Fix importing Bitwarden exports (#4030)

When importing Bitwarden JSON exports, these would fail because the last
modification date was also imported and caused our out-off-sync check to
kick-in. This PR fixes this by checking if we are doing an import, and
skip this check.

Fixes #4005

.env.template

@@ -30,6 +30,10 @@
 ## Define the size of the connection pool used for connecting to the database.
 # DATABASE_MAX_CONNS=10
 
+## Database timeout
+## Timeout when acquiring database connection
+# DATABASE_TIMEOUT=30
+
 ## Database connection initialization
 ## Allows SQL statements to be run whenever a new database connection is created.
 ## This is mainly useful for connection-scoped pragmas.
@@ -72,6 +76,13 @@
 # WEBSOCKET_ADDRESS=0.0.0.0
 # WEBSOCKET_PORT=3012
 
+## Enables push notifications (requires key and id from https://bitwarden.com/host)
+# PUSH_ENABLED=true
+# PUSH_INSTALLATION_ID=CHANGEME
+# PUSH_INSTALLATION_KEY=CHANGEME
+## Don't change this unless you know what you're doing.
+# PUSH_RELAY_URI=https://push.bitwarden.com
+
 ## Controls whether users are allowed to create Bitwarden Sends.
 ## This setting applies globally to all users.
 ## To control this on a per-org basis instead, use the "Disable Send" org policy.
@@ -86,6 +97,10 @@
 ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
 # ORG_EVENTS_ENABLED=false
 
+## Controls whether users can change their email.
+## This setting applies globally to all users
+# EMAIL_CHANGE_ALLOWED=true
+
 ## Number of days to retain events stored in the database.
 ## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
 # EVENTS_DAYS_RETAIN=
@@ -264,6 +279,8 @@
 ## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
 ## If not set, the admin panel is disabled
 ## New Argon2 PHC string
+## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
+## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
 # ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
 ## Old plain text string (Will generate warnings in favor of Argon2)
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp

.github/workflows/build.yml

@@ -8,9 +8,11 @@ on:
       - "migrations/**"
       - "Cargo.*"
       - "build.rs"
-      - "rust-toolchain"
+      - "rust-toolchain.toml"
       - "rustfmt.toml"
       - "diesel.toml"
+      - "docker/Dockerfile.j2"
+      - "docker/DockerSettings.yaml"
   pull_request:
     paths:
       - ".github/workflows/build.yml"
@@ -18,19 +20,20 @@ on:
       - "migrations/**"
       - "Cargo.*"
       - "build.rs"
-      - "rust-toolchain"
+      - "rust-toolchain.toml"
       - "rustfmt.toml"
       - "diesel.toml"
+      - "docker/Dockerfile.j2"
+      - "docker/DockerSettings.yaml"
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 120
     # Make warnings errors, this is to prevent warnings slipping through.
     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
     env:
       RUSTFLAGS: "-D warnings"
-      CARGO_REGISTRIES_CRATES_IO_PROTOCOL: git # Use the old git protocol until it is stable probably in 1.68 or 1.69. MSRV needs to be at this before removed.
     strategy:
       fail-fast: false
       matrix:
@@ -43,13 +46,13 @@ jobs:
     steps:
       # Checkout the repo
       - name: "Checkout"
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       # End Checkout the repo
 
 
       # Install dependencies
       - name: "Install dependencies Ubuntu"
-        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl sqlite build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
+        run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config
       # End Install dependencies
 
 
@@ -59,7 +62,7 @@ jobs:
         shell: bash
         run: |
           if [[ "${{ matrix.channel }}" == 'rust-toolchain' ]]; then
-            RUST_TOOLCHAIN="$(cat rust-toolchain)"
+            RUST_TOOLCHAIN="$(grep -oP 'channel.*"(\K.*?)(?=")' rust-toolchain.toml)"
           elif [[ "${{ matrix.channel }}" == 'msrv' ]]; then
             RUST_TOOLCHAIN="$(grep -oP 'rust-version.*"(\K.*?)(?=")' Cargo.toml)"
           else
@@ -71,7 +74,7 @@ jobs:
 
       # Only install the clippy and rustfmt components on the default rust-toolchain
       - name: "Install rust-toolchain version"
-        uses: dtolnay/rust-toolchain@fc3253060d0c959bea12a59f10f8391454a0b02d # master @ 2023-03-21 - 06:36 GMT+1
+        uses: dtolnay/rust-toolchain@439cf607258077187679211f12aa6f19af4a0af7 # master @ 2023-09-19 - 05:31 PM GMT+2
         if: ${{ matrix.channel == 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
@@ -81,17 +84,19 @@ jobs:
 
       # Install the any other channel to be used for which we do not execute clippy and rustfmt
       - name: "Install MSRV version"
-        uses: dtolnay/rust-toolchain@fc3253060d0c959bea12a59f10f8391454a0b02d # master @ 2023-03-21 - 06:36 GMT+1
+        uses: dtolnay/rust-toolchain@439cf607258077187679211f12aa6f19af4a0af7 # master @ 2023-09-19 - 05:31 PM GMT+2
         if: ${{ matrix.channel != 'rust-toolchain' }}
         with:
           toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}"
       # End Install the MSRV channel to be used
 
-
-      # Enable Rust Caching
-      - uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1
-      # End Enable Rust Caching
-
+      # Set the current matrix toolchain version as default
+      - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default"
+        run: |
+          # Remove the rust-toolchain.toml
+          rm rust-toolchain.toml
+          # Set the default
+          rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}}
 
       # Show environment
       - name: "Show environment"
@@ -100,47 +105,55 @@ jobs:
           cargo -vV
       # End Show environment
 
+      # Enable Rust Caching
+      - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43 # v2.7.0
+        with:
+          # Use a custom prefix-key to force a fresh start. This is sometimes needed with bigger changes.
+          # Like changing the build host from Ubuntu 20.04 to 22.04 for example.
+          # Only update when really needed! Use a <year>.<month>[.<inc>] format.
+          prefix-key: "v2023.07-rust"
+      # End Enable Rust Caching
 
-      # Run cargo tests (In release mode to speed up future builds)
+      # Run cargo tests
       # First test all features together, afterwards test them separately.
       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
         id: test_sqlite_mysql_postgresql_mimalloc
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite,mysql,postgresql,enable_mimalloc
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc
 
       - name: "test features: sqlite,mysql,postgresql"
         id: test_sqlite_mysql_postgresql
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite,mysql,postgresql
+          cargo test --features sqlite,mysql,postgresql
 
