How to self-host Vaultwarden with Podman on a VPS

I would say that one of the most important things in our digital life is to have good passwords, and then a proper way to secure and manage those passwords. Thankfully, we have several solutions.

Today I'm going to show you how to self-host Vaultwarden with Podman.

Vaultwarden is described by its creator as an

alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

Why Podman instead of Docker?

In terms of capabilities, as of today I haven't found any missing features for my use cases.

Also, I have run into trouble running Docker on low-end hardware (like a Raspberry Pi), while Podman works seamlessly.

💡
Password managers basically allow you to securely store and manage passwords and other credentials.

A cloud-based password manager allows you to sync all your passwords on a cloud server for easy accessibility and safety against device loss, as I'm going to demonstrate in this post.

A local-based password manager allows you to manage an encrypted password database locally.

Considerations

  • It is strongly recommended to set up an SSL certificate and make sure your server's firewall, SSH and any other security measures are already in place (which I'm not covering in this post).
  • For the SSL certificate, make sure you have registered a domain name (for instance, example.com) and pointed the A and/or AAAA DNS records to the public IPv4 and/or IPv6 addresses of your VPS.
  • If you're setting up locally, let's say on a Raspberry Pi, I wouldn't mess with port forwarding, unless you know what you're doing. You can try to get a certificate using other methods like acme.sh (DNS API or DNS manual mode) or even Tailscale (which is great, free and will allow you to access your passwords when you're not at home), or not get an SSL certificate at all.

Requirements

Install Podman

# Ubuntu 20.10 and newer
sudo apt -y update
sudo apt -y install podman

For other distros, or if you'd like to install from source, see the podman documentation.

Install Caddy

# Ubuntu 20.10 and newer
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt -y update
sudo apt -y install caddy

For other distros, or if you'd like to install from source, see the caddy documentation.

Enabling firewall ports

I like to use UFW to manage my firewall rules. If you're running newer versions of Ubuntu, it should be pre-installed. Otherwise, you may search for it in your package manager. Feel free to use any firewall to manage your rules if you feel like it.

💡
Before enabling UFW, make sure to allow ssh access, so you don't get kicked out of your server.
sudo ufw allow <your-ssh-port>/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable

Install Vaultwarden

By default, rootless Podman containers won't start at boot or keep running after the user logs out. To allow it to run in the background:

sudo loginctl enable-linger <your-username>

Now, we need to create a volume to mount into our container, so our data persists after we restart or recreate the container.

podman volume create vaultwarden

Let's create a podman container for Vaultwarden:

podman run --detach --name vaultwarden --volume vaultwarden:/data/ --restart always --memory 256m --publish 8080:80 --publish 3012:3012 --env WEBSOCKET_ENABLED=true docker.io/vaultwarden/server:latest

The above flags explained

--detach - daemonizes the container to run in the background;
--name - sets a name for the container;
--volume - uses the persistent volume vaultwarden created in the previous step;
--restart - ensures that our container will try to stay up in case something goes wrong;
--memory - limits the total amount of memory used by the container (you can definitely change this value as needed or even omit this flag);
--publish - defines which host ports are mapped to the container ports, respectively;
--env - the WEBSOCKET_ENABLED=true environment variable enables the websocket server for our container.

By now, you should have your container up and running. You can verify that by running podman ps.

CONTAINER ID  IMAGE                                COMMAND            CREATED      STATUS             PORTS                                         NAMES
15e928a3d92e  docker.io/vaultwarden/server:latest  /start.sh          2 weeks ago  Up 43 seconds ago  0.0.0.0:8080->80/tcp, 0.0.0.0:3012->3012/tcp  vaultwarden

Set up Caddy as Reverse Proxy

Open the file /etc/caddy/Caddyfile

sudo nano /etc/caddy/Caddyfile

Comment out all existing lines or just delete them, then add the following lines:

example.com {
        reverse_proxy localhost:8080
        reverse_proxy /notifications/hub localhost:3012
        reverse_proxy /notifications/hub/negotiate localhost:8080

        tls <your-email> {
                protocols tls1.3
        }
        header {
                # enable HSTS
                Strict-Transport-Security max-age=31536000;
        }
        encode gzip
}
💡
Make sure to edit the first line with your own domain.tld, and the sixth line with the email you'd like to use when generating your SSL certificate. Caddy will take care of the certificate automatically for you.

Reload the caddy service:

sudo systemctl reload caddy

Now you should be able to access your Vaultwarden container in your browser by accessing https://your-domain.tld.

Initial Setup

  1. Navigate to your domain;
  2. Create an account using a strong password;
  3. Now login with your credentials and voila... you're done!

Additional Steps

Configure systemd

  • Navigate to the ~/.config/systemd/user folder (the last path component is literally user, not your username).

cd ~/.config/systemd/user

  • If the folder does not exist, just create it.

mkdir -p ~/.config/systemd/user

  • Now, you have to create a systemd unit file that can be used to control the container. Luckily, Podman can generate it for us with the following command:

# Generate the systemd unit file
podman generate systemd --files --name vaultwarden

# Enable the unit so the container starts at boot
systemctl --user enable container-vaultwarden.service

💡
The "--user" is a flag, and you should not replace it with your real user.

  • Reboot your server, then run podman ps to confirm that the container started without any problems.

Update

The updating process basically consists of pulling a new image, removing the old one, then recreating our container.

# Check if there's any update for your container image
podman pull docker.io/vaultwarden/server:latest

# If any update, you should stop and delete your current container
podman stop vaultwarden && podman rm vaultwarden

# Now we can recreate our Vaultwarden container
podman run --detach --name vaultwarden --volume vaultwarden:/data/ --restart always --memory 256m --publish 8080:80 --publish 3012:3012 --env WEBSOCKET_ENABLED=true docker.io/vaultwarden/server:latest

# Check if it's up and running
podman ps

Feel free to automate this process if you would like to.
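One way to automate the update steps above, as an added example that is not part of the original post: the script pulls the image, compares the local image ID before and after the pull, and only stops, removes and recreates the container when a new image actually arrived. It assumes rootless Podman and the container, volume and image names used in this post.

```shell
#!/bin/sh
# Constructed example: automates the Vaultwarden update procedure and only
# recreates the container when `podman pull` fetched a new image.
set -eu

IMAGE="docker.io/vaultwarden/server:latest"
NAME="vaultwarden"

# Print the local image ID for $IMAGE, or nothing if it is not present yet.
image_id() {
    podman image inspect --format '{{.Id}}' "$IMAGE" 2>/dev/null || true
}

# Exit 0 when the image ID after the pull differs from the one before it.
needs_update() {
    [ "$1" != "$2" ]
}

# Same podman run command as in the post; the named volume keeps /data intact.
# Hardening option: publish as 127.0.0.1:8080:80 and 127.0.0.1:3012:3012 so the
# container is reachable only through Caddy, not on every host interface.
recreate() {
    podman stop "$NAME" && podman rm "$NAME"
    podman run --detach --name "$NAME" --volume vaultwarden:/data/ \
        --restart always --memory 256m \
        --publish 8080:80 --publish 3012:3012 \
        --env WEBSOCKET_ENABLED=true "$IMAGE"
}

update_vaultwarden() {
    before=$(image_id)
    podman pull "$IMAGE"
    after=$(image_id)
    if needs_update "$before" "$after"; then
        echo "new image ${after}: recreating ${NAME}"
        recreate
        # Drop the superseded image so old layers do not pile up on the VPS.
        [ -z "$before" ] || podman image rm "$before" || echo "old image left in place"
        podman ps --filter "name=${NAME}"
    else
        echo "${NAME} is already running the latest image"
    fi
}

# Only act when invoked as `./update-vaultwarden.sh run`, so the file can also be sourced.
case "${1:-}" in
    run) update_vaultwarden ;;
esac
```

Drop it into a cron job or a systemd user timer if you want unattended updates.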

Official Documentation

Home · dani-garcia/vaultwarden Wiki
Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs - Home · dani-garcia/vaultwarden Wiki

The official Wiki page provides lots of useful information and specific additional configurations you may be interested in like:

  • Disable registration of new users;
  • Disable invitations;
  • Fail2Ban Setup (Recommended if your server is exposed to the internet);
  • SMTP Configuration.

Using Vaultwarden

The Vaultwarden container we just created is compatible with upstream Bitwarden clients.

Remember to edit the settings of the application before logging in. You must point it to your custom Server URL.

If you need additional help, check out the Bitwarden Help Center.

Help Center | Bitwarden
The Bitwarden Help Center guides you on how to use a password manager, evaluating password manager capabilities, and answering the most frequently asked questions.

Additional Tip

If you want to learn about password manager alternatives, for instance local-based password managers, the page below is great.

Password Managers - Privacy Guides
Privacy Guides is your central privacy and security resource to protect yourself online.