VaultWarden: Difference between revisions
| m (Tropaion moved page BitWarden to VaultWarden) | |||
| (33 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
| |MAC = B6:04:55:14:93:89 | |MAC = B6:04:55:14:93:89 | ||
| |Privileged = No | |Privileged = No | ||
| |OS = Debian  | |OS = Debian Bullseye | ||
| |RAM = 512MB | |RAM = 512MB | ||
| |Cores = 1 | |Cores = 1 | ||
| |Files = [[Bitwarden.env]] | |||
| }} | }} | ||
| Line 13: | Line 14: | ||
| <p>The subdomain is [https://vault.flowerhouse.at vault.flowerhouse.at] which is handled by the [[ReverseProxy]].</p> | <p>The subdomain is [https://vault.flowerhouse.at vault.flowerhouse.at] which is handled by the [[ReverseProxy]].</p> | ||
| __TOC__ | __TOC__ | ||
| ==  | == Building == | ||
| <p>The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.</p> | <p>The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.</p> | ||
| <p>Install the required packages:</p> | <p>Install the required packages for building:</p> | ||
| <syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev | apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev | ||
| Line 42: | Line 43: | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| ===  | === vaultwarden === | ||
| <p>To build bitwarden_rs | <p>To build bitwarden_rs at least 1GB RAM is needed for it to work.</p> | ||
| <p>Clone the bitwarden_rs repository and use cargo to build it:</p> | <p>Clone the bitwarden_rs repository and use cargo to build it:</p> | ||
| <syntaxhighlight lang="console" line> | <syntaxhighlight lang="console" line> | ||
| cd /opt | cd /opt | ||
| wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.23.1.tar.gz | |||
| tar -xvf 1.23.1.tar.gz | |||
| pushd vaultwarden-1.23.1 | |||
| cargo clean && cargo build --features mysql --release | cargo clean && cargo build --features mysql --release | ||
| file target/release/ | file target/release/vaultwarden | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| <p>Create  | <p>Now the build bitwarden_rs binary is located at:</p> | ||
| <syntaxhighlight lang="console"> | |||
| cd /opt/vaultwarden/target/release/ | |||
| </syntaxhighlight> | |||
| <p>Enable root-ssh:</p> | |||
| <syntaxhighlight lang="console"> | |||
| nano /etc/ssh/sshd_config | |||
| </syntaxhighlight> | |||
| <p>Change following line:</p> | |||
| <syntaxhighlight lang="console"> | |||
| #PermitRootLogin prohibit-password -> PermitRootLogin yes | |||
| </syntaxhighlight> | |||
| <p>Restart ssh-service:</p> | |||
| <syntaxhighlight lang="console"> | |||
| service sshd restart | |||
| </syntaxhighlight> | |||
| <p>Only vaultwarden is needed for deployment.</p> | |||
| == Deploying == | |||
| <p>Required packages for deployment:</p> | |||
| <syntaxhighlight lang="console"> | |||
| apt install openssl libmariadb-dev | |||
| </syntaxhighlight> | |||
| === vaultwarden === | |||
| <p>Create folders for deployment and move the vaultwarden binary to the folder <syntaxhighlight lang="console" inline>/opt/bitwarden/ | |||
| </syntaxhighlight>:</p> | |||
| <syntaxhighlight lang="console" line> | <syntaxhighlight lang="console" line> | ||
| mkdir /opt/ | mkdir /opt/vaultwarden | ||
| mkdir /opt/ | mkdir /opt/vaultwarden/data | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| <p> | <p>Set permissions:</p> | ||
| <syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| nano /opt/ | chmod 775 vaultwarden | ||
| </syntaxhighlight> | |||
| <p>Create .env file and paste [[Bitwarden.env]]:</p> | |||
| <syntaxhighlight lang="console"> | |||
| nano /opt/vaultwarden/.env | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
| === Install WebVault === | === Install WebVault === | ||
| <p>It is not needed to build WebVault, you can use one of the [https://github.com/dani-garcia/bw_web_builds prepatched branches]</p> | <p>It is not needed to build WebVault, you can use one of the [https://github.com/dani-garcia/bw_web_builds prepatched branches]</p> | ||
| <p>Move to the  | <p>Move to the vaultwarden_rs release folder and download WebVault:</p> | ||
| <syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz | wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz | ||
| Line 79: | Line 115: | ||
| === systemd service === | === systemd service === | ||
| <p>Create a service file for  | <p>Create a service file for vaultwarden:</p> | ||
| <syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| nano /etc/systemd/system/ | nano /etc/systemd/system/vaultwarden.service | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| Line 87: | Line 123: | ||
| <syntaxhighlight lang="console" line> | <syntaxhighlight lang="console" line> | ||
| [Unit] | [Unit] | ||
| Description= | Description=Vaultwarden Server (Rust Edition) | ||
| Documentation=https://github.com/dani-garcia/ | Documentation=https://github.com/dani-garcia/vaultwarden | ||
| # Only sqlite | # Only sqlite | ||
| Line 94: | Line 130: | ||
| [Service] | [Service] | ||
| # The user/group  | # The user/group vaultwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group | ||
| User=root | User=root | ||
| Group=root | Group=root | ||
| # The location of the .env file for configuration | # The location of the .env file for configuration | ||