       - name: "test features: sqlite"
         id: test_sqlite
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite
+          cargo test --features sqlite
 
       - name: "test features: mysql"
         id: test_mysql
         if: $${{ always() }}
         run: |
-          cargo test --release --features mysql
+          cargo test --features mysql
 
       - name: "test features: postgresql"
         id: test_postgresql
         if: $${{ always() }}
         run: |
-          cargo test --release --features postgresql
+          cargo test --features postgresql
       # End Run cargo tests
 
 
-      # Run cargo clippy, and fail on warnings (In release mode to speed up future builds)
+      # Run cargo clippy, and fail on warnings
       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
         id: clippy
         if: ${{ always() && matrix.channel == 'rust-toolchain' }}
         run: |
-          cargo clippy --release --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
+          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
       # End Run cargo clippy
 
 
@@ -182,21 +195,3 @@ jobs:
         run: |
           echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-
-
-      # Build the binary to upload to the artifacts
-      - name: "build features: sqlite,mysql,postgresql"
-        if: ${{ matrix.channel == 'rust-toolchain' }}
-        run: |
-          cargo build --release --features sqlite,mysql,postgresql
-      # End Build the binary
-
-
-      # Upload artifact to Github Actions
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
-        if: ${{ matrix.channel == 'rust-toolchain' }}
-        with:
-          name: vaultwarden
-          path: target/release/vaultwarden
-      # End Upload artifact to Github Actions

.github/workflows/hadolint.yml

@@ -8,15 +8,14 @@ on: [
 jobs:
   hadolint:
     name: Validate Dockerfile syntax
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       # End Checkout the repo
 
-
       # Download hadolint - https://github.com/hadolint/hadolint/releases
       - name: Download hadolint
         shell: bash
@@ -30,5 +29,5 @@ jobs:
       # Test Dockerfiles
       - name: Run hadolint
         shell: bash
-        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored --cached | xargs hadolint
+        run: hadolint docker/Dockerfile.{debian,alpine}
       # End Test Dockerfiles

.github/workflows/release.yml

@@ -6,15 +6,15 @@ on:
       - ".github/workflows/release.yml"
       - "src/**"
       - "migrations/**"
-      - "hooks/**"
       - "docker/**"
       - "Cargo.*"
       - "build.rs"
       - "diesel.toml"
-      - "rust-toolchain"
+      - "rust-toolchain.toml"
 
     branches: # Only on paths above
       - main
+      - release-build-revision
 
     tags: # Always, regardless of paths above
       - '*'
@@ -24,7 +24,7 @@ jobs:
   # Some checks to determine if we need to continue with building a new docker.
   # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
   skip_check:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
     outputs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
@@ -35,23 +35,20 @@ jobs:
         with:
           cancel_others: 'true'
         # Only run this when not creating a tag
-        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        if: ${{ github.ref_type == 'branch' }}
 
   docker-build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     timeout-minutes: 120
     needs: skip_check
-    # Start a local docker registry to be used to generate multi-arch images.
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    # TODO: Start a local docker registry to be used to extract the final Alpine static build images
+    # services:
+    #   registry:
+    #     image: registry:2
+    #     ports:
+    #       - 5000:5000
     env:
-      # Use BuildKit (https://docs.docker.com/build/buildkit/) for better
-      # build performance and the ability to copy extended file attributes
-      # (e.g., for executable capabilities) across build phases.
-      DOCKER_BUILDKIT: 1
       SOURCE_COMMIT: ${{ github.sha }}
       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
       # The *_REPO variables need to be configured as repository variables
@@ -65,7 +62,6 @@ jobs:
       # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
       # Check for Quay.io credentials in secrets
       HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
-    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
     strategy:
       matrix:
         base_image: ["debian","alpine"]
@@ -73,163 +69,102 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           fetch-depth: 0
 
-      # Determine Docker Tag
-      - name: Init Variables
-        id: vars
+      - name: Initialize QEMU binfmt support
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: "arm64,arm"
+
+      # Start Docker Buildx
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        # https://github.com/moby/buildkit/issues/3969
+        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+          driver-opts: |
+            network=host
+
+      # Determine Base Tags and Source Version
+      - name: Determine Base Tags and Source Version
         shell: bash
         run: |
-          # Check which main tag we are going to build determined by github.ref
-          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            echo "DOCKER_TAG=${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_OUTPUT}"
-          elif [[ "${{ github.ref }}" == refs/heads/* ]]; then
-            echo "DOCKER_TAG=testing" | tee -a "${GITHUB_OUTPUT}"
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
           fi
-      # End Determine Docker Tag
+
+          # Get the Source Version for this release
+          GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
+          if [[ -n "${GIT_EXACT_TAG}" ]]; then
+              echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}"
+          else
+              GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
+              echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
+          fi
+      # End Determine Base Tags
 
       # Login to Docker Hub
       - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
 
+      - name: Add registry for DockerHub
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to GitHub Container Registry
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
 
+      - name: Add registry for ghcr.io
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to Quay.io
       - name: Login to Quay.io
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_TOKEN }}
         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
 
-      # Debian
-
-      # Docker Hub
-      - name: Build Debian based images (docker.io)
+      - name: Add registry for Quay.io
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
         shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
         run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
 
-      - name: Push Debian based images (docker.io)
-        shell: bash
+      - name: Bake ${{ matrix.base_image }} containers
+        uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0
         env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      # GitHub Container Registry
-      - name: Build Debian based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      - name: Push Debian based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      # Quay.io
-      - name: Build Debian based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
-
-      - name: Push Debian based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
-
-      # Alpine
-
-      # Docker Hub
-      - name: Build Alpine based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      - name: Push Alpine based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      # GitHub Container Registry
-      - name: Build Alpine based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      - name: Push Alpine based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      # Quay.io
-      - name: Build Alpine based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
-
-      - name: Push Alpine based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
+          BASE_TAGS: "${{ env.BASE_TAGS }}"
+          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
+          SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
+          SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
+          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
+        with:
+          pull: true
+          push: true
+          files: docker/docker-bake.hcl
+          targets: "${{ matrix.base_image }}-multi"

.github/workflows/trivy.yml

@@ -0,0 +1,43 @@
+name: trivy
+
+on:
+  push:
+    branches:
+      - main
+      - release-build-revision
+    tags:
+      - '*'
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '00 12 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  trivy-scan:
+    name: Check
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
+        with:
+          scan-type: repo
+          ignore-unfixed: true
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@bad341350a2f5616f9e048e51360cedc49181ce8 # v2.22.4
+        with:
+          sarif_file: 'trivy-results.sarif'

