
Self-hosted Bitwarden Password Manager

Another RPi application is a self-hosted Bitwarden Password Manager.

The advantages of that solution are:

  • You own your data, as it’s not in the cloud
  • Reduced risk that your passwords get stolen
  • Passwords are synced over all your devices

What you need is:

  • RPi
  • Docker installed
  • Nginx Proxy Manager (NPM)
  • Subdomain configured

I installed it based on the following setup guide: https://pimylifeup.com/raspberry-pi-bitwarden

Just make sure that you publish the container ports without binding them to a specific IP address, like this:

sudo docker run -d --name bitwarden \
    --restart=always \
    -v /bw-data/:/data/ \
    -p 8080:80 \
    -p 3012:3012 \
    vaultwarden/server:latest

You need a domain configured at your DNS provider with a CNAME entry like

bitwarden.example.de

If you are using a Dynamic DNS Provider, route the traffic there.

SSL must also be terminated somewhere in front of the container; in this case, that happens at Nginx Proxy Manager.

Configure the Proxy Host with the following parameters:

Details
IP: The IP Address of your server, e.g. 192.168.178.34
Forward Port: 8080
Block Common Exploits
Websockets Support

SSL
Force SSL
HTTP/2 Support
HSTS Enabled
HSTS Subdomains

Advanced
  location /admin {
    return 404;
  }

  location / {
    proxy_pass http://YOURIP:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  
  location /notifications/hub {
    proxy_pass http://YOURIP:3012;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  
  location /notifications/hub/negotiate {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://YOURIP:8080;
  }

Refer also to https://vaultwarden.discourse.group/t/vaultwarden-and-nginx-proxy-manager/1307/17
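
To confirm that the proxy host behaves as configured above (/admin answers 404, Force SSL redirects plain HTTP, HSTS is sent with subdomains), the following script is an added example and not part of the original guide. The function names and the AUDIT_HOST variable are hypothetical, and the expectation that Force SSL answers with a 3xx redirect to an https:// URL is an assumption.

```shell
#!/bin/sh
# Each helper reads a raw header dump (as printed by `curl -sI`) on stdin.

# Print the status code from the first line ("HTTP/2 404", "HTTP/1.1 301 ...").
status_of() {
    tr -d '\r' | awk 'NR == 1 { print $2 }'
}

# "HSTS Enabled" + "HSTS Subdomains": header present, max-age > 0, includeSubDomains.
has_hsts_subdomains() {
    tr -d '\r' | grep -i '^strict-transport-security:' |
        grep -i 'max-age=[1-9]' | grep -i 'includesubdomains' >/dev/null
}

# "Force SSL": a 3xx answer whose Location is an https:// URL (assumed behaviour).
redirects_to_https() {
    hdrs=$(tr -d '\r')
    case $(printf '%s\n' "$hdrs" | status_of) in
        3[0-9][0-9]) printf '%s\n' "$hdrs" | grep -i '^location: *https://' >/dev/null ;;
        *) return 1 ;;
    esac
}

# Live check of one host; prints one line per failed expectation.
audit_host() {
    host=$1; rc=0
    [ "$(curl -sI "https://$host/admin" | status_of)" = 404 ] ||
        { echo "FAIL: /admin is reachable through the proxy"; rc=1; }
    curl -sI "http://$host/" | redirects_to_https ||
        { echo "FAIL: plain HTTP is not redirected to HTTPS"; rc=1; }
    curl -sI "https://$host/" | has_hsts_subdomains ||
        { echo "FAIL: HSTS with includeSubDomains is missing"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $host matches the proxy host settings"
    return "$rc"
}

# Runs only when a host is given, e.g. AUDIT_HOST=bitwarden.example.de sh check-proxy.sh
if [ -n "${AUDIT_HOST:-}" ]; then audit_host "$AUDIT_HOST"; fi
```

Run it from a machine outside your LAN, so that the request really passes through the public DNS name and the proxy.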

Note that what we have actually installed is Vaultwarden (the vaultwarden/server image).

Now you should be able to set up a user and a vault.

Also consider setting up a backup solution; take a look at

https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#examples and https://dizzytech.de/posts/backing_up_vaultwarden/

I’m using bruceforce with the following command:

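# TZ takes a tz database name such as Europe/Berlin; CEST is an abbreviation, not a zone name
docker run -d --restart=always --name vaultwarden-backup \
    --volumes-from=bitwarden \
    -e BACKUP_DIR=/myBackup \
    -e TIMESTAMP=true \
    -e DELETE_AFTER=30 \
    -e TZ=Europe/Berlin \
    -v /bw-data/myBackup:/myBackup \
    bruceforce/vaultwarden-backup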

You should also copy the backup files to at least two different physical devices, via rsync, FTP or rclone, ideally run from a cron job.

Restore

To prevent accidental data loss, there is no automated restore process. If you need to restore a backup, do it manually by following the steps below. They assume your backups are located at ./backup/ and your Vaultwarden data is located at /var/lib/docker/volumes/vaultwarden/_data/; with the containers set up above, the data directory on the host is /bw-data/ and the backups are in /bw-data/myBackup.

# Delete any existing sqlite3 files
rm /var/lib/docker/volumes/vaultwarden/_data/db.sqlite3*

# Extract the archive
# You may need to install xz first
tar -xJvf ./backup/data.tar.xz -C /var/lib/docker/volumes/vaultwarden/_data/

By Gerhard Vogt

Born in Munich, but living more than 10 years now in the lovely Stuttgart area.
I grew up in a technical environment, then moved into project and people management.
I'm interested in plenty of outdoor sports like sailing, biking, skiing, hiking, but also ball sports like tennis and badminton.
Travelling the world, and making photos is another hobby.
Never get bored! :-)
