-
-
Notifications
You must be signed in to change notification settings - Fork 2k
Deployment examples
This page is an index of standalone deployment examples. If adding a new example, please create a new category if appropriate, and keep things organized in general.
This section documents different options to host Vaultwarden on your own hardware or any infrastructure that is primarily managed by yourself.
This Ansible deployment sets up a highly available Vaultwarden cluster using the following components:
Key Features:
- Nginx: Handles SSL offloading and load balancing for optimal performance and security.
- Certbot: Automatically generates and manages SSL certificates for secure communication.
- Vaultwarden: Serves as the main backend for password management.
- Keepalived: Provides virtual IP and redundancy for high availability.
- PostgreSQL: Uses an external database for storing data.
- Docker and Docker Compose: Deploy all services with docker compose.
-
https://github.com/guerzon/ansible-role-vaultwarden
Ansible role that currently supports EL8 and EL9 distributions. Under active development and support and has a working MVP version.
-
https://github.com/martient/vaultwarden-ansible
Ansible deployment for vaultwarden on raspberry pi, for migrate from the previous configuration, follow the guides linked on the page.
-
DietPi is a lightweight Debian-based distribution (image) for all kinds of devices like Raspberry Pi, Odroid, NanoPi and others. It offers a software script for installing various programs including Vaultwarden. That spares the user tinkering with installation commands.
For installing Vaultwarden on DietPi just type
dietpi-software install 183
on the command line. More information about the installation process and first access to Vaultwarden on DietPi can be found at https://dietpi.com/docs/software/cloud/#vaultwarden -
https://mijo.remotenode.io/posts/tailscale-caddy-docker/
A walkthrough guide for securing access to Vaultwarden with Tailscale and Caddy. All services are containerized and managed with Docker Compose, hosted on a Raspberry Pi.
-
https://github.com/AlphanAksoyoglu/vaultwarden-rpi/
A docker-compose based, modular, self-hosted Vaultwarden deployment.
Options:
- LAN only, or LAN + Tailscale (Access from everywhere through VPN)
- Your domain (Cloudflare) or DuckDNS domain
- Optional Backup Service which does not rely on 3rd party containers
- Optional UFW and IPTABLES Hardening
Comes with a convenient installer:
- just run
install.sh --init
andinstall.sh --install
and an extensive README.
-
https://github.com/jjlin/vaultwarden-shared-hosting
Sample config for running
vaultwarden
on DreamHost, but should be readily adaptable to many other shared hosting services. -
https://lab.uberspace.de/guide_vaultwarden.html?highlight=bitwarden
Instructions on how to install from source and run on Uberspace shared hosting provider.
There's a example bitwarden config for NixOS. It's not very complex, you have the backend option, for the type of Database you wanna use, the Backupdir for a dedicated Backup systemdserive, the option to enable it and the config Option. For the Config Option you simply pass the .env Variables from the .env template in nix syntax. Secrets ( SMTP_PASSWORD,... ) store inside another .env file outside /nix/store and include by services.vaultwarden.environmentFile See Proxy Examples for a nixos-nginx example config.
Example Config
{ pkgs, ... }:
{
services.bitwarden_rs = {
enable = true;
backupDir = "/mnt/bitwarden";
config = {
WEB_VAULT_FOLDER = "${pkgs.bitwarden_rs-vault}/share/bitwarden_rs/vault";
WEB_VAULT_ENABLED = true;
LOG_FILE = "/var/log/bitwarden";
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
SIGNUPS_VERIFY = true;
# ADMIN_TOKEN = (import /etc/nixos/secret/bitwarden.nix).ADMIN_TOKEN;
DOMAIN = "https://exmaple.com";
# YUBICO_CLIENT_ID = (import /etc/nixos/secret/bitwarden.nix).YUBICO_CLIENT_ID;
# YUBICO_SECRET_KEY = (import /etc/nixos/secret/bitwarden.nix).YUBICO_SECRET_KEY;
YUBICO_SERVER = "https://api.yubico.com/wsapi/2.0/verify";
SMTP_HOST = "mx.example.com";
SMTP_FROM = "bitwarden@example.com";
SMTP_FROM_NAME = "Bitwarden_RS";
SMTP_PORT = 587;
SMTP_SECURITY = starttls;
# SMTP_USERNAME = (import /etc/nixos/secret/bitwarden.nix).SMTP_USERNAME;
# SMTP_PASSWORD = (import /etc/nixos/secret/bitwarden.nix).SMTP_PASSWORD;
SMTP_TIMEOUT = 15;
ROCKET_PORT = 8812;
};
environmentFile = "/etc/nixos/secret/bitwarden.env";
};
}
If you have any Questions about this part, feel Free to contact me. I on @litschi:litschi.xyz on matrix an litschi on IRC (hackint and freenode) or simply ask in the vaultwarden matrix.org chanel.
You can install Vaultwarden into your secure network-attached storage (NAS) with Let's Encrypt. Due to the QNAP's built-in HTTP(S) server, you cannot publish Vaultwarden on the standard HTTP(S) port (80 / 443).
