海运的博客

安装rust环境：

apt install git make gcc libssl-dev pkg-config curl
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

编译安装bitwarden_rs：

git clone https://github.com/dani-garcia/bitwarden_rs/
cd bitwarden_rs/
cargo build --features sqlite --release
mkdir /usr/local/bitwarden
cp target/release/bitwarden_rs /usr/local/bitwarden/  

交叉编译arm64/aarch64版本bitwarden_rs：

#wget https://releases.linaro.org/components/toolchain/binaries/latest-7/aarch64-linux-gnu/gcc-linaro-7.5.0-2019.12-x86_64_aarch64-linux-gnu.tar.xz
#tar -Jxvf gcc-linaro-7.5.0-2019.12-x86_64_aarch64-linux-gnu.tar.xz 
#export PATH=$PATH:`pwd`/gcc-linaro-7.5.0-2019.12-x86_64_aarch64-linux-gnu/bin/
apt install gcc-aarch64-linux-gnu
git clone https://github.com/dani-garcia/bitwarden_rs/
cd bitwarden_rs/
mkdir .cargo
rustup target install aarch64-unknown-linux-gnu
echo '[target.aarch64-unknown-linux-gnu]' > .cargo/config
echo 'linker = "aarch64-linux-gnu-gcc"' >> .cargo/config
sed -i '/\[features\]/a\openssl-vendored = ["openssl/vendored"]' Cargo.toml 
cargo build --target="aarch64-unknown-linux-gnu" --release --features "sqlite" --features "openssl-vendored"

编译安装web-vault，内存需4G以上，不然可能会出错。已编译版本：https://github.com/dani-garcia/bw_web_builds/releases

curl -sL https://deb.nodesource.com/setup_10.x | bash -
apt install nodejs
git clone https://github.com/bitwarden/web.git web-vault
cd web-vault
git checkout v2.18.2
#2.18版本先执行再patch
npm run sub:init
wget https://raw.githubusercontent.com/dani-garcia/bw_web_builds/master/patches/v2.18.1.patch
git apply v2.18.1.patch
npm install
npm run dist
#新版本
npm run dist:oss:selfhost
cp -r build /usr/local/bitwarden/web-vault
export PATH=/usr/local/bitwarden/:$PATH

也可使用docker build：

apt install docker.io
git clone https://github.com/dani-garcia/bw_web_builds.git
cd bw_web_builds/
git checkout v2022.10.2
make docker-extract

如果遇到以下错误：
ERROR in node_modules/sweetalert/typings/sweetalert.d.ts(4,9): error TS2403: Subsequent variable declarations must have the same type. Variable 'swal' must be of type 'typeof import("/usr/local/src/web-vault/node_modules/sweetalert/typings/sweetalert")', but here has type 'SweetAlert'.
则：

sed -i 's/const swal/\/\/const swal/' node_modules/sweetalert/typings/sweetalert.d.ts

启动：

export WEB_VAULT_FOLDER=/usr/local/bitwarden/web-vault
export DATA_FOLDER=/usr/local/bitwarden/data
bitwarden_rs

systemd：

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target

[Service]
User=bitwarden
Group=bitwarden
EnvironmentFile=/etc/bitwarden/config.env
ExecStart=/usr/local/bin/bitwarden_rs
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/etc/bitwarden/
ReadWriteDirectories=/etc/bitwarden/
ReadWriteDirectories=/run/log/bitwarden/
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=always
RestartSec=5
StartLimitBurst=3
StartLimitInterval=60
StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target

添加运行用户：

useradd -r bitwarden  -s /usr/sbin/nologin

/etc/bitwarden/config.env文件：

WEB_VAULT_FOLDER="/usr/local/web-vault"
DATA_FOLDER="/etc/bitwarden/data"
ROCKET_ADDRESS="127.0.0.1"
ROCKET_PORT="8080"
SIGNUPS_ALLOWED="false"
INVITATIONS_ALLOWED="false"
DOMAIN="https://www.haiyun.me"
SHOW_PASSWORD_HINT="false"
LOG_FILE="/run/log/bitwarden/bitwarden.log"
EXTENDED_LOGGING="true"
#"trace", "debug", "info", "warn", "error" or "off".
LOG_LEVEL="info"

nginx配置：

server {
  listen       0.0.0.0:443 ssl http2;
  server_name www.haiyun.me;

