Vaultwarden 101

Prepare folders, image extraction and user

Create folder and change directory

mkdir vw-image
cd vw-image

Download docker-image-extract

wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
chmod +x docker-image-extract

Run docker-image-extract to download and extract vaultwarden docker image

./docker-image-extract vaultwarden/server:alpine

Create the needed folders (add sudo where needed; the commands below assume a non-root shell)

sudo mkdir /opt/vaultwarden
sudo mkdir /var/lib/vaultwarden
sudo mkdir /var/lib/vaultwarden/data

Add a vaultwarden user and change permissions for the work folder

sudo useradd vaultwarden
sudo chown -R vaultwarden:vaultwarden /var/lib/vaultwarden

Move the extracted docker image data into the needed folders (the binary ends up as /opt/vaultwarden/vaultwarden, the web vault as /var/lib/vaultwarden/web-vault)

sudo mv output/vaultwarden /opt/vaultwarden
sudo mv output/web-vault /var/lib/vaultwarden

Clean extracted files

rm -Rf output
rm -Rf docker-image-extract

Configure Vaultwarden

Create the admin token hash (an argon2 PHC string; paste it into ADMIN_TOKEN below)

/opt/vaultwarden/vaultwarden hash

Create an .env file for storing settings (replace the domain with your own; the heredoc delimiter is quoted so that the $ signs in the argon2 hash are written verbatim instead of being expanded by the shell)

sudo tee /var/lib/vaultwarden/.env > /dev/null << 'EOF'
DOMAIN=https://vault.xxxxx.xxx/vaultwarden/
# [email protected]   (the key of this setting was lost when the page was captured)
ADMIN_TOKEN='<hash produced by vaultwarden hash earlier>'
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.example.com
# SMTP_FROM: key restored from vaultwarden's .env template, the address is a placeholder
SMTP_FROM=vaultwarden@example.com
SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587
SMTP_SSL=true
SMTP_EXPLICIT_TLS=false
# SMTP_USERNAME: key restored from vaultwarden's .env template, the address is a placeholder
SMTP_USERNAME=vaultwarden@example.com
SMTP_PASSWORD=mysmtppassword
SMTP_TIMEOUT=15
EOF
sudo chown vaultwarden:vaultwarden /var/lib/vaultwarden/.env
sudo chmod 600 /var/lib/vaultwarden/.env   # the file holds the admin token and the SMTP password
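The token produced by "vaultwarden hash" is an argon2 PHC string ("$argon2id$v=19$m=..."), and a heredoc with an unquoted delimiter lets the shell expand every "$word" in it to an empty variable. The script below is an added example, not part of the gist; the hash in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the gist: shows how an unquoted heredoc
# delimiter corrupts an argon2 ADMIN_TOKEN, and how a quoted one keeps it.
# The hash used here is a constructed placeholder, not a real one.

# Unquoted EOF: $argon2id, $v, $m, ... are expanded before the file is written.
write_env_unquoted() {             # $1 = path of the .env file to write
    cat << EOF > "$1"
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g'
EOF
}

# Quoted 'EOF': the body is written verbatim, so the token survives intact.
write_env_quoted() {               # $1 = path of the .env file to write
    cat << 'EOF' > "$1"
ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g'
EOF
}

# Read the ADMIN_TOKEN value back from an .env file written by either function.
token_in_file() {
    sed -n "s/^ADMIN_TOKEN='\(.*\)'\$/\1/p" "$1"
}

# Exit status 0 when the stored token still looks like an argon2 PHC string.
env_token_intact() {
    case "$(token_in_file "$1")" in '$argon2id$'*) return 0 ;; *) return 1 ;; esac
}
```

Running write_env_unquoted leaves ADMIN_TOKEN as "=19=65540,t=3,p=4", which vaultwarden would accept as a (wrong) plaintext token without any error.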

Create a systemd service file

sudo tee /etc/systemd/system/vaultwarden.service > /dev/null << 'EOF'
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target

[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/var/lib/vaultwarden/.env
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF

Enable the service at boot and start it now

sudo systemctl enable vaultwarden
sudo systemctl start vaultwarden
sudo systemctl status vaultwarden | less

Vaultwarden should now be listening on port 8000. Open http://127.0.0.1:8000 in a browser (the vault itself is served under the /vaultwarden/ path set in DOMAIN).

SSL Certificate and nginx as reverse proxy

Generate a locally trusted certificate with mkcert (install mkcert first)

sudo apt update
sudo apt install mkcert wget libnss3-tools

Generate the CA key and certificate (run only the first time; no sudo here, mkcert elevates on its own when it writes the system trust store, and the CA then lands in ~/.local/share/mkcert as the later steps expect)

mkcert -install

Generate wildcard certificate for custom domain (like *.xxxxx.xxx)

mkcert "*.xxxxx.xxx"

Copy the created certificates to their folders (the chain file holds the leaf certificate plus the mkcert root CA; the private key stays out of /etc/ssl/certs, which is world-readable)

cat _wildcard.xxxxx.xxx.pem ~/.local/share/mkcert/rootCA.pem > _wildcard.xxxxx.xxx_chain.pem
sudo mv _wildcard.xxxxx.xxx.pem /etc/ssl/certs/
sudo mv _wildcard.xxxxx.xxx-key.pem /etc/ssl/private/
sudo chmod 600 /etc/ssl/private/_wildcard.xxxxx.xxx-key.pem
sudo mv _wildcard.xxxxx.xxx_chain.pem /etc/ssl/certs
sudo cp ~/.local/share/mkcert/rootCA.pem /etc/ssl/certs/rootCA.pem   # cp, not mv: mkcert needs the root in place to issue further certificates

Install nginx

sudo apt install nginx

Create the nginx vhost configuration (the heredoc delimiter is quoted so that nginx variables such as $host and $remote_addr reach the file unexpanded)

sudo tee /etc/nginx/sites-enabled/100-vault.xxxxx.xxx.conf > /dev/null << 'EOF'
server {
#   if ($blockedagent) {
#        return 403;
#   }
    client_max_body_size 20m;
    listen <private_ip_address>:443 ssl http2;
    server_name vault.xxxxx.xxx;

    access_log  /var/log/nginx/access_wan.log;
    ssl_certificate /etc/ssl/certs/_wildcard.xxxxx.xxx_chain.pem;
    ssl_certificate_key /etc/ssl/private/_wildcard.xxxxx.xxx-key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        return 301 https://vault.xxxxx.xxx/vaultwarden/;
    }
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES';
    ssl_ecdh_curve secp384r1;

    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;
#   resolver 192.168.XXX.XXX;
#   server_tokens hides the nginx version in responses
    server_tokens off;

    location /vaultwarden/ {
        proxy_pass http://127.0.0.1:8000/vaultwarden/;
        proxy_pass_request_headers on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF

Check the configuration, restart nginx and test

sudo nginx -t
sudo service nginx restart
sudo lsof -i :443 #(should show nginx listening on 443)
firefox https://vault.xxxxx.xxx/vaultwarden
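A few post-install checks for the layout built above, as an added script that is not part of the gist: the backend on :8000 should be bound to loopback only (vaultwarden binds 0.0.0.0 unless ROCKET_ADDRESS=127.0.0.1 is set in .env), the .env file with the admin token and SMTP password should be owner-only, and no private key may sit under world-readable /etc/ssl/certs. The ss output format and the paths are assumptions taken from the steps above.

```shell
#!/bin/sh
# Added post-install checks; not part of the gist. Paths, the port and
# the service layout follow the steps above. Run "sh vw-check.sh --run"
# on the vault server as root once nginx has been restarted.

# nginx terminates TLS and proxies to 127.0.0.1:8000, so the backend must
# not also be reachable on other interfaces; vaultwarden binds 0.0.0.0
# unless ROCKET_ADDRESS=127.0.0.1 is set in the .env file.
# $1 = output of "ss -Hltn" (column 4 is Local Address:Port), $2 = port.
backend_loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { pat = ":" port "$" }
        $4 ~ pat {
            n++
            if (index($4, "127.0.0.1:") != 1 && index($4, "[::1]:") != 1) bad++
        }
        END { exit (n == 0 || bad > 0) }'
}

# .env holds ADMIN_TOKEN and SMTP_PASSWORD: it must be owner-only (GNU stat).
secret_file_private() {
    case "$(stat -c '%a' "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# /etc/ssl/certs is world-readable, so nothing in it may carry a private
# key; the chain file should contain only the leaf and the mkcert root.
no_private_key_in() {
    ! grep -rq 'PRIVATE KEY' "$1"
}

run_checks() {
    rc=0
    backend_loopback_only "$(ss -Hltn)" 8000 && echo "ok   :8000 bound to loopback only" \
        || { echo "FAIL :8000 listens on a non-loopback address (set ROCKET_ADDRESS=127.0.0.1)"; rc=1; }
    secret_file_private /var/lib/vaultwarden/.env && echo "ok   .env is owner-only" \
        || { echo "FAIL .env readable by group/others (chmod 600)"; rc=1; }
    no_private_key_in /etc/ssl/certs && echo "ok   no private key under /etc/ssl/certs" \
        || { echo "FAIL private key found under /etc/ssl/certs"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```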

On workstation, to avoid ssl errors in browser

Install ca-certificates

sudo apt install ca-certificates

Copy ~/.local/share/mkcert/rootCA.pem from vault server to workstation

Create a folder for the domain

sudo mkdir /usr/share/ca-certificates/xxxxx.xxx
sudo cp rootCA.pem /usr/share/ca-certificates/xxxxx.xxx

Add an entry to /etc/ca-certificates.conf so that the new folder is picked up (paths are relative to /usr/share/ca-certificates)

sudo vim /etc/ca-certificates.conf # or nano or another editor
# add this at the end of the file
xxxxx.xxx/rootCA.pem

Update certificates

sudo update-ca-certificates

Test with curl (if there is no ssl error)

curl -IL https://vault.xxxxx.xxx/vaultwarden

Add an entry to /etc/hosts on the workstation to reach the vault by its domain name (sudo applies to the command, not to the shell redirection, so use tee)

echo '<private_ip_address> vault.xxxxx.xxx' | sudo tee -a /etc/hosts

Test access from the browser on the workstation (Firefox keeps its own certificate store, so it may still warn even though curl succeeds; in that case import rootCA.pem under Settings > Privacy & Security > Certificates)

firefox https://vault.xxxxx.xxx/vaultwarden