CodePre.com

Free Online Tutorials

Home Linux Installing Vaultwarden (Bitwarden_RS) and non-docker PostgreSQL on Centos 8 / Rocky Linux

Installing Vaultwarden (Bitwarden_RS) and non-docker PostgreSQL on Centos 8 / Rocky Linux

Vaultwarden (Bitwarden_RS) is an open source password manager. A lightweight fork of the well-known Bitwarden, written in Rust. SQLite, MariaDB, PostgreSQL are used as a database

Preparation

Let’s update the OS, install the necessary packages

$ sudo dnf -y install epel-release
$ sudo dnf -y update
$ sudo dnf -y install tar nano wget gcc cmake openssl-devel sqlite-devel postgresql-devel mariadb-devel

Add a user on whose behalf the Vaultwarden service will run

$ sudo useradd -m -U -r -d /opt/vaultwarden vaultwarden
$ sudo chmod 750 /opt/vaultwarden

Installing Rust

Switch to the created user

$ sudo su - vaultwarden

Install Rust, according to the official manual

$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
1) Proceed with installation (default)

Setting up the shell

$ source ~/.profile
$ source ~/.cargo/env

Checking

$ rustc -V
rustc 1.55.0 (c8dfcfe04 2021-09-06)

Switch back to sudo-user

$ exit

Installing Node JS

Create a directory for node and install node there

$ sudo mkdir /opt/node
$ cd /opt/node
$ sudo wget https://nodejs.org/dist/latest-v16.x/node-v16.11.1-linux-x64.tar.xz
$ sudo tar xJvf node-v16.11.1-linux-x64.tar.xz
$ sudo ln -s /opt/node/node-v16.11.1-linux-x64 /opt/node/current
$ for f in $(ls -1 /opt/node/current/bin/); do sudo ln -s "/opt/node/current/bin/${f}" /usr/sbin/; done

Installing Vaultwarden (Bitwarden_RS)

Switch to the created user and install the service

$ sudo su - vaultwarden
$ wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.22.2.tar.gz
$ tar xzvf 1.22.2.tar.gz
$ cd vaultwarden-1.22.2
$ cargo build --features postgresql --release

Installing the web interface

$ cd target/release
$ wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.23.0/bw_web_v2.23.0.tar.gz
$ tar xzvf bw_web_v2.23.0.tar.gz

Create a data directory, which we will later specify in the settings

$ cd
$ mkdir data

Let’s create a config file for Vaultwarden

$ nano /opt/vaultwarden/vaultwarden-1.22.2/target/release/.env

DATA_FOLDER=/opt/vaultwarden/data
DATABASE_URL='postgresql://pguser:pg[email protected]:5432/vaultwarden_db'
DATABASE_MAX_CONNS=10

# openssl rand -base64 48
ADMIN_TOKEN='Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU'
DOMAIN='https://vault.itdraft.ru'
#LOG_FILE=/var/log/vaultwarden.log
USE_SYSLOG=true
LOG_LEVEL=info
ENABLE_DB_WAL=true
DB_CONNECTION_RETRIES=15
DISABLE_ICON_DOWNLOAD=true
ICON_DOWNLOAD_TIMEOUT=10
ICON_BLACKLIST_REGEX='^(192.168.0.[0-9]+|192.168.1.[0-9]+)$'
#SIGNUPS_ALLOWED=false
#SIGNUPS_VERIFY=false
#SMTP_HOST=
#SMTP_FROM=
#SMTP_FROM_NAME=
#SMTP_PORT=587
#SMTP_SSL=true
#SMTP_USERNAME=
#SMTP_PASSWORD=
#SMTP_TIMEOUT=
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
ORG_CREATION_USERS=admin
TRASH_AUTO_DELETE_DAYS=7

All parameters of the configuration file are described in the template, from the downloaded archive

Switch to sudo-user

$ exit

Installing PostgreSQL

Disable postgresql from the system repository

$ sudo dnf -qy module disable postgresql
$ sudo dnf module list postgresql

Install PostgreSQL from the Postgres repository

$ sudo dnf -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
$ sudo dnf -y install postgresql13 postgresql13-server

We initiate the base, start the service

$ sudo /usr/pgsql-13/bin/postgresql-13-setup initdb
$ sudo systemctl enable --now postgresql-13
$ systemctl status postgresql-13