  ssl_certificate /etc/acme/www.haiyun.me_ecc/fullchain.cer;
  ssl_certificate_key /etc/acme/www.haiyun.me_ecc/www.haiyun.me.key;
  ssl_protocols      TLSv1.2 TLSv1.3;
  #ssl_ciphers         HIGH:!aNULL:!MD5;
  ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA;
  ssl_prefer_server_ciphers   off; 

  ssl_early_data on;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/acme/www.haiyun.me_ecc/ca.cer;

  root   /var/www/html;
  index  index.html index.htm;

  location / {
    proxy_redirect off;
    #proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  access_log /run/log/nginx/www.haiyun.me.log ssl;
  error_log  /run/log/nginx/www.haiyun.me_error.log;
}

https://github.com/dani-garcia/bitwarden_rs/wiki/Building-binary
https://github.com/t4t5/sweetalert/issues/890
https://www.reddit.com/r/Bitwarden/comments/dg78bi/building_selfhosted_bitwarden_via_bitwarden_rs/
https://www.ixsystems.com/community/threads/how-to-build-your-own-bitwarden_rs-jail.81389/

alpine从硬盘grub引导到内存中运行，重启后会破坏原硬盘分区，使用alpine官方推荐的使用ipxe netboot。
生成ipxe grub引导脚本，ssh_key为后续ssh登录目标系统操作的机器ssh public key，grub引导的ipxe lkrn可自行编译。

#!/bin/bash
#set -x
network=static
dns=8.8.8.8
ssh_key="ssh_key=https://www.haiyun.me/id_rsa.pub"
mirror="http://mirrors.aliyun.com/alpine/v3.11"
ipxe_file="https://www.haiyun.me/ipxe.lkrn"

valid_ip() {
  [[ $1 =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
  state=$?
  return $state 
}
cidr2mask() {
    value=$(( 0xffffffff ^ ((1 << (32 - $1)) - 1) ))
    echo "$(( ($value >> 24) & 0xff )).$(( ($value >> 16) & 0xff )).$(( ($value >> 8) & 0xff )).$(( $value & 0xff ))"
}
which wget &> /dev/null && which ip &> /dev/null || {
  echo '请先安装wget和ip'
  exit
}
alpine_addr="ip=dhcp"
if [ "$network" == 'static' ]; then
  address=$(ip -o -f inet addr show | awk '/scope global/ {print $4}' | head -n 1)
  addr=$(echo $address | awk -F'/' '{print $1}')
  cidr=$(echo $address | awk -F'/' '{print $2}')
  gw=$(ip rou | awk '/default via/ {print $3}')
  mask=$(cidr2mask $cidr)
  alpine_addr="ip=${addr}::${gw}:${mask}::::${dns}:"
  echo 'ip：' $addr
  echo 'route：' $gw
  echo 'netmask：' $mask
  valid_ip "$addr" && valid_ip "$mask" && valid_ip "$gw" || {
    echo '获取网络信息失败'
    exit
  }
  read -r -p "以上IP信息是否正确? [Y/n] " input
  if [[ $input != "y" && $input != "Y" ]]; then
    echo "abort"
    exit
  fi
fi

if [ -f "/etc/redhat-release" ]; then
  grubfile=/boot/grub2/grub.cfg
  grubcmd=grub2-mkconfig
else
  grubfile=/boot/grub/grub.cfg
  grubcmd=grub-mkconfig
fi
#root=`grep "set root" $grubfile|sed -e 's/^[ \t]*//'|head -n 1`
root=$(grep 'set root' $grubfile | sed -e 's/^[ \t]*//' | sort | uniq -c | head -n 1 | awk '{print $2,$3}')
if mount | grep -q /boot; then
  dir=/
else
  dir=/boot/
fi
vmlinuzfile=${dir}ipxe.lkrn
initrdfile=${dir}ipxe.initrd
wget -q $ipxe_file -O /boot/ipxe.lkrn
cat > /boot/ipxe.initrd << EOF
#!ipxe
imgfree
set net0/ip ${addr}
set net0/netmask ${mask}
set net0/gateway ${gw}
set dns ${dns}
ifopen net0

