Need help with passbolt_docker?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

passbolt
534 Stars 127 Forks GNU Affero General Public License v3.0 485 Commits 6 Opened issues

Description

Get started with Passbolt CE using docker!

Services available

!
?

Need anything else?

Contributors list

       ____                  __          ____          .-.
      / __ \____  _____ ____/ /_  ____  / / /_    .--./ /      _.---.,
     / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/     '-,  (__..-`       \
    / ____/ /_/ (__  |__  ) /_/ / /_/ / / /_          \                |
   /_/    \__,_/____/____/_,___/\____/_/\__/           `,.__.   ^___.-/
                                                         `-./ .'...--`
  The open source password manager for teams                `'
  (c) 2021 Passbolt SA
  https://www.passbolt.com

Codacy Badge Docker Pulls GitHub release license Twitter Follow

What is passbolt?

Passbolt is a free and open source password manager that allows team members to store and share credentials securely.

Requirements

  • rng-tools or haveged might be required on host machine to speed up entropy generation on containers. This way gpg key creation on passbolt container will be faster.
  • mariadb/mysql >= 5.0

Usage

docker-compose

Usage:

$ docker-compose up

Users are encouraged to use official docker image from the docker hub.

Start passbolt instance

Passbolt requires mysql to be running. The following example use mysql official docker image with the default passbolt credentials.

$ docker run -e MYSQL_ROOT_PASSWORD= \
             -e MYSQL_DATABASE= \
             -e MYSQL_USER= \
             -e MYSQL_PASSWORD= \
             mariadb

Then you can start passbolt just by providing the database container ip in the

DATASOURCES_DEFAULT_HOST
environment variable.
$ docker run --name passbolt \
             -p 80:80 \
             -p 443:443 \
             -e DATASOURCES_DEFAULT_HOST= \
             -e DATASOURCES_DEFAULT_PASSWORD= \
             -e DATASOURCES_DEFAULT_USERNAME= \
             -e DATASOURCES_DEFAULT_DATABASE= \
             -e APP_FULL_BASE_URL=https://mydomain.com \
             passbolt/passbolt:develop-debian

Once the container is running create your first admin user:

$ docker exec passbolt su -m -c "bin/cake passbolt register_user -u [email protected] -f yourname -l surname -r admin" -s /bin/sh www-data

This registration command will return a single use url required to continue the web browser setup and finish the registration. Your passbolt instance should be available browsing

https://yourdomain.com

Configure passbolt

Environment variables reference

Passbolt docker image provides several environment variables to configure different aspects:

| Variable name | Description | Default value | ----------------------------------- | -------------------------------- | ------------------- | APPBASE | it allows people to specify the base subdir the application is running in | null | APPFULLBASEURL | Passbolt base url | false | DATASOURCESDEFAULTHOST | Database hostname | localhost | DATASOURCESDEFAULTPORT | Database port | 3306 | DATASOURCESDEFAULTUSERNAME | Database username | '' | DATASOURCESDEFAULTPASSWORD | Database password | '' | DATASOURCESDEFAULTDATABASE | Database name | '' | DATASOURCESDEFAULTSSLKEY | Database SSL Key | '' | DATASOURCESDEFAULTSSLCERT | Database SSL Cert | '' | DATASOURCESDEFAULTSSLCA | Database SSL CA | '' | EMAILTRANSPORTDEFAULTCLASSNAME | Email classname | Smtp | EMAILDEFAULTFROM | From email address | [email protected] | EMAILDEFAULTTRANSPORT | Sets transport method | default | EMAILTRANSPORTDEFAULTHOST | Server hostname | localhost | EMAILTRANSPORTDEFAULTPORT | Server port | 25 | EMAILTRANSPORTDEFAULTTIMEOUT | Timeout | 30 | EMAILTRANSPORTDEFAULTUSERNAME | Username for email server auth | null | EMAILTRANSPORTDEFAULTPASSWORD | Password for email server auth | null | EMAILTRANSPORTDEFAULTCLIENT | Client | null | EMAILTRANSPORTDEFAULTTLS | Set tls | null | EMAILTRANSPORTDEFAULTURL | Set url | null | GNUPGHOME | path to gnupghome directory | /var/lib/passbolt/.gnupg | PASSBOLTKEYLENGTH | Gpg desired key length | 2048 | PASSBOLTSUBKEYLENGTH | Gpg desired subkey length | 2048 | PASSBOLTKEYNAME | Key owner name | Passbolt default user | PASSBOLTKEYEMAIL | Key owner email address | [email protected] | PASSBOLTKEYEXPIRATION | Key expiration date | 0, never expires | PASSBOLTGPGSERVERKEYFINGERPRINT | GnuPG fingerprint | null | PASSBOLTGPGSERVERKEYPUBLIC | Path to GnuPG public server key | /etc/passbolt/gpg/serverkey.asc | PASSBOLTGPGSERVERKEYPRIVATE | Path to GnuPG private server key | /etc/passbolt/gpg/serverkeyprivate.asc | PASSBOLTPLUGINSEXPORTENABLED | Enable export plugin | true | PASSBOLTPLUGINSIMPORTENABLED | Enable import plugin | true | PASSBOLTREGISTRATIONPUBLIC | Defines if users can register | false | PASSBOLTSSLFORCE | Redirects http to https | true | PASSBOLTSECURITYSETHEADERS | Send CSP Headers | true | SECURITYSALT | CakePHP security salt | SALT

For more env variables supported please check default.php and app.default.php

Configuration files

What if you already have a set of gpg keys and custom configuration files for passbolt? It it possible to mount the desired configuration files as volumes.

  • /etc/passbolt/app.php
  • /etc/passbolt/passbolt.php
  • /etc/passbolt/gpg/serverkey.asc
  • /etc/passbolt/gpg/serverkey_private.asc
  • /usr/share/php/passbolt/webroot/img/public/images

SSL certificate files

It is also possible to mount a ssl certificate on the following paths:

  • /etc/ssl/certs/certificate.crt
  • /etc/ssl/certs/certificate.key

Database SSL certificate files

If Database SSL certs provided, you must mount mysql/mariadb specific conf on the following paths: * /etc/mysql/conf.d # if using mysql * /etc/mysql/mariadb.conf.d/ #if using mariadb

Example:

[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem

CLI healthcheck

In order to run the healtcheck from the CLI on the container:

On a root docker image:

$ su -s /bin/bash www-data
$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:[email protected]} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck

Non root image:

$ export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:[email protected]} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
$ bin/cake passbolt healthcheck

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.