CodePre.com

Free Online Tutorials
Home Linux Installing Vaultwarden (Bitwarden_RS) and non-docker PostgreSQL on Centos 8 / Rocky Linux

Installing Vaultwarden (Bitwarden_RS) and non-docker PostgreSQL on Centos 8 / Rocky Linux

Vaultwarden (Bitwarden_RS) is an open source password manager. A lightweight fork of the well-known Bitwarden, written in Rust. SQLite, MariaDB, PostgreSQL are used as a database

Preparation

Let’s update the OS, install the necessary packages 

                      
                        $ sudo dnf -y install epel-release
$ sudo dnf -y update
$ sudo dnf -y install tar nano wget gcc cmake openssl-devel sqlite-devel postgresql-devel mariadb-devel

Add a user on whose behalf the Vaultwarden service will run 

                      
                        $ sudo useradd -m -U -r -d /opt/vaultwarden vaultwarden
$ sudo chmod 750 /opt/vaultwarden

Installing Rust

Switch to the created user 

                      
                        $ sudo su - vaultwarden

Install Rust, according to the official manual 

                      
                        $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
1) Proceed with installation (default)

Setting up the shell 

                      
                        $ source ~/.profile
$ source ~/.cargo/env

Checking 

                      
                        $ rustc -V
rustc 1.55.0 (c8dfcfe04 2021-09-06)

Switch back to sudo-user 

                      
                        $ exit

Installing Node JS

Create a directory for node and install node there 

                      
                        $ sudo mkdir /opt/node
$ cd /opt/node
$ sudo wget https://nodejs.org/dist/latest-v16.x/node-v16.11.1-linux-x64.tar.xz
$ sudo tar xJvf node-v16.11.1-linux-x64.tar.xz
$ sudo ln -s /opt/node/node-v16.11.1-linux-x64 /opt/node/current
$ for f in $(ls -1 /opt/node/current/bin/); do sudo ln -s "/opt/node/current/bin/${f}" /usr/sbin/; done

Installing Vaultwarden (Bitwarden_RS)

Switch to the created user and install the service 

                      
                        $ sudo su - vaultwarden
$ wget https://github.com/dani-garcia/vaultwarden/archive/refs/tags/1.22.2.tar.gz
$ tar xzvf 1.22.2.tar.gz
$ cd vaultwarden-1.22.2
$ cargo build --features postgresql --release

Installing the web interface 

                      
                        $ cd target/release
$ wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.23.0/bw_web_v2.23.0.tar.gz
$ tar xzvf bw_web_v2.23.0.tar.gz

Create a data directory, which we will later specify in the settings 

                      
                        $ cd
$ mkdir data

Let’s create a config file for Vaultwarden 

                      
                        $ nano /opt/vaultwarden/vaultwarden-1.22.2/target/release/.env

DATA_FOLDER=/opt/vaultwarden/data
DATABASE_URL='postgresql://pguser:[email protected]:5432/vaultwarden_db'
DATABASE_MAX_CONNS=10

# openssl rand -base64 48
ADMIN_TOKEN='Q8rKXS3l6jmUYrcJGlwueZhiiIZWteGMVZe7Db/qFe0nQ68C5P5H4Bdi/1AMv4xU'
DOMAIN='https://vault.itdraft.ru'
#LOG_FILE=/var/log/vaultwarden.log
USE_SYSLOG=true
LOG_LEVEL=info
ENABLE_DB_WAL=true
DB_CONNECTION_RETRIES=15
DISABLE_ICON_DOWNLOAD=true
ICON_DOWNLOAD_TIMEOUT=10
ICON_BLACKLIST_REGEX='^(192.168.0.[0-9]+|192.168.1.[0-9]+)$'
#SIGNUPS_ALLOWED=false
#SIGNUPS_VERIFY=false
#SMTP_HOST=
#SMTP_FROM=
#SMTP_FROM_NAME=
#SMTP_PORT=587
#SMTP_SSL=true
#SMTP_USERNAME=
#SMTP_PASSWORD=
#SMTP_TIMEOUT=
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
ORG_CREATION_USERS=admin
TRASH_AUTO_DELETE_DAYS=7

