VaultWarden

From FlowerHouseWiki
Bitwarden.png

Network


IP: 192.168.88.15
MAC: B6:04:55:14:93:89
Domain: vault.flowerhouse.at

System


OS: Debian Buster
Files: Bitwarden.env
RAM: 512MB
Cores: 1
Privileged: No

The BitWarden-LXC is reachable under 192.168.88.15 which is located in the ServerVLAN.

The subdomain is vault.flowerhouse.at which is handled by the ReverseProxy.

Building

The original BitWarden-Server is only available with docker, this an alternative software programmed with rust.

Install the required packages for building:

apt install git curl wget htop pkg-config openssl libssl-dev build-essential libmariadb-dev-compat libmariadb-dev

Rust

Download script and follow installer:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Create environment variable:

echo 'export PATH=~/.cargo/bin:$PATH' >> ~/.bashrc
export PATH=~/.cargo/bin:$PATH

After running following command:

which rustc

It should show the path:

/root/.cargo/bin/rustc

vaultwarden

To build bitwarden_rs at least 1GB RAM is needed for it to work.

Clone the bitwarden_rs repository and use cargo to build it:

cd /opt
git clone https://github.com/dani-garcia/vaultwarden && pushd vaultwarden 
cargo clean && cargo build --features mysql --release
file target/release/vaultwarden

Now the build bitwarden_rs binary is located at:

cd /opt/vaultwarden/target/release/

Enable root-ssh:

nano /etc/ssh/sshd_config

Change following line:

#PermitRootLogin prohibit-password -> PermitRootLogin yes

Restart ssh-service:

service sshd restart

Only vaultwarden is needed for deployment.

Deploying

Required packages for deployment:

apt install openssl libmariadb-dev

vaultwarden

Create folders for deployment and move the vaultwarden binary to the folder /opt/bitwarden/:

mkdir /opt/vaultwarden
mkdir /opt/vaultwarden/data

Set permissions:

chmod 775 vaultwarden

Create .env file and paste Bitwarden.env:

nano /opt/vaultwarden/.env

Install WebVault

It is not needed to build WebVault, you can use one of the prepatched branches

Move to the vaultwarden_rs release folder and download WebVault:

wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1d/bw_web_v2.18.1d.tar.gz

Unpack and delete:

tar -xvf bw_web_v2.18.1d.tar.gz
rm bw_web_v2.18.1d.tar.gz

systemd service

Create a service file for vaultwarden:

nano /etc/systemd/system/vaultwarden.service

And paste following:

[Unit]
Description=Vaultwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden

# Only sqlite
After=network.target

[Service]
# The user/group vaultwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=root
Group=root
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
# Isolate bitwarden_rs from the rest of the system
# PrivateTmp=true
# PrivateDevices=true
# ProtectHome=true
# ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/
ReadWriteDirectories=/opt/vaultwarden/
# Allow bitwarden_rs to bind ports in the range of 0-1024
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Start and check if service is running:

systemctl daemon-reload
systemctl start vaultwarden
systemctl status vaultwarden

Enable service to start at boot:

systemctl enable vaultwarden

Sources