Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Deploy Passbolt Through Docker

Steps

Create GPG Key

Create a GPG key with:

gpg --full-gen-key

Make sure not to set a passphrase.

Output the fingerprint of the key and make a note of it. We will need this later for our environment file.

gpg --list-keys --fingerprint

It should output something like:

54C6 4738 18D7 DB06 A133  E453 6531 F684 FED9 15E3

However, when you place it in your environment file later, you need to take out the spaces, so the above would become:

54C6473818D7DB06A133E4536531F684FED915E3

Execute the following commands to create an area for our Passbolt files, and export the keys there so that the Passbolt container can bind-mount them later:

EMAIL="my.email@mydomain.com"

mkdir -p ~/passbolt/gpg
gpg --armor --export-secret-keys $EMAIL > ~/passbolt/gpg/serverkey_private.asc
gpg --armor --export $EMAIL > ~/passbolt/gpg/serverkey.asc
chmod 640 ~/passbolt/gpg/serverkey*

EMAIL should be set to whatever email address you used when creating the GPG key earlier.

Create SSL Certificates

It is up to you to create your TLS certificates in whichever way is appropriate to you (relevant tutorials).
I would suggest using something like Certbot with DNS challenges, but that is up to you.

Once you have the certificate files, make an area for them and put them there:

mkdir -p ~/passbolt/ssl/certs

Make sure they have the following names within that folder (or adjust the docker-compose.yaml file later according to what names you have).

  • certificate.crt - the full chain file (e.g. the site certificate and the CA certificate(s) combined).
  • certificate.key - the private key

Create Env File

Create an environment file:

editor ~/passbolt/.env

And copy/paste the following into it, with the setting values as appropriate to you (e.g. see previous instructions about GPG key fingerprint etc).

# Specify the database details
DATABASE_NAME=passbolt
DATABASE_USERNAME=passbolt
DATABASE_PASSWORD=""


# Specify the fully qualified domain name (FQDN) for your passbolt server.
# E.g. passbolt.mydomain.com
FQDN=passbolt.mydomain.com


# Specify SMTP settings
# If using gmail, generate an app specific password here:
# https://security.google.com/settings/security/apppasswords
SMTP_EMAIL="my.email@gmail.com"
SMTP_HOST="smtp.gmail.com"
SMTP_PORT=587
SMTP_USERNAME="my.email@gmail.com"
SMTP_PASSWORD=""

# Specify a salt to be used by passbolt for encryption.
# You can generate this with
# head /dev/urandom | tr -dc A-Za-z0-9 | head -c24
SECURITY_SALT=""


# Specify the email address that was used when generating the GPG key
GPG_KEY_EMAIL="my.email@mydomain.com"

# Specify the fingerprint for the GPG key being used.
# You can find this by running gpg --list-keys --fingerprint (remove the spaces)
GPG_KEY_FINGERPRINT=
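The three preparation steps above (exporting the GPG key, placing the certificate files, and filling in the .env file) are easy to get subtly wrong: a fingerprint pasted with its spaces, an empty password or salt, a certificate file that holds only the leaf instead of the full chain, or a secret left world-readable. The script below is an added example for this tutorial, not part of the original post or of Passbolt's own tooling. It checks a ~/passbolt directory laid out exactly as described above before you deploy. The script name, the 24-character minimum for the salt (matching the generator in the .env comments) and the placeholder PEM files used for testing are assumptions of the example.

```shell
#!/usr/bin/env bash
# passbolt-preflight.sh (hypothetical name): sanity-check the ~/passbolt
# directory built in the steps above before running `docker compose up`.
# Added example for this tutorial, not Passbolt's own tooling. Assumes the
# layout used above: DIR/.env, DIR/gpg/serverkey.asc,
# DIR/gpg/serverkey_private.asc, DIR/ssl/certs/certificate.{crt,key}.

PROBLEMS=0
fail() { echo "FAIL: $1"; PROBLEMS=$((PROBLEMS + 1)); }

# Turn a fingerprint as printed by `gpg --list-keys --fingerprint`
# ("54C6 4738 18D7 ...") into the spaceless upper-case form .env needs.
# Prints it; returns 1 if the result is not exactly 40 hex digits.
normalize_fingerprint() {
  local fp
  fp=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$fp" in *[!0-9A-F]* | '') return 1 ;; esac
  [ "${#fp}" -eq 40 ] || return 1
  printf '%s\n' "$fp"
}

# Print the value of KEY from a KEY=VALUE env file, without surrounding quotes.
env_get() {
  local line val
  line=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n 1)
  val=${line#*=}
  val=${val#\"}
  val=${val%\"}
  printf '%s' "$val"
}

# Succeed only if the file exists and is not readable by "other".
# The .env file, the private GPG key and the TLS key are all secrets.
is_private_file() {
  [ -f "$1" ] || return 1
  [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Number of PEM certificates in a file; a full chain has at least two.
pem_cert_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Run every check against a passbolt directory. Prints one FAIL line per
# problem, leaves the count in PROBLEMS and returns 1 if anything failed.
preflight() {
  local dir=$1 env_file key val fp norm
  PROBLEMS=0
  env_file="$dir/.env"

  is_private_file "$env_file" || fail ".env missing or world-readable (chmod 600 $env_file)"

  # Every setting from the tutorial's .env must be filled in.
  for key in DATABASE_NAME DATABASE_USERNAME DATABASE_PASSWORD FQDN \
             SMTP_EMAIL SMTP_HOST SMTP_PORT SMTP_USERNAME SMTP_PASSWORD \
             SECURITY_SALT GPG_KEY_EMAIL GPG_KEY_FINGERPRINT; do
    [ -n "$(env_get "$env_file" "$key")" ] || fail "$key is empty in .env"
  done

  # APP_FULL_BASE_URL is built as https://${FQDN}, so FQDN must be a bare host name.
  case "$(env_get "$env_file" FQDN)" in
    *://* | */*) fail "FQDN must be a bare host name, not a URL" ;;
  esac

  # Assumed minimum: the generator in the .env comments produces 24 characters.
  val=$(env_get "$env_file" SECURITY_SALT)
  if [ -n "$val" ] && [ "${#val}" -lt 24 ]; then
    fail "SECURITY_SALT is shorter than 24 characters"
  fi

  # The fingerprint must be the 40 hex digits with the spaces gpg prints removed.
  fp=$(env_get "$env_file" GPG_KEY_FINGERPRINT)
  if norm=$(normalize_fingerprint "$fp"); then
    [ "$fp" = "$norm" ] || fail "GPG_KEY_FINGERPRINT has spaces or lower case; use $norm"
  elif [ -n "$fp" ]; then
    fail "GPG_KEY_FINGERPRINT is not 40 hex digits: '$fp'"
  fi

  # Server GPG key pair, ASCII-armoured as produced by gpg --armor --export.
  if [ -f "$dir/gpg/serverkey.asc" ]; then
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$dir/gpg/serverkey.asc" ||
      fail "gpg/serverkey.asc is not an armoured public key"
  else
    fail "gpg/serverkey.asc missing"
  fi
  if is_private_file "$dir/gpg/serverkey_private.asc"; then
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$dir/gpg/serverkey_private.asc" ||
      fail "gpg/serverkey_private.asc is not an armoured private key"
  else
    fail "gpg/serverkey_private.asc missing or world-readable"
  fi

  # TLS material: the full chain (site cert plus CA certs) and a non-public key.
  if [ "$(pem_cert_count "$dir/ssl/certs/certificate.crt")" -lt 2 ]; then
    fail "ssl/certs/certificate.crt should hold the full chain (site cert + CA certs)"
  fi
  if is_private_file "$dir/ssl/certs/certificate.key"; then
    grep -q 'PRIVATE KEY-----' "$dir/ssl/certs/certificate.key" ||
      fail "ssl/certs/certificate.key is not a PEM private key"
  else
    fail "ssl/certs/certificate.key missing or world-readable"
  fi

  [ "$PROBLEMS" -eq 0 ]
}

# Run directly as: bash passbolt-preflight.sh ~/passbolt
if [ "$#" -gt 0 ]; then
  preflight "$1"
  exit $?
fi
```

Run it as `bash passbolt-preflight.sh ~/passbolt` and clear every FAIL line before deploying. The script does not prove that the key belongs to the certificate; for that, `openssl x509 -in certificate.crt -noout -pubkey` and `openssl pkey -in certificate.key -pubout` should print the same public key. Once the compose file is in place, `docker compose config` renders it with the .env values substituted, which is a quick way to confirm that nothing expanded to an empty string.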

Create Docker Compose File

Now create the docker compose file:

editor ~/passbolt/docker-compose.yaml

Paste the following content into it. You shouldn't need to change anything, but you may wish to bump the Passbolt and MariaDB versions if they are out of date by the time you read this. The versions below worked for me, and the Passbolt one was the latest version at the time of writing:

services:
  app:
    container_name: passbolt
    image: passbolt/passbolt:4.8.0-1-ce
    restart: always
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - db
    volumes:
      # This should be your site's public certificate, "nginx style", with
      # any certificate authority chain files appended to it.
      - $HOME/passbolt/ssl/certs/certificate.crt:/etc/ssl/certs/certificate.crt:ro

      # This should be the private key for your SSL certificate (your CA may
      # have called it private.pem; give it the certificate.key name used above).
      - $HOME/passbolt/ssl/certs/certificate.key:/etc/ssl/certs/certificate.key:ro

      # These should be the public and private keys of the GPG key the server should
      # use.
      - $HOME/passbolt/gpg/serverkey_private.asc:/etc/passbolt/gpg/serverkey_private.asc:ro
      - $HOME/passbolt/gpg/serverkey.asc:/etc/passbolt/gpg/serverkey.asc:ro

    environment:
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_PASSWORD=${DATABASE_PASSWORD}
      - DATASOURCES_DEFAULT_USERNAME=${DATABASE_USERNAME}
      - DATASOURCES_DEFAULT_DATABASE=${DATABASE_NAME}
      - APP_FULL_BASE_URL=https://${FQDN}
      - EMAIL_DEFAULT_FROM=${SMTP_EMAIL}
      - EMAIL_TRANSPORT_DEFAULT_HOST=${SMTP_HOST}
      - EMAIL_TRANSPORT_DEFAULT_PORT=${SMTP_PORT}
      - EMAIL_TRANSPORT_DEFAULT_USERNAME=${SMTP_USERNAME}
      - EMAIL_TRANSPORT_DEFAULT_PASSWORD=${SMTP_PASSWORD}
      - EMAIL_TRANSPORT_DEFAULT_TLS=1
      - SECURITY_SALT=${SECURITY_SALT}
      - SERVER_KEY_EMAIL=${GPG_KEY_EMAIL}
      - PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=${GPG_KEY_FINGERPRINT}
      - PASSBOLT_GPG_SERVER_KEY_PUBLIC=/etc/passbolt/gpg/serverkey.asc
      - PASSBOLT_GPG_SERVER_KEY_PRIVATE=/etc/passbolt/gpg/serverkey_private.asc


  db:
    image: mariadb:10.11.8-jammy
    container_name: db
    restart: always
    volumes:
      - passbolt-db-data:/var/lib/mysql
    environment:
      - MARIADB_RANDOM_ROOT_PASSWORD=1
      - MARIADB_DATABASE=${DATABASE_NAME}
      - MARIADB_USER=${DATABASE_USERNAME}
      - MARIADB_PASSWORD=${DATABASE_PASSWORD}


volumes:
  passbolt-db-data:
    driver: local

Deploy

Now you can deploy by simply running:

docker compose up

On older setups, you may need to run docker-compose up instead.

Now navigate to your server's domain name in your browser, and step through the installation steps.

Updating

Updating should be as easy as changing the passbolt version in your docker-compose file, but you may wish to refer here if there has been a major version change.

Last updated: 28th June 2024
First published: 28th June 2024