Skip to content

Vaultwarden

Create your docker-compose.yaml:

version: '3.9'
services:
  vaultwarden:
    image: vaultwarden/server:alpine
    restart: always
    env_file: .vaultwarden.env
    ports:
      - "[::1]:8003:80"
      - "[::1]:3012:3012"
    volumes:
      - "/srv/vaultwarden:/data/"
    networks:
      - database
networks:
  database:
    name: database
    external: true

Then create a .env-File:

# .vaultwarden.env
DOMAIN=https://vault.domain.tld/
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=false
SHOW_PASSWORD_HINT=false
DATABASE_URL=postgresql://<user>:<password>@postgres:5432/<database>
ADMIN_TOKEN=<yoursecureadmintoken>
WEBSOCKET_ENABLED=true

Issue a certificate and create a VHosts-File like here. Your VHosts-File should look like this:

# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6
server {
    server_name vault.domain.tld;
    listen 0.0.0.0:443 ssl http2;

    ssl_certificate /home/<username>/.acme.sh/vault.domain.tld/fullchain.cer;
    ssl_certificate_key /home/<username>/.acme.sh/vault.domain.tld/vault.domain.tld.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
            proxy_pass http://[::1]:8003/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }

    location /notifications/hub/negotiate {
            proxy_pass http://[::1]:8003/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }

    location /notifications/hub {
        proxy_pass http://[::1]:3012/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }
}

Now you may go to https://vault.domain.tld/admin and enter your admin secret. Here you can manage your Vaultwarden instance.