.hadolint.yaml

@@ -1,10 +1,12 @@
 ignored:
+  # To prevent issues and make clear some images only work on linux/amd64, we ignore this
+  - DL3029
   # disable explicit version for apt install
   - DL3008
   # disable explicit version for apk install
   - DL3018
-  # disable check for consecutive `RUN` instructions
-  - DL3059
+  # Ignore shellcheck info message
+  - SC1091
 trustedRegistries:
   - docker.io
   - ghcr.io

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
     - id: check-yaml
     - id: check-json

Cargo.toml

@@ -3,7 +3,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.66.1"
+rust-version = "1.71.1"
 resolver = "2"
 
 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -36,70 +36,72 @@ unstable = []
 
 [target."cfg(not(windows))".dependencies]
 # Logging
-syslog = "6.0.1" # Needs to be v4 until fern is updated
+syslog = "6.1.0"
 
 [dependencies]
 # Logging
-log = "0.4.17"
-fern = { version = "0.6.2", features = ["syslog-6"] }
-tracing = { version = "0.1.37", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
+log = "0.4.20"
+fern = { version = "0.6.2", features = ["syslog-6", "reopen-1"] }
+tracing = { version = "0.1.40", features = ["log"] } # Needed to have lettre and webauthn-rs trace logging to work
 
 # A `dotenv` implementation for Rust
 dotenvy = { version = "0.15.7", default-features = false }
 
 # Lazy initialization
-once_cell = "1.17.1"
+once_cell = "1.18.0"
 
 # Numerical libraries
-num-traits = "0.2.15"
-num-derive = "0.3.3"
+num-traits = "0.2.17"
+num-derive = "0.4.1"
 
 # Web framework
 rocket = { version = "0.5.0-rc.3", features = ["tls", "json"], default-features = false }
+# rocket_ws = { version ="0.1.0-rc.3" }
+rocket_ws = { git = 'https://github.com/SergioBenitez/Rocket', rev = "ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa" } # v0.5 branch
 
 # WebSockets libraries
-tokio-tungstenite = "0.18.0"
-rmpv = "1.0.0" # MessagePack library
+tokio-tungstenite = "0.19.0"
+rmpv = "1.0.1" # MessagePack library
 
 # Concurrent HashMap used for WebSocket messaging and favicons
-dashmap = "5.4.0"
+dashmap = "5.5.3"
 
 # Async futures
 futures = "0.3.28"
-tokio = { version = "1.27.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
+tokio = { version = "1.33.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.159", features = ["derive"] }
-serde_json = "1.0.95"
+serde = { version = "1.0.189", features = ["derive"] }
+serde_json = "1.0.107"
 
 # A safe, extensible ORM and Query builder
-diesel = { version = "2.0.3", features = ["chrono", "r2d2"] }
-diesel_migrations = "2.0.0"
-diesel_logger = { version = "0.2.0", optional = true }
+diesel = { version = "2.1.3", features = ["chrono", "r2d2"] }
+diesel_migrations = "2.1.0"
+diesel_logger = { version = "0.3.0", optional = true }
 
 # Bundled/Static SQLite
-libsqlite3-sys = { version = "0.25.2", features = ["bundled"], optional = true }
+libsqlite3-sys = { version = "0.26.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
 rand = { version = "0.8.5", features = ["small_rng"] }
-ring = "0.16.20"
+ring = "0.17.5"
 
 # UUID generation
-uuid = { version = "1.3.0", features = ["v4"] }
+uuid = { version = "1.5.0", features = ["v4"] }
 
 # Date and time libraries
-chrono = { version = "0.4.24", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.8.1"
-time = "0.3.20"
+chrono = { version = "0.4.31", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.8.3"
+time = "0.3.30"
 
 # Job scheduler
 job_scheduler_ng = "2.0.4"
 
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.3.3"
+data-encoding = "2.4.0"
 
 # JWT library
-jsonwebtoken = "8.3.0"
+jsonwebtoken = "9.0.0"
 
 # TOTP library
 totp-lite = "2.0.0"
@@ -111,68 +113,77 @@ yubico = { version = "0.11.0", features = ["online-tokio"], default-features = f
 webauthn-rs = "0.3.2"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.3.1"
+url = "2.4.1"
 
 # Email libraries
-lettre = { version = "0.10.3", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
-percent-encoding = "2.2.0" # URL encoding library used for URL's in the emails
+lettre = { version = "0.11.0", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+percent-encoding = "2.3.0" # URL encoding library used for URL's in the emails
 email_address = "0.2.4"
 
 # HTML Template library
-handlebars = { version = "4.3.6", features = ["dir_source"] }
+handlebars = { version = "4.4.0", features = ["dir_source"] }
 
 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.11.16", features = ["stream", "json", "gzip", "brotli", "socks", "cookies", "trust-dns"] }
+reqwest = { version = "0.11.22", features = ["stream", "json", "deflate", "gzip", "brotli", "socks", "cookies", "trust-dns", "native-tls-alpn"] }
 
 # Favicon extraction libraries
-html5gum = "0.5.2"
-regex = { version = "1.7.3", features = ["std", "perf", "unicode-perl"], default-features = false }
-data-url = "0.2.0"
-bytes = "1.4.0"
+html5gum = "0.5.7"
+regex = { version = "1.10.2", features = ["std", "perf", "unicode-perl"], default-features = false }
+data-url = "0.3.0"
+bytes = "1.5.0"
 
 # Cache function results (Used for version check and favicon fetching)
-cached = "0.42.0"
+cached = { version = "0.46.0", features = ["async"] }
 
 # Used for custom short lived cookie jar during favicon extraction
 cookie = "0.16.2"
-cookie_store = "0.19.0"
+cookie_store = "0.19.1"
 
 # Used by U2F, JWT and PostgreSQL
-openssl = "0.10.48"
+openssl = "0.10.57"
+# Set openssl-sys fixed to v0.9.92 to prevent building issues with musl, arm and 32bit pointer width
+# It will force add a dynamically linked library which prevents the build from being static
+openssl-sys = "=0.9.92"
 
 # CLI argument parsing
 pico-args = "0.5.0"
 
 # Macro ident concatenation
-paste = "1.0.12"
-governor = "0.5.1"
+paste = "1.0.14"
+governor = "0.6.0"
 
 # Check client versions for specific features.
-semver = "1.0.17"
+semver = "1.0.20"
 
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "=0.1.34", features = ["secure"], default-features = false, optional = true }
-libmimalloc-sys = "=0.1.30"
-which = "4.4.0"
+mimalloc = { version = "0.1.39", features = ["secure"], default-features = false, optional = true }
+which = "5.0.0"
 
