diff --git a/ct/headers/onetimesecret b/ct/headers/onetimesecret
new file mode 100644
index 00000000..d692e98d
--- /dev/null
+++ b/ct/headers/onetimesecret
@@ -0,0 +1,6 @@ + ____ __ _ _____ __ + / __ \____ ___ / /_(_)___ ___ ___ / ___/___ _____________ ____ / /_ + / / / / __ \/ _ \ / __/ / __ `__ \/ _ \ \__ \/ _ \/ ___/ ___/ _ \/ __ \/ __/ +/ /_/ / / / / __// /_/ / / / / / / __/ ___/ / __/ /__/ / / __/ /_/ / /_ +\____/_/ /_/\___/ \__/_/_/ /_/ /_/\___/ /____/\___/\___/_/ \___/\____/\__/ +
diff --git a/ct/onetimesecret.sh b/ct/onetimesecret.sh
new file mode 100644
index 00000000..d48de12f
--- /dev/null
+++ b/ct/onetimesecret.sh
@@ -0,0 +1,136 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVED/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Hai Tran (epiHATR)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://onetimesecret.com/ | Github: https://github.com/onetimesecret/onetimesecret
+
+APP="OneTimeSecret"
+var_tags="${var_tags:-security;privacy;secrets}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-10}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_arm64="${var_arm64:-no}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+ header_info
+ check_container_storage
+ check_container_resources
+
+ SSL_VALUE="${OTS_SSL:-}"
+ if [[ -n "${SSL_VALUE}" ]]; then
+ case "${SSL_VALUE,,}" in
+ 1 | true | yes | on) SSL_VALUE="true" ;;
+ 0 | false | no | off) SSL_VALUE="false" ;;
+ *)
+ msg_error "Invalid OTS_SSL value '${OTS_SSL}' (use true/false)"
+ exit 1
+ ;;
+ esac
+ fi
+
+ if [[ ! -d /opt/onetimesecret ]] || [[ ! -f /opt/onetimesecret/.env ]]; then
+ msg_error "No ${APP} Installation Found!"
+ exit
+ fi
+
+ if check_for_gh_release "onetimesecret" "onetimesecret/onetimesecret"; then
+ msg_info "Stopping Service"
+ systemctl stop onetimesecret
+ msg_ok "Stopped Service"
+
+ msg_info "Backing up Configuration"
+ cp /opt/onetimesecret/.env /opt/onetimesecret.env.bak
+ mkdir -p /opt/onetimesecret_etc_backup
+ for FILE in auth.yaml config.yaml logging.yaml puma.rb; do
+ [[ -f /opt/onetimesecret/etc/${FILE} ]] && cp "/opt/onetimesecret/etc/${FILE}" "/opt/onetimesecret_etc_backup/${FILE}"
+ done
+ msg_ok "Backed up Configuration"
+
+ CLEAN_INSTALL=1 fetch_and_deploy_gh_release "onetimesecret" "onetimesecret/onetimesecret" "tarball"
+
+ RUBY_VERSION=$(sed -n "s/^ruby '>= \([0-9.]*\)'.*/\1/p" /opt/onetimesecret/Gemfile)
+ RUBY_VERSION="${RUBY_VERSION:-3.4.7}" setup_ruby
+
+ PNPM_VERSION=$(sed -n 's/.*"packageManager": "pnpm@\([^"]*\)".*/\1/p' /opt/onetimesecret/package.json)
+ NODE_VERSION=$(tr -d ' \n' /dev/null)
+ NODE_VERSION="${NODE_VERSION:-25}" NODE_MODULE="pnpm@${PNPM_VERSION:-11.1.2}" setup_nodejs
+
+ msg_info "Restoring Configuration"
+ cp /opt/onetimesecret.env.bak /opt/onetimesecret/.env
+ mkdir -p /opt/onetimesecret/etc
+ for FILE in auth.yaml config.yaml logging.yaml puma.rb; do
+ [[ -f /opt/onetimesecret_etc_backup/${FILE} ]] && cp "/opt/onetimesecret_etc_backup/${FILE}" "/opt/onetimesecret/etc/${FILE}"
+ done
+ if [[ -n "${OTS_HOST:-}" ]]; then
+ sed -i "s|^HOST=.*|HOST=${OTS_HOST//&/\\&}|" /opt/onetimesecret/.env
+ fi
+ if [[ -n "${SSL_VALUE}" ]]; then
+ sed -i "s|^SSL=.*|SSL=${SSL_VALUE}|" /opt/onetimesecret/.env
+ fi
+ if grep -q '^RACK_ENV=' /opt/onetimesecret/.env; then
+ sed -i 's|^RACK_ENV=.*|RACK_ENV=production|' /opt/onetimesecret/.env
+ else
+ echo "RACK_ENV=production" >>/opt/onetimesecret/.env
+ fi
+ if grep -q '^AUTHENTICATION_MODE=' /opt/onetimesecret/.env; then
+ sed -i 's|^AUTHENTICATION_MODE=.*|AUTHENTICATION_MODE=simple|' /opt/onetimesecret/.env
+ else
+ echo "AUTHENTICATION_MODE=simple" >>/opt/onetimesecret/.env
+ fi
+ if !
grep -q '^PORT=' /opt/onetimesecret/.env; then
+ echo "PORT=3000" >>/opt/onetimesecret/.env
+ fi
+ chmod 600 /opt/onetimesecret/.env
+ rm -f /opt/onetimesecret.env.bak
+ rm -rf /opt/onetimesecret_etc_backup
+ msg_ok "Restored Configuration"
+
+ msg_info "Reconciling Application"
+ systemctl enable -q --now redis-server
+ cd /opt/onetimesecret
+ mkdir -p tmp/pids log
+ $STD bash ./install.sh reconcile
+ msg_ok "Reconciled Application"
+
+ msg_info "Building Frontend"
+ cd /opt/onetimesecret
+ $STD pnpm run build
+ msg_ok "Built Frontend"
+
+ msg_info "Starting Service"
+ systemctl start onetimesecret
+ msg_ok "Started Service"
+ msg_ok "Updated successfully!"
+ fi
+ exit
+}
+
+start
+build_container
+description
+
+DISPLAY_HOST="${OTS_HOST:-$IP}"
+case "${OTS_SSL:-false,,}" in
+1 | true | yes | on)
+ DISPLAY_SCHEME="https"
+ ;;
+*)
+ DISPLAY_SCHEME="http"
+ ;;
+esac
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}${DISPLAY_SCHEME}://${DISPLAY_HOST}${CL}"
+echo -e "${INFO}${YW} Configure hostname, TLS, and SMTP settings in:${CL}"
+echo -e "${TAB}${BGN}/opt/onetimesecret/.env${CL}"
diff --git a/install/onetimesecret-install.sh b/install/onetimesecret-install.sh
new file mode 100644
index 00000000..dbfa03e0
--- /dev/null
+++ b/install/onetimesecret-install.sh
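Review bot: The "Restoring Configuration" step of update_script in ct/onetimesecret.sh copies the operator's saved .env back and then unconditionally rewrites `AUTHENTICATION_MODE` to `simple` (and `RACK_ENV` to `production`), so an authentication mode the operator chose is silently replaced on every update. Treat these keys like `PORT` and only append when they are missing, e.g. `grep -q '^AUTHENTICATION_MODE=' /opt/onetimesecret/.env || echo "AUTHENTICATION_MODE=simple" >>/opt/onetimesecret/.env`. Separately, `case "${OTS_SSL:-false,,}" in` near the end of the script lowercases nothing: `,,` is parsed as part of the default word, so `OTS_SSL=TRUE` prints an `http://` URL while install/onetimesecret-install.sh normalizes the same value to `SSL=true`. Assign first and lowercase the variable instead: `ots_ssl="${OTS_SSL:-false}"` followed by `case "${ots_ssl,,}" in`.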
@@ -0,0 +1,142 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Hai Tran (epiHATR)
+# License: MIT | https://github.com/community-scripts/ProxmoxVED/raw/main/LICENSE
+# Source: https://onetimesecret.com/ | Github: https://github.com/onetimesecret/onetimesecret
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+ build-essential \
+ git \
+ libffi-dev \
+ libgmp-dev \
+ libpq-dev \
+ libreadline-dev \
+ libsqlite3-dev \
+ libssl-dev \
+ libxml2-dev \
+ libxslt1-dev \
+ libyaml-dev \
+ nginx \
+ pkg-config \
+ python3 \
+ redis-server \
+ zlib1g-dev
+msg_ok "Installed Dependencies"
+
+fetch_and_deploy_gh_release "onetimesecret" "onetimesecret/onetimesecret" "tarball"
+
+RUBY_VERSION=$(sed -n "s/^ruby '>= \([0-9.]*\)'.*/\1/p" /opt/onetimesecret/Gemfile)
+RUBY_VERSION="${RUBY_VERSION:-3.4.7}" setup_ruby
+
+PNPM_VERSION=$(sed -n 's/.*"packageManager": "pnpm@\([^"]*\)".*/\1/p' /opt/onetimesecret/package.json)
+NODE_VERSION=$(tr -d ' \n' /dev/null)
+NODE_VERSION="${NODE_VERSION:-25}" NODE_MODULE="pnpm@${PNPM_VERSION:-11.1.2}" setup_nodejs
+
+HOST_VALUE="${OTS_HOST:-$LOCAL_IP}"
+SSL_VALUE="${OTS_SSL:-false}"
+case "${SSL_VALUE,,}" in
+1 | true | yes | on) SSL_VALUE="true" ;;
+0 | false | no | off | "") SSL_VALUE="false" ;;
+*)
+ msg_error "Invalid OTS_SSL value '${OTS_SSL}' (use true/false)"
+ exit 1
+ ;;
+esac
+
+msg_info "Configuring Application"
+systemctl enable -q --now redis-server
+cd /opt/onetimesecret
+$STD bash ./install.sh init
+sed -i \
+ -e "s|^REDIS_URL=.*|REDIS_URL=redis://127.0.0.1:6379/0|" \
+ -e "s|^HOST=.*|HOST=${HOST_VALUE//&/\\&}|" \
+ -e "s|^SSL=.*|SSL=${SSL_VALUE}|" \
+ /opt/onetimesecret/.env
+if grep -q '^RACK_ENV=' /opt/onetimesecret/.env; then
+ sed -i 's|^RACK_ENV=.*|RACK_ENV=production|' /opt/onetimesecret/.env
+else
+ echo "RACK_ENV=production" >>/opt/onetimesecret/.env
+fi
+if grep -q '^AUTHENTICATION_MODE=' /opt/onetimesecret/.env; then
+ sed -i 's|^AUTHENTICATION_MODE=.*|AUTHENTICATION_MODE=simple|' /opt/onetimesecret/.env
+else
+ echo "AUTHENTICATION_MODE=simple" >>/opt/onetimesecret/.env
+fi
+if ! grep -q '^PORT=' /opt/onetimesecret/.env; then
+ echo "PORT=3000" >>/opt/onetimesecret/.env
+fi
+chmod 600 /opt/onetimesecret/.env
+mkdir -p /opt/onetimesecret/tmp/pids /opt/onetimesecret/log
+msg_ok "Configured Application"
+
+msg_info "Reconciling Application"
+cd /opt/onetimesecret
+$STD bash ./install.sh reconcile
+msg_ok "Reconciled Application"
+
+msg_info "Building Frontend"
+cd /opt/onetimesecret
+$STD pnpm run build
+msg_ok "Built Frontend"
+
+msg_info "Creating Service"
+cat <<'EOF' >/etc/systemd/system/onetimesecret.service
+[Unit]
+Description=Onetime Secret Service
+After=network.target redis-server.service
+Requires=redis-server.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/onetimesecret
+Environment=HOME=/root
+Environment=PATH=/root/.rbenv/shims:/root/.rbenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ExecStart=/bin/bash -lc 'source .env.sh && exec bundle exec puma -C etc/puma.rb'
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now onetimesecret
+msg_ok "Created Service"
+
+msg_info "Configuring Nginx"
+cat <<'EOF' >/etc/nginx/sites-available/onetimesecret
+server {
+ listen 80 default_server;
+ server_name _;
+
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+EOF
+ln -sf /etc/nginx/sites-available/onetimesecret /etc/nginx/sites-enabled/onetimesecret
+rm -f /etc/nginx/sites-enabled/default
+$STD nginx -t
+systemctl enable -q
--now nginx
+systemctl reload nginx
+msg_ok "Configured Nginx"
+
+motd_ssh
+customize
+cleanup_lxc
diff --git a/json/onetimesecret.json b/json/onetimesecret.json
new file mode 100644
index 00000000..e1cf7910
--- /dev/null
+++ b/json/onetimesecret.json
@@ -0,0 +1,47 @@
+{
+ "name": "Onetime Secret",
+ "slug": "onetimesecret",
+ "categories": [6],
+ "date_created": "2026-05-26",
+ "type": "ct",
+ "updateable": true,
+ "privileged": false,
+ "has_arm": false,
+ "interface_port": 80,
+ "documentation": "https://docs.onetimesecret.com/en/self-hosting/installation/",
+ "website": "https://onetimesecret.com/",
+ "logo": "https://onetimesecret.com/favicon.svg",
+ "description": "Onetime Secret is a self-hosted secret sharing app that creates self-destructing links for passwords, API keys, and other sensitive text.",
+ "install_methods": [
+ {
+ "type": "default",
+ "script": "ct/onetimesecret.sh",
+ "config_path": "/opt/onetimesecret/.env",
+ "resources": {
+ "cpu": 2,
+ "ram": 4096,
+ "hdd": 10,
+ "os": "Debian",
+ "version": "13"
+ }
+ }
+ ],
+ "default_credentials": {
+ "username": null,
+ "password": null
+ },
+ "notes": [
+ {
+ "text": "Update HOST and set SSL=true in /opt/onetimesecret/.env when using a domain or TLS-terminating reverse proxy.",
+ "type": "warning"
+ },
+ {
+ "text": "Configure SMTP settings in /opt/onetimesecret/.env if you want email notifications or account verification features.",
+ "type": "info"
+ },
+ {
+ "text": "Back up /opt/onetimesecret/.env because it contains the root SECRET used to derive the app's other cryptographic keys.",
+ "type": "warning"
+ }
+ ]
+}
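Review bot: The onetimesecret.service unit written by install/onetimesecret-install.sh runs puma as `User=root`, so a flaw in the web application or one of its gems yields root inside the container; an unprivileged LXC limits the blast radius but does not remove it. A dedicated system account owning /opt/onetimesecret would be the least-privilege choice, though the unit's PATH suggests the Ruby toolchain lives under /root/.rbenv, so the runtime would have to be relocated or made readable to that account first. As an interim step the `[Service]` section could add `NoNewPrivileges=true` and `PrivateTmp=true`, after confirming both work in an unprivileged container. A short comment above the heredoc explaining why root is currently required would also help the next maintainer.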