# [[Vaultwarden]] behind [[Proxy]]

We will put [[Vaultwarden]] behind [[Traefik-Proxy]] so we can securely access it over the [[Internet]].

| Host              | Resource name           | IPv4            | Notes                |
| ----------------- | ----------------------- | --------------- | -------------------- |
| [[Vaultwarden]]   | `vaultwarden.mdn.com`   | `192.168.0.222` | [[PVE]] [[LXC]] host |
| [[Traefik-Proxy]] | `traefik-proxy.mdn.com` | `192.168.0.11`  | [[PVE]] [[LXC]] host |

# [[Traefik-Proxy]] Setup

> [!cli]+ <code class="g-code">nano /etc/traefik/dynamic/hosts-https.yaml</code>
>
> ```YAML
> http:
>
>   routers:
>
>     vaultwarden:
>       entryPoints:
>         - "https"
>       rule: "Host(`vaultwarden.mdn.com`)"
>       middlewares:
>         - internal-https-hosts
>       tls:
>         certResolver: cloudflare
>       service: vaultwarden
>
>   services:
>
>     vaultwarden:
>       loadBalancer:
>         servers:
>           - url: "http://192.168.0.222:8088"
>         passHostHeader: true
> ```

# [[Vaultwarden]] Setup

## Create the Vault

https://vaultwarden.mdn.com - access the [[Vaultwarden]] vault

When we create an account we in effect create a vault, of which that account is the owner. The master password associated with this account is irretrievable by anyone, so save it in a very safe place.

Create Account

![[vaultwarden-login-0.png]]

Fill in the details and Create Account

![[vaultwarden-login-1.png]]

If you see the message below, change your password; do not ignore the warning.

![[vaultwarden-login-2.png]]

> [!attention] Security
> As we have not set up the ability to send emails, at this point, none of the steps we take are a security risk!

We can now log in to our vault.

![[vaultwarden-login-3.png]]

![[vaultwarden-login-4.png]]

At this point we can start adding items to our vault or configuring our account. We will do so at a later stage, as we first need to finish setting up the [[Vaultwarden]] [[Docker]] container.

For a quick primer, the vault is a store of [[Vaultwarden#Organisation|users and items]], with everything else being a different view of these two entities.
![[vaultwarden-dashboard-0.png]]

## [[SMTP]]/[[e-mail]]

For proper administration of the vault, we need to set up [[SMTP]] so that [[Vaultwarden]] can send emails. If you do not have a local [[SMTP]] setup, I suggest [[SendGrid - Setup|SendGrid]], a public [[SMTP]] service. [[Google]] and [[Microsoft]] only support [[OAuth]] accounts, and since neither [[Bitwarden]] nor [[Vaultwarden]] supports it, the best option is [[SendGrid]], which is easy to set up and has a free [[e-mail]] tier.

Once you have enabled the [[e-mail]] settings you will see "VERIFY EMAIL" on your dashboard, which you SHOULD complete.

![[vaultwarden-dashboard-1.png]]

## Setup [[Docker]] Container

<code class="g-code">openssl rand -base64 48</code> - generate the ADMIN_TOKEN - `1EbxJWpA3tslgIrqaEuGJ07I6cbi2w`

<code class="g-code">docker exec -it vaultwarden /vaultwarden hash</code> - a [more secure ADMIN_TOKEN](https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token)

> [!cli]+ <code class="g-code">nano compose.yaml</code>
>
> ```YAML
> services:
>
>   vaultwarden:
>
>     image: vaultwarden/server:latest
>     container_name: vaultwarden
>     restart: always
>
>     ports:
>       - 8088:80 # debian 8088 mapped to docker 80
>
>     volumes:
>       - /vw-data:/data:rw # debian /vw-data mapped to docker /data
>
>     environment:
>       - DOMAIN=https://vaultwarden.mdn.com/ # REPLACE - required when vaultwarden is behind a reverse proxy - the URL MUST end in a "/"
>       - ADMIN_TOKEN=1EbxJWpA3tslgIrqaEuGJ07I6cbi2w # REPLACE - plain-text token; the string produced by "vaultwarden hash" is the more secure form
>       - WEBSOCKET_ENABLED=true
>       - SIGNUPS_ALLOWED=false # set to "false" following account creation, so that no strangers can register
>       - SMTP_HOST=smtp.sendgrid.net # REPLACE if not Sendgrid
>       - SMTP_FROM=sender@example.com # REPLACE - sender address (placeholder)
>       - SMTP_PORT=587
>       - SMTP_SECURITY=starttls # STARTTLS on port 587; use "force_tls" with port 465
>       - SMTP_USERNAME=apikey # REPLACE if not sendgrid
>       - SMTP_PASSWORD=SG.X2C0MM3UT-BYG9WoddPvZ4 # REPLACE - Sendgrid API key
> ```

<code class="g-code">docker compose pull && docker compose up -d && docker compose logs -f</code>
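
The settings in the `environment` block above decide how exposed the vault is once Traefik publishes it, so here is an added check (not part of the original note and not Vaultwarden's own tooling) that audits a `compose.yaml` for them. The function names and the sample file are assumptions; it expects the unquoted `- KEY=value` list form used above and treats a value starting with `$argon2` or `$$argon2` (compose escaping) as a hashed token.

```shell
#!/bin/sh
# Added example: audit the Vaultwarden environment entries of a compose.yaml.

# env_value FILE KEY: value of the first "- KEY=value  # comment" entry
env_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

finding() { echo "FINDING: $1"; n=$((n + 1)); }

# audit_vaultwarden_env FILE: prints findings, exit status 1 if there are any
audit_vaultwarden_env() {
    f=$1; n=0
    case "$(env_value "$f" ADMIN_TOKEN)" in
        "") ;;                       # no token declared: admin page not enabled
        '$argon2'*|'$$argon2'*) ;;   # hashed form ("$$" assumed to be compose escaping)
        *) finding "ADMIN_TOKEN is plain text; use the string from 'vaultwarden hash'" ;;
    esac
    if [ "$(env_value "$f" SIGNUPS_ALLOWED)" != "false" ]; then
        finding "SIGNUPS_ALLOWED is not false; strangers can register"
    fi
    case "$(env_value "$f" DOMAIN)" in
        https://*) ;;
        *) finding "DOMAIN is not an https:// URL" ;;
    esac
    if [ -n "$(env_value "$f" SMTP_HOST)" ]; then
        port=$(env_value "$f" SMTP_PORT); sec=$(env_value "$f" SMTP_SECURITY)
        if [ "$sec" = "off" ]; then
            finding "SMTP_SECURITY=off sends the API key and mail unencrypted"
        elif [ "$port" = "465" ] && [ "$sec" != "force_tls" ]; then
            finding "SMTP_PORT=465 needs SMTP_SECURITY=force_tls (implicit TLS)"
        fi
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample input (placeholder values, not real secrets)
sample=$(mktemp)
cat > "$sample" <<'EOF'
    environment:
      - DOMAIN=https://vaultwarden.mdn.com/
      - ADMIN_TOKEN=PLAINTEXT-PLACEHOLDER   # REPLACE
      - SIGNUPS_ALLOWED=true
      - SMTP_HOST=smtp.sendgrid.net
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
EOF
audit_vaultwarden_env "$sample" || echo "fix the findings before exposing the vault"
rm -f "$sample"
```

Run it against the real file with `audit_vaultwarden_env compose.yaml`; a zero exit status means none of the four checks fired.
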
<code class="g-code">reboot</code> - test if [[Vaultwarden]] will survive a reboot

Changes to the admin password require recomposing [[Vaultwarden]]. Issue the following commands at any time. You will not lose your configuration settings.

<code class="g-code">docker stop vaultwarden</code> - stops the container

<code class="g-code">docker rm vaultwarden</code> - removes the container

<code class="g-code">docker compose pull && docker compose up -d</code> - pulls the latest container image and runs the container

<code class="g-code">reboot</code> - test if [[Vaultwarden]] will survive a reboot

## Admin

If you have declared an admin token in `compose.yaml` you can access the admin page at:

https://vaultwarden.mdn.com/admin

![[vaultwarden-admin-0.png]]

Enter the correct token to access the admin dashboard.

![[vaultwarden-admin-1.png]]

![[Vaultwarden#References]]