| EnvironmentFile=/opt/ | EnvironmentFile=/opt/vaultwarden/.env | ||
| # The location of the compiled binary | # The location of the compiled binary | ||
| ExecStart=/opt/ | ExecStart=/opt/vaultwarden/vaultwarden | ||
| # Set reasonable connection and process limits | # Set reasonable connection and process limits | ||
| LimitNOFILE=1048576 | LimitNOFILE=1048576 | ||
| Line 109: | Line 145: | ||
| # ProtectSystem=strict | # ProtectSystem=strict | ||
| # Only allow writes to the following directory and set it to the working directory (user and password data are stored here) | # Only allow writes to the following directory and set it to the working directory (user and password data are stored here) | ||
| WorkingDirectory=/opt/ | WorkingDirectory=/opt/vaultwarden/ | ||
| ReadWriteDirectories=/opt/ | ReadWriteDirectories=/opt/vaultwarden/ | ||
| # Allow bitwarden_rs to bind ports in the range of 0-1024 | # Allow bitwarden_rs to bind ports in the range of 0-1024 | ||
| AmbientCapabilities=CAP_NET_BIND_SERVICE | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
| Line 120: | Line 156: | ||
| <p>Start and check if service is running:</p> | <p>Start and check if service is running:</p> | ||
| <syntaxhighlight lang="console" line> | <syntaxhighlight lang="console" line> | ||
| systemctl start  | systemctl daemon-reload | ||
| systemctl status  | systemctl start vaultwarden | ||
| systemctl status vaultwarden | |||
| </syntaxhighlight> | </syntaxhighlight> | ||
| <p>Enable service to start at boot:</p> | <p>Enable service to start at boot:</p> | ||
| <syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
| systemctl enable  | systemctl enable vaultwarden | ||
| </syntaxhighlight> | </syntaxhighlight> | ||
| Line 150: | Line 171: | ||
| * [https://github.com/dani-garcia/bw_web_builds WebVault] | * [https://github.com/dani-garcia/bw_web_builds WebVault] | ||
| * [https://github.com/dani-garcia/bitwarden_rs/wiki/Setup-as-a-systemd-service bitwarden.service] | * [https://github.com/dani-garcia/bitwarden_rs/wiki/Setup-as-a-systemd-service bitwarden.service] | ||
| * [https://github.com/dani-garcia/bitwarden_rs/blob/master/.env.template template configuration] | |||
Latest revision as of 22:31, 4 December 2023
| IP: | 192.168.88.15 | 
|---|---|
| MAC: | B6:04:55:14:93:89 | 
| Domain: | vault.flowerhouse.at | 
| OS: | Debian Bullseye | 
|---|---|
| Files: | Bitwarden.env | 
| RAM: | 512MB | 
| Cores: | 1 | 
| Privileged: | No | 
The BitWarden-LXC is reachable under 192.168.88.15 which is located in the ServerVLAN.
The subdomain is vault.flowerhouse.at which is handled by the ReverseProxy.
Building
The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.
Install the required packages for building:
apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev
Rust
Download script and follow installer:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Create environment variable:
echo 'export PATH=~/.cargo/bin:$PATH' >> ~/.bashrc
export PATH=~/.cargo/bin:$PATH
After running following command:
which rustc
It should show the path:
/root/.cargo/bin/rustc
vaultwarden
To build bitwarden_rs at least 1GB RAM is needed for it to work.
Clone the bitwarden_rs repository and use cargo to build it:
cd /opt
wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.23.1.tar.gz
tar -xvf 1.23.1.tar.gz
pushd vaultwarden-1.23.1
cargo clean && cargo build --features mysql --release
file target/release/vaultwarden
Now the build bitwarden_rs binary is located at:
cd /opt/vaultwarden/target/release/
Enable root-ssh:
nano /etc/ssh/sshd_config
Change following line:
#PermitRootLogin prohibit-password -> PermitRootLogin yes
Restart ssh-service:
service sshd restart
Only vaultwarden is needed for deployment.
Deploying
Required packages for deployment:
apt install openssl libmariadb-dev
vaultwarden
Create folders for deployment and move the vaultwarden binary to the folder /opt/bitwarden/:
mkdir /opt/vaultwarden
mkdir /opt/vaultwarden/data
Set permissions:
chmod 775 vaultwarden
Create .env file and paste Bitwarden.env:
nano /opt/vaultwarden/.env
Install WebVault
It is not needed to build WebVault, you can use one of the prepatched branches
Move to the vaultwarden_rs release folder and download WebVault:
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz
Unpack and delete:
tar -xvf bw_web_v2.18.1d.tar.gz
rm bw_web_v2.18.1d.tar.gz
systemd service
Create a service file for vaultwarden:
nano /etc/systemd/system/vaultwarden.service
And paste following:
[Unit]
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
# Only sqlite
After=network.target
[Service]
# The user/group vaultwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=root
Group=root
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
# Isolate bitwarden_rs from the rest of the system
# PrivateTmp=true
# PrivateDevices=true
# ProtectHome=true
# ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/
ReadWriteDirectories=/opt/vaultwarden/
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
Start and check if service is running:
systemctl daemon-reload
systemctl start vaultwarden
systemctl status vaultwarden
Enable service to start at boot:
systemctl enable vaultwarden


