LogLevel__Microsoft=Error
 EOF
-msg_ok "Created Configuration"
+chmod 600 /opt/aliasvault/.env
+msg_ok "Generated Secrets and Configuration"

-msg_info "Starting Services"
-cd /opt/aliasvault
-$STD docker compose up -d
-echo "${RELEASE}" >~/.aliasvault
-msg_ok "Started Services"
+msg_info "Generating SSL Certificate"
+mkdir -p /opt/aliasvault/certificates/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+  -keyout /opt/aliasvault/certificates/ssl/key.pem \
+  -out /opt/aliasvault/certificates/ssl/cert.pem \
+  -subj "/C=US/ST=State/L=City/O=AliasVault/CN=${LOCAL_IP}" \
+  -addext "subjectAltName=IP:${LOCAL_IP},DNS:localhost,IP:127.0.0.1" \
+  2>/dev/null
+chmod 600 /opt/aliasvault/certificates/ssl/key.pem
+chmod 644 /opt/aliasvault/certificates/ssl/cert.pem
+msg_ok "Generated SSL Certificate"
+
+msg_info "Configuring Nginx"
+rm -f /etc/nginx/sites-enabled/default
+cat <<'NGINXEOF' >/etc/nginx/sites-available/aliasvault
+upstream aliasvault_api   { server 127.0.0.1:3001 max_fails=1 fail_timeout=5s; }
+upstream aliasvault_admin { server 127.0.0.1:3002 max_fails=1 fail_timeout=5s; }
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name _;
+
+    ssl_certificate     /opt/aliasvault/certificates/ssl/cert.pem;
+    ssl_certificate_key /opt/aliasvault/certificates/ssl/key.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+
+    client_max_body_size 100M;
+
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript
+               text/xml application/xml application/wasm;
+
+    # API
+    location /api {
+        proxy_pass http://aliasvault_api;
+        proxy_set_header Host              $http_host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_intercept_errors on;
+        error_page 502 503 504 =503 @unavailable;
+    }
+
+    # Admin (Blazor Server — needs WebSocket)
+    location /admin {
+        proxy_pass http://aliasvault_admin;
+        proxy_set_header Host                $http_host;
+        proxy_set_header X-Real-IP           $remote_addr;
+        proxy_set_header X-Forwarded-Proto   $scheme;
+        proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Prefix  /admin/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+        proxy_intercept_errors on;
+        error_page 502 503 504 =503 @unavailable;
+    }
+
+    # Blazor WASM client (static files)
+    root /opt/aliasvault/client/wwwroot;
+    location / {
+        gzip_static on;
+        try_files $uri $uri/ /index.html =404;
+    }
+
+    location @unavailable {
+        return 503 "Service temporarily unavailable";
+    }
+}
+NGINXEOF
+ln -sf /etc/nginx/sites-available/aliasvault /etc/nginx/sites-enabled/aliasvault
+$STD nginx -t
+systemctl enable -q --now nginx
+$STD nginx -s reload
+msg_ok "Configured Nginx"
+
+msg_info "Creating Services"
+cat <<EOF >/etc/systemd/system/aliasvault-api.service
+[Unit]
+Description=AliasVault API
+After=network.target postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/api
+EnvironmentFile=/opt/aliasvault/.env
+Environment=ASPNETCORE_URLS=http://127.0.0.1:3001
+Environment=ASPNETCORE_PATHBASE=/api
+ExecStart=/usr/bin/dotnet AliasVault.Api.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-admin.service
+[Unit]
+Description=AliasVault Admin
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/admin
+EnvironmentFile=/opt/aliasvault/.env
+Environment=ASPNETCORE_URLS=http://127.0.0.1:3002
+Environment=ASPNETCORE_PATHBASE=/admin
+ExecStart=/usr/bin/dotnet AliasVault.Admin.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-smtp.service
+[Unit]
+Description=AliasVault SMTP Service
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/smtp
+EnvironmentFile=/opt/aliasvault/.env
+ExecStart=/usr/bin/dotnet AliasVault.SmtpService.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-taskrunner.service
+[Unit]
+Description=AliasVault Task Runner
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/taskrunner
+EnvironmentFile=/opt/aliasvault/.env
+ExecStart=/usr/bin/dotnet AliasVault.TaskRunner.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable -q --now aliasvault-api aliasvault-admin aliasvault-smtp aliasvault-taskrunner
+msg_ok "Created Services"

 echo ""
 echo "================================================================"
--- a/json/aliasvault.json
+++ b/json/aliasvault.json
@@ -7,7 +7,7 @@
    "date_created": "2026-05-16",
    "type": "ct",
    "updateable": true,
-    "privileged": true,
+    "privileged": false,
    "interface_port": 443,
    "documentation": "https://docs.aliasvault.net/",
    "website": "https://aliasvault.net/",
@@ -19,9 +19,9 @@
            "script": "ct/aliasvault.sh",
            "config_path": "/opt/aliasvault/.env",
            "resources": {
-                "cpu": 2,
-                "ram": 2048,
-                "hdd": 16,
+                "cpu": 4,
+                "ram": 4096,
+                "hdd": 20,
                "os": "Debian",
                "version": "12"
            }
@@ -33,8 +33,8 @@
    },
    "notes": [
        {
-            "text": "A privileged LXC container is required because AliasVault runs via Docker Compose internally.",
-            "type": "info"
+            "text": "The initial installation builds AliasVault from source and takes 15–30 minutes. Do not interrupt the process.",
+            "type": "warning"
        },
        {
            "text": "The admin password is auto-generated during installation and displayed in the installation output. Save it immediately.",