Running Vaultwarden

Vaultwarden; unofficial BitWarden API implementation; https://github.com/dani-garcia/vaultwarden

1 Idea

Run Vaultwarden (VW) in a container and put HAProxy in front of it to tighten access a bit: the service should only be reachable from trusted networks or from clients that can present a valid client certificate.

2 Vaultwarden container environment

You'll probably want something like the following env:

WEBSOCKET_ENABLED=true
SIGNUPS_ALLOWED=false
INVITATIONS_ALLOWED=false
ADMIN_TOKEN=like_whatevs

The last of these controls access to the /admin endpoint.

3 HAProxy configuration snippet

Adapt as needed.

frontend vault
	bind 1.2.3.4:443 ssl crt /path/to/vault.pem ca-file /usr/local/share/ca-certificates/bobcats.crt verify optional
	option forwardfor

	# An acl line cannot combine criteria with "&&": declare one ACL per check and
	# AND them together in the conditions below (AND is implicit in a condition)
	acl client_cert_supplied ssl_c_used 1
	acl client_cert_verified ssl_c_verify 0
	acl client_cert_bobcat   ssl_c_s_dn(CN) -m end .is.a.bobcat.localdomain.dk
	acl trusted_client_net   src 10.1.2.3 20.21.22.23

	# A supplied, CA-verified client certificate issued to a bobcat host grants access
	# to everything, /admin included ("allow" stops evaluation of the http-request rules)
	http-request allow if client_cert_supplied client_cert_verified client_cert_bobcat

	# Without such a certificate, /admin is off limits ...
	http-request deny if { path_beg /admin }

	# ... and general access is only allowed from trusted networks
	http-request deny if !trusted_client_net

	# Vaultwarden's websocket notifications live on a separate port; the negotiate call does not
	use_backend vault_ws if { path_beg /notifications/hub } !{ path_beg /notifications/hub/negotiate }
	default_backend vault

backend vault
	# vault http server
	server vault 127.0.0.1:9083 check

backend vault_ws
	# vault websocket server
	server vault_ws 127.0.0.1:3012

4 Backup

I have something like the following in Cron:

0 4 * * * root /usr/bin/sqlite3 /path/to/vault/data/db.sqlite3 ".backup /path/to/backup/db.daily.$(date +\%u.\%a).sqlite3"

Make sure to include this backup destination in your regular backup routine.
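A worked version of that cron job, added here as an example and not part of the original page: it takes the snapshot with SQLite's online backup API (the same mechanism the sqlite3 shell's ".backup" command uses), names the file with the same weekday rotation, and verifies the copy before it is trusted. The database it backs up is a constructed stand-in, not Vaultwarden's real schema.

```python
import sqlite3
import tempfile
from datetime import date
from pathlib import Path


def backup_name(backup_dir: Path, day: date) -> Path:
    # Same weekly rotation as the cron line: %u is the ISO weekday (1-7), %a the short day name
    return backup_dir / f"db.daily.{day.isoweekday()}.{day.strftime('%a')}.sqlite3"


def backup_vault_db(db_path: Path, backup_dir: Path, day: date) -> dict:
    """Snapshot a live SQLite database with the online backup API and check the copy."""
    dest = backup_name(backup_dir, day)
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(dest)
    try:
        src.backup(dst)  # consistent copy even if Vaultwarden writes meanwhile
        integrity = dst.execute("PRAGMA integrity_check").fetchone()[0]
        query = "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        tables = [r[0] for r in src.execute(query)]
        tables_match = [r[0] for r in dst.execute(query)] == tables
        rows = sum(dst.execute(f'SELECT count(*) FROM "{t}"').fetchone()[0] for t in tables)
    finally:
        src.close()
        dst.close()
    return {"path": dest, "integrity": integrity, "tables_match": tables_match, "rows": rows}


def make_constructed_db(db_path: Path) -> None:
    # Constructed stand-in for db.sqlite3 (not Vaultwarden's real schema): one "ciphers" table
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, name TEXT, data TEXT)")
        con.executemany("INSERT INTO ciphers VALUES (?, ?, ?)",
                        [("c1", "mail", "<encrypted>"), ("c2", "bank", "<encrypted>")])
    con.close()


def demo(day: date = date(2022, 12, 26)) -> dict:
    """Back up the constructed database in a scratch directory and return the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir, backup_dir = Path(tmp) / "data", Path(tmp) / "backup"
        data_dir.mkdir()
        backup_dir.mkdir()
        make_constructed_db(data_dir / "db.sqlite3")
        result = backup_vault_db(data_dir / "db.sqlite3", backup_dir, day)
        result["path"] = result["path"].name  # the scratch directory is gone after this block
        return result


if __name__ == "__main__":
    print(demo())
```

Anything other than "ok" from integrity_check, or a mismatch in tables or row counts, means the copy should not be kept as that day's backup.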

The /data folder in which db.sqlite3 resides is also home to an RSA key pair (rsa_key{,.pub}.pem). I can't seem to figure out what this key pair is used for, but it doesn't appear to affect what's stored in the database. To verify that this was actually the case, I copied the DB file to an empty folder and ran a dummy VW like so on my personal workstation:

# docker run --rm -it -v /path/to/db_folder:/data -p 8080:80 vaultwarden/server:latest

Then visiting http://localhost:8080 in a browser gave me access to my passwords.

Author: rkv

Created: 2022-12-26 Mon 00:15