:boot
kernel ${mirror}/releases/x86_64/netboot/vmlinuz-virt ${alpine_addr} modules=loop,squashfs quiet nomodeset alpine_repo=${mirror}/main/ modloop=${mirror}/releases/x86_64/netboot/modloop-virt console=tty0 ${ssh_key} || goto boot
initrd ${mirror}/releases/x86_64/netboot/initramfs-virt || goto boot

boot || shell
EOF

[[ -f /boot/ipxe.lkrn ]] && [[ -f /boot/ipxe.initrd ]] || {
  echo '引导文件不存在'
  exit
}

cat > /etc/grub.d/40_custom << EOF
#!/bin/sh
exec tail -n +3 \$0
menuentry 'netinstall' {
$root
linux16 $vmlinuzfile
initrd16 $initrdfile
}
EOF
sed -i 's/GRUB_DEFAULT=.*/GRUB_DEFAULT="netinstall"/' /etc/default/grub
$grubcmd -o $grubfile
cat /etc/grub.d/40_custom

ssh登录到alpine系统，dd备份的系统镜像保存到sshfs挂载远程服务器上，也可使用nfs。

apk add sshfs
modprobe fuse
sshfs -p 22 www.haiyun.me:/mnt/ /mnt/
dd if=/dev/vda | gzip > /mnt/pr.img
sync
umount /mnt/

恢复备份系统的grub引导：

mount -t ext4 /dev/vda1 /mnt/
chmod 644 /mnt/boot/grub/grub.cfg
sed -i 's/default="netinstall"/default="0"/' /mnt/boot/grub/grub.cfg
chmod 444 /mnt/boot/grub/grub.cfg
sed -i 's/GRUB_DEFAULT="netinstall"/GRUB_DEFAULT="0"/' /mnt/etc/default/grub
umount /mnt/

将要dd的目标系统通过以上方法引导至alpine系统并挂载sshfs，然后将之前备份的img dd到目标系统：

gzip -dc /mnt/pr.img |dd of=/dev/vda

如果要dd的目标系统硬盘比备份的系统硬盘大，要进行linux系统分区扩容，如果要扩容的分区下面有swap分区，记住swap的扇区大小和要扩容的分区起始位置，根据总扇区大小计算要扩充的分区扇区大小，将swap分区和扩充的分区删除再新建。

apk add util-linux e2fsprogs-extra
#修改分区扇区大小及位置，方法见上面链接
fdisk /dev/vda
partprobe 
e2fsck -yf /dev/vda1
resize2fs /dev/vda1
#如果有删除并新建swap分区，后面还要修改fstab swap uuid
mkswap /dev/vda2

挂载恢复后硬盘镜像，修改目标系统的IP地址和启动项：

mount -t ext4 /dev/vda1 /mnt/
#如果有更改swap分区，修改fstab uuid
blkid
vim /mnt/etc/fstab 
vim /mnt/etc/network/interfaces
chmod 644 /mnt/boot/grub/grub.cfg
sed -i 's/default="netinstall"/default="0"/' /mnt/boot/grub/grub.cfg
chmod 444 /mnt/boot/grub/grub.cfg
sed -i 's/GRUB_DEFAULT="netinstall"/GRUB_DEFAULT="0"/' /mnt/etc/default/grub
umount /mnt/

虽然dnsmasq自带参数min-cache-ttl可修改服务器缓存最小值，但是首次请求返回给客户端的时正常ttl，使用以下patch可修改返回给客户端ttl时间，配合min-cache-ttl保持和dnsmasq缓存ttl时间一致，dnsmasq不开启缓存可单独修改min ttl。
适用于dnsmasq2.80版本，

