From d1e59fc3301e7141acc00dddaf24d6a660fe7dbb Mon Sep 17 00:00:00 2001
From: MickLesk
Date: Sat, 16 May 2026 23:17:16 +0200
Subject: [PATCH] feat: add AliasVault container and installation scripts; update Colanode setup instructions
---
ct/aliasvault.sh | 71 ++++++++++++++++++++++++++++
ct/colanode.sh | 6 ++-
install/aliasvault-install.sh | 88 +++++++++++++++++++++++++++++++++++
install/colanode-install.sh | 11 +++++
json/aliasvault.json | 48 +++++++++++++++++++
json/colanode.json | 6 ++-
6 files changed, 227 insertions(+), 3 deletions(-)
create mode 100644 ct/aliasvault.sh
create mode 100644 install/aliasvault-install.sh
create mode 100644 json/aliasvault.json
diff --git a/ct/aliasvault.sh b/ct/aliasvault.sh
new file mode 100644
index 00000000..2f716b27
--- /dev/null
+++ b/ct/aliasvault.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: ProxmoxVED Community
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://aliasvault.net
+
+APP="AliasVault"
+var_tags="${var_tags:-security;passwords;privacy}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-16}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-12}"
+var_unprivileged="${var_unprivileged:-0}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+ header_info
+ check_container_storage
+ check_container_resources
+
+ if [[ ! -d /opt/aliasvault ]]; then
+ msg_error "No ${APP} Installation Found!"
+ exit
+ fi
+
+ if check_for_gh_release "aliasvault" "aliasvault/aliasvault"; then
+ RELEASE=$(get_latest_github_release "aliasvault/aliasvault")
+
+ msg_info "Stopping Services"
+ cd /opt/aliasvault
+ $STD docker compose down
+ msg_ok "Stopped Services"
+
+ msg_info "Updating Compose Configuration"
+ curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" |
+ sed "s/:latest/:${RELEASE}/g" >/opt/aliasvault/docker-compose.yml
+ curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
+ >/opt/aliasvault/docker-compose.letsencrypt.yml
+ msg_ok "Updated Compose Configuration"
+
+ msg_info "Pulling Updated Images"
+ $STD docker compose -f /opt/aliasvault/docker-compose.yml pull
+ msg_ok "Pulled Updated Images"
+
+ msg_info "Starting Services"
+ $STD docker compose -f /opt/aliasvault/docker-compose.yml up -d --force-recreate
+ msg_ok "Started Services"
+
+ echo "${RELEASE}" >~/.aliasvault
+ sed -i "s/^ALIASVAULT_VERSION=.*/ALIASVAULT_VERSION=${RELEASE}/" /opt/aliasvault/.env
+ msg_ok "Updated successfully to ${RELEASE}!"
+ fi
+ exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}${CL}"
+echo -e "${INFO}${YW} Admin Panel:${CL} ${TAB}${GATEWAY}${BGN}https://${IP}/admin${CL}"
+echo -e "${INFO}${YW} Admin credentials were shown in the installation output above.${CL}"
diff --git a/ct/colanode.sh b/ct/colanode.sh
index 73208a6a..41f0f7bd 100644
--- a/ct/colanode.sh
+++ b/ct/colanode.sh
@@ -75,6 +75,8 @@ description
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
 echo -e "${INFO}${YW} Access it using the following URLs:${CL}"
-echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:4000${CL} (Web UI - accept self-signed cert)"
-echo -e "${INFO}${YW} When adding a server in the app, use:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:4000${CL} (Web UI)"
+echo -e "${INFO}${YW} Before using: import the self-signed cert into your browser:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:4000/colanode.crt${CL}"
+echo -e "${INFO}${YW} Server URL to use inside the app:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}https://${IP}:4000/config${CL}"
diff --git a/install/aliasvault-install.sh b/install/aliasvault-install.sh
new file mode 100644
index 00000000..81470f10
--- /dev/null
+++ b/install/aliasvault-install.sh
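Review bot: In `update_script` (ct/aliasvault.sh) the stack is stopped with `docker compose down` before the new compose files are fetched, and the download is piped straight over `/opt/aliasvault/docker-compose.yml`. If the fetch fails or `RELEASE` comes back empty, the live file is left truncated while the services are already down; whether the failing `curl | sed` pipeline is even detected depends on `pipefail` being enabled by `catch_errors`, which is not visible in this diff. Staging both downloads in a temporary directory before stopping anything, and moving them into place only after they succeeded, keeps a failed update from taking the vault offline. install/aliasvault-install.sh writes the compose files the same way, where it matters less because nothing is running yet.

```shell
    # … unchanged: check_for_gh_release guard and RELEASE lookup …
    # Stage the new files first so a failed download leaves the running stack untouched.
    staging=$(mktemp -d)
    curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" \
      -o "${staging}/docker-compose.yml"
    curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
      -o "${staging}/docker-compose.letsencrypt.yml"
    sed -i "s/:latest/:${RELEASE}/g" "${staging}/docker-compose.yml"

    # … unchanged: stop services …

    msg_info "Updating Compose Configuration"
    mv "${staging}/docker-compose.yml" "${staging}/docker-compose.letsencrypt.yml" /opt/aliasvault/
    rmdir "${staging}"
    msg_ok "Updated Compose Configuration"
    # … unchanged: pull, start, version bookkeeping …
```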
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: ProxmoxVED Community
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://aliasvault.net
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Docker"
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "${VERSION_CODENAME}") stable" \
+ >/etc/apt/sources.list.d/docker.list
+$STD apt update
+$STD apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
+systemctl enable -q --now docker
+msg_ok "Installed Docker"
+
+RELEASE=$(get_latest_github_release "aliasvault/aliasvault")
+msg_info "Setting up AliasVault ${RELEASE}"
+mkdir -p /opt/aliasvault/{database/postgres,logs/msbuild,secrets,certificates/{ssl,smtp,letsencrypt/www}}
+curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.yml" |
+ sed "s/:latest/:${RELEASE}/g" >/opt/aliasvault/docker-compose.yml
+curl -fsSL "https://raw.githubusercontent.com/aliasvault/aliasvault/${RELEASE}/docker-compose.letsencrypt.yml" \
+ >/opt/aliasvault/docker-compose.letsencrypt.yml
+msg_ok "Set up AliasVault ${RELEASE}"
+
+msg_info "Generating Secrets"
+chmod 700 /opt/aliasvault/secrets
+printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/jwt_key
+printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/data_protection_cert_pass
+printf '%s' "$(openssl rand -base64 32)" >/opt/aliasvault/secrets/postgres_password
+ADMIN_PASS=$(openssl rand -base64 12 | tr -dc 'a-zA-Z0-9' | head -c 16)
+ADMIN_HASH=$(docker run --rm ghcr.io/aliasvault/installcli:latest 
hash-password "$ADMIN_PASS") +printf '%s' "${ADMIN_HASH}|$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >/opt/aliasvault/secrets/admin_password_hash +chmod 600 /opt/aliasvault/secrets/* +msg_ok "Generated Secrets" + +msg_info "Creating Configuration" +cat </opt/aliasvault/.env +HTTP_PORT=80 +HTTPS_PORT=443 +SMTP_PORT=25 +SMTP_TLS_PORT=587 +FORCE_HTTPS_REDIRECT=true +PRIVATE_EMAIL_DOMAINS= +HIDDEN_PRIVATE_EMAIL_DOMAINS= +SMTP_ADVERTISED_HOSTNAME= +SMTP_TLS_ENABLED=false +LETSENCRYPT_ENABLED=false +HOSTNAME=localhost +PUBLIC_REGISTRATION_ENABLED=true +IP_LOGGING_ENABLED=true +SUPPORT_EMAIL= +MAX_UPLOAD_SIZE_MB=100 +ADMIN_IP_ALLOWLIST= +TRUSTED_PROXIES= +DEPLOYMENT_MODE=install +ALIASVAULT_VERSION=${RELEASE} +EOF +msg_ok "Created Configuration" + +msg_info "Starting Services" +cd /opt/aliasvault +$STD docker compose up -d +echo "${RELEASE}" >~/.aliasvault +msg_ok "Started Services" + +echo "" +echo "================================================================" +echo " AliasVault Initial Admin Credentials" +echo " Username: admin" +echo " Password: ${ADMIN_PASS}" +echo " Save these credentials — they will not be shown again!" +echo "================================================================" +echo "" + +motd_ssh +customize +cleanup_lxc diff --git a/install/colanode-install.sh b/install/colanode-install.sh index 6aa0d6f9..4246624a 100644 --- a/install/colanode-install.sh +++ b/install/colanode-install.sh @@ -52,6 +52,8 @@ msg_ok "Configured Application" msg_info "Configuring Nginx" create_self_signed_cert "colanode" +# Make cert available for browser import (required for Service Worker to work) +cp /etc/ssl/colanode/colanode.crt /var/www/colanode/colanode.crt cat </etc/nginx/sites-available/colanode server { listen 4000 ssl; 
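Review bot: The admin hash in install/aliasvault-install.sh is produced by `ghcr.io/aliasvault/installcli:latest`, the one image in this script that is not pinned, even though the compose images are rewritten to `:${RELEASE}` a few lines earlier; the image that receives the plaintext admin password should be pinned at least as tightly, e.g. `ghcr.io/aliasvault/installcli:${RELEASE}` if that tag is published (not verifiable from this diff) or a digest. The password is also passed as a command-line argument, so it is visible in the process list while the helper container runs, and it is later echoed into the installation output, which may be captured in logs outside the container. Writing it once to a root-only file (mode 600) and pointing the user at that file would avoid the echo; avoiding argv depends on whether the CLI can read the password from stdin. Separately, the generated `.env` ships `PUBLIC_REGISTRATION_ENABLED=true` with an empty `ADMIN_IP_ALLOWLIST`, which deserves a line in the closing message for anyone exposing the container beyond the LAN.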
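Review bot: Publishing `/etc/ssl/colanode/colanode.crt` under the web root (the `cp` in this hunk of install/colanode-install.sh, served by the `location = /colanode.crt` block added in the third hunk) means the certificate is fetched over the very TLS connection it is supposed to authenticate, so the download has to go through the browser warning and proves nothing about who served it. The installer should also print the certificate's SHA-256 fingerprint, e.g. `openssl x509 -in /etc/ssl/colanode/colanode.crt -noout -fingerprint -sha256`, so the user can compare it before importing. The messages in ct/colanode.sh and json/colanode.json tell users to install the file as a trusted CA; if `create_self_signed_cert` (not shown) produces a certificate with `CA:TRUE`, whoever obtains `colanode.key` could issue certificates that browser accepts for any site, so the helper should emit a leaf certificate limited by subjectAltName to the container's address. The surrounding Nginx setup starts and ends outside the hunk, so whether `/var/www/colanode` exists when the `cp` runs cannot be confirmed from here.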
@@ -62,6 +64,10 @@ server { ssl_certificate /etc/ssl/colanode/colanode.crt; ssl_certificate_key /etc/ssl/colanode/colanode.key; + # Required for SharedArrayBuffer / OPFS SQLite (WASM) + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Cross-Origin-Embedder-Policy "require-corp" always; + # Proxy API and WebSocket traffic to the Node.js server location ~ ^/(config|client)(/.*)?$ { proxy_pass http://127.0.0.1:3000; @@ -74,6 +80,11 @@ server { proxy_set_header X-Forwarded-Proto \$scheme; } + # Serve self-signed cert for browser import + location = /colanode.crt { + default_type application/x-x509-ca-cert; + } + location / { try_files \$uri \$uri/ /index.html; } diff --git a/json/aliasvault.json b/json/aliasvault.json new file mode 100644 index 00000000..d582f73b --- /dev/null +++ b/json/aliasvault.json 
@@ -0,0 +1,48 @@
+{
+ "name": "AliasVault",
+ "slug": "aliasvault",
+ "categories": [
+ 6
+ ],
+ "date_created": "2026-05-16",
+ "type": "ct",
+ "updateable": true,
+ "privileged": true,
+ "interface_port": 443,
+ "documentation": "https://docs.aliasvault.net/",
+ "website": "https://aliasvault.net/",
+ "logo": "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/aliasvault.webp",
+ "description": "AliasVault is an open-source, end-to-end encrypted password manager and email alias service. It features a zero-knowledge architecture where your master password never leaves your device, a built-in SMTP server for alias email addresses, browser extensions with autofill, and native iOS/Android apps.",
+ "install_methods": [
+ {
+ "type": "default",
+ "script": "ct/aliasvault.sh",
+ "config_path": "/opt/aliasvault/.env",
+ "resources": {
+ "cpu": 2,
+ "ram": 2048,
+ "hdd": 16,
+ "os": "Debian",
+ "version": "12"
+ }
+ }
+ ],
+ "default_credentials": {
+ "username": "admin",
+ "password": null
+ },
+ "notes": [
+ {
+ "text": "A privileged LXC container is required because AliasVault runs via Docker Compose internally.",
+ "type": "info"
+ },
+ {
+ "text": "The admin password is auto-generated during installation and displayed in the installation output. Save it immediately.",
+ "type": "warning"
+ },
+ {
+ "text": "To receive alias emails, configure your domain's MX record to point to this server and update PRIVATE_EMAIL_DOMAINS in /opt/aliasvault/.env.",
+ "type": "info"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/json/colanode.json b/json/colanode.json
index 652c2119..0bad1334 100644
--- a/json/colanode.json
+++ b/json/colanode.json
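Review bot: `"privileged": true` in json/aliasvault.json, together with `var_unprivileged="${var_unprivileged:-0}"` in ct/aliasvault.sh, makes a privileged container the default, and the first note states this is required because of Docker Compose. In a privileged LXC container root is not remapped to an unprivileged host UID, so a compromise of the exposed web or SMTP services, or of the Docker daemon, sits much closer to the Proxmox host than it would in an unprivileged one. Docker commonly runs in unprivileged containers with nesting enabled, so unless AliasVault was tested and found to fail that way, the default should be unprivileged and the note reworded, e.g. `"text": "Runs via Docker Compose; nesting must be enabled on the container."`. If the privileged requirement is real, the note should say what specifically fails without it and carry `"type": "warning"` rather than `"info"`.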
@@ -33,7 +33,11 @@ }, "notes": [ { - "text": "Web UI is available at https://YOUR_IP:4000 (self-signed certificate — accept the browser warning in the browser). When adding a server inside the app, enter https://YOUR_IP:4000/config as the server URL.", + "text": "Before using the app: download and import the self-signed certificate into your browser. Navigate to https://YOUR_IP:4000/colanode.crt and install it as a trusted CA. This is required for Service Worker and OPFS storage to work.", + "type": "warning" + }, + { + "text": "Web UI: https://YOUR_IP:4000 — Server URL when adding a server inside the app: https://YOUR_IP:4000/config", "type": "info" }, {