Here are some quick scripts to set up Vaultwarden, a self-hosted Bitwarden instance, as the password manager on your server.
1. Create pod
We need to place Vaultwarden in a pod, so we can run our database backup script to back up your passwords periodically. We’re placing the pod in the same network as Nginx Proxy Manager (bridge-for-podman in our example) to allow it to be accessed securely via a domain. So, step one is to create a pod:
podman pod create \
--replace \
-p 8080:8080 \
--network bridge-for-podman \
--name vaultwarden-pod
2. Create Vaultwarden container
Vaultwarden itself doesn’t require a huge amount of configuration. Before running the script below, create a suitable folder (/home/username/container-data/vaultwarden in the example below):
podman run -d \
--replace \
--pod=vaultwarden-pod \
--name vaultwarden \
--label "io.containers.autoupdate=registry" \
-v /home/username/container-data/vaultwarden/:/data/:Z \
-e ROCKET_PORT=8080 \
-e SIGNUPS_ALLOWED=true \
docker.io/vaultwarden/server:latest
3. Configure Nginx Proxy Manager
As things stand, if you go to http://192.168.x.y:8080/ in your web browser, all you’ll see is the Vaultwarden logo and a spinning wheel. This means that the instance is up and running, but you can’t access it through a web browser via an insecure (http) connection. You need web access to set up users, so what’s the solution? Trying https won’t work because you need a valid SSL certificate to encrypt the connection.
The solution is to configure your proxy server to forward a subdomain or dynamic DNS domain to your Bitwarden instance. For that we recommend Nginx Proxy Manager. Find out how to set it up here.
Once configured, select Hosts > Proxy Hosts. Click Add Proxy Host, then set it up as follows:
- Domain names: Your domain name or Dynamic hostname
- Scheme: http
- Forward Hostname/IP: your server’s IP address
- Forward Port: 8080
Flick both Block Common Exploits and Websockets Support switches to on.
Now switch to the SSL tab. Click None and select Request a new SSL Certificate from the dropdown menu. Flick Force SSL and HTTP/2 Support switches to on. Input your email address, agree to the terms of service and finally click Save.
Once done, type your domain name or dynamic hostname into your browser’s Address Bar. If all is configured correctly, you should find yourself staring at the Vaultwarden login screen. Click Create Account to get started.
4. Limit access
Once you’ve set up your account, consider locking out all other potential users. After all, anyone could input your domain/dynamic hostname into their browser and use your Vaultwarden instance for themselves. To prevent this, run the Podman command from above again, with one subtle difference (SIGNUPS_ALLOWED is set to false):
podman run -d \
--replace \
--pod=vaultwarden-pod \
--name vaultwarden \
-v /home/username/container-data/vaultwarden/:/data/:Z \
-e ROCKET_PORT=8080 \
-e SIGNUPS_ALLOWED=false \
docker.io/vaultwarden/server:latest
5. Set to autostart
Run these lines to have Vaultwarden restart with your server:
podman generate systemd --new --name vaultwarden -f
mv -v container-vaultwarden.service ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable container-vaultwarden.service
6. Set up database backup
What happens if your hard drive dies? It’ll take all your passwords with it. So here’s a container to take a backup of your database at periodic intervals – the database will be stored, encrypted, in a backup folder inside your Vaultwarden container data folder, so remember to add this folder (~/container-data/vaultwarden/backup in our example) to your backup scripts (or Duplicati jobs, as I’ve done).
podman run \
--pod=vaultwarden-pod \
--name vaultwarden-backup \
--volumes-from=vaultwarden \
-e BACKUP_DIR=/data/backup \
-e BACKUP_DIR_PERMISSIONS=777 \
-e ENCRYPTION_PASSWORD='strong123$%password' \
-e TIMESTAMP=true \
-e TZ=Europe/London \
-e DELETE_AFTER=180 \
docker.io/bruceforce/vaultwarden-backup manual
The container runs once, backs up your database, then terminates. Because my server is configured under crontab to reboot once a week (see below), all I need to do is set the backup container to autostart with my server:
$ podman generate systemd --new --name vaultwarden-backup -f
$ mv -v container-vaultwarden-backup.service ~/.config/systemd/user/
$ systemctl --user daemon-reload
$ systemctl --user enable container-vaultwarden-backup.service
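The following is an added example, not part of the original guide: a POSIX shell function that reads a unit file written by the `podman generate systemd --new` commands above and reports open signups, a backup passphrase stored in the unit, and a backup directory mode that grants access to other users. The function name, finding labels and sample units are constructed for illustration.

```shell
#!/bin/sh
# audit_unit FILE: print one finding per line; nothing for a clean unit.
audit_unit() {
    unit_text=$(cat "$1") || return 2
    has() { printf '%s\n' "$unit_text" | grep -Eq -- "$1"; }

    # Vaultwarden accepts registrations unless SIGNUPS_ALLOWED=false is set,
    # so a missing or malformed value counts as open.
    if has 'vaultwarden/server' && ! has 'SIGNUPS_ALLOWED=false( |$)'; then
        echo "signups-open"
    fi
    # --new copies the full `podman run` line into ExecStart, so the backup
    # passphrase is stored in plain text in the unit file.
    if has 'ENCRYPTION_PASSWORD='; then
        echo "secret-in-unit"
    fi
    # Non-zero last octal digit: accounts other than owner/group get access.
    if has 'BACKUP_DIR_PERMISSIONS=[0-7]{2,3}[1-7]([^0-7]|$)'; then
        echo "backup-dir-other-access"
    fi
    return 0
}

# Constructed sample units, trimmed to the relevant ExecStart line.
write_samples() {
    cat > "$1/open.service" <<'EOF'
[Service]
ExecStart=/usr/bin/podman run -d --replace --pod=vaultwarden-pod --name vaultwarden -e ROCKET_PORT=8080 -e SIGNUPS_ALLOWED=true docker.io/vaultwarden/server:latest
EOF
    cat > "$1/closed.service" <<'EOF'
[Service]
ExecStart=/usr/bin/podman run -d --replace --pod=vaultwarden-pod --name vaultwarden -e ROCKET_PORT=8080 -e SIGNUPS_ALLOWED=false docker.io/vaultwarden/server:latest
EOF
    cat > "$1/backup.service" <<'EOF'
[Service]
ExecStart=/usr/bin/podman run --pod=vaultwarden-pod --name vaultwarden-backup -e BACKUP_DIR=/data/backup -e BACKUP_DIR_PERMISSIONS=777 -e ENCRYPTION_PASSWORD=EXAMPLE-ONLY docker.io/bruceforce/vaultwarden-backup manual
EOF
}

# Usage (script name is illustrative): sh audit.sh ~/.config/systemd/user/*.service
for unit_file in "$@"; do
    echo "== $unit_file"
    audit_unit "$unit_file"
done
```

A unit flagged `secret-in-unit` should at least be readable only by its owner, since anyone who can read the file can decrypt the backups.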
Reboot on a schedule
The following quick addition to crontab will ensure your Debian-based server reboots once a week:
$ sudo crontab -e
Add the following line:
30 03 * * 1 /sbin/shutdown -r now
Save and exit. Your server will now reboot every Monday morning at 3 am.