Deploy Passbolt Through Docker
Steps
Create GPG Key
Create a GPG key with:
gpg --full-gen-key
Output the fingerprint of the key and make a note of it. We will need this later for our environment file.
gpg --list-keys --fingerprint
It should output something like:
54C6 4738 18D7 DB06 A133 E453 6531 F684 FED9 15E3
However, when you place it in your environment file later, you need to take out the spaces, so the above would become:
54C6473818D7DB06A133E4536531F684FED915E3
Execute the following commands to create an area for our Passbolt files, and export the keys there so that the passbolt container can bind-mount them later:
EMAIL="my.email@mydomain.com"
mkdir -p ~/passbolt/gpg
gpg --armor --export-secret-keys $EMAIL > ~/passbolt/gpg/serverkey_private.asc
gpg --armor --export $EMAIL > ~/passbolt/gpg/serverkey.asc
chmod 640 ~/passbolt/gpg/serverkey*
EMAIL should be set to whatever email address you used when creating the GPG key earlier.
Create SSL Certificates
It is up to you to create your TLS certificates in whichever way is appropriate to you (relevant tutorials).
I would suggest using something like Certbot with DNS challenges, but that is up to you.
Once you have the certificate files, make an area for them and put them there:
mkdir -p ~/passbolt/ssl/certs
Make sure they have the following names within that folder (or adjust the docker-compose.yaml file later according to what names you have).
- certificate.crt - the full chain file (i.e. the site certificate and the CA certificate(s) combined, in the order nginx expects).
- certificate.key - the private key.
Create Env File
Create an environment file:
editor ~/passbolt/.env
And copy/paste the following into it, filling in the values as appropriate to you (e.g. see the earlier instructions about the GPG key fingerprint, which must be entered without spaces).
# Specify the database details
DATABASE_NAME=passbolt
DATABASE_USERNAME=passbolt
DATABASE_PASSWORD=""
# Specify the fully qualified domain name (FQDN) for your passbolt server.
# E.g. passbolt.mydomain.com
FQDN=passbolt.mydomain.com
# Specify SMTP settings
# If using gmail, generate an app specific password here:
# https://security.google.com/settings/security/apppasswords
SMTP_EMAIL="my.email@gmail.com"
SMTP_HOST="smtp.gmail.com"
SMTP_PORT=587
SMTP_USERNAME="my.email@gmail.com"
SMTP_PASSWORD=""
# Specify a salt to be used by passbolt for encryption.
# You can generate this with
# head /dev/urandom | tr -dc A-Za-z0-9 | head -c24
SECURITY_SALT=""
# Specify the email address that was used when generating the GPG key
GPG_KEY_EMAIL="my.email@mydomain.com"
# Specify the fingerprint for the GPG key being used.
# You can find this by running gpg --list-keys --fingerprint (remove the spaces)
GPG_KEY_FINGERPRINT=
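Before moving on to the compose file, the following pre-flight script (an added example, not part of the original guide) checks the pieces assembled so far: it turns a spaced fingerprint from `gpg --list-keys --fingerprint` into the form the .env file needs, refuses a .env with empty secrets or a spaced fingerprint, and confirms that certificate.crt and certificate.key belong to each other. The script name preflight.sh and the openssl-based pair check are assumptions; the .env key names are the ones listed above.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the ~/passbolt layout above (added example, not from the guide).
set -u

# Turn a fingerprint as printed by `gpg --list-keys --fingerprint` (spaced
# groups, any case) into the 40-hex form the .env file needs.
normalize_fpr() {
  local fpr
  fpr=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  case "$fpr" in
    ""|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  printf '%s\n' "$fpr"
}

# Read KEY=value from a .env file ($1=file $2=key), dropping surrounding quotes.
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 when every secret/identity variable is non-empty and the
# fingerprint is exactly in the form the .env file expects; report problems on stderr.
check_env_file() {
  local file=$1 key raw norm rc=0
  for key in DATABASE_PASSWORD FQDN SMTP_PASSWORD SECURITY_SALT \
             GPG_KEY_EMAIL GPG_KEY_FINGERPRINT; do
    [ -n "$(env_value "$file" "$key")" ] || { echo "empty: $key" >&2; rc=1; }
  done
  raw=$(env_value "$file" GPG_KEY_FINGERPRINT)
  norm=$(normalize_fpr "$raw") || norm=""
  [ -n "$norm" ] && [ "$raw" = "$norm" ] ||
    { echo "GPG_KEY_FINGERPRINT must be 40 hex chars, no spaces${norm:+ (use $norm)}" >&2; rc=1; }
  return "$rc"
}

# Confirm certificate.crt and certificate.key belong together by comparing the
# public key in each; nginx inside the container will not start otherwise.
check_cert_pair() {  # $1=certificate.crt $2=certificate.key
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$c" = "$k" ]
}

# Usage: bash preflight.sh ~/passbolt/.env ~/passbolt/ssl/certs
if [ $# -ge 1 ]; then
  check_env_file "$1"
  [ $# -ge 2 ] && check_cert_pair "$2/certificate.crt" "$2/certificate.key"
fi
```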
Create Docker Compose File
Now create the docker compose file:
editor ~/passbolt/docker-compose.yaml
Paste the following content into it. You shouldn't need to change anything, but you may wish to bump the passbolt and MariaDB versions if they are out of date by the time you read this. The versions below worked for me, and the Passbolt one was the latest version at the time of writing:
services:
  app:
    container_name: passbolt
    image: passbolt/passbolt:4.8.0-1-ce
    restart: always
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - db
    volumes:
      # This should be your certificate's public certificate, in the
      # "nginx style" where any certificate authority chain files are
      # included as well (the certificate.crt created above).
      - $HOME/passbolt/ssl/certs/certificate.crt:/etc/ssl/certs/certificate.crt:ro
      # This should be the private key for your SSL certificate (often
      # shipped as private.pem; rename it or adjust this path).
      - $HOME/passbolt/ssl/certs/certificate.key:/etc/ssl/certs/certificate.key:ro
      # These should be the public and private keys of the GPG key the server
      # should use, exported earlier.
      - $HOME/passbolt/gpg/serverkey_private.asc:/etc/passbolt/gpg/serverkey_private.asc:ro
      - $HOME/passbolt/gpg/serverkey.asc:/etc/passbolt/gpg/serverkey.asc:ro
    environment:
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_PASSWORD=${DATABASE_PASSWORD}
      - DATASOURCES_DEFAULT_USERNAME=${DATABASE_USERNAME}
      - DATASOURCES_DEFAULT_DATABASE=${DATABASE_NAME}
      - APP_FULL_BASE_URL=https://${FQDN}
      - EMAIL_DEFAULT_FROM=${SMTP_EMAIL}
      - EMAIL_TRANSPORT_DEFAULT_HOST=${SMTP_HOST}
      - EMAIL_TRANSPORT_DEFAULT_PORT=${SMTP_PORT}
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=${SMTP_USERNAME}
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=${SMTP_PASSWORD}
      - EMAIL_TRANSPORT_DEFAULT_TLS=1
      - SECURITY_SALT=${SECURITY_SALT}
      - SERVER_KEY_EMAIL=${GPG_KEY_EMAIL}
      - PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=${GPG_KEY_FINGERPRINT}
      - PASSBOLT_GPG_SERVER_KEY_PUBLIC=/etc/passbolt/gpg/serverkey.asc
      - PASSBOLT_GPG_SERVER_KEY_PRIVATE=/etc/passbolt/gpg/serverkey_private.asc
  db:
    image: mariadb:10.11.8-jammy
    container_name: db
    restart: always
    volumes:
      - passbolt-db-data:/var/lib/mysql
    environment:
      # The root password is generated at first start and only printed to
      # the container log; the application uses the dedicated user below.
      - MARIADB_RANDOM_ROOT_PASSWORD=1
      - MARIADB_DATABASE=${DATABASE_NAME}
      - MARIADB_USER=${DATABASE_USERNAME}
      - MARIADB_PASSWORD=${DATABASE_PASSWORD}
volumes:
  passbolt-db-data:
    driver: local
Deploy
Now you can deploy by simply running:
docker compose up
If your Docker installation only has the older standalone Compose tool, run:
docker-compose up
instead.
Now navigate to your server's domain name in your browser, and step through the installation steps.
Updating
Updating should be as easy as changing the passbolt version in your docker-compose file, but you may wish to refer here if there has been a major version change.
First published: 28th June 2024