mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2025-11-06 20:33:12 -05:00
9017ca265a
* Optimizations and build speedup With this commit I have changed several components to be more efficient. This can be less llvm-lines generated or less `clone()` calls. ### Config - Re-ordered the `make_config` macro to be more efficient - Created a custom Deserializer for `ConfigBuilder` less code and more efficient - Use struct's for the `prepare_json` function instead of generating a custom JSON object. This generates less code and is more efficient. - Updated the `get_support_string` function to handle the masking differently. This generates less code and also was able to remove some sub-macro-calls ### Error - Added an extra new call to prevent duplicate Strings in generated macro code. This generated less llvm-lines and seems to be more efficient. - Created a custom Serializer for `ApiError` and `CompactApiError` This makes that struct smaller in size, so better for memory, but also less llvm-lines. ### General - Removed `once_lock` and replace it all with Rust's std LazyLock - Added and fixed some Clippy lints which reduced `clone()` calls for example. - Updated build profiles for more efficiency Also added a new profile specifically for CI, which should decrease the build check - Updated several GitHub Workflows for better security and use the new `ci` build profile - Updated to Rust v1.90.0 which uses a new linker `rust-lld` which should help in faster building - Updated the Cargo.toml for all crates to better use the `workspace` variables - Added a `typos` Workflow and Pre-Commit, which should help in detecting spell error's. Also fixed a few found by it. Signed-off-by: BlackDex <black.dex@gmail.com> * Fix release profile Signed-off-by: BlackDex <black.dex@gmail.com> * Update typos and remove mimalloc check from pre-commit checks Signed-off-by: BlackDex <black.dex@gmail.com> * Misc fixes and updated typos Signed-off-by: BlackDex <black.dex@gmail.com> * Update crates and workflows Signed-off-by: BlackDex <black.dex@gmail.com> * Fix formating and pre-commit Signed-off-by: BlackDex <black.dex@gmail.com> * Update to Rust v1.91 and update crates Signed-off-by: BlackDex <black.dex@gmail.com> * Update web-vault to v2025.10.1 and xx to v1.8.0 Signed-off-by: BlackDex <black.dex@gmail.com> --------- Signed-off-by: BlackDex <black.dex@gmail.com>
160 lines
6.4 KiB
Docker
160 lines
6.4 KiB
Docker
# syntax=docker/dockerfile:1
|
|
# check=skip=FromPlatformFlagConstDisallowed,RedundantTargetPlatform
|
|
|
|
# This file was generated using a Jinja2 template.
|
|
# Please make your changes in `DockerSettings.yaml` or `Dockerfile.j2` and then `make`
|
|
# This will generate two Dockerfile's `Dockerfile.debian` and `Dockerfile.alpine`
|
|
|
|
# Using multistage build:
|
|
# https://docs.docker.com/develop/develop-images/multistage-build/
|
|
# https://whitfin.io/speeding-up-rust-docker-builds/
|
|
|
|
####################### VAULT BUILD IMAGE #######################
|
|
# The web-vault digest specifies a particular web-vault build on Docker Hub.
|
|
# Using the digest instead of the tag name provides better security,
|
|
# as the digest of an image is immutable, whereas a tag name can later
|
|
# be changed to point to a malicious image.
|
|
#
|
|
# To verify the current digest for a given tag name:
|
|
# - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
|
|
# click the tag name to view the digest of the image it currently points to.
|
|
# - From the command line:
|
|
# $ docker pull docker.io/vaultwarden/web-vault:v2025.10.1
|
|
# $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.10.1
|
|
# [docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa]
|
|
#
|
|
# - Conversely, to get the tag name from the digest:
|
|
# $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa
|
|
# [docker.io/vaultwarden/web-vault:v2025.10.1]
|
|
#
|
|
FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:50662dccf4908ac2128cd44981c52fcb4e3e8dd56f21823c8d5e91267ff741fa AS vault
