Vaultwarden (formerly Bitwarden_RS) is an open source password manager: a lightweight fork of the well-known Bitwarden, written in Rust. SQLite, MariaDB or PostgreSQL can be used as the database.
Preparation
Let’s update the OS, install the necessary packages
$ sudo dnf -y install epel-release
$ sudo dnf -y update
$ sudo dnf -y install tar nano wget gcc cmake openssl-devel sqlite-devel postgresql-devel mariadb-devel
Add a user on whose behalf the Vaultwarden service will run
$ sudo useradd -m -U -r -d /opt/vaultwarden vaultwarden
$ sudo chmod 750 /opt/vaultwarden
Installing Rust
Switch to the created user
$ sudo su - vaultwarden
Install Rust, according to the official manual
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
1) Proceed with installation (default)
Setting up the shell
$ source ~/.profile
$ source ~/.cargo/env
Checking
$ rustc -V
rustc 1.55.0 (c8dfcfe04 2021-09-06)
Switch back to sudo-user
$ exit
Installing Node JS
Create a directory for node and install node there
$ sudo mkdir /opt/node
$ cd /opt/node
$ sudo wget https://nodejs.org/dist/latest-v16.x/node-v16.11.1-linux-x64.tar.xz
$ sudo tar xJvf node-v16.11.1-linux-x64.tar.xz
$ sudo ln -s /opt/node/node-v16.11.1-linux-x64 /opt/node/current
$ for f in $(ls -1 /opt/node/current/bin/); do sudo ln -s "/opt/node/current/bin/${f}" /usr/sbin/; done
Installing Vaultwarden (Bitwarden_RS)
Switch to the created user and install the service
$ sudo su - vaultwarden
$ wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.22.2.tar.gz
$ tar xzvf 1.22.2.tar.gz
$ cd vaultwarden-1.22.2
$ cargo build --features postgresql --release
Installing the web interface
$ cd target/release
$ wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.23.0/bw_web_v2.23.0.tar.gz
$ tar xzvf bw_web_v2.23.0.tar.gz
Create a data directory, which we will later specify in the settings
$ cd
$ mkdir data
Let’s create a config file for Vaultwarden
$ nano /opt/vaultwarden/vaultwarden-1.22.2/target/release/.env
DATA_FOLDER=/opt/vaultwarden/data
DATABASE_URL='postgresql://pguser:[email protected]:5432/vaultwarden_db'
DATABASE_MAX_CONNS=10
# openssl rand -base64 48
ADMIN_TOKEN='Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU'
DOMAIN='https://vault.itdraft.ru'
#LOG_FILE=/var/log/vaultwarden.log
USE_SYSLOG=true
LOG_LEVEL=info
ENABLE_DB_WAL=true
DB_CONNECTION_RETRIES=15
DISABLE_ICON_DOWNLOAD=true
ICON_DOWNLOAD_TIMEOUT=10
ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
#SIGNUPS_ALLOWED=false
#SIGNUPS_VERIFY=false
#SMTP_HOST=
#SMTP_FROM=
#SMTP_FROM_NAME=
#SMTP_PORT=587
#SMTP_SSL=true
#SMTP_USERNAME=
#SMTP_PASSWORD=
#SMTP_TIMEOUT=
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
ORG_CREATION_USERS=admin
TRASH_AUTO_DELETE_DAYS=7
All parameters of the configuration file are described in the configuration template shipped in the downloaded archive.
Switch to sudo-user
$ exit
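Before starting the service it is worth checking the .env file for the settings that matter in this layout (nginx terminates TLS and proxies to Rocket on loopback). The following script is an added example, not part of the original article or the Vaultwarden project; it assumes the file path used above and flags a backend bound to anything but loopback, a non-https DOMAIN, a missing or short ADMIN_TOKEN, open registration (SIGNUPS_ALLOWED left at its default of true, as in the commented-out line above) and a world-readable file.

```shell
#!/bin/sh
# Added example: sanity-check a Vaultwarden .env before starting the service.
# Usage: check_vaultwarden_env /opt/vaultwarden/vaultwarden-1.22.2/target/release/.env
# Prints one line per finding and returns the number of findings (0 = clean).

env_get() {
    # Value of an uncommented KEY=VALUE line, quotes stripped; last match wins.
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]$//"
}

check_vaultwarden_env() {
    file=$1; findings=0
    addr=$(env_get "$file" ROCKET_ADDRESS)
    domain=$(env_get "$file" DOMAIN)
    token=$(env_get "$file" ADMIN_TOKEN)
    signups=$(env_get "$file" SIGNUPS_ALLOWED)

    # Behind the reverse proxy the backend must only be reachable via loopback.
    case "$addr" in
        127.0.0.1|::1) ;;
        *) echo "ROCKET_ADDRESS='$addr': bind to 127.0.0.1 so only nginx reaches the backend"
           findings=$((findings+1)) ;;
    esac
    # Clients build their URLs from DOMAIN; it must match the https:// vhost in nginx.
    case "$domain" in
        https://*) ;;
        *) echo "DOMAIN='$domain': must be an https:// URL"; findings=$((findings+1)) ;;
    esac
    # An unset token disables /admin entirely; 'openssl rand -base64 48' yields 64 chars.
    if [ -z "$token" ]; then
        echo "ADMIN_TOKEN is unset: the /admin page will be disabled"; findings=$((findings+1))
    elif [ "${#token}" -lt 32 ]; then
        echo "ADMIN_TOKEN is shorter than 32 characters"; findings=$((findings+1))
    fi
    # SIGNUPS_ALLOWED defaults to true: anyone who can reach DOMAIN may register.
    if [ "$signups" != "false" ]; then
        echo "SIGNUPS_ALLOWED is not 'false': open registration is enabled"; findings=$((findings+1))
    fi
    # The file holds the DB password and admin token; it must not be readable by others.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case "$mode" in
        *[1-7]) echo "$file is readable by others (mode $mode); use chmod 640"
                findings=$((findings+1)) ;;
    esac
    return "$findings"
}

if [ $# -gt 0 ]; then check_vaultwarden_env "$1"; fi
```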
Installing PostgreSQL
Disable postgresql from the system repository
$ sudo dnf -qy module disable postgresql
$ sudo dnf module list postgresql
Install PostgreSQL from the Postgres repository
$ sudo dnf -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
$ sudo dnf -y install postgresql13 postgresql13-server
Initialize the database cluster and start the service
$ sudo /usr/pgsql-13/bin/postgresql-13-setup initdb
$ sudo systemctl enable --now postgresql-13
$ systemctl status postgresql-13
Create the database user and database named in the configuration file
$ sudo su - postgres
$ psql
=# CREATE DATABASE vaultwarden_db;
=# \c vaultwarden_db
=# CREATE ROLE "pguser" WITH LOGIN PASSWORD 'pgpass';
=# GRANT ALL PRIVILEGES ON DATABASE "vaultwarden_db" TO "pguser";
=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pguser";
=# \q
$ exit
Systemd Unit
Create Systemd Unit
$ sudo nano /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden/
# If you use a database like mariadb,mysql or postgresql,
# you have to add them like the following and uncomment them
# by removing the `# ` before it. This makes sure that your
# database server is started before bitwarden_rs ("After") and has
# started successfully before starting bitwarden_rs ("Requires").
# Only sqlite
#After=network.target
# PostgreSQL
After=network.target postgresql-13.service
Requires=postgresql-13.service
# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service
# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service
[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden-1.22.2/target/release/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden-1.22.2/target/release/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
##ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
# Allow bitwarden_rs to bind ports in the range of 0-1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
We start the service, check
$ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden --now
$ sudo systemctl status vaultwarden
Installing and configuring Nginx
Add the repository
$ sudo nano /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Install Nginx, disable the default config
$ sudo dnf -y install nginx
$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled
Create config for vaultwarden
$ sudo nano /etc/nginx/conf.d/vaultwarden.conf
server {
    listen 80;
    server_name vault.itdraft.ru;
    return 301 https://vault.itdraft.ru$request_uri;
}
server {
    listen 443 ssl http2;
    server_name vault.itdraft.ru;
    ssl_certificate /etc/nginx/ssl/vault.crt;
    ssl_certificate_key /etc/nginx/ssl/vault.key;
    error_log /var/log/nginx/vaultwarden_error.log;
    access_log /var/log/nginx/vaultwarden_access.log;
    # Allow large attachments
    client_max_body_size 128M;
    # Vaultwarden listens on plain HTTP on loopback (no ROCKET_TLS in .env), so proxy with http://
    location / {
        proxy_pass http://127.0.0.1:4756;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /notifications/hub {
        proxy_pass http://127.0.0.1:3658;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /notifications/hub/negotiate {
        proxy_pass http://127.0.0.1:4756;
    }
    # Optionally add extra authentication besides the ADMIN_TOKEN
    # If you don't want this, leave this part out
    location /admin {
        # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
        # auth_basic "Private";
        # auth_basic_user_file /etc/nginx/passwd/bwAdmin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:4756;
    }
}
Check the config and start Nginx
$ sudo nginx -t
$ sudo systemctl enable --now nginx
Configuring Firewall, Disabling SELinux
Opening web ports
$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload
Disable SELinux
$ sudo nano /etc/sysconfig/selinux
SELINUX=disabled
$ sudo setenforce 0
Installation is complete. Open the configured domain in a browser, create a user and export passwords.