Vaultwarden Installation: Lightweight Bitwarden

Vaultwarden is a lightweight, Rust-based implementation of the Bitwarden password manager server, offering significantly lower resource requirements than the official Bitwarden server. Perfect for small deployments and resource-constrained environments, Vaultwarden maintains full compatibility with Bitwarden clients. This guide covers Docker installation, Nginx configuration, SSL setup, admin panel, user management, and backup strategy.

Prerequisites

Ensure you have:

  • Ubuntu 20.04 LTS or later
  • Root or sudo access
  • A registered domain name
  • Minimum 1GB RAM (2GB+ recommended)
  • 10GB available disk space
  • Basic Linux administration knowledge

Update system:

sudo apt update && sudo apt upgrade -y

System Requirements

Verify the system specifications:

Check OS version:

cat /etc/os-release
uname -m

Check available resources:

free -h
df -h

Docker Installation

Install Docker and Docker Compose:

sudo apt install -y docker.io docker-compose

Add user to docker group:

sudo usermod -aG docker $USER
newgrp docker

Verify the installation:

docker --version
docker-compose --version

Start Docker:

sudo systemctl start docker
sudo systemctl enable docker

Vaultwarden Deployment

Create the Vaultwarden directory:

mkdir -p /opt/vaultwarden
cd /opt/vaultwarden

Create docker-compose.yml:

nano docker-compose.yml

Add configuration:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    restart: always
    ports:
      # Publish on loopback only, on a host port that does not collide with Nginx (80/443)
      - "127.0.0.1:8080:80"
    volumes:
      - /opt/vaultwarden/data:/data
    environment:
      DOMAIN: https://vault.example.com
      SIGNUPS_ALLOWED: "false"
      INVITATIONS_ORG_ALLOW: "true"
      SHOW_PASSWORD_HINT: "false"
      LOG_LEVEL: info
      LOG_FILE: /data/vaultwarden.log
      EXTENDED_LOGGING: "true"
      EXTENDED_LOGGING_FILE: /data/vaultwarden-extended.log
      DATABASE_URL: sqlite:///data/db.sqlite3
      # Compose does not execute shell command substitution. Generate the value once with
      # `openssl rand -base64 32` and store it as ADMIN_TOKEN=... in /opt/vaultwarden/.env (mode 600)
      ADMIN_TOKEN: "${ADMIN_TOKEN}"
      ICON_CACHE_TTL: 2592000
      ICON_CACHE_NEGTTL: 259200
      ICON_DOWNLOAD_TIMEOUT: 10
      INCOMPLETE_2FA_TIME_LIMIT: 3
      # Values in an environment mapping must be strings or numbers, so booleans are quoted
      INCOMPLETE_2FA_TIME_LIMIT_MS: "false"
      TRASH_AUTO_DELETE_DAYS: 30
      TRASH_AUTO_DELETE_MS: "false"
      DISABLE_ICON_DOWNLOAD: "false"
      ICON_BLACKLIST_REGEX: "^https?://127\\.0|^https?://10\\.|^https?://172\\.(1[6-9]|2[0-9]|3[01])\\.|^https?://192\\.168\\.|^https?://localhost"
      ALLOWED_IFRAME_ANCESTORS: ""
      RELOAD_TEMPLATES: "false"
      LOG_LEVEL_DB: "warning"

Create the data directory:

mkdir -p /opt/vaultwarden/data

Start Vaultwarden container:

docker-compose up -d

Verify the container is running:

docker-compose ps
docker-compose logs -f vaultwarden

Wait for initialization to complete.
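
Before the service is exposed, the compose file can be linted for three mistakes this kind of deployment is prone to: a $(...) command substitution left in ADMIN_TOKEN (Compose never executes it), a container port published on all interfaces instead of loopback, and open signups. This script is an added example, not part of the original guide; the function name audit_compose is hypothetical, and the checks are line-based heuristics for a file laid out like the one above, not a YAML parser.

```shell
#!/bin/sh
# Added example: heuristic lint for a Vaultwarden docker-compose.yml.
# audit_compose FILE prints one line per finding and returns 0 only when clean.

audit_compose() {
    file="$1"
    findings=0

    # Compose never executes $(...): the admin token would be that literal text.
    if grep -Eq '^[[:space:]]*ADMIN_TOKEN:[[:space:]]*"?\$\(' "$file"; then
        echo "ADMIN_TOKEN holds an unexpanded command substitution"
        findings=$((findings + 1))
    fi

    # A port published without a loopback address serves plain HTTP to the
    # network, bypassing the Nginx TLS proxy.
    ports=$(awk '
        /^[ \t]*ports:/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ { gsub(/[-" \t]/, ""); print; next }
        { in_ports = 0 }' "$file")
    for p in $ports; do
        case "$p" in
            127.0.0.1:*) ;;
            *) echo "port mapping $p is published on all interfaces"
               findings=$((findings + 1)) ;;
        esac
    done

    # Open registration lets anyone who can reach the server create an account.
    if ! grep -Eq '^[[:space:]]*SIGNUPS_ALLOWED:[[:space:]]*"?false' "$file"; then
        echo "SIGNUPS_ALLOWED is not set to false"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_compose.sh /opt/vaultwarden/docker-compose.yml
if [ "$#" -gt 0 ]; then
    audit_compose "$1"
fi
```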

Nginx Configuration

Install Nginx:

sudo apt install -y nginx

Create the Nginx configuration:

sudo nano /etc/nginx/sites-available/vaultwarden

Add configuration:

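upstream vaultwarden {
    # Must match the loopback port the Vaultwarden container is published on;
    # it cannot be port 80, which this Nginx server listens on itself
    server 127.0.0.1:8080;
}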

server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vault.example.com;

    ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    client_max_body_size 100M;

    location / {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    location /notifications/hub {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /identity/connect/token {
        proxy_pass http://vaultwarden;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable site:

sudo ln -s /etc/nginx/sites-available/vaultwarden /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl start nginx
sudo systemctl enable nginx

SSL Certificate Configuration

Install Certbot:

sudo apt install -y certbot python3-certbot-nginx

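Obtain the SSL certificate. Standalone mode binds port 80 itself, so the hooks stop Nginx for the duration of the challenge and start it again afterwards:

sudo certbot certonly --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d vault.example.com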

Verify the certificate:

sudo openssl x509 -in /etc/letsencrypt/live/vault.example.com/fullchain.pem -noout -dates

Configure auto-renewal:

sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

Admin Panel Setup

Generate admin token:

openssl rand -base64 32

Access admin panel:

Navigate to https://vault.example.com/admin

Log in with generated admin token.

Configure admin settings:

  1. Organization

    • Create organization
    • Set organization name
  2. Users

    • Invite users
    • Manage permissions
    • Enable/disable accounts
  3. Settings

    • Configure signups policy
    • Set password requirements
    • Configure 2FA

User Management

Invite users to Vaultwarden:

  1. Admin Panel → Users
  2. Click "Invite User"
  3. Enter email address
  4. Send invitation

Users accept invitation:

  1. Click invitation link
  2. Create master password
  3. Activate account

Create organization:

  1. Admin Panel → Organizations
  2. Click "New Organization"
  3. Set organization details
  4. Invite members

Configure collection sharing:

  1. Organization → Collections
  2. Create collection
  3. Add items to collection
  4. Share with team members

Backup and Updates

Create the backup script:

sudo nano /usr/local/bin/vaultwarden-backup.sh

Add:

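#!/bin/bash

# The archive holds the whole vault database: make it readable by its owner only
umask 077

BACKUP_DIR="/backups/vaultwarden"
VAULTWARDEN_DIR="/opt/vaultwarden"
DATE=$(date +%Y%m%d_%H%M%S)

mkdir -p "$BACKUP_DIR"

# Stop Vaultwarden so the SQLite database is not written to during the copy
docker-compose -f "$VAULTWARDEN_DIR/docker-compose.yml" stop

# Data backup (paths inside the archive are relative to $VAULTWARDEN_DIR)
if tar -czf "$BACKUP_DIR/vaultwarden-data-$DATE.tar.gz" -C "$VAULTWARDEN_DIR" data; then
    RESULT="completed"
else
    RESULT="FAILED"
fi

# Start Vaultwarden
docker-compose -f "$VAULTWARDEN_DIR/docker-compose.yml" start

# Keep only 30 days
find "$BACKUP_DIR" -type f -mtime +30 -delete

echo "Backup $RESULT: $DATE"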

Make executable:

sudo chmod +x /usr/local/bin/vaultwarden-backup.sh

Schedule daily backups:

sudo crontab -e

Add:

0 2 * * * /usr/local/bin/vaultwarden-backup.sh >> /var/log/vaultwarden-backup.log 2>&1
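
A backup is only useful if it restores. The following restore test is an added example, not part of the original guide: it checks that an archive written by the script above is readable, contains data/db.sqlite3, and that the extracted file is an SQLite database. The function name verify_backup is hypothetical, and the PRAGMA integrity_check step runs only when the sqlite3 command-line tool is installed.

```shell
#!/bin/sh
# Added example: restore-test an archive produced by vaultwarden-backup.sh.
# verify_backup ARCHIVE returns 0 only if the database inside is usable.

verify_backup() {
    archive="$1"

    # 1. Listing every member forces tar/gzip to read the whole stream.
    listing=$(tar -tzf "$archive" 2>/dev/null) || {
        echo "FAIL: $archive is not a readable tar.gz"; return 1; }

    # 2. The SQLite database must be present (the path prefix may vary).
    db=$(printf '%s\n' "$listing" | grep -E '(^|/)data/db\.sqlite3$' | head -n 1)
    [ -n "$db" ] || { echo "FAIL: no data/db.sqlite3 in $archive"; return 1; }

    # 3. Extract only the database into a private scratch directory.
    scratch=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$scratch" "$db" 2>/dev/null; then
        rm -rf "$scratch"; echo "FAIL: cannot extract $db"; return 1
    fi

    # 4. Every SQLite file starts with the 15-byte magic "SQLite format 3".
    status=0
    if [ "$(head -c 15 "$scratch/$db")" != "SQLite format 3" ]; then
        echo "FAIL: $db does not have an SQLite header"; status=1
    elif command -v sqlite3 >/dev/null 2>&1; then
        # 5. Deeper check when the sqlite3 CLI is available.
        result=$(sqlite3 "$scratch/$db" 'PRAGMA integrity_check;' 2>&1)
        [ "$result" = "ok" ] || { echo "FAIL: integrity_check: $result"; status=1; }
    fi

    rm -rf "$scratch"
    [ "$status" -eq 0 ] && echo "OK: $archive"
    return "$status"
}

# Stand-alone use: sh verify_backup.sh /backups/vaultwarden/<archive>.tar.gz
if [ "$#" -gt 0 ]; then
    verify_backup "$1"
fi
```

Running it from the same cron job, right after the backup script, surfaces a truncated or empty archive on the day it is written rather than on the day it is needed.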

Update Vaultwarden:

cd /opt/vaultwarden
docker-compose pull
docker-compose down
docker-compose up -d

Monitor logs:

docker-compose logs -f vaultwarden

Troubleshooting

Check container status:

docker-compose ps

View container logs:

docker-compose logs vaultwarden
docker-compose logs -f vaultwarden

Restart the container:

docker-compose restart vaultwarden

Test connectivity:

curl -s https://vault.example.com | head -20

Check Nginx configuration:

sudo nginx -t
sudo systemctl status nginx

Conclusion

Vaultwarden is now deployed as a lightweight, self-hosted password manager. With minimal resource consumption, Nginx reverse proxy, SSL encryption, and full Bitwarden compatibility, you have an efficient password vault solution. Create organizations, manage users, and maintain strong password policies. Regular backups ensure password recovery and data protection. Vaultwarden's low resource footprint makes it perfect for small teams and resource-constrained environments.