|
|
|
|
########################## ALPINE BUILD IMAGES ##########################
|
|
## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
|
|
## And for Alpine we define all build images here, they will only be loaded when actually used
|
|
FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.91.0 AS build_amd64
|
|
FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.91.0 AS build_arm64
|
|
FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.91.0 AS build_armv7
|
|
FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.91.0 AS build_armv6
|
|
|
|
########################## BUILD IMAGE ##########################
|
|
# hadolint ignore=DL3006
|
|
FROM --platform=linux/amd64 build_${TARGETARCH}${TARGETVARIANT} AS build
|
|
ARG TARGETARCH
|
|
ARG TARGETVARIANT
|
|
ARG TARGETPLATFORM
|
|
|
|
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
|
|
|
# Build time options to avoid dpkg warnings and help with reproducible builds.
|
|
ENV DEBIAN_FRONTEND=noninteractive \
|
|
LANG=C.UTF-8 \
|
|
TZ=UTC \
|
|
TERM=xterm-256color \
|
|
CARGO_HOME="/root/.cargo" \
|
|
USER="root" \
|
|
# Use PostgreSQL v17 during Alpine/MUSL builds instead of the default v16
|
|
# Debian Trixie uses libpq v17
|
|
PQ_LIB_DIR="/usr/local/musl/pq17/lib"
|
|
|
|
|
|
# Create CARGO_HOME folder and don't download rust docs
|
|
RUN mkdir -pv "${CARGO_HOME}" && \
|
|
rustup set profile minimal
|
|
|
|
# Creates a dummy project used to grab dependencies
|
|
RUN USER=root cargo new --bin /app
|
|
WORKDIR /app
|
|
|
|
# Environment variables for Cargo on Alpine based builds
|
|
RUN echo "export CARGO_TARGET=${RUST_MUSL_CROSS_TARGET}" >> /env-cargo && \
|
|
# Output the current contents of the file
|
|
cat /env-cargo
|
|
|
|
RUN source /env-cargo && \
|
|
rustup target add "${CARGO_TARGET}"
|
|
|
|
# Copies over *only* your manifests and build files
|
|
COPY ./Cargo.* ./rust-toolchain.toml ./build.rs ./
|
|
COPY ./macros ./macros
|
|
|
|
ARG CARGO_PROFILE=release
|
|
|
|
# Configure the DB ARG as late as possible to not invalidate the cached layers above
|
|
# Enable MiMalloc to improve performance on Alpine builds
|
|
ARG DB=sqlite,mysql,postgresql,enable_mimalloc
|
|
|
|
# Builds your dependencies and removes the
|
|
# dummy project, except the target folder
|
|
# This folder contains the compiled dependencies
|
|
RUN source /env-cargo && \
|
|
cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
|
|
find . -not -path "./target*" -delete
|
|
|
|
# Copies the complete project
|
|
# To avoid copying unneeded files, use .dockerignore
|
|
COPY . .
|
|
|
|
ARG VW_VERSION
|
|
|
|
# Builds again, this time it will be the actual source files being build
|
|
RUN source /env-cargo && \
|
|
# Make sure that we actually build the project by updating the src/main.rs timestamp
|
|
# Also do this for build.rs to ensure the version is rechecked
|
|
touch build.rs src/main.rs && \
|
|
# Create a symlink to the binary target folder to easy copy the binary in the final stage
|
|
cargo build --features ${DB} --profile "${CARGO_PROFILE}" --target="${CARGO_TARGET}" && \
|
|
if [[ "${CARGO_PROFILE}" == "dev" ]] ; then \
|
|
ln -vfsr "/app/target/${CARGO_TARGET}/debug" /app/target/final ; \
|
|
else \
|
|
ln -vfsr "/app/target/${CARGO_TARGET}/${CARGO_PROFILE}" /app/target/final ; \
|
|
fi
|
|
|
|
|
|
######################## RUNTIME IMAGE ########################
|
|
# Create a new stage with a minimal image
|
|
# because we already have a binary built
|
|
#
|
|
# To build these images you need to have qemu binfmt support.
|
|
# See the following pages to help install these tools locally
|
|
# Ubuntu/Debian: https://wiki.debian.org/QemuUserEmulation
|
|
# Arch Linux: https://wiki.archlinux.org/title/QEMU#Chrooting_into_arm/arm64_environment_from_x86_64
|
|
#
|
|
# Or use a Docker image which modifies your host system to support this.
|
|
# The GitHub Actions Workflow uses the same image as used below.
|
|
# See: https://github.com/tonistiigi/binfmt
|
|
# Usage: docker run --privileged --rm tonistiigi/binfmt --install arm64,arm
|
|
# To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
|
|
#
|
|
# We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
|
|
FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.22
|
|
|
|
ENV ROCKET_PROFILE="release" \
|
|
ROCKET_ADDRESS=0.0.0.0 \
|
|
ROCKET_PORT=80 \
|
|
SSL_CERT_DIR=/etc/ssl/certs
|
|
|
|
# Create data folder and Install needed libraries
|
|
RUN mkdir /data && \
|
|
apk --no-cache add \
|
|
ca-certificates \
|
|
curl \
|
|
openssl \
|
|
tzdata
|
|
|
|
VOLUME /data
|
|
EXPOSE 80
|
|
|
|
# Copies the files from the context (Rocket.toml file and web-vault)
|
|
# and the binary from the "build" stage to the current stage
|
|
WORKDIR /
|
|
|
|
COPY docker/healthcheck.sh docker/start.sh /
|
|
|
|
COPY --from=vault /web-vault ./web-vault
|
|
COPY --from=build /app/target/final/vaultwarden .
|
|
|
|
HEALTHCHECK --interval=60s --timeout=10s CMD ["/healthcheck.sh"]
|
|
|
|
CMD ["/start.sh"]
|