 # Argon2 library with support for the PHC format
-argon2 = "0.5.0"
+argon2 = "0.5.2"
 
 # Reading a password from the cli for generating the Argon2id ADMIN_TOKEN
 rpassword = "7.2.0"
 
+
+[patch.crates-io]
+rocket = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa' } # v0.5 branch
+# rocket_ws = { git = 'https://github.com/SergioBenitez/Rocket', rev = 'ce441b5f46fdf5cd99cb32b8b8638835e4c2a5fa' } # v0.5 branch
+
+
 # Strip debuginfo from the release builds
 # Also enable thin LTO for some optimizations
 [profile.release]
 strip = "debuginfo"
 lto = "thin"
 
-# Always build argon2 using opt-level 3
-# This is a huge speed improvement during testing
-[profile.dev.package.argon2]
-opt-level = 3
 
 # A little bit of a speedup
 [profile.dev]
 split-debuginfo = "unpacked"
+
+# Always build argon2 using opt-level 3
+# This is a huge speed improvement during testing
+[profile.dev.package.argon2]
+opt-level = 3

Dockerfile

@@ -1 +1 @@
-docker/amd64/Dockerfile
+docker/Dockerfile.debian

README.md

@@ -38,11 +38,11 @@ Pull the docker image and mount a volume from the host for persistent storage:
 
 ```sh
 docker pull vaultwarden/server:latest
-docker run -d --name vaultwarden -v /vw-data/:/data/ -p 80:80 vaultwarden/server:latest
+docker run -d --name vaultwarden -v /vw-data/:/data/ --restart unless-stopped -p 80:80 vaultwarden/server:latest
 ```
 This will preserve any persistent data under /vw-data/, you can adapt the path to whatever suits you.
 
-**IMPORTANT**: Most modern web browsers, disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
+**IMPORTANT**: Most modern web browsers disallow the use of Web Crypto APIs in insecure contexts. In this case, you might get an error like `Cannot read property 'importKey'`. To solve this problem, you need to access the web vault via HTTPS or localhost.
 
 This can be configured in [vaultwarden directly](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS) or using a third-party reverse proxy ([some examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples)).
 

build.rs

@@ -18,7 +18,7 @@ fn main() {
     );
 
     #[cfg(all(not(debug_assertions), feature = "query_logger"))]
-    compile_error!("Query Logging is only allowed during development, it is not intented for production usage!");
+    compile_error!("Query Logging is only allowed during development, it is not intended for production usage!");
 
     // Support $BWRS_VERSION for legacy compatibility, but default to $VW_VERSION.
     // If neither exist, read from git.
@@ -72,7 +72,7 @@ fn version_from_git_info() -> Result<String, std::io::Error> {
     // Combined version
     if let Some(exact) = exact_tag {
         Ok(exact)
-    } else if &branch != "main" && &branch != "master" {
+    } else if &branch != "main" && &branch != "master" && &branch != "HEAD" {
         Ok(format!("{last_tag}-{rev_short} ({branch})"))
     } else {
         Ok(format!("{last_tag}-{rev_short}"))

docker/DockerSettings.yaml

@@ -0,0 +1,28 @@
+---
+vault_version: "v2023.10.0"
+vault_image_digest: "sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935"
+# Cross Compile Docker Helper Scripts v1.3.0
+# We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
+xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
+rust_version: 1.73.0 # Rust version to be used
+debian_version: bookworm # Debian release name to be used
+alpine_version: 3.18 # Alpine version to be used
+# For which platforms/architectures will we try to build images
+platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
+# Determine the build images per OS/Arch
+build_stage_image:
+  debian:
+    image: "docker.io/library/rust:{{rust_version}}-slim-{{debian_version}}"
+    platform: "$BUILDPLATFORM"
+  alpine:
+    image: "build_${TARGETARCH}${TARGETVARIANT}"
+    platform: "linux/amd64" # The Alpine build images only have linux/amd64 images
+    arch_image:
+      amd64: "ghcr.io/blackdex/rust-musl:x86_64-musl-stable-{{rust_version}}"
+      arm64: "ghcr.io/blackdex/rust-musl:aarch64-musl-stable-{{rust_version}}"
+      armv7: "ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-{{rust_version}}"
+      armv6: "ghcr.io/blackdex/rust-musl:arm-musleabi-stable-{{rust_version}}"
+# The final image which will be used to distribute the container images
+runtime_stage_image:
+  debian: "docker.io/library/debian:{{debian_version}}-slim"
+  alpine: "docker.io/library/alpine:{{alpine_version}}"

docker/Dockerfile.alpine

@@ -0,0 +1,160 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0
+#     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935
+#     [docker.io/vaultwarden/web-vault:v2023.10.0]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault
+
+########################## ALPINE BUILD IMAGES ##########################
+## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
+## And for Alpine we define all build images here, they will only be loaded when actually used
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} as build
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root" \
+    # Use PostgreSQL v15 during Alpine/MUSL builds instead of the default v11
+    # Debian Bookworm already contains libpq v15
+    PQ_LIB_DIR="/usr/local/musl/pq15/lib"
+
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Shared variables across Debian and Alpine
+RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
+    # To be able to build the armv6 image with mimalloc we need to tell the linker to also look for libatomic
+    if [[ "${TARGETARCH}${TARGETVARIANT}" == "armv6" ]] ; then echo "export RUSTFLAGS='-Clink-arg=-latomic'" >> /env-cargo ; fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
+# Enable MiMalloc to improve performance on Alpine builds
+ARG DB=sqlite,mysql,postgresql,enable_mimalloc
+
+RUN source /env-cargo && \
+    rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+    # Make sure that we actually build the project by updating the src/main.rs timestamp
+    touch src/main.rs && \
+    # Create a symlink to the binary target folder to easy copy the binary in the final stage
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+    else \
+        ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+    fi
+
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.18
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    SSL_CERT_DIR=/etc/ssl/certs
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apk --no-cache add \
+        ca-certificates \
+        curl \
+        openssl \
+        tzdata
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/Dockerfile.buildx

