Andre Franca

How to self-host Vaultwarden with Podman on a VPS

Published: September 27, 2022
1515 words · 6 minutes to read
Tagged: #self-hosting #security #privacy #password-manager.

I would say that one of the most important things in our digital life is to have good passwords, and then a proper way to secure and manage those passwords. Thankfully, we have different solutions.

Today I’m going to show you how to self-host Vaultwarden with Podman [1].

Vaultwarden is described by its creator as an

alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

Considerations

If you’re setting up locally, let’s say on a Raspberry Pi, I wouldn’t mess with port forwarding, unless you know what you’re doing.

I’d instead look for a tool like Tailscale (which is great, free and will allow you to access your passwords even when you’re not at home).

Requirements

Install Podman

# Ubuntu 20.10 and newer
sudo apt -y update
sudo apt -y install podman

For other distros, or if you’d like to install from source, see the podman documentation.

Install Caddy

# Ubuntu 20.10 and newer
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt -y update
sudo apt -y install caddy

For other distros, or if you’d like to install from source, see the caddy documentation.

Enabling firewall ports

I like to use UFW to manage my firewall rules. If you’re running newer versions of Ubuntu, it should be pre-installed. Otherwise, you may search for it in your package manager. Feel free to use any firewall to manage your rules if you feel like it.

Before enabling UFW, make sure to allow SSH access, so you don’t get locked out of your server.

sudo ufw allow <your-ssh-port>/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable

Install Vaultwarden

By default, rootless Podman containers won’t start at boot and are stopped when the user who started them logs out. To let the container keep running in the background:

sudo loginctl enable-linger <your-username>

Now we need to create a volume to mount into our container, so that our data persists when we restart or recreate the container.

podman volume create vaultwarden

Let’s create a Podman container for Vaultwarden [3]:

podman run --detach --name vaultwarden --volume vaultwarden:/data/ --restart always --memory 256m --publish 8080:80 --publish 3012:3012 --env WEBSOCKET_ENABLED=true docker.io/vaultwarden/server:latest

By now, you should have your container up and running. You can verify that by running podman ps.

CONTAINER ID  IMAGE                                COMMAND            CREATED      STATUS             PORTS                                         NAMES
15e928a3d92e  docker.io/vaultwarden/server:latest  /start.sh          2 weeks ago  Up 43 seconds ago  0.0.0.0:8080->80/tcp, 0.0.0.0:3012->3012/tcp  vaultwarden
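An added check, not part of the original post: the podman ps output above shows both published ports bound to 0.0.0.0, so they listen on every interface and only the UFW rules from earlier keep the plain-HTTP port from being reached directly. The script below parses that output to flag such bindings and rewrites the --publish flags to bind to 127.0.0.1, which is sufficient because Caddy proxies from the same host; SAMPLE_PS and RUN_CMD are constructed copies of the page’s own output and command.

```shell
#!/bin/sh
# Constructed copy of the `podman ps` output shown above (not live output),
# so the checks below run without podman installed.
SAMPLE_PS='CONTAINER ID  IMAGE                                COMMAND    CREATED      STATUS             PORTS                                         NAMES
15e928a3d92e  docker.io/vaultwarden/server:latest  /start.sh  2 weeks ago  Up 43 seconds ago  0.0.0.0:8080->80/tcp, 0.0.0.0:3012->3012/tcp  vaultwarden'

# Constructed copy of the run command used above.
RUN_CMD='podman run --detach --name vaultwarden --volume vaultwarden:/data/ --restart always --memory 256m --publish 8080:80 --publish 3012:3012 --env WEBSOCKET_ENABLED=true docker.io/vaultwarden/server:latest'

# exposed_ports: read `podman ps` output on stdin and print every port mapping
# whose host side is 0.0.0.0, i.e. listening on all interfaces. Prints nothing
# when every mapping is bound to a specific address such as 127.0.0.1.
exposed_ports() {
    grep -o '[0-9][0-9.]*:[0-9]*->[0-9]*/[a-z]*' |
        grep '^0\.0\.0\.0:' || true
}

# count_exposed: number of all-interface mappings in the input (prints 0 when none).
count_exposed() {
    exposed_ports | grep -c . || true
}

# local_publish: rewrite each "--publish HOSTPORT:CONTAINERPORT" flag so the
# host side binds to 127.0.0.1 only. Caddy runs on the same host and proxies
# to localhost, so the plain-HTTP ports never need to accept remote traffic.
local_publish() {
    sed -E 's/--publish ([0-9]+:[0-9]+)/--publish 127.0.0.1:\1/g'
}

# Stand-alone demo: list what is exposed, then show the hardened run command.
# Against a live host, use:  podman ps | exposed_ports
printf '%s\n' "$SAMPLE_PS" | exposed_ports
printf '%s\n' "$RUN_CMD" | local_publish
```

Binding to loopback is defence in depth: the Vaultwarden HTTP port stays unreachable even if a firewall rule is later removed by mistake.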

Set up Caddy as Reverse Proxy

Open the file /etc/caddy/Caddyfile

sudo nano /etc/caddy/Caddyfile

Comment out all existing lines or just delete them, then add the following lines:

example.com {
        reverse_proxy localhost:8080
        reverse_proxy /notifications/hub localhost:3012
        reverse_proxy /notifications/hub/negotiate localhost:8080

        tls <your-email> {
                protocols tls1.3
        }
        header {
                # enable HSTS
                Strict-Transport-Security max-age=31536000;
        }
        encode gzip
}

Make sure to edit the first line with your own domain.tld, and the sixth line with the email you’d like to use when generating your SSL certificate.

Caddy will take care of the certificate automatically for you.

Reload the caddy service:

sudo systemctl reload caddy

Now you should be able to access your Vaultwarden container in your browser by accessing https://your-domain.tld.

Initial Setup

Additional Steps

Configure systemd

Navigate to the ~/.config/systemd/user folder. The last path component is literally named user: it is where systemd looks for per-user unit files, so do not replace it with your username.

cd ~/.config/systemd/user

If the folder does not exist, just create it:

mkdir -p ~/.config/systemd/user

Now, you have to create a systemd unit file that can be used to control the container. Luckily podman can help us by issuing the following command:

# Generate systemd unit file
podman generate systemd --files --name vaultwarden

# Enabling our file to start at boot
systemctl --user enable container-vaultwarden.service

The "--user" part is a flag; do not replace it with your real username.

Reboot your server, then run podman ps to confirm that the container started without any problems.

Update

The updating process basically consists of pulling a new image, removing the old one, then recreating our container.

# Check if there's any update for your container image
podman pull docker.io/vaultwarden/server:latest

# If any update, you should stop and delete your current container
podman stop vaultwarden && podman rm vaultwarden

# Now we can recreate our Vaultwarden container
podman run --detach --name vaultwarden --volume vaultwarden:/data/ --restart always --memory 256m --publish 8080:80 --publish 3012:3012 --env WEBSOCKET_ENABLED=true docker.io/vaultwarden/server:latest

# Check if it's up and running
podman ps

Feel free to automate this process if you would like to.

Official Documentation

https://github.com/dani-garcia/vaultwarden/wiki

The official Wiki page provides lots of useful information and specific additional configurations you may be interested in like:

Using Vaultwarden

The Vaultwarden container we just created is compatible with upstream Bitwarden clients.

Remember to edit the settings of the application before logging in: you must point the client at your custom Server URL.

If you need additional help, check out the Bitwarden Help Center.

Additional Tip

If you want to learn about password manager [4] alternatives, for instance local-based password managers, the page below is great:

https://www.privacyguides.org/passwords/

  1. Why Podman instead of Docker?

    I have run into trouble running docker on low-end hardware (like a Raspberry Pi), while Podman works seamlessly.

    In terms of capabilities, as of today I haven’t found any missing features for my use cases.

  2. You can try to get a certificate using other methods like acme.sh

  3. Flags explained:

    detach - daemonizes the container so it runs in the background;
    name - defines a name for the container;
    volume - uses the persistent volume vaultwarden created in the previous step;
    restart - ensures that our container will try to stay up if something goes wrong;
    memory - limits the total amount of memory used by the container (you can change this value as needed or even omit this flag);
    publish - maps host ports to container ports (host:container);
    env - the WEBSOCKET_ENABLED=true environment variable enables the WebSocket notification server for our container.

  4. Password managers basically allow you to securely store and manage passwords and other credentials.

    A cloud-based password manager allows you to sync all your passwords on a cloud server for easy accessibility and safety against device loss, as I’m going to demonstrate in this post.

    A local-based password manager allows you to manage an encrypted password database locally.
