VaultWarden: Difference between revisions

From FlowerHouseWiki
m (Tropaion moved page BitWarden to VaultWarden)
 
(52 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{ContainerInfo
{{ContainerInfo
|image = Bitwarden.png
|image = Bitwarden.png
|Domain = [https://keys.flowerhouse.at keys.flowerhouse.at]
|Domain = [https://vault.flowerhouse.at vault.flowerhouse.at]
|IP = 192.168.88.??
|IP = 192.168.88.15
|MAC = B6:04:55:14:93:89
|MAC = B6:04:55:14:93:89
|Privileged = No
|Privileged = No
|OS = Debian Buster
|OS = Debian Bullseye
|RAM = 512MB
|RAM = 512MB
|Cores = 1
|Cores = 1
|Files = [[Bitwarden.env]]
}}
}}


<p>The BitWarden-LXC is reachable under <syntaxhighlight lang="Bash" inline>192.168.88.??</syntaxhighlight> which is located in the ServerVLAN.</p>
<p>The BitWarden-LXC is reachable under <syntaxhighlight lang="Bash" inline>192.168.88.15</syntaxhighlight> which is located in the ServerVLAN.</p>
<p>The subdomain is [https://keys.flowerhouse.at keys.flowerhouse.at] which is handled by the [[ReverseProxy]].</p>
<p>The subdomain is [https://vault.flowerhouse.at vault.flowerhouse.at] which is handled by the [[ReverseProxy]].</p>
__TOC__
__TOC__
== Basic Setup ==
== Building ==
<p>The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.</p>
<p>The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.</p>
<p>Install the required packages:</p>
<p>Install the required packages for building:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
apt install git curl wget htop pkg-config openssl libssl-dev build-essential
apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev
</syntaxhighlight>
</syntaxhighlight>
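Review bot: the infobox now links the live configuration as a wiki page ([[Bitwarden.env]], which the Deploying section further down also pastes into /opt/vaultwarden/.env); that file is the service's configuration (the unit below loads it through EnvironmentFile=), so if the wiki copy holds real credentials, keep only a redacted version on the page and point at the file on the host instead. The remaining changes in this hunk (keys to vault subdomain, the IP placeholder replaced by 192.168.88.15, Buster to Bullseye, libmariadb-dev-compat and libmariadb-dev added for the mysql feature) are consistent with the rest of the diff.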


Line 23: Line 24:
<p>Download script and follow installer:</p>
<p>Download script and follow installer:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
curl https://sh.rustup.rs -sSf | sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
</syntaxhighlight>
</syntaxhighlight>
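Review bot: the new curl flags (--proto '=https' --tlsv1.2) are the invocation the rustup project documents and stop the download from being downgraded to plain HTTP or an old TLS version; the output is still piped straight into sh, so on the build host consider saving it first (curl ... -o rustup-init.sh), reading it, and running it from the file.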


Line 42: Line 43:
</syntaxhighlight>
</syntaxhighlight>


=== NodeJS ===
=== vaultwarden ===
<p>Download latest NodeJS package:</p>
<p>To build bitwarden_rs at least 1GB RAM is needed for it to work.</p>
<p>Clone the bitwarden_rs repository and use cargo to build it:</p>
<syntaxhighlight lang="console" line>
cd /opt
wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.23.1.tar.gz
tar -xvf 1.23.1.tar.gz
pushd vaultwarden-1.23.1
cargo clean && cargo build --features mysql --release
file target/release/vaultwarden
</syntaxhighlight>
 
<p>Now the build bitwarden_rs binary is located at:</p>
<syntaxhighlight lang="console">
cd /opt/vaultwarden/target/release/
</syntaxhighlight>
 
<p>Enable root-ssh:</p>
<syntaxhighlight lang="console">
nano /etc/ssh/sshd_config
</syntaxhighlight>
 
<p>Change following line:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
wget https://nodejs.org/dist/latest/node-v15.10.0-linux-x64.tar.xz
#PermitRootLogin prohibit-password -> PermitRootLogin yes
</syntaxhighlight>
</syntaxhighlight>


<p>Unpack and move folder:</p>
<p>Restart ssh-service:</p>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console">
tar -xvf nnode-v15.10.0-linux-x64.tar.xz
service sshd restart
mv node-v15.10.0-linux-x64.tar.xz /opt/
</syntaxhighlight>
</syntaxhighlight>


<p>Create link:</p>
<p>Only vaultwarden is needed for deployment.</p>
 
== Deploying ==
<p>Required packages for deployment:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
ln -sf /opt/node-v15.10.0-linux-x64 /opt/node
apt install openssl libmariadb-dev
</syntaxhighlight>
</syntaxhighlight>


=== Build bitwarden_rs ===
=== vaultwarden ===
<p>To build bitwarden_rs, enough CPU and RAM is needed for it to work, with 4 Cores and 1GB RAM it worked fine.</p>
<p>Create folders for deployment and move the vaultwarden binary to the folder <syntaxhighlight lang="console" inline>/opt/bitwarden/
<p>Clone the bitwarden_rs repository and use cargo to build it:</p>
</syntaxhighlight>:</p>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console" line>
git clone https://github.com/dani-garcia/bitwarden_rs && pushd bitwarden_rs
mkdir /opt/vaultwarden
cargo clean && cargo build --features sqlite --release
mkdir /opt/vaultwarden/data
file target/release/bitwarden_rs
</syntaxhighlight>
</syntaxhighlight>


<p>Create folder and move bitwarden_rs:</p>
<p>Set permissions:</p>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console">
mkdir /opt/bitwarden
chmod 775 vaultwarden
mkdir /opt/bitwarden/data
cd ~/bitwarden_rs/target/release
mv ~/bitwarden_rs/target/release/bitwarden_rs /opt/bitwarden
rm -r ~/bitwarden_rs
</syntaxhighlight>
</syntaxhighlight>


<p>Create .env file and paste [https://github.com/dani-garcia/bitwarden_rs/blob/master/.env.template template configuration]:</p>
<p>Create .env file and paste [[Bitwarden.env]]:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
nano /opt/bitwarden/.env
nano /opt/vaultwarden/.env
</syntaxhighlight>
</syntaxhighlight>


=== Install WebVault ===
=== Install WebVault ===
<p>It is not needed to build WebVault, you can use one of the [https://github.com/dani-garcia/bw_web_builds prepatched branches]</p>
<p>It is not needed to build WebVault, you can use one of the [https://github.com/dani-garcia/bw_web_builds prepatched branches]</p>
<p>Move to the bitwarden_rs release folder and download WebVault:</p>
<p>Move to the vaultwarden_rs release folder and download WebVault:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz
</syntaxhighlight>
</syntaxhighlight>


<p>Unpack and rename folder:</p>
<p>Unpack and delete:</p>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console" line>
tar -xvf bw_web_v2.18.1d.tar.gz
tar -xvf bw_web_v2.18.1d.tar.gz
mv bw_web_v2.18.1d.tar.gz web-vault
rm bw_web_v2.18.1d.tar.gz
</syntaxhighlight>
</syntaxhighlight>


=== systemd service ===
=== systemd service ===
<p>Create a service file for bitwarden_rs:</p>
<p>Create a service file for vaultwarden:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
nano /etc/systemd/system/bitwarden.service
nano /etc/systemd/system/vaultwarden.service
</syntaxhighlight>
</syntaxhighlight>
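Review bot: the new "Enable root-ssh" step changes PermitRootLogin from prohibit-password to yes, which turns on password authentication for root over SSH; prohibit-password already permits key-based root login, so if the purpose is to copy the built binary to the deployment container, keeping the default and authorizing a key is sufficient, and whatever is chosen should be reverted on the build host afterwards. Two paths in this hunk also disagree with the commands: the archive extracts to /opt/vaultwarden-1.23.1 (see pushd vaultwarden-1.23.1), so the binary ends up at /opt/vaultwarden-1.23.1/target/release/vaultwarden rather than /opt/vaultwarden/target/release/, and the deployment text says /opt/bitwarden/ while the mkdir lines create /opt/vaultwarden. The "Set permissions" block runs chmod 775 vaultwarden without a cd or a copy of the binary before it, so the step that actually places the binary in /opt/vaultwarden is missing from the commands.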


Line 104: Line 123:
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console" line>
[Unit]
[Unit]
Description=Bitwarden Server (Rust Edition)
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
Documentation=https://github.com/dani-garcia/vaultwarden


# Only sqlite
# Only sqlite
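Review bot: the "# Only sqlite" comment above After=network.target is kept although the build now uses --features mysql; when the MariaDB server runs on the same host, order the unit after it as well (After=network.target mariadb.service) so vaultwarden does not start before its database. The Description= and Documentation= renames are fine.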
Line 111: Line 130:


[Service]
[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
# The user/group vaultwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=root
User=root
Group=root
Group=root
# The location of the .env file for configuration
# The location of the .env file for configuration
EnvironmentFile=/opt/bitwarden/.env
EnvironmentFile=/opt/vaultwarden/.env
# The location of the compiled binary
# The location of the compiled binary
ExecStart=/opt/bitwarden/bitwarden_rs
ExecStart=/opt/vaultwarden/vaultwarden
# Set reasonable connection and process limits
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNOFILE=1048576
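Review bot: User=root and Group=root are unchanged, and the comment directly above them (now reading "vaultwarden_rs", which is neither the old nor the new project name) itself says the working directory only has to be readable and writable by the service user; that is the argument for a dedicated unprivileged account owning the data directory rather than root, particularly for a process that terminates connections from the ReverseProxy. Suggest User=vaultwarden and Group=vaultwarden with a system account, and correcting the comment to "vaultwarden".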
Line 126: Line 145:
# ProtectSystem=strict
# ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/bitwarden/data/
WorkingDirectory=/opt/vaultwarden/
ReadWriteDirectories=/opt/bitwarden/data/
ReadWriteDirectories=/opt/vaultwarden/
# Allow bitwarden_rs to bind ports in the range of 0-1024
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
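Review bot: ReadWriteDirectories is widened from /opt/bitwarden/data/ to /opt/vaultwarden/, but the comment above still says writes are limited to the directory holding user and password data; the data directory created earlier in this diff is /opt/vaultwarden/data, so the line should name that directory (the binary, .env and web-vault then stay read-only to the service). Moving WorkingDirectory to /opt/vaultwarden/ is fine. Without ProtectSystem=strict or ReadOnlyPaths the ReadWriteDirectories line has no effect, and the hardening options above it are still commented out; suggest enabling PrivateTmp, PrivateDevices, ProtectHome and ProtectSystem=strict and using the current directive name ReadWritePaths=. AmbientCapabilities=CAP_NET_BIND_SERVICE is only required when the port configured in .env is below 1024 and can be dropped otherwise, since the ReverseProxy fronts the service.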
Line 137: Line 156:
<p>Start and check if service is running:</p>
<p>Start and check if service is running:</p>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console" line>
systemctl start bitwarden
systemctl daemon-reload
systemctl status bitwarden
systemctl start vaultwarden
systemctl status vaultwarden
</syntaxhighlight>
</syntaxhighlight>


<p>Enable service to start at boot:</p>
<p>Enable service to start at boot:</p>
<syntaxhighlight lang="console">
<syntaxhighlight lang="console">
systemctl enable bitwarden
systemctl enable vaultwarden
</syntaxhighlight>
</syntaxhighlight>


Line 151: Line 171:
* [https://github.com/dani-garcia/bw_web_builds WebVault]
* [https://github.com/dani-garcia/bw_web_builds WebVault]
* [https://github.com/dani-garcia/bitwarden_rs/wiki/Setup-as-a-systemd-service bitwarden.service]
* [https://github.com/dani-garcia/bitwarden_rs/wiki/Setup-as-a-systemd-service bitwarden.service]
* [https://github.com/dani-garcia/bitwarden_rs/blob/master/.env.template template configuration]
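Review bot: the Sources list drops the .env.template link although the Deploying section still relies on a .env file (now pasted from the wiki page Bitwarden.env); keep a link to the upstream template so readers can see which settings exist and which defaults the wiki copy overrides. The two remaining entries still use the bitwarden_rs repository path while the unit's Documentation= line was updated to dani-garcia/vaultwarden; update them to match.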

Latest revision as of 22:31, 4 December 2023


Network
IP: 192.168.88.15
MAC: B6:04:55:14:93:89
Domain: vault.flowerhouse.at

System
OS: Debian Bullseye
Files: Bitwarden.env
RAM: 512MB
Cores: 1
Privileged: No

The BitWarden-LXC is reachable at 192.168.88.15, which is located in the ServerVLAN.

The subdomain is vault.flowerhouse.at, which is handled by the ReverseProxy.

Building

The original Bitwarden server is only available as a Docker image; Vaultwarden is an alternative implementation written in Rust.

Install the required packages for building:

apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev

Rust

Download script and follow installer:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Add the cargo bin directory to PATH:

echo 'export PATH=~/.cargo/bin:$PATH' >> ~/.bashrc
export PATH=~/.cargo/bin:$PATH

Running the following command:

which rustc

should print the path:

/root/.cargo/bin/rustc

vaultwarden

To build vaultwarden (formerly bitwarden_rs), at least 1GB RAM is needed.

Download the vaultwarden 1.23.1 source archive and use cargo to build it:

cd /opt
wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.23.1.tar.gz
tar -xvf 1.23.1.tar.gz
pushd vaultwarden-1.23.1
cargo clean && cargo build --features mysql --release
file target/release/vaultwarden

The built vaultwarden binary is now located in the release folder of the extracted source tree:

cd /opt/vaultwarden-1.23.1/target/release/

Enable root login over SSH:

nano /etc/ssh/sshd_config

Change the following line (the default prohibit-password permits key-based root logins only; yes also permits password logins):

#PermitRootLogin prohibit-password -> PermitRootLogin yes

Restart the SSH service:

service sshd restart

Only the vaultwarden binary is needed for deployment.

Deploying

Required packages for deployment:

apt install openssl libmariadb-dev

vaultwarden

Create the folders for deployment and place the vaultwarden binary built above into /opt/vaultwarden/:

mkdir /opt/vaultwarden
mkdir /opt/vaultwarden/data

Set permissions on the binary (in /opt/vaultwarden/):

chmod 775 vaultwarden

Create the .env file and paste Bitwarden.env:

nano /opt/vaultwarden/.env

Install WebVault

WebVault does not need to be built; one of the prepatched branches can be used.

Change to the vaultwarden deployment folder (/opt/vaultwarden/) and download WebVault:

wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz

Unpack and delete the archive:

tar -xvf bw_web_v2.18.1d.tar.gz
rm bw_web_v2.18.1d.tar.gz

systemd service

Create a service file for vaultwarden:

nano /etc/systemd/system/vaultwarden.service

and paste the following:

[Unit]
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden

# Only sqlite
After=network.target

[Service]
# The user/group vaultwarden is run under. The working directory (see below) should allow read and write access to this user/group
User=root
Group=root
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
# Isolate vaultwarden from the rest of the system
# PrivateTmp=true
# PrivateDevices=true
# ProtectHome=true
# ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/
ReadWriteDirectories=/opt/vaultwarden/
# Allow vaultwarden to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Start the service and check that it is running:

systemctl daemon-reload
systemctl start vaultwarden
systemctl status vaultwarden

Enable the service to start at boot:

systemctl enable vaultwarden
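The deployment steps above (folders, permissions, .env, unit file) can be staged by one script. The following is an added example and not part of this wiki page or of the vaultwarden project: it writes the same tree (/opt/vaultwarden with its data/ subdirectory, /opt/vaultwarden/.env and /etc/systemd/system/vaultwarden.service) under a staging root, installs the .env owner-only because it carries the service's configuration and credentials, and writes a unit in which the isolation options that the unit above keeps commented out are switched on and writes are confined to the data directory. The service account vaultwarden, the ordering after mariadb.service (matching the --features mysql build; leave it out for SQLite) and the remark on ROCKET_PORT are assumptions; the stand-in binary and sample .env used by the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page or the vaultwarden project: stage the
# deployment tree described above with least-privilege permissions and a
# hardened unit file. DESTDIR is a staging root: "" targets the real system
# (run as root), a temporary directory only shows the resulting layout.
# Assumed: a system account "vaultwarden" exists, e.g.
#   useradd --system --home /opt/vaultwarden --shell /usr/sbin/nologin vaultwarden
set -eu

# stage_tree DESTDIR BINARY ENVFILE
# Creates /opt/vaultwarden with data/ and web-vault/ (the bw_web_builds archive
# is unpacked there), installs the binary and the .env. The .env holds the
# service's credentials, so it is installed owner-only (0600); data/ is the
# only directory the service may write to.
stage_tree() {
    destdir=$1 binary=$2 envfile=$3
    app="$destdir/opt/vaultwarden"
    mkdir -p "$app/data" "$app/web-vault" "$destdir/etc/systemd/system"
    install -m 0755 "$binary" "$app/vaultwarden"   # page uses 775; group write is not needed
    install -m 0600 "$envfile" "$app/.env"
    chmod 0750 "$app"
    chmod 0700 "$app/data"
}

# write_unit DESTDIR
# Writes /etc/systemd/system/vaultwarden.service. Compared with the unit on the
# page: a dedicated user instead of root, the four commented-out isolation
# options enabled, and writes confined to data/ (ReadWritePaths is the current
# name of ReadWriteDirectories). After=mariadb.service (assumption) matches the
# --features mysql build when the database runs on the same host; drop it for SQLite.
write_unit() {
    cat > "$1/etc/systemd/system/vaultwarden.service" <<'EOF'
[Unit]
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service

[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/opt/vaultwarden/.env
WorkingDirectory=/opt/vaultwarden
ExecStart=/opt/vaultwarden/vaultwarden
LimitNOFILE=1048576
# Isolate vaultwarden from the rest of the system: the filesystem is read-only
# to the service except for the data directory, so the binary, .env and
# web-vault cannot be modified by the process itself.
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/opt/vaultwarden/data
NoNewPrivileges=true
# Needed only if ROCKET_PORT in .env is below 1024; remove both lines otherwise.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF
}

# check_stage DESTDIR
# Verifies the staged layout; returns 0 when the binary is executable, .env and
# data/ are owner-only and the unit runs unprivileged on a read-only system.
check_stage() {
    app="$1/opt/vaultwarden" unit="$1/etc/systemd/system/vaultwarden.service"
    [ -x "$app/vaultwarden" ] || return 1
    find "$app/.env" -perm 0600 | grep -q . || return 1          # exact-mode match
    find "$app/data" -maxdepth 0 -perm 0700 | grep -q . || return 1
    grep -q '^User=vaultwarden$' "$unit" || return 1
    grep -q '^ProtectSystem=strict$' "$unit" || return 1
    grep -q '^ReadWritePaths=/opt/vaultwarden/data$' "$unit" || return 1
}

# demo: runs the whole procedure on constructed inputs in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho vaultwarden stand-in\n' > "$tmp/vaultwarden"        # constructed, not the real binary
    printf 'DATA_FOLDER=/opt/vaultwarden/data\nROCKET_PORT=8000\n' > "$tmp/env"  # constructed sample .env
    stage_tree "$tmp/root" "$tmp/vaultwarden" "$tmp/env"
    write_unit "$tmp/root"
    check_stage "$tmp/root" && echo "staged tree OK under $tmp/root/opt/vaultwarden"
}
demo
```

For the real host, call stage_tree "" /path/to/built/vaultwarden /path/to/.env and write_unit "" as root, then chown vaultwarden:vaultwarden /opt/vaultwarden/.env /opt/vaultwarden/data (vaultwarden also reads the .env in its working directory itself, so the service user must be able to open it), and finish with systemctl daemon-reload and systemctl enable --now vaultwarden. The difference to the unit on the page is that with ProtectSystem=strict and ReadWritePaths limited to data/, a compromise of the web-facing process cannot overwrite its own binary, configuration or web-vault.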

Sources