From c9826baa33876f8c796d2fc89974fea75c240d21 Mon Sep 17 00:00:00 2001
From: fntyler <71953103+fntyler@users.noreply.github.com>
Date: Thu, 11 Jun 2026 16:09:00 -0400
Subject: [PATCH] [BRE-2009] fix(marketplace): run setup wizard on demand, not
 on login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[BRE-2009](https://bitwarden.atlassian.net/browse/BRE-2009)

The edition-selection wizard auto-launched on every login via
/etc/profile.d, blocking any login-shell session — including the Azure
Marketplace certification harness — on its `read` prompt. Stop
auto-launching it; advertise it through the MOTD and let the user run it
on demand. Robust for every session type (PTY or non-PTY, login or
command exec) and fixes the latent hang for non-interactive SSH
(scp/automation) against customer VMs.

* Delete the /etc/profile.d/bitwarden-first-login.sh auto-launch trigger
  and its references in the Azure/AWS/DO packer builds
* MOTD now instructs the user to run `sudo bitwarden-setup` when no
  edition has been selected
* Symlink setup-wizard.sh to /usr/local/bin/bitwarden-setup; drop the
  wizard's self-removal of the trigger
* Update the 001_onboot comment to reference the on-demand wizard
---
 AWSMarketplace/marketplace-image.pkr.hcl         | 10 ++--------
 AzureMarketplace/marketplace-image.pkr.hcl       | 10 ++--------
 .../files/etc/profile.d/bitwarden-first-login.sh | 16 ----------------
 .../files/etc/update-motd.d/99-bitwarden-welcome |  6 ++++--
 .../files/opt/bitwarden/setup-wizard.sh          |  3 ---
 .../lib/cloud/scripts/per-instance/001_onboot    |  5 +++--
 CommonMarketplace/scripts/01-setup-first-run.sh  |  6 ++++++
 .../marketplace-image.pkr.hcl                    |  1 -
 8 files changed, 17 insertions(+), 40 deletions(-)
 delete mode 100644 CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh

diff --git a/AWSMarketplace/marketplace-image.pkr.hcl b/AWSMarketplace/marketplace-image.pkr.hcl
index d3ac470e..729d1e8a 100644
--- a/AWSMarketplace/marketplace-image.pkr.hcl
+++ b/AWSMarketplace/marketplace-image.pkr.hcl
@@ -121,11 +121,6 @@ build {
     destination = "/tmp/001_onboot"
   }
 
-  provisioner "file" {
-    source      = "../CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh"
-    destination = "/tmp/bitwarden-first-login.sh"
-  }
-
   # Move staged files to their final system locations
   provisioner "shell" {
     inline = [
@@ -136,9 +131,8 @@ build {
       "sudo mv /tmp/install-standard.sh /opt/bitwarden/install-standard.sh",
       "sudo mv /tmp/install-lite.sh /opt/bitwarden/install-lite.sh",
       "sudo mv /tmp/001_onboot /var/lib/cloud/scripts/per-instance/001_onboot",
-      "sudo mv /tmp/bitwarden-first-login.sh /etc/profile.d/bitwarden-first-login.sh",
-      "sudo chown root:root /etc/update-motd.d/99-bitwarden-welcome /etc/ufw/applications.d/bitwarden /opt/bitwarden/setup-wizard.sh /opt/bitwarden/install-standard.sh /opt/bitwarden/install-lite.sh /var/lib/cloud/scripts/per-instance/001_onboot /etc/profile.d/bitwarden-first-login.sh",
-      "sudo chmod 644 /etc/ufw/applications.d/bitwarden /etc/profile.d/bitwarden-first-login.sh"
+      "sudo chown root:root /etc/update-motd.d/99-bitwarden-welcome /etc/ufw/applications.d/bitwarden /opt/bitwarden/setup-wizard.sh /opt/bitwarden/install-standard.sh /opt/bitwarden/install-lite.sh /var/lib/cloud/scripts/per-instance/001_onboot",
+      "sudo chmod 644 /etc/ufw/applications.d/bitwarden"
     ]
   }
 
diff --git a/AzureMarketplace/marketplace-image.pkr.hcl b/AzureMarketplace/marketplace-image.pkr.hcl
index ef43c2a9..61e192ba 100644
--- a/AzureMarketplace/marketplace-image.pkr.hcl
+++ b/AzureMarketplace/marketplace-image.pkr.hcl
@@ -141,11 +141,6 @@ build {
     destination = "/tmp/001_onboot"
   }
 
