feat: update AliasVault installation scripts and configuration; enhance resource allocation and adjust privileges

2026-05-16 23:30:29 +02:00
parent d1e59fc330
commit af880ae5d8
3 changed files with 324 additions and 76 deletions
--- a/install/aliasvault-install.sh
+++ b/install/aliasvault-install.sh
@@ -13,66 +13,281 @@ setting_up_container
 network_check
 update_os

-msg_info "Installing Docker"
-install -m 0755 -d /etc/apt/keyrings
-curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
-chmod a+r /etc/apt/keyrings/docker.asc
-echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "${VERSION_CODENAME}") stable" \
-  >/etc/apt/sources.list.d/docker.list
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  nginx \
+  python3 \
+  gettext-base \
+  inotify-tools \
+  libkrb5-3 \
+  libgssapi-krb5-2 \
+  openssl
+msg_ok "Installed Dependencies"
+
+RUST_CRATES="wasm-pack" setup_rust
+
+NODE_VERSION="20" setup_nodejs
+
+msg_info "Installing .NET SDK 10.0"
+curl -fsSL "https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb" \
+  -o /tmp/packages-microsoft-prod.deb
+$STD dpkg -i /tmp/packages-microsoft-prod.deb
+rm -f /tmp/packages-microsoft-prod.deb
 $STD apt update
-$STD apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-systemctl enable -q --now docker
-msg_ok "Installed Docker"
+$STD apt install -y dotnet-sdk-10.0
+msg_ok "Installed .NET SDK 10.0"

-RELEASE=$(get_latest_github_release "aliasvault/aliasvault")
-msg_info "Setting up AliasVault ${RELEASE}"
-mkdir -p /opt/aliasvault/{database/postgres,logs/msbuild,secrets,certificates/{ssl,smtp,letsencrypt/www}}
-curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" |
-  sed "s/:latest/:${RELEASE}/g" >/opt/aliasvault/docker-compose.yml
-curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
-  >/opt/aliasvault/docker-compose.letsencrypt.yml
-msg_ok "Set up AliasVault ${RELEASE}"
+PG_VERSION="16" setup_postgresql
+PG_DB_NAME="aliasvault" PG_DB_USER="aliasvault" setup_postgresql_db

