VaultWarden - vincios/rpi-setup GitHub Wiki

Overview

VaultWarden is an unofficial Bitwarden compatible server written in Rust.

Install VaultWarden [🦆]

Warning

Vaultwarden requires docker.

  1. Create a vaultwarden folder somewhere

  2. Download the docker-compose.yml

    $ wget https://raw.githubusercontent.com/vincios/rpi-setup/main/General/VaultWarden/docker-compose.yml
  3. Download the default .env file

    $ wget -O .env https://raw.githubusercontent.com/vincios/rpi-setup/main/General/VaultWarden/example.env
  4. Set up the .env file

    • Set the DOMAIN variable according to your domain
    • Only after the first run, set SIGNUPS_ALLOWED to false.
  5. Configure fail2ban

  6. Configure logrotate

  7. Configure SMTP

Tip

SMTP can be configured via .env variables or via the Admin page (if enabled).

You can rely on external SMTP servers (like Resend or these), but note that this requires that you are able to verify your domain through DNS records.

  8. Configure your reverse proxy (traefik)

  9. Configure your backup strategy

  10. Follow the first run steps

Configure fail2ban

Warning

Make sure you have installed fail2ban

Follow official docs.

The default filter/jail configuration snippets (vault / admin) should be enough; follow the other note and/or tips only in case of trouble.

In case of trouble, make sure you satisfy the prerequisites and follow the tips in this section carefully.

Important

The log file location is ./vw-data/logs/vaultwarden.log; make sure to specify its full path in the jail configuration parameters.

Configure logrotate

  1. Create the logrotate file

    $ sudo nano /etc/logrotate.d/vaultwarden
  2. Paste the following content

    /your/logs/path/*.log {
        # Rotate daily
        daily
        # Rotate when the size is bigger than 5MB
        size 5M
        # Compress old log files
        compress
        # Keep 4 rotations of log files before removing or mailing to the address specified in a mail directive
        rotate 4
        # Truncate the original log file in place after creating a copy
        copytruncate
        # Don't panic if not found
        missingok
        # Don't rotate log if file is empty
        notifempty
        # Add date instead of number to rotated log file
        dateext
    }
    

Important

The log file location is ./vw-data/logs/vaultwarden.log; make sure to specify its full path at the top of the logrotate file.
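Both the fail2ban jail and the logrotate file above silently do nothing if they point at a relative ./vw-data path. The following check, an added example and not part of the vincios/rpi-setup wiki, resolves the absolute log path from the vaultwarden folder and verifies that both config files reference it; the config file paths are passed as arguments, and the folder layout (./vw-data/logs/vaultwarden.log) is the one this page uses.

```shell
#!/bin/sh
# Added example (not from the vincios/rpi-setup wiki): verify that the
# logrotate file and the fail2ban jail use the absolute log path.
# Assumption: the log lives at <vaultwarden folder>/vw-data/logs/vaultwarden.log

# vw_log_path VAULTWARDEN_DIR -> prints the absolute log file path
vw_log_path() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    printf '%s\n' "$dir/vw-data/logs/vaultwarden.log"
}

# config_refers_to CONFIG_FILE ABS_PATH
# Succeeds only if CONFIG_FILE mentions ABS_PATH (or its directory with the
# *.log glob used in the logrotate snippet) and contains no relative ./ path.
config_refers_to() {
    cfg=$1; abs=$2
    [ -r "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
    if grep -q '\./vw-data' "$cfg"; then
        echo "relative path in $cfg: use $abs" >&2; return 1
    fi
    logdir=$(dirname "$abs")
    if grep -qF "$abs" "$cfg" || grep -qF "$logdir/*.log" "$cfg"; then
        return 0
    fi
    echo "$cfg does not reference $abs" >&2; return 1
}

# check_paths VAULTWARDEN_DIR LOGROTATE_FILE FAIL2BAN_JAIL -> 0 when both are fine
check_paths() {
    abs=$(vw_log_path "$1") || return 1
    config_refers_to "$2" "$abs" && config_refers_to "$3" "$abs"
}
```

Run it as `check_paths /path/to/vaultwarden /etc/logrotate.d/vaultwarden /etc/fail2ban/jail.d/vaultwarden.local` (adjust the jail file name to wherever you put it); a non-zero exit and a message on stderr tell you which file still has the wrong path.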

Traefik configuration

Follow Annex: Add custom dynamic configuration.

Use this example as reference.

http:
  routers:
    # We split the http router (my-router-http) from the https router (my-router) to better handle the cases where we need a http connection
    # But in most cases, the http router doesn't need to be touched, since it simply redirects to the https router (where all the router configuration must be set). Just set its 'rule' and 'service' parameter
    vaultwarden-http:
      rule: (Host(`subdomain.{{ env "DUCKDNS_DOMAIN"}}.duckdns.org`) && PathPrefix(`/subpath/`))
      entrypoints:
        - web
      middlewares:
        - redirect-to-https
      service: "vaultwarden"

    vaultwarden:
      rule: (Host(`subdomain.{{ env "DUCKDNS_DOMAIN"}}.duckdns.org`) && PathPrefix(`/subpath/`))
      entrypoints:
        - websecure
      service: "vaultwarden"

      # Middlewares to which the request will be forwarded when the route is activated
      # Optional
      middlewares:

      # Enable the TLS encryption
      # Normally, you should not need to edit this section
      tls:
        certResolver: "duckdnsResolver"
        domains:
          - main: "{{ env "DUCKDNS_DOMAIN"}}.duckdns.org"
            sans:
              - "*.{{ env "DUCKDNS_DOMAIN"}}.duckdns.org"

  # Service's urls where the request will be forwarded
  services:
    vaultwarden:
      loadBalancer:
        servers:
        - url: "http://127.0.0.1:8666/subpath/"

Note: Since IP access is limited to localhost (via the port entry in docker-compose.yml), the service URL must be http://127.0.0.1:8666. Make sure that the reverse proxy runs on the same host as the vaultwarden server.

Note: If you use a subpath (as advised here), make sure that every subpath reference (the PathPrefix rule and the service URL) ends with a trailing /.

First run

Note

Access via IP is limited to localhost (see the port entry of docker-compose.yml), so you cannot reach the service using the server's LAN IP.

Make sure to set up HTTPS access via the reverse proxy before continuing.

If you want to enable the Admin page and generate the ADMIN_TOKEN via a temporary container, follow steps 1-3.

Otherwise, skip to step 4.

In the docker-compose.yml folder:

  1. Pull the container

    $ docker compose pull
  2. Generate the ADMIN_TOKEN

    $ docker run --rm -it vaultwarden/server /vaultwarden hash --preset owasp
  3. Paste the result into the .env file

  4. (Temporarily) enable user registration

    • Set the SIGNUPS_ALLOWED variable in the .env file to true

Tip

If the Admin page is enabled, you can skip this step and register the user via an invitation mail sent from the Admin page.

  5. Start the container

    $ docker compose up -d
  6. (Optional) Configure via the Admin page

  7. Create the account

  8. ⚠️ Disable user registration

    • Set the SIGNUPS_ALLOWED variable in the .env file to false
  9. ⚠️ Set up your backups!
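Once the account exists, the temporary settings from the first run should be gone again. The following check, an added example and not part of the vincios/rpi-setup wiki, reads the .env file and fails if registration is still open, DOMAIN is not an https URL, or ADMIN_TOKEN holds a plaintext secret instead of the argon2 hash produced by `hash --preset owasp`; it assumes simple KEY=VALUE lines (optionally double-quoted) and the variable names used on this page.

```shell
#!/bin/sh
# Added example (not from the vincios/rpi-setup wiki): post first-run check
# of the .env file. Assumes KEY=VALUE lines, optionally double-quoted.

# env_get FILE KEY -> prints the last value of KEY (quotes stripped), or ""
env_get() {
    val=$(grep "^[[:space:]]*$2=" "$1" | tail -n 1 || true)
    val=${val#*=}
    val=${val#\"}; val=${val%\"}
    printf '%s\n' "$val"
}

# check_env_hardened FILE -> 0 when registration is closed, DOMAIN uses
# https and ADMIN_TOKEN (if set) is a hash rather than a plaintext secret
check_env_hardened() {
    f=$1; ok=0
    case "$(env_get "$f" SIGNUPS_ALLOWED)" in
        false) ;;
        *) echo "SIGNUPS_ALLOWED must be false once your account exists" >&2; ok=1 ;;
    esac
    case "$(env_get "$f" DOMAIN)" in
        https://*) ;;
        *) echo "DOMAIN must be the https:// URL served by the reverse proxy" >&2; ok=1 ;;
    esac
    tok=$(env_get "$f" ADMIN_TOKEN)
    case "$tok" in
        "") ;;                      # Admin page disabled: nothing to check
        '$argon2'*|'$$argon2'*) ;;  # hash from: vaultwarden hash --preset owasp
                                    # ($$ form: dollar-escaped, assumption)
        *) echo "ADMIN_TOKEN is not an argon2 hash; regenerate it with 'hash --preset owasp'" >&2; ok=1 ;;
    esac
    return $ok
}
```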
