Installing passbolt using Docker and Ubuntu
Why?
I like to have my own self-hosted password manager; I trust only myself :)
What do I need to install?
You need a Linux server with Docker and Docker Compose installed.
What's my setup?
- Proxmox
- KVM
- Ubuntu 20.04
- Docker
- Docker-compose
- External Nginx
- Reverse Proxy Configuration
- LetsEncrypt Certificate
Where can I find more about the project?
- https://www.passbolt.com
- https://hub.docker.com/r/passbolt/passbolt/
- https://www.passbolt.com/ce/docker
How can I install it?
First, let's create the directories (the data directories will hold the database files and, more importantly, the server's GPG and JWT private keys, so keep them off any shared or world-readable path):
mkdir -p /opt/passbolt/docker
mkdir -p /opt/passbolt/data/{database,gpg,jwt}
Then, let's create the docker-compose file:
cd /opt/passbolt/docker
vim docker-compose.yaml
Here follows the content; change the parameters for your setup. The database is not published on any host port on purpose: only the passbolt service needs to be reachable, and only from the reverse proxy.
version: "3.9"
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      # Rather than a literal here, you can reference a variable from a .env file
      # (chmod 600) next to this file, e.g. MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
      MYSQL_PASSWORD: "your_mysql_password_here"
    volumes:
      - database_volume:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce
    # Alternatively you can use the rootless image (it listens on 8080/4433
    # instead of 80/443, so adjust the port mapping below accordingly):
    # image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "your_mysql_password_here"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
      APP_FULL_BASE_URL: https://passbolt.domain.tld
      EMAIL_DEFAULT_FROM: passbolt@domain.tld
      EMAIL_TRANSPORT_DEFAULT_HOST: mail.domain.tld
      EMAIL_TRANSPORT_DEFAULT_PORT: 587
      EMAIL_TRANSPORT_DEFAULT_USERNAME: user@domain.tld
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: user_password_here
      EMAIL_TRANSPORT_DEFAULT_TLS: true
      PASSBOLT_KEY_EMAIL: passbolt@domain.tld
    volumes:
      # Server private keys live here; back them up, without them the data is unrecoverable.
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      # This publishes plain HTTP on every interface of the Docker host. Since the
      # external Nginx is the only client, bind it to the LAN address that Nginx
      # reaches, e.g. "your_docker_host_lan_ip_here:80:80", and firewall the rest.
      - 80:80
volumes:
  database_volume:
    driver_opts:
      type: none
      device: /opt/passbolt/data/database
      o: bind
  gpg_volume:
    driver_opts:
      type: none
      device: /opt/passbolt/data/gpg
      o: bind
  jwt_volume:
    driver_opts:
      type: none
      device: /opt/passbolt/data/jwt
      o: bind
All right, let's spin up Passbolt:
docker-compose up -d
Now let's test the e-mail configuration; we cannot create our user without a working e-mail relay. The command runs as www-data, the user the application runs as inside the container (without the trailing `-s /bin/sh www-data`, su would run it as root):
docker-compose exec passbolt su -m -c "bin/cake passbolt send_test_email -r user@domain.tld" -s /bin/sh www-data
If you got the e-mail, it's time to create the first admin user:
docker-compose exec passbolt su -m -c "bin/cake passbolt register_user -u user@domain.tld -f Guto -l Carvalho -r admin" -s /bin/sh www-data
Expected output:
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
User saved successfully.
To start registration follow the link provided in your mailbox or here:
https://passbolt.domain.tld/setup/install/1111111-8d5c-43a7-8fc2-301403b93766/efd71548-bcb4-4d58-b98d-a6877799d548
Now you can access your Passbolt and finish the configuration!
External Nginx
In our case, Passbolt is behind an external Nginx reverse proxy that terminates TLS. The hop from Nginx to the container is plain HTTP on port 80, so keep that segment on a trusted network and never expose the container port directly to the Internet.
Here follows the config snippet used. The proxy_set_header lines pass the original host, client address and scheme through to Passbolt, which otherwise only sees requests coming from the proxy itself.
upstream passbolt {
    server your_passbolt_docker_server_ip_here:your_port_here fail_timeout=0;
}

server {
    listen your_nginx_listen_ip_here:80;
    server_name passbolt.domain.tld;
    return 301 https://passbolt.domain.tld$request_uri;
}

server {
    listen your_nginx_listen_ip_here:443 ssl http2;
    server_name passbolt.domain.tld;

    access_log /var/log/nginx/passbolt-domain-tld.log;
    error_log /var/log/nginx/passbolt-domain-tld.log;

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/letsencrypt/dh-param.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    location / {
        proxy_pass http://passbolt;
        # Forward the original request details to the container.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
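Before trusting the result of the compose procedure and the Nginx snippet above, I would run a few host-side checks. The script below is an added example written for this post; it is not part of Passbolt and not one of the author's files. It verifies that no placeholder values survived in the compose or Nginx files, that only the passbolt service publishes a host port (the database stays on the compose network), that the gpg/ and jwt/ key directories are not world-accessible, and that the Nginx site forwards X-Forwarded-Proto. The 2-space YAML indentation, the /opt/passbolt/data layout and the Nginx site file path are assumptions taken from the setup above.

```shell
#!/bin/sh
# passbolt-preflight.sh: host-side checks for the setup described in this post.
# Added example, not part of Passbolt or of the post's own files. Assumes the
# compose file uses the 2-space indentation shown above and that the key
# directories live under the data path given as $2.

# 1. Unreplaced placeholders. Prints every offending line and returns 1 if any
#    "your_..._here" or "domain.tld" value is still in the file, 0 if it is clean.
check_placeholders() {
    grep -n -E 'your_[a-z_]+_here|domain\.tld' "$1" && return 1
    return 0
}

# 2. Does a compose service publish host ports? Returns 0 when a "ports:" key
#    sits under the named service, 1 otherwise. Only the passbolt service should;
#    the db service must stay reachable on the compose network alone.
service_publishes_ports() {
    awk -v svc="$2" '
        /^  [A-Za-z0-9_-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur) }
        /^    ports:/ && cur == svc { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 3. gpg/ and jwt/ hold the server's private keys: whoever can read them can
#    decrypt every stored secret. Returns 0 when the directory exists and grants
#    nothing to "other", 1 otherwise. Ownership is not checked here; the files
#    inside must belong to the uid the container runs the application as.
check_private_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    perm=${mode#"${mode%???}"}          # last three octal digits
    case "$perm" in
        ??0) return 0 ;;
        *) echo "$dir: mode $mode is world-accessible, expected 700" >&2; return 1 ;;
    esac
}

# 4. The reverse proxy should tell Passbolt which scheme the client used;
#    without X-Forwarded-Proto the app only ever sees plain HTTP from Nginx.
nginx_sets_forwarded_proto() {
    grep -q -E 'proxy_set_header[[:space:]]+X-Forwarded-Proto' "$1"
}

# Run every check against real paths; returns 1 if any of them fails.
preflight() {
    compose="$1"; data="$2"; nginx_site="$3"
    rc=0
    check_placeholders "$compose" || rc=1
    if service_publishes_ports "$compose" db; then
        echo "db publishes host ports; remove its ports: block" >&2; rc=1
    fi
    service_publishes_ports "$compose" passbolt || { echo "passbolt publishes no port" >&2; rc=1; }
    for d in gpg jwt; do
        check_private_dir "$data/$d" || rc=1
    done
    if [ -n "$nginx_site" ]; then
        nginx_sets_forwarded_proto "$nginx_site" || { echo "$nginx_site: no X-Forwarded-Proto" >&2; rc=1; }
    fi
    return $rc
}

# Usage (paths are assumptions from this post):
#   sh passbolt-preflight.sh /opt/passbolt/docker/docker-compose.yaml \
#       /opt/passbolt/data /etc/nginx/sites-enabled/passbolt.conf
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

The port check is deliberately a plain awk heuristic tied to the indentation of the file above rather than a YAML parser, so it stays dependency-free on a fresh Ubuntu host; if you restructure the compose file, re-check that it still reports the right service.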
That's it :)
Did you like our content?
We have a lot to share; visit our site!
Our fediverse services ;)
- mastodon => https://bolha.us
- mastopoet => https://poet.bolha.us
- elk => https://elk.bolha.us
- pinafore => https://pinafore.bolha.us
- pixelfed => https://bolha.photos
- lemmy => https://bolha.social
- writefreely => https://bolha.blog
- bookwyrm => https://bolha.review
- funkwhale => https://bolha.studio
- friendica => https://bolha.network
Chat and video? We have it!
- matrix => https://bolha.chat
- jitsi => https://bolha.video
Translation tools
- libretranslate => https://libretranslate.bolha.tools
- lingva => https://translate.bolha.tools
Video Platform Frontends
- invidious => https://bolha.in
Text Editors
- hedgeDoc => https://notes.bolha.tools
- wise Mapping => https://mindmap.bolha.tools
- overleaf => https://overleaf.bolha.tools
- mermaid => https://mermaid.bolha.tools
You can also visit our hacking space!
Follow our founder!
- https://bolha.us/@gutocarvalho
- https://bolha.photos/@gutocarvalho
- https://bolha.forum@gutocarvalho
- https://bolha.blog/@gutocarvalho
- https://bolha.review/@gutocarvalho
- https://bolha.studio/@gutocarvalho
- https://bolha.network/@gutocarvalho
- matrix => @bolha.chat@gutocarvalho
Follow the status of our tools
Do you want to support us? You can!
- https://www.patreon.com/bolha
- https://apoia.se/bolha
- pix@bolha.us (local Brazilian wire transfer)
See you!