-msg_info "Generating Secrets"
-chmod 700 /opt/aliasvault/secrets
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/jwt_key
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/data_protection_cert_pass
-printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/postgres_password
+fetch_and_deploy_gh_release "aliasvault" "aliasvault/aliasvault" "tarball"
+
+msg_info "Building Core Libraries (Patience)"
+source "$HOME/.cargo/env"
+$STD rustup target add wasm32-unknown-unknown
+cd /opt/aliasvault/core
+$STD bash build-and-distribute.sh --browser
+msg_ok "Built Core Libraries"
+
+msg_info "Copying Core Artifacts"
+mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm
+cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core_bg.wasm \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+cp /opt/aliasvault/core/rust/dist/wasm/aliasvault_core.js \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/wasm/
+mkdir -p /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/{identity-generator,password-generator,vault}
+cp -r /opt/aliasvault/core/typescript/identity-generator/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/identity-generator/
+cp -r /opt/aliasvault/core/typescript/password-generator/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/password-generator/
+cp -r /opt/aliasvault/core/vault/dist/. \
+  /opt/aliasvault/apps/server/AliasVault.Client/wwwroot/js/dist/core/vault/
+msg_ok "Copied Core Artifacts"
+
+msg_info "Building AliasVault Applications (Patience)"
+cd /opt/aliasvault/apps/server
+$STD dotnet workload install wasm-tools
+$STD dotnet restore aliasvault.sln
+$STD dotnet publish AliasVault.Api/AliasVault.Api.csproj \
+  -c Release -o /opt/aliasvault/api --no-restore
+$STD dotnet build AliasVault.Client/AliasVault.Client.csproj \
+  -c Release --no-restore
+$STD dotnet publish AliasVault.Client/AliasVault.Client.csproj \
+  -c Release -o /opt/aliasvault/client --no-restore
+$STD dotnet publish AliasVault.Admin/AliasVault.Admin.csproj \
+  -c Release -o /opt/aliasvault/admin --no-restore
+$STD dotnet publish Services/AliasVault.SmtpService/AliasVault.SmtpService.csproj \
+  -c Release -o /opt/aliasvault/smtp --no-restore
+$STD dotnet publish Services/AliasVault.TaskRunner/AliasVault.TaskRunner.csproj \
+  -c Release -o /opt/aliasvault/taskrunner --no-restore
+$STD dotnet publish Utilities/AliasVault.InstallCli/AliasVault.InstallCli.csproj \
+  -c Release -o /opt/aliasvault/installcli --no-restore
+msg_ok "Built AliasVault Applications"
+
+msg_info "Generating Secrets and Configuration"
 ADMIN_PASS=$(openssl rand -base64 12 | tr -dc 'a-zA-Z0-9' | head -c 16)
-ADMIN_HASH=$(docker run --rm ghcr.io/aliasvault/installcli:latest hash-password "$ADMIN_PASS")
-printf '%s' "${ADMIN_HASH}|$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >/opt/aliasvault/secrets/admin_password_hash
-chmod 600 /opt/aliasvault/secrets/*
-msg_ok "Generated Secrets"
-
-msg_info "Creating Configuration"
+ADMIN_HASH=$(dotnet /opt/aliasvault/installcli/AliasVault.InstallCli.dll hash-password "$ADMIN_PASS")
+ADMIN_GENERATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+JWT_KEY=$(openssl rand -base64 32)
+DATA_PROTECTION_CERT_PASS=$(openssl rand -base64 32)
+DB_CONN="Host=localhost;Port=5432;Database=aliasvault;Username=aliasvault;Password=${PG_DB_PASS};Maximum Pool Size=80;Minimum Pool Size=5"
 cat <<EOF >/opt/aliasvault/.env
-HTTP_PORT=80
-HTTPS_PORT=443
-SMTP_PORT=25
-SMTP_TLS_PORT=587
-FORCE_HTTPS_REDIRECT=true
-PRIVATE_EMAIL_DOMAINS=
-HIDDEN_PRIVATE_EMAIL_DOMAINS=
-SMTP_ADVERTISED_HOSTNAME=
-SMTP_TLS_ENABLED=false
-LETSENCRYPT_ENABLED=false
-HOSTNAME=localhost
+ConnectionStrings__AliasServerDbContext=${DB_CONN}
+JWT_KEY=${JWT_KEY}
+DATA_PROTECTION_CERT_PASS=${DATA_PROTECTION_CERT_PASS}
+ADMIN_PASSWORD_HASH=${ADMIN_HASH}
+ADMIN_PASSWORD_GENERATED=${ADMIN_GENERATED}
 PUBLIC_REGISTRATION_ENABLED=true
 IP_LOGGING_ENABLED=true
-SUPPORT_EMAIL=
+PRIVATE_EMAIL_DOMAINS=
+HIDDEN_PRIVATE_EMAIL_DOMAINS=
 MAX_UPLOAD_SIZE_MB=100
-ADMIN_IP_ALLOWLIST=
-TRUSTED_PROXIES=
-DEPLOYMENT_MODE=install
-ALIASVAULT_VERSION=${RELEASE}
+SMTP_TLS_ENABLED=false
+Logging__LogLevel__Default=Error
+Logging__LogLevel__Microsoft__Hosting__Lifetime=Error
+Logging__LogLevel__Microsoft=Error
 EOF
-msg_ok "Created Configuration"
+chmod 600 /opt/aliasvault/.env
+msg_ok "Generated Secrets and Configuration"

