Vaultwarden is an alternative implementation of the Bitwarden server API, written in Rust and compatible with upstream Bitwarden clients. It is perfect for self-hosted deployments where running the official, resource-heavy service might not be ideal.
Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault.
```
.
|-- .env
|-- data/
`-- docker-compose.yml
```
- .env - a file containing all the environment variables used in the docker-compose.yml
- docker-compose.yml - a docker-compose file, used to configure your application's services
- data/ - a directory used to store vaultwarden data
Please make sure that all the files and directories are present.
Links to the following docker-compose.yml and the corresponding .env.
- docker-compose.yml
```yaml
version: "3"

services:
  bitwardenrs:
    image: vaultwarden/server
    container_name: vaultwarden
    restart: unless-stopped
    volumes:
      - ./data:/data
    environment:
      - WEBSOCKET_ENABLED=true
      - WEB_VAULT_ENABLED=true
      - SIGNUPS_ALLOWED=false
      # Comment admin token to disable admin interface
      - ADMIN_TOKEN=${ADMIN_TOKEN}
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bitwarden.rule=Host(`${TRAEFIK_VAULTWARDEN}`)"
      - "traefik.http.routers.bitwarden.entrypoints=https"
      - "traefik.http.routers.bitwarden.tls=true"
      - "traefik.http.routers.bitwarden.tls.certresolver=mydnschallenge"
      # Watchtower Update
      - "com.centurylinklabs.watchtower.enable=true"
      # Ip filtering
      - "traefik.http.routers.bitwarden.middlewares=whitelist@file"
    logging:
      driver: "syslog"
      options:
        tag: "Bitwarden"

networks:
  proxy:
    external: true
```
- .env
```
TRAEFIK_VAULTWARDEN=vaultwarden.example.com
ADMIN_TOKEN=xxxxxxxxxxxxxxxxx
```
- Traefik up and running.
- A subdomain of your choice; this example uses vaultwarden.
  - You should be able to create a subdomain with your DNS provider; use an A record with the same IP address as your root domain.
Replace the environment variables in .env with your own, then run:
```
sudo docker-compose up -d
```
You should then be able to access the bitwarden web-ui admin interface with the ADMIN_TOKEN.
The image is automatically updated with Watchtower thanks to the following label:
```yaml
# Watchtower Update
- "com.centurylinklabs.watchtower.enable=true"
```
Comment out the ADMIN_TOKEN line to disable the admin interface after you have created your users. The IP filtering label is set in the docker-compose.yml; you can restrict access to this service by modifying the Traefik whitelist.
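A check for the exposure settings discussed above, as an added example that is not part of the original page: it reads a compose file written in the list style used here and reports whether signups, the admin interface, TLS and the IP filtering middleware are in the intended state. The function names and the two sample fragments are constructed for illustration, and the check assumes Vaultwarden allows signups when SIGNUPS_ALLOWED is unset.

```python
import re

# Active (uncommented) list items of the form `- KEY=value` or `- "key=value"`,
# the style used for `environment:` and `labels:` in the compose file above.
ENTRY = re.compile(r'^\s*-\s*"?([\w.\-]+)=(.*?)"?\s*$')

def active_entries(compose_text):
    """Return {key: value} for every uncommented `- key=value` list item."""
    entries = {}
    for line in compose_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out entry is not in effect
        match = ENTRY.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries

def audit(compose_text, router="bitwarden", middleware="whitelist@file"):
    """List the exposure settings this page discusses that are still open."""
    env = active_entries(compose_text)
    prefix = f"traefik.http.routers.{router}."
    findings = []
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("signups are open")
    if "ADMIN_TOKEN" in env:
        findings.append("admin interface is enabled")
    if env.get(prefix + "tls", "").lower() != "true":
        findings.append("router has no TLS")
    if middleware not in env.get(prefix + "middlewares", "").split(","):
        findings.append("IP filtering middleware is not attached")
    return findings

# Constructed sample: the relevant lines of the compose file during initial setup.
SETUP = """
    environment:
      - SIGNUPS_ALLOWED=false
      # Comment admin token to disable admin interface
      - ADMIN_TOKEN=${ADMIN_TOKEN}
    labels:
      - "traefik.http.routers.bitwarden.tls=true"
      - "traefik.http.routers.bitwarden.middlewares=whitelist@file"
"""
# Constructed sample: the same file once users exist and the token is commented out.
HARDENED = SETUP.replace("- ADMIN_TOKEN", "# - ADMIN_TOKEN")

if __name__ == "__main__":
    for name, text in (("setup", SETUP), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

Run it against the real file with `audit(open("docker-compose.yml").read())` after each change to the compose file.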
Docker volumes are globally backed up using borg-backup.