Certginx is used for simplicity.
Copy nginx.conf to ./nginx/conf.d/subdomain.domain.com.conf in the Certginx directory.
Then follow the steps here.
You can protect the admin panel with credentials at the NGINX level. If you don't want this NGINX protection, remove the last block (`location /admin`) from your nginx configuration; if you keep that block without creating credentials, you will not be able to access the admin panel.

To generate your htpasswd user (`-c` creates the file; omit it when adding further users):

```sh
htpasswd -c nginx/htpasswd/.htpasswd your_username
```

Add this volume to docker-compose.yml so NGINX can read your htpasswd users:

```yaml
- ./nginx/htpasswd:/etc/nginx/htpasswd
```
Match the user with your UID and GID (`id -u` and `id -g`).
Environment variables are in data/docker-config.env.
Full documentation [here](https://github.com/dani-garcia/vaultwarden/blob/main/.env.template).
Create the shared directory:

```sh
mkdir /home/vaultwarden-shared
```

Add the shared group:

```sh
addgroup vaultwarden-shared
```

Give the group ownership of the shared directory:

```sh
chown :vaultwarden-shared /home/vaultwarden-shared
```

Add the users to the shared group (repeat for the other user; membership applies at the user's next login):

```sh
usermod -aG vaultwarden-shared vaultwarden
```

Restrict the shared directory to the group. Mode 1770 gives the owner and the group full access and nothing to others, and the sticky bit means only a file's owner can delete it:

```sh
chmod 1770 /home/vaultwarden-shared
```

Give the group ownership of the file:

```sh
chown :vaultwarden-shared /path/to/your/dumps.zip
```

Copy the file into the shared directory:

```sh
cp /home/vaultwarden/backups/* /home/vaultwarden-shared
```
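The following audit script is an added example, not part of the original setup notes: it checks that a shared directory ended up in the state the steps above produce (mode 1770, group-owned, every dump inside group-owned and not world-writable) and reports every deviation. The `demo()` function builds one correct and one sloppy directory under a temporary root (using the current process group as a stand-in for `vaultwarden-shared`, which is an assumption for the offline run) and audits both.

```python
import grp
import os
import stat
import tempfile

# End state the steps above produce: mode 1770 (owner and group rwx, nothing
# for others, sticky bit set) and group ownership by the shared group.
EXPECTED_DIR_MODE = 0o1770


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:  # gid without a group entry (minimal containers)
        return str(gid)


def audit_shared_dir(path, group):
    """Return a list of findings; an empty list means the directory matches the procedure."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)  # permission bits including setuid/setgid/sticky
    if mode != EXPECTED_DIR_MODE:
        findings.append(f"{path}: mode {oct(mode)}, expected {oct(EXPECTED_DIR_MODE)}")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible by users outside the group")
    if not mode & stat.S_ISVTX:
        findings.append(f"{path}: sticky bit missing, members could delete each other's dumps")
    if _group_name(st.st_gid) != group:
        findings.append(f"{path}: group {_group_name(st.st_gid)}, expected {group}")
    # Each dump placed in the directory must be group-owned (the chown step)
    # and must not be writable by everyone.
    for name in sorted(os.listdir(path)):
        fpath = os.path.join(path, name)
        fst = os.stat(fpath)
        if _group_name(fst.st_gid) != group:
            findings.append(f"{fpath}: group {_group_name(fst.st_gid)}, expected {group}")
        if stat.S_IMODE(fst.st_mode) & stat.S_IWOTH:
            findings.append(f"{fpath}: world-writable")
    return findings


def demo():
    """Audit a correctly configured directory and a sloppy one; returns (findings_good, findings_bad)."""
    root = tempfile.mkdtemp(prefix="vw-shared-audit-")
    # New files and directories are created with the effective gid; that group
    # stands in for vaultwarden-shared in this constructed demo.
    group = _group_name(os.getegid())
    good = os.path.join(root, "good")
    bad = os.path.join(root, "bad")
    for d, dir_mode, file_mode in ((good, 0o1770, 0o640), (bad, 0o777, 0o666)):
        os.mkdir(d)
        dump = os.path.join(d, "dumps.zip")
        with open(dump, "wb") as fh:
            fh.write(b"constructed placeholder, not a real dump")
        os.chmod(dump, file_mode)
        os.chmod(d, dir_mode)
    return audit_shared_dir(good, group), audit_shared_dir(bad, group)


if __name__ == "__main__":
    findings_good, findings_bad = demo()
    print("good:", findings_good or "no findings")
    print("bad:", *findings_bad, sep="\n  ")
```

On the real host run `audit_shared_dir("/home/vaultwarden-shared", "vaultwarden-shared")` after the steps above; anything it returns is a step that was skipped or applied to the wrong path.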
The script below automates the dump: it stops the stack, copies the data files to a staging directory, archives them, encrypts the archive with gpg for each recipient, places the encrypted copies in the shared directory and removes the plaintext staging copy.

```bash
#!/bin/bash
# Recipients: each address must have a public key in this user's gpg keyring.
GPG_EMAILS=(
"[email protected]"
"[email protected]"
)
DATA_DIR="/home/vaultwarden/vaultwarden/data"
SHARE_DIR="/home/vaultwarden-shared"
TAR_BACKUP_DIR="/home/vaultwarden/backups"
BACKUP_DURATION_IN_DAYS=28
BACKUP_NAME="bitwarden-$(date '+%Y%m%d-%H%M').tar.xz"
DATA_TO_BACKUP=("db.sqlite3" "rsa_key.pem" "rsa_key.pub.pem" "config.json" "attachments" "sends")
# DO NOT CHANGE BELOW THIS LINE

# Start from an empty staging directory
rm -rf "${TAR_BACKUP_DIR}"
mkdir -p "${TAR_BACKUP_DIR}"
SCRIPT_FOLDER="$( cd "$(dirname "${0}")" >/dev/null 2>&1 ; pwd -P )"

# Stop the stack so the SQLite database is not written to while it is copied
cd "${SCRIPT_FOLDER}" && \
docker compose down || exit 1
for file in "${DATA_TO_BACKUP[@]}"; do
    cp -r "${DATA_DIR}/${file}" "${TAR_BACKUP_DIR}" 2>/dev/null
done
cd "${SCRIPT_FOLDER}" && \
docker compose up -d || exit 1

# Archive the staged files (the array is quoted so names with spaces survive)
cd "${TAR_BACKUP_DIR}" && \
tar -Jcf "${TAR_BACKUP_DIR}/${BACKUP_NAME}" "${DATA_TO_BACKUP[@]}" 2>/dev/null

# One encrypted copy per recipient; --batch makes gpg fail instead of prompting under cron
for email in "${GPG_EMAILS[@]}"; do
    echo "[$(date '+%Y-%m-%d %H:%M')] Encrypting '${BACKUP_NAME}' for ${email}"
    gpg --batch -r "${email}" -o "${SHARE_DIR}/${email}_${BACKUP_NAME}.gpg" -e "${TAR_BACKUP_DIR}/${BACKUP_NAME}" || exit 1
    chown :vaultwarden-shared "${SHARE_DIR}/${email}_${BACKUP_NAME}.gpg" || exit 1
done

# Remove the plaintext staging copy and expire encrypted backups older than the retention period
rm -rf "${TAR_BACKUP_DIR}"
find "${SHARE_DIR}" -type f -mtime +"${BACKUP_DURATION_IN_DAYS}" -delete

for email in "${GPG_EMAILS[@]}"; do
    [ -f "${SHARE_DIR}/${email}_${BACKUP_NAME}.gpg" ] \
    && echo "[$(date '+%Y-%m-%d %H:%M')] Success (${SHARE_DIR}/${email}_${BACKUP_NAME}.gpg)" \
    || echo "[$(date '+%Y-%m-%d %H:%M')] Failed (${SHARE_DIR}/${email}_${BACKUP_NAME}.gpg)"
done
```
You can automate the backups with cron (`crontab -e`); make the script executable first (`chmod +x backup.sh`). The example below runs two backups per day, one at midnight and one at noon:

```
# m h dom mon dow command
0 0 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log
0 12 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log
```
Add the following jails to /etc/fail2ban/jail.local:

```ini
[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
action = iptables-allports[name=vaultwarden, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 6
bantime = 30m
findtime = 10m

[vaultwarden-admin]
enabled = true
port = 80,443
filter = vaultwarden-admin
action = iptables-allports[name=vaultwarden-admin, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 2
bantime = 24h
findtime = 24h
```
Create /etc/fail2ban/filter.d/vaultwarden.local:

```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
```
Create /etc/fail2ban/filter.d/vaultwarden-admin.local:

```ini
[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
```
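To see what the two filters and their jail settings actually do before enabling them, here is an added offline replay, not part of the original notes: it applies both `failregex` lines to a constructed log sample and then counts failures per IP with the `maxretry` / `findtime` values from jail.local above. Two simplifications are assumptions of this example: fail2ban's `<ADDR>` placeholder is replaced with a plain IPv4 group, and the sample lines follow a `[time][module][LEVEL] message` layout that only approximates vaultwarden's real log prefix (the filters match on the message text, so the prefix does not matter to them).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two failregex lines from the filter files above. fail2ban expands <ADDR>
# to a full IPv4/IPv6 matcher; this offline test substitutes a plain IPv4 group.
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
FILTERS = {
    "vaultwarden": re.compile(
        r"^.*Username or password is incorrect\. Try again\. IP: " + ADDR + r"\. Username:.*$"),
    "vaultwarden-admin": re.compile(
        r"^.*Invalid admin token\. IP: " + ADDR + r".*$"),
}
# maxretry and findtime from jail.local above
JAILS = {
    "vaultwarden": (6, timedelta(minutes=10)),
    "vaultwarden-admin": (2, timedelta(hours=24)),
}
# Leading "[YYYY-MM-DD HH:MM:SS" of each line; the rest of the prefix is ignored.
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

LOGIN_FAIL = "Username or password is incorrect. Try again. IP: {ip}. Username: alice@example.com."
ADMIN_FAIL = "Invalid admin token. IP: {ip}."

# Constructed sample log (assumed layout, documentation IP ranges).
SAMPLE_LOG = [
    "[2024-01-01 09:00:00.000][vaultwarden::api::admin][ERROR] " + ADMIN_FAIL.format(ip="192.0.2.9"),
    "[2024-01-01 10:00:01.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:00:30.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="198.51.100.7"),
    "[2024-01-01 10:01:02.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:02:03.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:03:04.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:04:05.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:05:06.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 10:06:00.000][request][INFO] POST /identity/connect/token",  # not a failure
    "[2024-01-01 10:30:00.000][vaultwarden::api::identity][ERROR] " + LOGIN_FAIL.format(ip="198.51.100.7"),
    "[2024-01-01 11:00:00.000][vaultwarden::api::admin][ERROR] " + ADMIN_FAIL.format(ip="203.0.113.5"),
    "[2024-01-01 20:00:00.000][vaultwarden::api::admin][ERROR] " + ADMIN_FAIL.format(ip="192.0.2.9"),
]


def parse_failures(lines, jail):
    """Return (timestamp, ip) for every line the jail's failregex matches, oldest first."""
    hits = []
    for line in lines:
        m = FILTERS[jail].match(line)
        ts = TS_RE.match(line)
        if m and ts:
            hits.append((datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("addr")))
    return sorted(hits)


def banned_ips(lines, jail):
    """Replay failures with fail2ban's rule: an IP is banned once it has
    maxretry failures inside a findtime-long window."""
    maxretry, findtime = JAILS[jail]
    recent = defaultdict(list)
    banned = set()
    for ts, ip in parse_failures(lines, jail):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    for jail in JAILS:
        print(jail, "failures:", len(parse_failures(SAMPLE_LOG, jail)),
              "banned:", sorted(banned_ips(SAMPLE_LOG, jail)))
```

In the sample, 203.0.113.5 fails six logins inside ten minutes and is banned by the `vaultwarden` jail, while 198.51.100.7's two failures half an hour apart are not enough; 192.0.2.9 presents a bad admin token twice within 24 hours and is banned by the stricter `vaultwarden-admin` jail. Against the real log file, use fail2ban's own tester, `fail2ban-regex /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.local`, which applies the full `<ADDR>` matcher. The `chain=FORWARD` in both actions is what makes the ban effective for Docker-published ports, since traffic to containers traverses the FORWARD chain rather than INPUT.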
More information about HTTP Basic Authentication