Set up the password management software Vaultwarden (Bitwarden_rs) on Tencent Cloud's lightweight application server using a non-Docker solution (repost)

Preface#

Bitwarden is a free and open-source password management service that allows users to store sensitive information (such as website login credentials) in an encrypted vault. The Bitwarden platform offers various client applications, including a web user interface, desktop applications, browser extensions, mobile applications, and a command-line interface. As a commercial free software, its developing company provides cloud hosting services (bitwarden.com) while also offering self-hosting solutions for the broader open-source community.

Vaultwarden, originally named Bitwarden_rs, was renamed to Vaultwarden starting from version 2.21.0. The original Bitwarden server is written in C#, which makes deployment difficult and requires commercial software like MSSQL, needing more than 2GB of memory to run. In contrast, Vaultwarden is an unofficial Bitwarden server implementation written in Rust, compatible with the official Bitwarden client, and requires only 10MB of memory to run, making it an ideal choice for self-hosting deployments that do not want to use the official resource-heavy version.

Vaultwarden supports most features for free, except for some functionalities of the official enterprise version (such as event logs, directory synchronization, and SSO login). It also keeps up-to-date with the official version.

Vaultwarden implements most of the functionalities required by the Bitwarden API, allowing desktop, mobile, and browser extension clients to directly use the official Bitwarden client applications.

The installation method recommended by the Vaultwarden repository is to deploy it directly with Docker. This article introduces a way to deploy Vaultwarden directly on the system without Docker. With around 16MB of memory usage, and MySQL as the data store instead of the default SQLite, its resource footprint is kept to a minimum.

I. Preparation#

1.1 Server and System Selection#

Since Vaultwarden consumes almost no system resources during operation, any model of lightweight application server can be selected; it is recommended to choose Ubuntu 18.04 or newer versions, as well as Debian 10 or newer versions of Linux distributions. Using CentOS may lead to unknown errors due to dependency package version issues.

Additionally, since deploying Vaultwarden will not have a destructive impact on the existing system environment, deploying Vaultwarden on a server that already has website services is also a good choice.

1.2 Environment Configuration#

1.2.1 Package and Dependency Configuration#

Execute the following commands in sequence to update package information, install necessary packages, and development tools:

apt update -y
apt install git nano curl wget htop pkg-config openssl libssl1.1 libssl-dev -y
apt install build-essential -y

1.2.2 Rust Environment Configuration#

Run curl https://sh.rustup.rs -sSf | sh to configure the Rust environment. (It may be slow in China.)

When you see Rust is installed now. Great!, it indicates that the installation is complete.

Execute the following commands in sequence to configure the environment variables for the cargo command:

echo 'export PATH=~/.cargo/bin:$PATH' >> ~/.bashrc
export PATH=~/.cargo/bin:$PATH
which rustc

If it returns /root/.cargo/bin/rustc, it indicates that the Rust environment configuration is complete.

II. Compiling Vaultwarden#

Run git clone https://github.com/dani-garcia/vaultwarden && cd vaultwarden to pull the Vaultwarden repository (it may be slow in China):

Run cargo clean && cargo build --features mysql --release to start compiling Vaultwarden.

Here, mysql can be replaced by sqlite or postgresql, or by any combination of the three features. When compiling with mysql or postgresql, the system must have MySQL or PostgreSQL installed; otherwise the build fails with:

linking with `cc` failed: exit status: 1
...
= note: /usr/bin/ld: cannot find -lmysqlclient
          collect2: error: ld returned 1 exit status

If you do not want to install MySQL itself, you can install only its client library for Rust (Ubuntu or Debian only):

apt install librust-mysqlclient-sys-dev -y

Compiling requires about 3GB of memory; if memory is insufficient, add swap, with about 2GB of free space recommended. Compilation takes a long time: on a single-core server with a LemonBench score of around 800, it took 28 minutes and 54 seconds.

III. Installing Vaultwarden#

3.1 Moving the Vaultwarden Binary File#

Execute the following commands in sequence:

cp target/release/vaultwarden /usr/bin/vaultwarden
chmod +x /usr/bin/vaultwarden

This places the Vaultwarden binary file into the system executable directory and grants execution permissions.

3.2 Configuring a Dedicated User for Vaultwarden#

Execute the following commands in sequence:

useradd -s /sbin/nologin -M vaultwarden
mkdir -p /var/lib/vaultwarden/data
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/

3.3 Deploying the Vaultwarden Web UI#

Execute the following commands in sequence:

wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.28.0/bw_web_v2.28.0.tar.gz
tar -xf bw_web_v2.28.0.tar.gz -C /var/lib/vaultwarden/

Here v2.28.0 is the version number at the time of writing; the latest release is listed at https://github.com/dani-garcia/bw_web_builds/releases/latest, so substitute the current version.

3.4 Writing the Vaultwarden Configuration File#

Execute touch /etc/vaultwarden.env and write the following content:

DATA_FOLDER=/var/lib/vaultwarden/data/
DATABASE_URL=mysql://[database username]:[database password]@127.0.0.1:3306/[database name]
IP_HEADER=X-Real-IP
WEB_VAULT_FOLDER=/var/lib/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ADMIN_TOKEN=[base64 code]
DOMAIN=https://vaultwarden.iks.moe

Here [database username], [database password] and [database name] are the MySQL user, that user's password and the database name; all three must be created in advance. The host must be written as 127.0.0.1, not localhost. [base64 code] is obtained by running openssl rand -base64 48, and https://vaultwarden.iks.moe is your own domain; the protocol prefix must be https://.
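As an added example (not the post's own files or commands), the script below writes the env file above from the section 3.4 values, generates ADMIN_TOKEN with the same openssl command, enforces the https:// and 127.0.0.1 rules, and keeps the file at mode 600 because it holds the database password and the admin token. The function names are this example's own, and it goes one step beyond the post's file by adding ROCKET_ADDRESS=127.0.0.1 (an existing Vaultwarden setting) so the vault listens only on loopback behind the reverse proxy of section IV.

```shell
# Added example, not from the original post: write the section 3.4 env file
# with a fresh ADMIN_TOKEN, apply the post's checks, and lock the file down.
# Function names are this example's own; ROCKET_ADDRESS is an addition.
set -eu

# Same command the post uses for [base64 code]; falls back to /dev/urandom.
gen_admin_token() {
    if command -v openssl >/dev/null 2>&1; then openssl rand -base64 48
    else head -c 48 /dev/urandom | base64; fi | tr -d '\n'
}

# Usage: write_vaultwarden_env OUTFILE DOMAIN DB_USER DB_PASS DB_NAME
# Writes nothing and returns 1 when one of the post's rules is violated.
write_vaultwarden_env() {
    out=$1; domain=$2; db_user=$3; db_pass=$4; db_name=$5
    case "$domain" in                      # protocol prefix must be https://
        https://*) ;;
        *) echo "DOMAIN must start with https:// (got $domain)" >&2; return 1 ;;
    esac
    case "$db_pass" in                     # '@', ':' or '/' would break the URL
        *[@:/]*) echo "percent-encode @ : / in the DB password first" >&2; return 1 ;;
    esac
    token=$(gen_admin_token)
    old_umask=$(umask); umask 077          # never world-readable, even briefly
    cat > "$out" <<EOF
DATA_FOLDER=/var/lib/vaultwarden/data/
DATABASE_URL=mysql://${db_user}:${db_pass}@127.0.0.1:3306/${db_name}
ROCKET_ADDRESS=127.0.0.1
IP_HEADER=X-Real-IP
WEB_VAULT_FOLDER=/var/lib/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ADMIN_TOKEN=${token}
DOMAIN=${domain}
EOF
    umask "$old_umask"
    chmod 600 "$out"                       # systemd reads EnvironmentFile as root
}

# Usage: check_vaultwarden_env FILE; reports each problem, returns 1 if any.
check_vaultwarden_env() {
    f=$1; rc=0
    grep -q '^DATABASE_URL=mysql://.*@127\.0\.0\.1:' "$f" || { echo "use 127.0.0.1, not localhost" >&2; rc=1; }
    grep -q '^DOMAIN=https://' "$f" || { echo "DOMAIN must be https://" >&2; rc=1; }
    grep -q '^ADMIN_TOKEN=.\{32,\}' "$f" || { echo "ADMIN_TOKEN missing or short" >&2; rc=1; }
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$perms" = 600 ] || { echo "$f must be mode 600, is $perms" >&2; rc=1; }
    return $rc
}
```

Run check_vaultwarden_env /etc/vaultwarden.env again after any manual edit; a file left readable by other users exposes the MySQL password and the admin token to every local account.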

3.5 Writing the Vaultwarden SystemD File#

Execute touch /etc/systemd/system/vaultwarden.service and write the following content:

[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden

# Uncomment the next line when using SQLite
# After=network.target

# Uncomment the next two lines when using MariaDB
# After=network.target mariadb.service
# Requires=mariadb.service

# Uncomment the next two lines when using MySQL
# After=network.target mysqld.service
# Requires=mysqld.service

# Uncomment the next two lines when using PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service

[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=/etc/vaultwarden.env
ExecStart=/usr/bin/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Uncomment the pair of lines for your database (MySQL here) and delete the remaining commented lines; the final configuration should look like the image:

3.6 Starting Vaultwarden#

Execute the following commands in sequence:

systemctl enable --now vaultwarden.service
systemctl start vaultwarden.service
systemctl status vaultwarden.service

If it starts normally, the prompt will look like the image below:

IV. Using Nginx to Reverse Proxy Vaultwarden#

This article takes the Baota panel as an example; other environments operate similarly.

4.1 Creating a New Site#

Create a new site, filling in the domain from step 3.4, and configure the SSL certificate.

4.2 Configuring Reverse Proxy#

Name it as desired, with the target URL as http://127.0.0.1:8000, and leave the others as default.

For non-Baota users, the Nginx reverse proxy configuration is:

location /
{
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;
    add_header Cache-Control no-cache;
}

V. Usage#

Access the domain and click Create Account to start the first step of password management.

VI. Subsequent Updates for Vaultwarden#

Redo steps II, 3.1 and 3.3, then execute systemctl restart vaultwarden.service to complete the update.

References#

https://nickhuber.ca/blog/bitwarden-rs-without-docker

https://gist.github.com/tavinus/59c314f4ccd70879db7f11074eacb6cc
