alphamike-1612  

Installing VaultWarden on a Bare Metal Instance

Vaultwarden is a lightweight, self-hosted server that implements the Bitwarden client API. The project only publishes it as Docker images; there are no official standalone binary releases, so to run it directly on a host you either build it from source or pull the binary out of the image. The Vaultwarden wiki does have a page on using a Docker image extractor to get the contents out of the image, but it doesn't go into much more detail. This post hopes to address that gap.

  1. First let us create a temporary working folder in our home directory.
    cd
    mkdir vaultwarden-extract
    cd vaultwarden-extract
  2. Next, let us download the script that extracts the contents of Docker images without needing Docker installed. It is available on GitHub and is written by jjlin. It is a plain shell script that pulls the image layers from the registry and unpacks them; as with anything you are about to run straight from the internet, read it before you make it executable.
    wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract
    chmod u+x docker-image-extract
  3. Then let us extract the contents of the vaultwarden Docker image.
    ./docker-image-extract vaultwarden/server:latest-alpine
    Without -p the script picks a default platform, which may not be the one your host runs on; to be sure you get the right build, pass -p with your platform explicitly.

    For example, to download the contents for an arm64 system, use
    ./docker-image-extract -p linux/arm64 vaultwarden/server:latest-alpine
    This will create a folder called output which contains the root filesystem of the image.

  4. What we have extracted is the container's entire root filesystem, which means it has its own home, media, mnt and usr directories, none of which we need. The only things we need are the following:
    • the vaultwarden executable (the alpine image ships a statically linked musl build, which is why it runs on the host without any of the container's libraries)
    • the web-vault folder (the static files of the web vault, which the server serves itself)
    • the data folder (where the SQLite database, attachments and the server's RSA key pair will live)

    Check the binary before going further: file output/vaultwarden should report a statically linked executable, and output/vaultwarden --version should print the version.

  5. Let us create a directory called vaultwarden in /opt and move just these files & folders there. The extracted tree sits under the output folder, so the paths are given relative to it. We can then delete the temporary directory we created inside our home directory (change out of it first, since it is our current directory).
    sudo mkdir /opt/vaultwarden
    sudo mv -t /opt/vaultwarden/ output/web-vault output/vaultwarden output/data
    cd
    sudo rm -R ~/vaultwarden-extract
  6. Next, let us create a user called vaultwarden, who will run the service we create in the next step: -M skips creating a home directory, -r makes it a system account, and -s gives it a shell that cannot log in. We will also change ownership of everything under /opt/vaultwarden to the new user.
    sudo useradd -Mrs /usr/sbin/nologin vaultwarden
    sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden
    Strictly, only the data folder needs to be writable by the service. A tighter layout leaves vaultwarden and web-vault owned by root (chown only /opt/vaultwarden/data to the service user) and narrows ReadWritePaths in the service file to /opt/vaultwarden/data, so that a compromised process cannot overwrite its own binary or the web vault it serves.
  7. Now let us create a .env file inside /opt/vaultwarden. In this file, we define the configuration that we want vaultwarden to use. For a full list of accepted configuration parameters, see here. Note that several settings can also be changed via the GUI on the /admin endpoint. To learn how to configure Vaultwarden, see this post.

    The file we are going to create has only 2 parameters, the IP address and port to bind to.

    Inside the container the image sets the environment so that the built-in web server binds to all interfaces on port 80; run outside the container, the binary falls back to Rocket's own defaults instead, so we set both explicitly. Bitwarden clients require HTTPS to work at all: the web vault uses the browser's Web Crypto API, which browsers only expose in a secure (HTTPS) context, so over plain HTTP the vault cannot even log in. There are 2 ways to achieve this: let the built-in Rocket server serve HTTPS itself with a self-signed certificate (not recommended), or delegate TLS to a dedicated web server such as Apache by placing vaultwarden behind a reverse proxy that terminates HTTPS (preferred).

    The .env file contains the following parameters.
    Comments(#) are for you to understand the code.
    Because this file will later hold secrets such as ADMIN_TOKEN or SMTP credentials, make it readable by its owner only.

    sudo touch /opt/vaultwarden/.env
    sudo chown vaultwarden:vaultwarden /opt/vaultwarden/.env
    sudo chmod 600 /opt/vaultwarden/.env
    sudo nano /opt/vaultwarden/.env
    #The address that the inbuilt web-server binds to.
    #We keep it on localhost and reverse proxy this service via Apache.
    ROCKET_ADDRESS=127.0.0.1
    #The port that the inbuilt web-server binds to (above 1024, since the service user is unprivileged).
    ROCKET_PORT=8001
  8. Next, we need to create a systemd service file that will start the vaultwarden executable at boot and sandbox it.

    The service file contains the following parameters.
    Comments(#) are for you to understand the code.
    Once it is saved, systemd-analyze security vaultwarden.service scores the sandboxing and lists further directives you could add.

    sudo nano /etc/systemd/system/vaultwarden.service
    [Unit]
    #Free-text description shown by systemctl status.
    Description = VaultWarden Server
    #Where further documentation about the service can be found.
    Documentation = https://github.com/dani-garcia/vaultwarden
    #Order this unit after basic networking has been brought up.
    After = network.target

    [Service]
    #The process started by ExecStart is the service itself (it does not fork).
    Type = simple
    #The user and group the service runs as.
    User = vaultwarden
    Group = vaultwarden
    #Environment variables (our ROCKET_* settings) are read from this file.
    EnvironmentFile = /opt/vaultwarden/.env
    #The executable to run when the service starts.
    ExecStart = /opt/vaultwarden/vaultwarden
    #vaultwarden looks for data/ and web-vault/ relative to its working directory.
    WorkingDirectory = /opt/vaultwarden
    #With ProtectSystem=strict below, this is the only path the service may write to.
    ReadWritePaths = /opt/vaultwarden
    #Cap open file descriptors (and so concurrent connections) and processes at sane values.
    LimitNOFILE = 1048576
    LimitNPROC = 64
    #Give the service a private /tmp instead of the shared one.
    PrivateTmp = true
    #Hide physical device nodes in /dev; only pseudo-devices like /dev/null remain.
    PrivateDevices = true
    #Make /home, /root and /run/user inaccessible to the service.
    ProtectHome = true
    #Mount the whole filesystem read-only except ReadWritePaths (and the API filesystems /dev, /proc, /sys).
    ProtectSystem = strict

    [Install]
    #Enabling the unit hooks it into multi-user.target, i.e. a normal boot.
    WantedBy = multi-user.target
  9. Now we can reload systemd, start the service and enable it at boot.
    sudo systemctl daemon-reload
    sudo systemctl start vaultwarden.service
    sudo systemctl enable vaultwarden.service
    Check that it came up and is listening only where we told it to: sudo systemctl status vaultwarden.service should show it active, and curl http://127.0.0.1:8001/alive should return a timestamp.
  10. With this, vaultwarden is up and running. To understand how to create a VirtualHost config for the Apache reverse proxy, see this post. Remember, you will need HTTPS for vaultwarden to function. As a quick and dirty workaround, if you do not have Apache or any other reverse proxy installed, you can let the built-in server do TLS by adding the following line to your .env file (the paths must be quoted):
    ROCKET_TLS={certs="<path-to-cert>",key="<path-to-key>"}

    Remember to set ROCKET_ADDRESS to 0.0.0.0 so that other hosts can reach it, and make sure a firewall limits which hosts can. Keep ROCKET_PORT above 1024: the vaultwarden user cannot bind 443 unless the service file grants it that capability (AmbientCapabilities=CAP_NET_BIND_SERVICE).

    To check how to generate a self signed certificate, see here.

    Also ensure that the certificate and key are readable by the vaultwarden user and the key by nobody else (preferably inside /opt/vaultwarden itself, owned by vaultwarden with mode 600 on the key).
  11. To learn how to configure vaultwarden using the admin panel, see here.
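Before starting the service, and again after switching on ROCKET_TLS, it is worth checking the layout and the .env against the points made above: the three items from the image are present, the binary and web vault are not writable by the service user, the .env is private, the bind address is loopback unless TLS is on, and the port is one an unprivileged user can bind. The script below does those checks. It is an added example, not code from the original post or from the Vaultwarden project; it assumes the /opt/vaultwarden layout and vaultwarden user used in the post and GNU stat/awk (any Linux host). It treats the service user owning the binary or the web vault as a warning rather than a hard failure, since the post's chown -R layout works but lets a compromised process overwrite them.

```shell
#!/bin/sh
# vaultwarden-preflight.sh: sanity checks for a bare-metal Vaultwarden layout,
# run before starting (or restarting) the service. Added example, not code from
# the original post or from the Vaultwarden project. Assumes the post's layout
# (DIR/vaultwarden, DIR/web-vault/, DIR/data/, DIR/.env; DIR defaults to
# /opt/vaultwarden, service user to vaultwarden) and GNU stat/awk (Linux).
# Usage: sh vaultwarden-preflight.sh [DIR] [SERVICE_USER]

# Print the value of key $2 from env file $1 (dotenv / systemd EnvironmentFile
# style): comments and blank lines are skipped, the last assignment wins, and
# the value is printed raw so ROCKET_TLS={certs="...",key="..."} stays intact.
env_get() {
  awk -v k="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    index($0, "=") > 0 {
      key = substr($0, 1, index($0, "=") - 1); sub(/^[ \t]+/, "", key)
      if (key == k) v = substr($0, index($0, "=") + 1)
    }
    END { if (v != "") print v }' "$1"
}

# 0 if $1 is writable by group or others (the w bits of e.g. "-rwxrw-r--").
gow_writable() {
  case "$(stat -c '%A' "$1" 2>/dev/null)" in
    ?????w*|????????w*) return 0 ;; *) return 1 ;;
  esac
}

# 0 if the bind setting is safe: ROCKET_ADDRESS is loopback (the reverse-proxy
# setup) or ROCKET_TLS is set. Unset, or non-loopback without TLS, is a finding.
check_bind() {
  addr=$(env_get "$1" ROCKET_ADDRESS)
  [ -n "$addr" ] || return 1
  case "$addr" in 127.*|::1|localhost) return 0 ;; esac
  [ -n "$(env_get "$1" ROCKET_TLS)" ]
}

# 0 if ROCKET_PORT is set and bindable by an unprivileged user (1024-65535);
# below 1024 needs CAP_NET_BIND_SERVICE, which the unit does not grant.
check_port() {
  port=$(env_get "$1" ROCKET_PORT)
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# 0 if the env file is readable by its owner only (mode 600 or 400); it may
# hold ADMIN_TOKEN or SMTP credentials later.
check_env_mode() {
  case "$(stat -c '%a' "$1" 2>/dev/null)" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Existence and permission checks for the three things kept from the image.
# Prints one line per finding and returns the number of findings (0 = clean).
check_layout() {
  dir=$1; bad=0
  [ -x "$dir/vaultwarden" ] || { echo "FAIL: $dir/vaultwarden missing or not executable"; bad=$((bad + 1)); }
  [ -f "$dir/web-vault/index.html" ] || { echo "FAIL: $dir/web-vault/index.html missing"; bad=$((bad + 1)); }
  [ -d "$dir/data" ] || { echo "FAIL: $dir/data is not a directory"; bad=$((bad + 1)); }
  for p in "$dir/vaultwarden" "$dir/web-vault"; do
    if [ -e "$p" ] && gow_writable "$p"; then
      echo "WARN: $p is group- or world-writable"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Ownership checks for DIR=$1 and service user $2: only data/ must be written by
# the service, so the binary and web-vault/ should not belong to it (a
# compromised process could otherwise replace them). Returns the finding count.
check_owner() {
  dir=$1; svc=$2; bad=0
  for p in "$dir/vaultwarden" "$dir/web-vault"; do
    if [ -e "$p" ] && [ "$(stat -c '%U' "$p")" = "$svc" ]; then
      echo "WARN: $p is owned by $svc; prefer root-owned, with data/ the only writable path"
      bad=$((bad + 1))
    fi
  done
  if [ -d "$dir/data" ] && [ "$(stat -c '%U' "$dir/data")" != "$svc" ]; then
    echo "FAIL: $dir/data must be owned by $svc"; bad=$((bad + 1))
  fi
  return "$bad"
}

# Run every check against DIR=$1 and service user $2; returns the total.
preflight() {
  dir=${1:-/opt/vaultwarden}; svc=${2:-vaultwarden}; envfile="$dir/.env"; n=0
  check_layout "$dir" || n=$((n + $?))
  check_owner "$dir" "$svc" || n=$((n + $?))
  [ -f "$envfile" ] || { echo "FAIL: $envfile missing"; return $((n + 1)); }
  check_env_mode "$envfile" || { echo "FAIL: $envfile should be mode 600"; n=$((n + 1)); }
  check_bind "$envfile" || { echo "FAIL: ROCKET_ADDRESS unset, or non-loopback without ROCKET_TLS"; n=$((n + 1)); }
  check_port "$envfile" || { echo "FAIL: ROCKET_PORT unset or not bindable by an unprivileged user"; n=$((n + 1)); }
  echo "preflight: $n finding(s)"
  return "$n"
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as sudo sh vaultwarden-preflight.sh /opt/vaultwarden vaultwarden; the exit status is the number of findings, so it drops straight into a deploy script as a gate before systemctl restart.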