@@ -1,34 +0,0 @@
-# syntax=docker/dockerfile:1
-# The cross-built images have the build arch (`amd64`) embedded in the image
-# manifest, rather than the target arch. For example:
-#
-#   $ docker inspect vaultwarden/server:latest-armv7 | jq -r '.[]|.Architecture'
-#   amd64
-#
-# Recent versions of Docker have started printing a warning when the image's
-# claimed arch doesn't match the host arch. For example:
-#
-#   WARNING: The requested image's platform (linux/amd64) does not match the
-#   detected host platform (linux/arm/v7) and no specific platform was requested
-#
-# The image still works fine, but the spurious warning creates confusion.
-#
-# Docker doesn't seem to provide a way to directly set the arch of an image
-# at build time. To resolve the build vs. target arch discrepancy, we use
-# Docker Buildx to build a new set of images with the correct target arch.
-#
-# Docker Buildx uses this Dockerfile to build an image for each requested
-# platform. Since the Dockerfile basically consists of a single `FROM`
-# instruction, we're effectively telling Buildx to build a platform-specific
-# image by simply copying the existing cross-built image and setting the
-# correct target arch as a side effect.
-#
-# References:
-#
-# - https://docs.docker.com/buildx/working-with-buildx/#build-multi-platform-images
-# - https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
-# - https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
-#
-ARG LOCAL_REPO
-ARG DOCKER_TAG
-FROM ${LOCAL_REPO}:${DOCKER_TAG}-${TARGETARCH}${TARGETVARIANT}

docker/Dockerfile.debian

@@ -0,0 +1,194 @@
+# syntax=docker/dockerfile:1
+
+# This file was generated using a Jinja2 template.
+# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
+# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
+
+# Using multistage build:
+# 	https://docs.docker.com/develop/develop-images/multistage-build/
+# 	https://whitfin.io/speeding-up-rust-docker-builds/
+
+####################### VAULT BUILD IMAGE #######################
+# The web-vault digest specifies a particular web-vault build on Docker Hub.
+# Using the digest instead of the tag name provides better security,
+# as the digest of an image is immutable, whereas a tag name can later
+# be changed to point to a malicious image.
+#
+# To verify the current digest for a given tag name:
+# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
+#   click the tag name to view the digest of the image it currently points to.
+# - From the command line:
+#     $ docker pull docker.io/vaultwarden/web-vault:v2023.10.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2023.10.0
+#     [docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935]
+#
+# - Conversely, to get the tag name from the digest:
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935
+#     [docker.io/vaultwarden/web-vault:v2023.10.0]
+#
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e715228a065935 as vault
+
+########################## Cross Compile Docker Helper Scripts ##########################
+## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
+## And these bash scripts do not have any significant difference if at all
+FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc AS xx
+
+########################## BUILD IMAGE ##########################
+# hadolint ignore=DL3006
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build
+COPY --from=xx / /
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG TARGETPLATFORM
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Build time options to avoid dpkg warnings and help with reproducible builds.
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    TZ=UTC \
+    TERM=xterm-256color \
+    CARGO_HOME="/root/.cargo" \
+    USER="root"
+
+# Install clang to get `xx-cargo` working
+# Install pkg-config to allow amd64 builds to find all libraries
+# Install git so build.rs can determine the correct version
+# Install the libc cross packages based upon the debian-arch
+RUN apt-get update && \
+    apt-get install -y \
+        --no-install-recommends \
+        clang \
+        pkg-config \
+        git \
+        "libc6-$(xx-info debian-arch)-cross" \
+        "libc6-dev-$(xx-info debian-arch)-cross" \
+        "linux-libc-dev-$(xx-info debian-arch)-cross" && \
+    # Run xx-cargo early, since it sometimes seems to break when run at a later stage
+    echo "export CARGO_TARGET=$(xx-cargo --print-target-triple)" >> /env-cargo
+
+RUN xx-apt-get install -y \
+        --no-install-recommends \
+        gcc \
+        libmariadb3 \
+        libpq-dev \
+        libpq5 \
+        libssl-dev && \
+    # Force install arch dependend mariadb dev packages
+    # Installing them the normal way breaks several other packages (again)
+    apt-get download "libmariadb-dev-compat:$(xx-info debian-arch)" "libmariadb-dev:$(xx-info debian-arch)" && \
+    dpkg --force-all -i ./libmariadb-dev*.deb
+
+# Create CARGO_HOME folder and don't download rust docs
+RUN mkdir -pv "${CARGO_HOME}" \
+    && rustup set profile minimal
+
+# Creates a dummy project used to grab dependencies
+RUN USER=root cargo new --bin /app
+WORKDIR /app
+
+# Environment variables for cargo across Debian and Alpine
+RUN source /env-cargo && \
+    if xx-info is-cross ; then \
+        # We can't use xx-cargo since that uses clang, which doesn't work for our libraries.
+        # Because of this we generate the needed environment variables here which we can load in the needed steps.
+        echo "export CC_$(echo "${CARGO_TARGET}" | tr '[:upper:]' '[:lower:]' | tr - _)=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export CARGO_TARGET_$(echo "${CARGO_TARGET}" | tr '[:lower:]' '[:upper:]' | tr - _)_LINKER=/usr/bin/$(xx-info)-gcc" >> /env-cargo && \
+        echo "export PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /env-cargo && \
+        echo "export CROSS_COMPILE=1" >> /env-cargo && \
+        echo "export OPENSSL_INCLUDE_DIR=/usr/include/$(xx-info)" >> /env-cargo && \
+        echo "export OPENSSL_LIB_DIR=/usr/lib/$(xx-info)" >> /env-cargo ; \
+    fi && \
+    # Output the current contents of the file
+    cat /env-cargo
+
+# Configure the DB ARG as late as possible to not invalidate the cached layers above
+ARG DB=sqlite,mysql,postgresql
+
+RUN source /env-cargo && \
+    rustup target add "${CARGO_TARGET}"
+
+ARG CARGO_PROFILE=release
+ARG VW_VERSION
+
+# Copies over *only* your manifests and build files
+COPY ./Cargo.* ./
+COPY ./rust-toolchain.toml ./rust-toolchain.toml
+COPY ./build.rs ./build.rs
+
+# Builds your dependencies and removes the
+# dummy project, except the target folder
+# This folder contains the compiled dependencies
+RUN source /env-cargo && \
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    find . -not -path "./target*" -delete
+
+# Copies the complete project
+# To avoid copying unneeded files, use .dockerignore
+COPY . .
+
+# Builds again, this time it will be the actual source files being build
+RUN source /env-cargo && \
+    # Make sure that we actually build the project by updating the src/main.rs timestamp
+    touch src/main.rs && \
+    # Create a symlink to the binary target folder to easy copy the binary in the final stage
+    cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
+    if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
+        ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
+    else \
+        ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
+    fi
+
+
+######################## RUNTIME IMAGE  ########################
+# Create a new stage with a minimal image
+# because we already have a binary built
+#
+# To build these images you need to have qemu binfmt support.
+# See the following pages to help install these tools locally
+# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
+# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
+#
+# Or use a Docker image which modifies your host system to support this.
+# The GitHub Actions Workflow uses the same image as used below.
+# See: https://github.com/tonistiigi/binfmt
+# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+#
+# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
+FROM --platform=$TARGETPLATFORM docker.io/library/debian:bookworm-slim
+
+ENV ROCKET_PROFILE="release" \
+    ROCKET_ADDRESS=0.0.0.0 \
+    ROCKET_PORT=80 \
+    DEBIAN_FRONTEND=noninteractive
+
+# Create data folder and Install needed libraries
+RUN mkdir /data && \
+    apt-get update && apt-get install -y \
+        --no-install-recommends \
+        ca-certificates \
+        curl \
+        libmariadb-dev-compat \
+        libpq5 \
+        openssl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+VOLUME /data
+EXPOSE 80
+EXPOSE 3012
+
+# Copies the files from the context (Rocket.toml file and web-vault)
+# and the binary from the "build" stage to the current stage
+WORKDIR /
+
+COPY docker/healthcheck.sh /healthcheck.sh
+COPY docker/start.sh /start.sh
+
+COPY --from=vault /web-vault ./web-vault
+COPY --from=build /app/target/final/vaultwarden .
+
+HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
+
+CMD ["/start.sh"]