-msg_info "Starting Services"
-cd /opt/aliasvault
-$STD docker compose up -d
-echo "${RELEASE}" >~/.aliasvault
-msg_ok "Started Services"
+msg_info "Generating SSL Certificate"
+mkdir -p /opt/aliasvault/certificates/ssl
+openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+  -keyout /opt/aliasvault/certificates/ssl/key.pem \
+  -out /opt/aliasvault/certificates/ssl/cert.pem \
+  -subj "/C=US/ST=State/L=City/O=AliasVault/CN=${LOCAL_IP}" \
+  -addext "subjectAltName=IP:${LOCAL_IP},DNS:localhost,IP:127.0.0.1" \
+  2>/dev/null
+chmod 600 /opt/aliasvault/certificates/ssl/key.pem
+chmod 644 /opt/aliasvault/certificates/ssl/cert.pem
+msg_ok "Generated SSL Certificate"
+
+msg_info "Configuring Nginx"
+rm -f /etc/nginx/sites-enabled/default
+cat <<'NGINXEOF' >/etc/nginx/sites-available/aliasvault
+upstream aliasvault_api   { server 127.0.0.1:3001 max_fails=1 fail_timeout=5s; }
+upstream aliasvault_admin { server 127.0.0.1:3002 max_fails=1 fail_timeout=5s; }
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name _;
+
+    ssl_certificate     /opt/aliasvault/certificates/ssl/cert.pem;
+    ssl_certificate_key /opt/aliasvault/certificates/ssl/key.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+
+    client_max_body_size 100M;
+
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript
+               text/xml application/xml application/wasm;
+
+    # API
+    location /api {
+        proxy_pass http://aliasvault_api;
+        proxy_set_header Host              $http_host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_intercept_errors on;
+        error_page 502 503 504 =503 @unavailable;
+    }
+
+    # Admin (Blazor Server — needs WebSocket)
+    location /admin {
+        proxy_pass http://aliasvault_admin;
+        proxy_set_header Host                $http_host;
+        proxy_set_header X-Real-IP           $remote_addr;
+        proxy_set_header X-Forwarded-Proto   $scheme;
+        proxy_set_header X-Forwarded-For     $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Prefix  /admin/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade    $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 86400;
+        proxy_intercept_errors on;
+        error_page 502 503 504 =503 @unavailable;
+    }
+
+    # Blazor WASM client (static files)
+    root /opt/aliasvault/client/wwwroot;
+    location / {
+        gzip_static on;
+        try_files $uri $uri/ /index.html =404;
+    }
+
+    location @unavailable {
+        return 503 "Service temporarily unavailable";
+    }
+}
+NGINXEOF
+ln -sf /etc/nginx/sites-available/aliasvault /etc/nginx/sites-enabled/aliasvault
+$STD nginx -t
+systemctl enable -q --now nginx
+$STD nginx -s reload
+msg_ok "Configured Nginx"
+
+msg_info "Creating Services"
+cat <<EOF >/etc/systemd/system/aliasvault-api.service
+[Unit]
+Description=AliasVault API
+After=network.target postgresql.service
+Requires=postgresql.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/api
+EnvironmentFile=/opt/aliasvault/.env
+Environment=ASPNETCORE_URLS=http://127.0.0.1:3001
+Environment=ASPNETCORE_PATHBASE=/api
+ExecStart=/usr/bin/dotnet AliasVault.Api.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-admin.service
+[Unit]
+Description=AliasVault Admin
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/admin
+EnvironmentFile=/opt/aliasvault/.env
+Environment=ASPNETCORE_URLS=http://127.0.0.1:3002
+Environment=ASPNETCORE_PATHBASE=/admin
+ExecStart=/usr/bin/dotnet AliasVault.Admin.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-smtp.service
+[Unit]
+Description=AliasVault SMTP Service
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/smtp
+EnvironmentFile=/opt/aliasvault/.env
+ExecStart=/usr/bin/dotnet AliasVault.SmtpService.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat <<EOF >/etc/systemd/system/aliasvault-taskrunner.service
+[Unit]
+Description=AliasVault Task Runner
+After=network.target aliasvault-api.service
+Requires=aliasvault-api.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/aliasvault/taskrunner
+EnvironmentFile=/opt/aliasvault/.env
+ExecStart=/usr/bin/dotnet AliasVault.TaskRunner.dll
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable -q --now aliasvault-api aliasvault-admin aliasvault-smtp aliasvault-taskrunner
+msg_ok "Created Services"

 echo ""
 echo "================================================================"