Create a database user and base, as in the configuration file

$ sudo su - postgres
$ psql
=# CREATE DATABASE vaultwarden_db;
=# c vaultwarden_db;
=# CREATE ROLE "pguser" WITH LOGIN PASSWORD 'pgpass';
=# GRANT ALL PRIVILEGES ON DATABASE "vaultwarden_db" TO "pguser";
=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pguser";
=# q
$ exit

Systemd Unit

Create Systemd Unit

$ sudo nano /etc/systemd/system/vaultwarden.service

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden/
# If you use a database like mariadb,mysql or postgresql, 
# you have to add them like the following and uncomment them 
# by removing the `# ` before it. This makes sure that your 
# database server is started before bitwarden_rs ("After") and has 
# started successfully before starting bitwarden_rs ("Requires").

# Only sqlite
#After=network.target

# PostgreSQL
After=network.target mariadb.service
Requires=postgresql-13.service

# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service

# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden-1.22.2/target/release/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden-1.22.2/target/release/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
##ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
# Allow bitwarden_rs to bind ports in the range of 0-1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

We start the service, check

$ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden --now
$ sudo systemctl status vaultwarden

Installing and configuring Nginx

Add the repository

$ sudo nano /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install Nginx, disable the default config

$ sudo dnf -y install nginx
$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled

Create config for vaultwarden

$ sudo nano /etc/nginx/conf.d/vaultwarden.conf
server {
    listen 80;

    server_name vault.itdraft.ru;
    return 301 https://vault.itdraft.ru$request_uri;
}

server {
  listen 443 ssl http2;
  server_name vault.itdraft.ru;

  ssl_certificate            /etc/nginx/ssl/vault.crt;
  ssl_certificate_key        /etc/nginx/ssl/vault.key;

  error_log /var/log/nginx/vaultwarden_error.log;
  access_log /var/log/nginx/vaultwarden_access.log;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass https://127.0.0.1:4756;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass https://127.0.0.1:3658;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass https://127.0.0.1:4756;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
#    auth_basic "Private";
#    auth_basic_user_file /etc/nginx/passwd/bwAdmin;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass https://127.0.0.1:4756;
  }
}

Checking the config, launching Nginx

$ sudo nginx -t
$ sudo systemctl enable --now nginx

Configuring Firewall, Disabling SELinux

Opening web ports

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

Disable SELinux

$ sudo nano /etc/sysconfig/selinux
SELINUX=disabled

$ sudo setenforce 0

Installation is complete. Go to the desired URL in the browser, create a user, export passwords

Related Posts

So verwenden Sie den chmod-Befehl unter Linux

Steuern Sie, wer auf Dateien zugreifen, Verzeichnisse durchsuchen und Skripte ausführen kann, indem Sie die Linux- chmod Befehl. Dieser Befehl…

How to use the chown command on Linux

Files and directories on Linux systems all belong to someone. You can change their ownership with the. change chown Command.…

How to use pipes on Linux

Use Linux pipes to choreograph command line utilities to work together. Simplify complex processes and increase your productivity by using…

How to use the chgrp command on Linux

the chgrp Command on Linux changes group ownership of a file or directory. Why are you using it instead of?…

How to use the finger command in Linux

Knowing who is using your Linux or Unix-like system is a fundamental part of managing it. Pointing at someone may…

How to Create Aliases and Shell Functions on Linux

Create your own Linux commands using aliases and Bash shell functions. Tame repetitive tasks, truncate long-winded processes, and configure standard…

So kopieren und fügen Sie Text in der Linux-Bash-Shell ein

Möchten Sie in der Befehlszeile der Bash-Shell kopieren und einfügen? Wir zeigen Ihnen verschiedene Techniken, egal ob Sie die Tastatur…

How to Run and Control Background Processes on Linux

Use the Bash shell in Linux to manage foreground and background processes. You can use Bash’s job control functions and…

So verwenden Sie den chroot-Befehl unter Linux

Die chroot Befehl kann Sie ins Gefängnis schicken, Ihre Entwicklungs- oder Testumgebungen isoliert halten oder einfach nur die Sicherheit Ihres…

So verschieben Sie Ihr Linux-Home-Verzeichnis auf ein anderes Laufwerk

Möchten Sie Ihren Linux-Home-Ordner auf ein anderes Laufwerk verschieben? Hier ist eine einfache und schrittweise Vorgehensweise, die bei jeder Distribution…