Category Archives: Hosting

passbolt docker password manager

docker pull passbolt/passbolt:latest
git clone https://github.com/passbolt/passbolt_docker
cd passbolt_docker

vim env/mysql.env
vim env/passbolt.env

docker-compose -f docker-compose.yml up -d
docker-compose ps

docker-compose exec passbolt su -m -c "/var/www/passbolt/bin/cake \
                                passbolt register_user \
                                -u <your@email.com> \
                                -f <yourname> \
                                -l <surname> \
                                -r admin" -s /bin/sh www-data

Another option manually run passbolt:

docker network create passbolt_network
docker volume create mariadb_passbolt_data

docker run -d --name mariadb --net passbolt_network \
             --mount source=mariadb_passbolt_data,target=/var/lib/mysql \
             -e MYSQL_ROOT_PASSWORD=<root_password> \
             -e MYSQL_DATABASE=<mariadb_database> \
             -e MYSQL_USER=<mariadb_user> \
             -e MYSQL_PASSWORD=<mariadb_password> \
             mariadb
docker run --name passbolt --net passbolt_network \
             --mount type=bind,\
               source=<host_path_to_gnupg_keys_dir>,\
               target=/var/www/passbolt/config/gpg \
             -p 443:443 \
             -p 80:80 \
             -e DATASOURCES_DEFAULT_HOST=mariadb \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:latest

Persisting data in passbolt container:
/var/www/passbolt/webroot/img
/var/www/passbolt/config/gpg
/etc/ssl/certs/certificate.crt /etc/ssl/certs/certificate.key

Persisting the images directory could be to create a docker volume:
docker volume create passbolt_images

docker run --name passbolt --net passbolt_network \
             --mount source=passbolt_images,\
             target=/var/www/passbolt/webroot/img \
             -p 443:443 \
             -p 80:80 \
             -e DATASOURCES_DEFAULT_HOST=mariadb \
             -e DATASOURCES_DEFAULT_PASSWORD=<mariadb_password> \
             -e DATASOURCES_DEFAULT_USERNAME=<mariadb_user> \
             -e DATASOURCES_DEFAULT_DATABASE=<mariadb_database> \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:latest

PHP-FPM get status

cat /etc/php/7.4/fpm/pool.d/www.conf | grep -v \; | awk 'NF' | tee /etc/php/7.4/fpm/pool.d/www.conf
vi /etc/php/7.4/fpm/pool.d/www.conf

pm.status_path=/status
ping.path=/ping
ping.response=pong

apt install fcgiwrap
ss -l | grep php
u_strLISTEN 0 511 /run/php/php7.4-fpm.sock 79744 * 0

SCRIPT_NAME=/status \
SCRIPT_FILENAME=/status \
REQUEST_METHOD=GET \
cgi-fcgi -bind -connect /run/php/php7.4-fpm.sock

Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-type: text/plain;charset=UTF-8

pool: www
process manager: dynamic
start time: 07/Feb/2021:13:44:50 +0200
start since: 382
accepted conn: 3
listen queue: 0
max listen queue: 0
listen queue len: 0
idle processes: 1
active processes: 1
total processes: 2
max active processes: 1
max children reached: 0
slow requests: 0

proxy_fcgi apache

apt install apache2 php7.4-fpm

a2enconf php7.4-fpm
a2enmod proxy proxy_fcgi

cat /etc/apache2/conf-enabled/php7.4-fpm.conf 
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
<IfModule proxy_fcgi_module>
    # Enable http authorization headers
    <IfModule setenvif_module>
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>

    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
    </FilesMatch>
    <FilesMatch ".+\.phps$">
        # Deny access to raw php sources by default
        # To re-enable it's recommended to enable access to the files
        # only in specific virtual host or directory
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(ar|p|ps|tml)$">
        Require all denied
    </FilesMatch>
</IfModule>
</IfModule>

certbot cloudflare DNS authentication API

add-apt-repository ppa:certbot/certbot
apt install software-properties-common
apt update
apt install python-certbot-nginx
apt install python-pip
pip install certbot-dns-cloudflare

vi /root/.secrets/cloudflare.cfg
dns_cloudflare_api_key = “xxx”

certbot certonly –dns-cloudflare –dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d domain.com,*.domain.com –preferred-challenges dns-01