Install a Vaultwarden Server for Bitwarden

This tutorial will demonstrate how to set up a Vaultwarden server for use with Bitwarden password manager clients. This tutorial will use a Debian 11 server and will install via Podman, using Apache as a reverse proxy. Watch the video version here.

Prerequisites: You will need a server running Debian 11 (visit linode.nots.co, digitalocean.nots.co, or vultr.nots.co if you don't have one.)

Example parameters: In this example, the server URL used for Vaultwarden/Bitwarden will be example.nerdonthestreet.com.


Part 1: Set Up the Vaultwarden Container

Step 1: Log into your server as root (or use sudo) and make sure your server is entirely up-to-date:

apt update
apt full-upgrade

Step 2: Install Podman and MariaDB:

apt install podman mariadb-server

Step 3: Create a directory for Vaultwarden's configuration and data files:

mkdir /vaultwarden-data

Step 4: Secure your MariaDB installation and create a MariaDB/MySQL database for Vaultwarden:

mysql_secure_installation
mariadb
CREATE DATABASE vaultwarden;
CREATE USER 'vaultwarden'@'localhost' IDENTIFIED BY 'Passw0rd';
GRANT ALL PRIVILEGES ON vaultwarden . * TO 'vaultwarden'@'localhost';
quit

Step 5: Fetch and start the Vaultwarden container:

podman run -d --name vaultwarden --network host -v /vaultwarden-data/:/data/:Z -e ROCKET_PORT=8080 -e DATABASE_URL='mysql://vaultwarden:Passw0rd@127.0.0.1:3306/vaultwarden' -e ADMIN_TOKEN='RANDOM_SECRET_STRING' docker://vaultwarden/server:latest

Command explanation:

  • podman : Invokes the podman container application.
  • run : Tells Podman to run a container (it will fetch the container first, if necessary.)
  • -d : Short for --detach; runs the container in the background (detached or daemon mode) and doesn't keep the terminal tied up.
  • --name vaultwarden : Sets the container's name to vaultwarden.
  • --network host : Configures the container to use the physical host's network instead of a virtual network. (This requires running podman in root mode to use.)
  • -p 8080:8080 : (Not required when using --network host!) Configures port 8080 within the container to be mapped to port 8080 on the host. (Even if you are not changing the port number, this configuration is still necessary to allow the host to communicate with the container on that port.)
  • -v /vaultwarden/:/data/:Z : Configures a "volume" to be mounted in the container. /vaultwarden/ is the directory on the host; /data/ is the directory within the container where it will be mounted (and /data/ is the default path that Vaultwarden will store its data in); :Z gives the container write permissions for the volume, and does not allow other containers to mount the volume (using a lowercase :z instead would allow other containers to mount the volume.)
  • -e ROCKET_PORT=8080 : Sets the ROCKET_PORT environment variable, which Vaultwarden will read to decide what port to serve itself on.
  • -e DATABASE_URL='mysql://vaultwarden:Passw0rd@127.0.0.1:3306/vaultwarden : Sets the DATABASE_URL environment variable, which Vaultwarden will read to determine how to connect to its database. The URL syntax is mysql://username:password@IP:port/dbname.
  • -e ADMIN_TOKEN='RANDOM_SECRET_STRING' : Sets the ADMIN_TOKEN environment variable, which Vaultwarden will use for authentication when performing administrative tasks.
  • docker://vaultwarden/server:latest : Specifies what container image for Podman to start. The docker:// prefix tells Podman to fetch an image from Docker Hub. From there, the syntax is organization/application:version.

Part 2: Set Up an Apache Reverse Proxy

Step 6: Install Apache httpd and Let's Encrypt certbot:

apt install apache2 certbot python3-certbot-apache

Step 7: Create an HTTP virtual host:

nano /etc/apache2/sites-available/vaultwarden.conf

Set the following configuration:

<VirtualHost *:80>
        ServerName example.nerdonthestreet.com
</VirtualHost>

Step 6: Enable the HTTP virtual host, then reload Apache to activate it:

a2ensite vaultwarden
systemctl reload apache2

Step 7: Use Certbot to obtain an SSL/TLS certificate and configure an HTTPS virtual host:

certbot --apache

Step 7: Configure the HTTPS virtual host to forward traffic to and from the Podman container:

nano /etc/apache2/sites-available/vaultwarden-le-ssl.conf

Add the following configuration:

        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [P,L]
        ProxyPass / http://localhost:8080/

        ProxyPreserveHost On
        ProxyRequests Off
        RequestHeader set X-Real-IP %{REMOTE_ADDR}s

Step 8: Enable the necessary Apache modules to rewrite headers and proxy traffic to the container, then restart Apache to load the new modules and the updated virtual host configuration:

a2enmod proxy_http proxy_wstunnel headers systemctl restart apache2

Step 9: Access the configured URL in a web browser and proceed through the Bitwarden setup wizard.

Part 3: Configure the Vaultwarden Container to Start on Boot

Step 10: Confirm that the Apache service is enabled (starts on boot):

systemctl status apache2

Step 11: Generate a systemd service file for the Vaultwarden container:

podman generate systemd --name vault --files cat ./container-vault.service

Step 12: Move the service file into the systemd configuration directory and reload the configuration:

mv ./container-vault.service /etc/systemd/system/ systemctl daemon-reload

Step 13: Enable the systemd service for the Vaultwarden container:

systemctl enable container-vault.service

Step 14: Reboot and confirm that Bitwarden is accessible:

systemctl reboot

There are no pages beneath this page

Expand: Discussion Discussion (0 posts)