-  provisioner "file" {
-    source      = "../CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh"
-    destination = "/tmp/bitwarden-first-login.sh"
-  }
-
   provisioner "file" {
     source      = "../CommonMarketplace/files/etc/systemd/system/disable-swap.service"
     destination = "/tmp/disable-swap.service"
@@ -161,10 +156,9 @@ build {
       "sudo mv /tmp/install-standard.sh /opt/bitwarden/install-standard.sh",
       "sudo mv /tmp/install-lite.sh /opt/bitwarden/install-lite.sh",
       "sudo mv /tmp/001_onboot /var/lib/cloud/scripts/per-instance/001_onboot",
-      "sudo mv /tmp/bitwarden-first-login.sh /etc/profile.d/bitwarden-first-login.sh",
       "sudo mv /tmp/disable-swap.service /etc/systemd/system/disable-swap.service",
-      "sudo chown root:root /etc/update-motd.d/99-bitwarden-welcome /etc/ufw/applications.d/bitwarden /opt/bitwarden/setup-wizard.sh /opt/bitwarden/install-standard.sh /opt/bitwarden/install-lite.sh /var/lib/cloud/scripts/per-instance/001_onboot /etc/profile.d/bitwarden-first-login.sh /etc/systemd/system/disable-swap.service",
-      "sudo chmod 644 /etc/ufw/applications.d/bitwarden /etc/profile.d/bitwarden-first-login.sh /etc/systemd/system/disable-swap.service",
+      "sudo chown root:root /etc/update-motd.d/99-bitwarden-welcome /etc/ufw/applications.d/bitwarden /opt/bitwarden/setup-wizard.sh /opt/bitwarden/install-standard.sh /opt/bitwarden/install-lite.sh /var/lib/cloud/scripts/per-instance/001_onboot /etc/systemd/system/disable-swap.service",
+      "sudo chmod 644 /etc/ufw/applications.d/bitwarden /etc/systemd/system/disable-swap.service",
       "sudo systemctl enable disable-swap.service"
     ]
   }
diff --git a/CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh b/CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh
deleted file mode 100644
index 02a4b1d6..00000000
--- a/CommonMarketplace/files/etc/profile.d/bitwarden-first-login.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-#
-# First-login trigger for Bitwarden installation.
-# This script runs once on the first interactive login, then removes itself.
-# Skip for the bitwarden service account (it doesn't have sudo).
-
-if [ "$(whoami)" = "bitwarden" ]; then
-  return 0 2>/dev/null || exit 0
-fi
-
-if [ -f /opt/bitwarden/setup-wizard.sh ]; then
-  # Wait for cloud-init to finish before running the setup wizard
-  echo "Waiting for cloud-init to complete..."
-  sudo cloud-init status --wait > /dev/null 2>&1
-  sudo /opt/bitwarden/setup-wizard.sh
-fi
diff --git a/CommonMarketplace/files/etc/update-motd.d/99-bitwarden-welcome b/CommonMarketplace/files/etc/update-motd.d/99-bitwarden-welcome
index 61311cd6..ca1bb77d 100644
--- a/CommonMarketplace/files/etc/update-motd.d/99-bitwarden-welcome
+++ b/CommonMarketplace/files/etc/update-motd.d/99-bitwarden-welcome
@@ -111,8 +111,10 @@ else
 Welcome to your Bitwarden server
   https://bitwarden.com
 
-  Setup has not been completed. Please log in to complete the Bitwarden
-  edition selection and installation wizard.
+  Setup has not been completed. To choose your deployment edition
+  (Standard or Lite) and install, run:
+
+      sudo bitwarden-setup
 
 ********************************************************************************
 EOF
diff --git a/CommonMarketplace/files/opt/bitwarden/setup-wizard.sh b/CommonMarketplace/files/opt/bitwarden/setup-wizard.sh
index 5cd0f1aa..8bba7cb6 100644
--- a/CommonMarketplace/files/opt/bitwarden/setup-wizard.sh
+++ b/CommonMarketplace/files/opt/bitwarden/setup-wizard.sh
@@ -66,6 +66,3 @@ if [ "$EDITION" = "standard" ]; then
 else
     /opt/bitwarden/install-lite.sh
 fi
-
-# Remove the first-login trigger so this wizard doesn't run again
-rm -f /etc/profile.d/bitwarden-first-login.sh
diff --git a/CommonMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot b/CommonMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot
index a29660ca..4c05efde 100644
--- a/CommonMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot
+++ b/CommonMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -4,5 +4,6 @@
 # created from your image.  Things like generating passwords, configuration requiring IP address
 # or other items that will be unique to each instance should be done in scripts here.
 
-# The Bitwarden edition selection and installation wizard runs on the first interactive login.
-# See /etc/profile.d/bitwarden-first-login.sh
+# The Bitwarden edition selection and installation wizard is run on demand by
+# the user via `sudo bitwarden-setup` (advertised in the message of the day).
+# See /opt/bitwarden/setup-wizard.sh
diff --git a/CommonMarketplace/scripts/01-setup-first-run.sh b/CommonMarketplace/scripts/01-setup-first-run.sh
index 6e871928..a1bf88c8 100644
--- a/CommonMarketplace/scripts/01-setup-first-run.sh
+++ b/CommonMarketplace/scripts/01-setup-first-run.sh
@@ -29,3 +29,9 @@ chmod +x /etc/update-motd.d/99-bitwarden-welcome
 chmod +x /opt/bitwarden/setup-wizard.sh
 chmod +x /opt/bitwarden/install-standard.sh
 chmod +x /opt/bitwarden/install-lite.sh
+
+#
+# Expose the setup wizard as `bitwarden-setup` (advertised by the MOTD)
+#
+
+ln -sf /opt/bitwarden/setup-wizard.sh /usr/local/bin/bitwarden-setup
diff --git a/DigitalOceanMarketplace/marketplace-image.pkr.hcl b/DigitalOceanMarketplace/marketplace-image.pkr.hcl
index aef33609..d65f5185 100644
--- a/DigitalOceanMarketplace/marketplace-image.pkr.hcl
+++ b/DigitalOceanMarketplace/marketplace-image.pkr.hcl
@@ -92,7 +92,6 @@ build {
       "chmod +x /opt/bitwarden/setup-wizard.sh",
       "chmod +x /opt/bitwarden/install-standard.sh",
       "chmod +x /opt/bitwarden/install-lite.sh",
-      "chmod 644 /etc/profile.d/bitwarden-first-login.sh",
       "chmod 644 /etc/ufw/applications.d/bitwarden"
     ]
   }