diff -urN dnsmasq-2.80/src/dnsmasq.h dnsmasq-2.80-bak/src/dnsmasq.h
--- dnsmasq-2.80/src/dnsmasq.h  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/dnsmasq.h      2020-01-13 10:38:16.940067371 +0800
@@ -1023,7 +1023,7 @@
   int max_logs;  /* queue limit */
   int cachesize, ftabsize;
   int port, query_port, min_port, max_port;
-  unsigned long local_ttl, neg_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
+  unsigned long local_ttl, neg_ttl, min_ttl, max_ttl, min_cache_ttl, max_cache_ttl, auth_ttl, dhcp_ttl, use_dhcp_ttl;
   char *dns_client_id;
   struct hostsfile *addn_hosts;
   struct dhcp_context *dhcp, *dhcp6;
diff -urN dnsmasq-2.80/src/option.c dnsmasq-2.80-bak/src/option.c
--- dnsmasq-2.80/src/option.c   2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/option.c       2020-01-13 17:21:13.925164926 +0800
@@ -106,6 +106,7 @@
 #define LOPT_PROXY         295
 #define LOPT_GEN_NAMES     296
 #define LOPT_MAXTTL        297
+#define LOPT_MINTTL        397
 #define LOPT_NO_REBIND     298
 #define LOPT_LOC_REBND     299
 #define LOPT_ADD_MAC       300
@@ -281,6 +282,7 @@
     { "dhcp-broadcast", 2, 0, LOPT_BROADCAST },
     { "neg-ttl", 1, 0, LOPT_NEGTTL },
     { "max-ttl", 1, 0, LOPT_MAXTTL },
+    { "min-ttl", 1, 0, LOPT_MINTTL },
     { "min-cache-ttl", 1, 0, LOPT_MINCTTL },
     { "max-cache-ttl", 1, 0, LOPT_MAXCTTL },
     { "dhcp-alternate-port", 2, 0, LOPT_ALTPORT },
@@ -409,6 +411,7 @@
   { 'T', ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for replies from /etc/hosts."), NULL },
   { LOPT_NEGTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for negative caching."), NULL },
   { LOPT_MAXTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for maximum TTL to send to clients."), NULL },
+  { LOPT_MINTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live in seconds for minimum TTL to send to clients."), NULL },
   { LOPT_MAXCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live ceiling for cache."), NULL },
   { LOPT_MINCTTL, ARG_ONE, "<integer>", gettext_noop("Specify time-to-live floor for cache."), NULL },
   { 'u', ARG_ONE, "<username>", gettext_noop("Change to this user after startup. (defaults to %s)."), CHUSER }, 
@@ -2664,6 +2667,7 @@
     case 'T':         /* --local-ttl */
     case LOPT_NEGTTL: /* --neg-ttl */
     case LOPT_MAXTTL: /* --max-ttl */
+    case LOPT_MINTTL: /* --min-ttl */
     case LOPT_MINCTTL: /* --min-cache-ttl */
     case LOPT_MAXCTTL: /* --max-cache-ttl */
     case LOPT_AUTHTTL: /* --auth-ttl */
@@ -2676,6 +2680,8 @@
          daemon->neg_ttl = (unsigned long)ttl;
        else if (option == LOPT_MAXTTL)
          daemon->max_ttl = (unsigned long)ttl;
+       else if (option == LOPT_MINTTL)
+         daemon->min_ttl = (unsigned long)ttl;
        else if (option == LOPT_MINCTTL)
          {
            if (ttl > TTL_FLOOR_LIMIT)
diff -urN dnsmasq-2.80/src/rfc1035.c dnsmasq-2.80-bak/src/rfc1035.c
--- dnsmasq-2.80/src/rfc1035.c  2018-10-19 02:21:55.000000000 +0800
+++ dnsmasq-2.80-bak/src/rfc1035.c      2020-01-13 17:12:25.455445871 +0800
@@ -669,11 +669,20 @@
                  GETSHORT(aqtype, p1); 
                  GETSHORT(aqclass, p1);
                  GETLONG(attl, p1);
+                  unsigned long mttl = 0;
                  if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
                    {
-                     (p1) -= 4;
-                     PUTLONG(daemon->max_ttl, p1);
+                      mttl = daemon->max_ttl;
+                   }
+                 if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+                   {
+                      mttl = daemon->min_ttl;
                    }
+                  if (mttl != 0)
+                  {
+                     (p1) -= 4;
+                     PUTLONG(mttl, p1);
+                  }
                  GETSHORT(ardlen, p1);
                  endrr = p1+ardlen;
                  
@@ -762,11 +771,20 @@
              GETSHORT(aqtype, p1); 
              GETSHORT(aqclass, p1);
              GETLONG(attl, p1);
+              unsigned long mttl = 0;
              if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
-               {
-                 (p1) -= 4;
-                 PUTLONG(daemon->max_ttl, p1);
-               }
+               {
+                  mttl = daemon->max_ttl;
+               }
+             if ((daemon->min_ttl != 0) && (attl < daemon->min_ttl) && !is_sign)
+               {
+                  mttl = daemon->min_ttl;
+               }
+              if (mttl != 0)
+              {
+                 (p1) -= 4;
+                 PUTLONG(mttl, p1);
+              }
              GETSHORT(ardlen, p1);
              endrr = p1+ardlen;