docker/Makefile

@@ -1,15 +1,4 @@
-OBJECTS := $(shell find ./ -mindepth 2 -name 'Dockerfile*')
-
-all: $(OBJECTS)
-
-%/Dockerfile: Dockerfile.j2 render_template
-	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.alpine: Dockerfile.j2 render_template
-	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.buildkit: Dockerfile.j2 render_template
-	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
-
-%/Dockerfile.buildkit.alpine: Dockerfile.j2 render_template
-	./render_template "$<" "{\"target_file\":\"$@\"}" > "$@"
+all:
+	./render_template Dockerfile.j2 '{"base": "debian"}' > Dockerfile.debian
+	./render_template Dockerfile.j2 '{"base": "alpine"}' > Dockerfile.alpine
+.PHONY: all

docker/README.md

@@ -1,3 +1,183 @@
-The arch-specific directory names follow the arch identifiers used by the Docker official images:
+# Vaultwarden Container Building
 
-https://github.com/docker-library/official-images/blob/master/README.md#architectures-other-than-amd64
+To build and release new testing and stable releases of Vaultwarden we use `docker buildx bake`.<br>
+This can be used locally by running the command yourself, but it is also used by GitHub Actions.
+
+This makes it easier for us to test and maintain the different architectures we provide.<br>
+We also just have two Dockerfile's one for Debian and one for Alpine based images.<br>
+With just these two files we can build both Debian and Alpine images for the following platforms:
+ - amd64 (linux/amd64)
+ - arm64 (linux/arm64)
+ - armv7 (linux/arm/v7)
+ - armv6 (linux/arm/v6)
+
+To build these containers you need to enable QEMU binfmt support to be able to run/emulate architectures which are different then your host.<br>
+This ensures the container build process can run binaries from other architectures.<br>
+
+**NOTE**: Run all the examples below from the root of the repo.<br>
+
+
+## How to install QEMU binfmt support
+
+This is different per host OS, but most support this in some way.<br>
+
+### Ubuntu/Debian
+```bash
+apt install binfmt-support qemu-user-static
+```
+
+### Arch Linux (others based upon it)
+```bash
+pacman -S qemu-user-static qemu-user-static-binfmt
+```
+
+### Fedora
+```bash
+dnf install qemu-user-static
+```
+
+### Others
+There also is an option to use an other docker container to provide support for this.
+```bash
+# To install and activate
+docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
+# To unistall
+docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
+```
+
+
+## Single architecture container building
+
+You can build a container per supported architecture as long as you have QEMU binfmt support installed on your system.<br>
+
+```bash
+# Default bake triggers a Debian build using the hosts architecture
+docker buildx bake --file docker/docker-bake.hcl
+
+# Bake Debian ARM64 using a debug build
+CARGO_PROFILE=dev \
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+docker buildx bake --file docker/docker-bake.hcl debian-arm64
+
+# Bake Alpine ARMv6 as a release build
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+docker buildx bake --file docker/docker-bake.hcl alpine-armv6
+```
+
+
+## Local Multi Architecture container building
+
+Start the initialization, this only needs to be done once.
+
+```bash
+# Create and use a new buildx builder instance which connects to the host network
+docker buildx create --name vaultwarden --use --driver-opt network=host
+
+# Validate it runs
+docker buildx inspect --bootstrap
+
+# Create a local container registry directly reachable on the localhost
+docker run -d --name registry --network host registry:2
+```
+
+After that is done, you should be able to build and push to the local registry.<br>
+Use the following command with the modified variables to bake the Alpine images.<br>
+Replace `alpine` with `debian` if you want to build the debian multi arch images.
+
+```bash
+# Start a buildx bake using a debug build
+CARGO_PROFILE=dev \
+SOURCE_COMMIT="$(git rev-parse HEAD)" \
+CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \
+docker buildx bake --file docker/docker-bake.hcl alpine-multi
+```
+
+
+## Using the `bake.sh` script
+
+To make it a bit more easier to trigger a build, there also is a `bake.sh` script.<br>
+This script calls `docker buildx bake` with all the right parameters and also generates the `SOURCE_COMMIT` and `SOURCE_VERSION` variables.<br>
+This script can be called from both the repo root or within the docker directory.
+
+So, if you want to build a Multi Arch Alpine container pushing to your localhost registry you can run this from within the docker directory. (Just make sure you executed the initialization steps above first)
+```bash
+CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \
+./bake.sh alpine-multi
+```
+
+Or if you want to just build a Debian container from the repo root, you can run this.
+```bash
+docker/bake.sh
+```
+
+You can append both `alpine` and `debian` with `-amd64`, `-arm64`, `-armv7` or `-armv6`, which will trigger a build for that specific platform.<br>
+This will also append those values to the tag so you can see the builded container when running `docker images`.
+
+You can also append extra arguments after the target if you want. This can be useful for example to print what bake will use.
+```bash
+docker/bake.sh alpine-all --print
+```
+
+### Testing baked images
+
+To test these images you can run these images by using the correct tag and provide the platform.<br>
+For example, after you have build an arm64 image via `./bake.sh debian-arm64` you can run:
+```bash
+docker run --rm -it \
+  -e DISABLE_ADMIN_TOKEN=true \
+  -e I_REALLY_WANT_VOLATILE_STORAGE=true \
+  -p8080:80 --platform=linux/arm64 \
+  vaultwarden/server:testing-arm64
+```
+
+
+## Using the `podman-bake.sh` script
+
+To also make building easier using podman, there is a `podman-bake.sh` script.<br>
+This script calls `podman buildx build` with the needed parameters and the same as `bake.sh`, it will generate some variables automatically.<br>
+This script can be called from both the repo root or within the docker directory.
+
+**NOTE:** Unlike the `bake.sh` script, this only supports a single `CONTAINER_REGISTRIES`, and a single `BASE_TAGS` value, no comma separated values. It also only supports building separate architectures, no Multi Arch containers.
+
+To build an Alpine arm64 image with only sqlite support and mimalloc, run this:
+```bash
+DB="sqlite,enable_mimalloc" \
+./podman-bake.sh alpine-arm64
+```
+
+Or if you want to just build a Debian container from the repo root, you can run this.
+```bash
+docker/podman-bake.sh
+```
+
+You can append extra arguments after the target if you want. This can be useful for example to disable cache like this.
+```bash
+./podman-bake.sh alpine-arm64 --no-cache
+```
+
+For the podman builds you can, just like the `bake.sh` script, also append the architecture to build for that specific platform.<br>
+
+### Testing podman builded images
+
+The command to start a podman built container is almost the same as for the docker/bake built containers. The images start with `localhost/`, so you need to prepend that.
+
+```bash
+podman run --rm -it \
+  -e DISABLE_ADMIN_TOKEN=true \
+  -e I_REALLY_WANT_VOLATILE_STORAGE=true \
+  -p8080:80 --platform=linux/arm64 \
+  localhost/vaultwarden/server:testing-arm64
+```
+
+
+## Variables supported
+| Variable              | default | description |
+| --------------------- | ------------------ | ----------- |
+| CARGO_PROFILE         | null               | Which cargo profile to use. `null` means what is defined in the Dockerfile                                         |
+| DB                    | null               | Which `features` to build. `null` means what is defined in the Dockerfile                                          |
+| SOURCE_REPOSITORY_URL | null               | The source repository form where this build is triggered                                                           |
+| SOURCE_COMMIT         | null               | The commit hash of the current commit for this build                                                               |
+| SOURCE_VERSION        | null               | The current exact tag of this commit, else the last tag and the first 8 chars of the source commit                 |
+| BASE_TAGS             | testing            | Tags to be used. Can be a comma separated value like "latest,1.29.2"                                               |
+| CONTAINER_REGISTRIES  | vaultwarden/server | Comma separated value of container registries. Like `ghcr.io/dani-garcia/vaultwarden,docker.io/vaultwarden/server` |
+| VW_VERSION            | null               | To override the `SOURCE_VERSION` value. This is also used by the `build.rs` code for example                       |