-
https://github.com/icicimov/kubernetes-bitwarden_rs
Sets up a fully functional and secure
vaultwarden
application in Kubernetes behind nginx-ingress-controller and AWS ELBv1. It provides a little bit more than just simple deployment but you can use all or just part of the manifests depending on your needs and setup.
-
https://github.com/Skeen/helm-bitwarden_rs
Sets up a fully functional and secure
vaultwarden
application in Kubernetes behind an nginx controller of your choice. It works well and is tested with the microk8s setup. There is support for generating SSL certificates via cert-manager too. -
https://github.com/guerzon/vaultwarden
Deploy
Vaultwarden
to Kubernetes clusters using Helm. This chart supports important customizations such as providing image tags and custom registry values, using an external MySQL or PostgreSQL database, using ingress controllers such as nginx-ingress and AWS LB Ingress Controller, using service accounts, configuring SMTP, and configuring storage options.This Helm chart is under active development and support.
This section presents different options to host Vaultwarden in the cloud or using Platform as a Service providers.
-
Deploy Vaultwarden in Amazon EKS using Terraform and Infrastructure-as-Code.
Installs vaultwarden on Sealos using all free addons. Takes about 1 minutes to install. Gracefully handle high concurrency and offer dynamic scalability.
-
https://github.com/dadatuputi/bitwarden_gcloud
Vaultwarden installation optimized for Google Cloud's 'always free' e2-micro compute instance
-
https://github.com/davidjameshowell/vaultwarden_heroku
Installs vaultwarden on Heroku using all free addons. Takes about 15 minutes to install.
Installs vaultwarden with SQLite database. But you need to create volume for database
flyctl volumes create vaultwarden_data -a [your app name] -s 1
Template to deploy Vaultwarden on Fly.io with websockets support (with caddy) and sqlite hourly backups using restic.
This is a script that automatically sets up vaultwarden using the docker image uploaded to DockerHub
and creates a Dokku app. The script assumes you have a global domain set
up (i.e. the file /home/dokku/VHOST
exists). Follow the prompts to set it up.
#!/usr/bin/env bash
set -euo pipefail
APPNAME=""
read -rp "Enter the name of the app: " APPNAME
# check if app name is empty
if [ -z "$APPNAME" ]; then
echo "App name empty. Using default name: vaultwarden"
APPNAME="vaultwarden"
fi
# check if dokku plugin exists
if ! dokku plugin:list | grep letsencrypt; then
sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
fi
# check if global email for letsencrypt is set
if ! dokku config:get --global DOKKU_LETSENCRYPT_EMAIL; then
read -rp "Enter email address for letsencrypt: " EMAIL
dokku config:set --global DOKKU_LETSENCRYPT_EMAIL="$EMAIL"
fi
# pull the latest image
IMAGE_NAME="vaultwarden/server"
docker pull $IMAGE_NAME
image_sha="$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)"
echo "Calculated image sha: $image_sha"
dokku apps:create "$APPNAME"
dokku storage:ensure-directory "$APPNAME"
dokku storage:mount "$APPNAME" /var/lib/dokku/data/storage/"$APPNAME":/data
dokku domains:add $APPNAME $APPNAME."$(cat /home/dokku/VHOST)"
dokku letsencrypt:enable "$APPNAME"
dokku proxy:ports-add "$APPNAME" http:80:80
dokku proxy:ports-add "$APPNAME" https:443:80
dokku proxy:ports-remove "$APPNAME" http:80:5000
dokku proxy:ports-remove "$APPNAME" https:443:5000
dokku git:from-image "$APPNAME" "$image_sha"
Copy the above script to your dokku host and run it. Once the script succeeds, the web vault will be
available at https://$APPNAME.dokku.me
.
To update your vaultwarden server, run the following (remembering to replace $APP_NAME
with your app's name):
docker rmi -f vaultwarden/server
docker pull vaultwarden/server:latest
image_sha="$(docker inspect --format='{{index .RepoDigests 0}}' vaultwarden/server)"
dokku git:from-image $APP_NAME $image_sha
-
https://github.com/adamhnat/vaultwarden-azure
Vaultwarden installation optimized for Azure Container App service with fileshare for data
-
https://github.com/HarrisonLeach1/vaultwarden_digitalocean
Vaultwarden installation for Digital Ocean's cheapest droplet. Resources setup via terraform
- Which container image to use
- Starting a container
- Updating the vaultwarden image
- Using Docker Compose
- Using Podman
- Building your own docker image
- Building binary
- Pre-built binaries
- Third-party packages
- Deployment examples
- Proxy examples
- Logrotate example
- Overview
- Disable registration of new users
- Disable invitations
- Enabling admin page
- Disable the admin token
- Enabling WebSocket notifications
- Enabling Mobile Client push notification
- Enabling U2F and FIDO2 WebAuthn authentication
- Enabling YubiKey OTP authentication
- Changing persistent data location
- Changing the API request size limit
- Changing the number of workers
- SMTP configuration
- Translating the email templates
- Password hint display
- Disabling or overriding the Vault interface hosting
- Logging
- Creating a systemd service
- Syncing users from LDAP
- Using an alternate base dir (subdir/subpath)
- Other configuration