docker/amd64/Dockerfile

@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libmariadb-dev \
-        libpq-dev
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:bullseye-slim
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/amd64/Dockerfile.alpine

@@ -1,112 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:x86_64-musl-stable-1.68.2 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN rustup target add x86_64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80 \
-    SSL_CERT_DIR=/etc/ssl/certs
-
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apk add --no-cache \
-        ca-certificates \
-        curl \
-        openssl \
-        tzdata
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/amd64/Dockerfile.buildkit

@@ -1,118 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies
-RUN apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        libmariadb-dev \
-        libpq-dev
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM debian:bullseye-slim
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/amd64/Dockerfile.buildkit.alpine

@@ -1,112 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:x86_64-musl-stable-1.68.2 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add x86_64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=x86_64-unknown-linux-musl
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80 \
-    SSL_CERT_DIR=/etc/ssl/certs
-
-
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apk add --no-cache \
-        ca-certificates \
-        curl \
-        openssl \
-        tzdata
-
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/x86_64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/arm64/Dockerfile

@@ -1,139 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies for the arm64 architecture
-RUN dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-aarch64-linux-gnu \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64 \
-        libmariadb-dev-compat:arm64 \
-        libmariadb3:arm64 \
-        libpq-dev:arm64 \
-        libpq5:arm64 \
-        libssl-dev:arm64 \
-    #
-    # Make sure cargo has the right target config
-    && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
-    CROSS_COMPILE="1" \
-    OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
-    OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN rustup target add aarch64-unknown-linux-gnu
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/arm64/Dockerfile.alpine

@@ -1,114 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:aarch64-musl-stable-1.68.2 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN rustup target add aarch64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80 \
-    SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apk add --no-cache \
-        ca-certificates \
-        curl \
-        openssl \
-        tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/arm64/Dockerfile.buildkit

@@ -1,139 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies for the arm64 architecture
-RUN dpkg --add-architecture arm64 \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-aarch64-linux-gnu \
-        libc6-dev:arm64 \
-        libmariadb-dev:arm64 \
-        libmariadb-dev-compat:arm64 \
-        libmariadb3:arm64 \
-        libpq-dev:arm64 \
-        libpq5:arm64 \
-        libssl-dev:arm64 \
-    #
-    # Make sure cargo has the right target config
-    && echo '[target.aarch64-unknown-linux-gnu]' >> "${CARGO_HOME}/config" \
-    && echo 'linker = "aarch64-linux-gnu-gcc"' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_aarch64_unknown_linux_gnu="/usr/bin/aarch64-linux-gnu-gcc" \
-    CROSS_COMPILE="1" \
-    OPENSSL_INCLUDE_DIR="/usr/include/aarch64-linux-gnu" \
-    OPENSSL_LIB_DIR="/usr/lib/aarch64-linux-gnu"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-gnu
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-gnu
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-gnu/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/arm64/Dockerfile.buildkit.alpine

@@ -1,114 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:aarch64-musl-stable-1.68.2 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add aarch64-unknown-linux-musl
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=aarch64-unknown-linux-musl
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/aarch64-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80 \
-    SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apk add --no-cache \
-        ca-certificates \
-        curl \
-        openssl \
-        tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/aarch64-unknown-linux-musl/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/armv6/Dockerfile

@@ -1,143 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies for the armel architecture
-RUN dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabi \
-        libc6-dev:armel \
-        libmariadb-dev:armel \
-        libmariadb-dev-compat:armel \
-        libmariadb3:armel \
-        libpq-dev:armel \
-        libpq5:armel \
-        libssl-dev:armel \
-    #
-    # Make sure cargo has the right target config
-    && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
-    CROSS_COMPILE="1" \
-    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
-    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN rustup target add arm-unknown-linux-gnueabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
-# This symlink was there in the buster images, and for some reason this is needed.
-RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/armv6/Dockerfile.alpine

@@ -1,116 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM blackdex/rust-musl:arm-musleabi-stable-1.68.2 as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# To be able to build the armv6 image with mimalloc we need to specifically specify the libatomic.a file location
-ENV RUSTFLAGS='-Clink-arg=/usr/local/musl/arm-unknown-linux-musleabi/lib/libatomic.a'
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN rustup target add arm-unknown-linux-musleabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-# Enable MiMalloc to improve performance on Alpine builds
-ARG DB=sqlite,mysql,postgresql,enable_mimalloc
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN cargo build --features ${DB} --release --target=arm-unknown-linux-musleabi
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-alpine:3.17
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80 \
-    SSL_CERT_DIR=/etc/ssl/certs
-
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apk add --no-cache \
-        ca-certificates \
-        curl \
-        openssl \
-        tzdata
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-musleabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]

docker/armv6/Dockerfile.buildkit

@@ -1,143 +0,0 @@
-# syntax=docker/dockerfile:1
-
-# This file was generated using a Jinja2 template.
-# Please make your changes in `Dockerfile.j2` and then `make` the individual Dockerfiles.
-# Using multistage build:
-# 	https://docs.docker.com/develop/develop-images/multistage-build/
-# 	https://whitfin.io/speeding-up-rust-docker-builds/
-####################### VAULT BUILD IMAGE  #######################
-# The web-vault digest specifies a particular web-vault build on Docker Hub.
-# Using the digest instead of the tag name provides better security,
-# as the digest of an image is immutable, whereas a tag name can later
-# be changed to point to a malicious image.
-#
-# To verify the current digest for a given tag name:
-# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
-#   click the tag name to view the digest of the image it currently points to.
-# - From the command line:
-#     $ docker pull vaultwarden/web-vault:v2023.3.0b
-#     $ docker image inspect --format "{{.RepoDigests}}" vaultwarden/web-vault:v2023.3.0b
-#     [vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee]
-#
-# - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee
-#     [vaultwarden/web-vault:v2023.3.0b]
-#
-FROM vaultwarden/web-vault@sha256:aa6ba791911a815ea570ec2ddc59992481c6ba8fbb65eed4f7074b463430d3ee as vault
-
-########################## BUILD IMAGE  ##########################
-FROM rust:1.68.2-bullseye as build
-
-# Build time options to avoid dpkg warnings and help with reproducible builds.
-ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
-    TZ=UTC \
-    TERM=xterm-256color \
-    CARGO_HOME="/root/.cargo" \
-    USER="root"
-
-# Create CARGO_HOME folder and don't download rust docs
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry mkdir -pv "${CARGO_HOME}" \
-    && rustup set profile minimal
-
-# Install build dependencies for the armel architecture
-RUN dpkg --add-architecture armel \
-    && apt-get update \
-    && apt-get install -y \
-        --no-install-recommends \
-        gcc-arm-linux-gnueabi \
-        libc6-dev:armel \
-        libmariadb-dev:armel \
-        libmariadb-dev-compat:armel \
-        libmariadb3:armel \
-        libpq-dev:armel \
-        libpq5:armel \
-        libssl-dev:armel \
-    #
-    # Make sure cargo has the right target config
-    && echo '[target.arm-unknown-linux-gnueabi]' >> "${CARGO_HOME}/config" \
-    && echo 'linker = "arm-linux-gnueabi-gcc"' >> "${CARGO_HOME}/config" \
-    && echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabi"]' >> "${CARGO_HOME}/config"
-
-# Set arm specific environment values
-ENV CC_arm_unknown_linux_gnueabi="/usr/bin/arm-linux-gnueabi-gcc" \
-    CROSS_COMPILE="1" \
-    OPENSSL_INCLUDE_DIR="/usr/include/arm-linux-gnueabi" \
-    OPENSSL_LIB_DIR="/usr/lib/arm-linux-gnueabi"
-
-# Creates a dummy project used to grab dependencies
-RUN USER=root cargo new --bin /app
-WORKDIR /app
-
-# Copies over *only* your manifests and build files
-COPY ./Cargo.* ./
-COPY ./rust-toolchain ./rust-toolchain
-COPY ./build.rs ./build.rs
-
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry rustup target add arm-unknown-linux-gnueabi
-
-# Configure the DB ARG as late as possible to not invalidate the cached layers above
-ARG DB=sqlite,mysql,postgresql
-
-# Builds your dependencies and removes the
-# dummy project, except the target folder
-# This folder contains the compiled dependencies
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi \
-    && find . -not -path "./target*" -delete
-
-# Copies the complete project
-# To avoid copying unneeded files, use .dockerignore
-COPY . .
-
-# Make sure that we actually build the project
-RUN touch src/main.rs
-
-# Builds again, this time it'll just be
-# your actual source files being built
-RUN --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/root/.cargo/registry cargo build --features ${DB} --release --target=arm-unknown-linux-gnueabi
-
-######################## RUNTIME IMAGE  ########################
-# Create a new stage with a minimal image
-# because we already have a binary built
-FROM balenalib/rpi-debian:bullseye
-
-ENV ROCKET_PROFILE="release" \
-    ROCKET_ADDRESS=0.0.0.0 \
-    ROCKET_PORT=80
-
-RUN [ "cross-build-start" ]
-
-# Create data folder and Install needed libraries
-RUN mkdir /data \
-    && apt-get update && apt-get install -y \
-    --no-install-recommends \
-    ca-certificates \
-    curl \
-    libmariadb-dev-compat \
-    libpq5 \
-    openssl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# In the Balena Bullseye images for armv6/rpi-debian there is a missing symlink.
-# This symlink was there in the buster images, and for some reason this is needed.
-RUN ln -v -s /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3
-
-RUN [ "cross-build-end" ]
-
-VOLUME /data
-EXPOSE 80
-EXPOSE 3012
-
-# Copies the files from the context (Rocket.toml file and web-vault)
-# and the binary from the "build" stage to the current stage
-WORKDIR /
-COPY --from=vault /web-vault ./web-vault
-COPY --from=build /app/target/arm-unknown-linux-gnueabi/release/vaultwarden .
-
-COPY docker/healthcheck.sh /healthcheck.sh
-COPY docker/start.sh /start.sh
-
-HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
-
-CMD ["/start.sh"]