All parameters of the configuration file are described in the template, from the downloaded archive

Switch to sudo-user 

                      
                        $ exit

Installing PostgreSQL

Disable postgresql from the system repository 

                      
                        $ sudo dnf -qy module disable postgresql
$ sudo dnf module list postgresql

Install PostgreSQL from the Postgres repository 

                      
                        $ sudo dnf -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
$ sudo dnf -y install postgresql13 postgresql13-server

We initiate the base, start the service 

                      
                        $ sudo /usr/pgsql-13/bin/postgresql-13-setup initdb
$ sudo systemctl enable --now postgresql-13
$ systemctl status postgresql-13

Create a database user and base, as in the configuration file 

                      
                        $ sudo su - postgres
$ psql
=# CREATE DATABASE vaultwarden_db;
=# c vaultwarden_db;
=# CREATE ROLE "pguser" WITH LOGIN PASSWORD 'pgpass';
=# GRANT ALL PRIVILEGES ON DATABASE "vaultwarden_db" TO "pguser";
=# GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "pguser";
=# q
$ exit

Systemd Unit

Create Systemd Unit 

                      
                        $ sudo nano /etc/systemd/system/vaultwarden.service

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden/
# If you use a database like mariadb,mysql or postgresql, 
# you have to add them like the following and uncomment them 
# by removing the `# ` before it. This makes sure that your 
# database server is started before bitwarden_rs ("After") and has 
# started successfully before starting bitwarden_rs ("Requires").

# Only sqlite
#After=network.target

# PostgreSQL
After=network.target mariadb.service
Requires=postgresql-13.service

# Mysql
# After=network.target mysqld.service
# Requires=mysqld.service

# PostgreSQL
# After=network.target postgresql.service
# Requires=postgresql.service

[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User=vaultwarden
Group=vaultwarden
# The location of the .env file for configuration
EnvironmentFile=/opt/vaultwarden/vaultwarden-1.22.2/target/release/.env
# The location of the compiled binary
ExecStart=/opt/vaultwarden/vaultwarden-1.22.2/target/release/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
##ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
ReadWriteDirectories=/opt/vaultwarden/vaultwarden-1.22.2/target/release/
# Allow bitwarden_rs to bind ports in the range of 0-1024
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

We start the service, check 

                      
                        $ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden --now
$ sudo systemctl status vaultwarden

Installing and configuring Nginx

Add the repository 

                      
                        $ sudo nano /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/
                        
                          centos
                        
                        /$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install Nginx, disable the default config 

                      
                        $ sudo dnf -y install nginx
$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf_disabled

Create config for vaultwarden 

                      
                        $ sudo nano /etc/nginx/conf.d/vaultwarden.conf
server {
    listen 80;

    server_name vault.itdraft.ru;
    return 301 https://vault.itdraft.ru$request_uri;
}

server {
  listen 443 ssl http2;
  server_name vault.itdraft.ru;

  ssl_certificate            /etc/nginx/ssl/vault.crt;
  ssl_certificate_key        /etc/nginx/ssl/vault.key;

  error_log /var/log/nginx/vaultwarden_error.log;
  access_log /var/log/nginx/vaultwarden_access.log;

  # Allow large attachments
  client_max_body_size 128M;

  location / {
    proxy_pass https://127.0.0.1:4756;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /notifications/hub {
    proxy_pass https://127.0.0.1:3658;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  location /notifications/hub/negotiate {
    proxy_pass https://127.0.0.1:4756;
  }

  # Optionally add extra authentication besides the AUTH_TOKEN
  # If you don't want this, leave this part out
  location /admin {
    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
#    auth_basic "Private";
#    auth_basic_user_file /etc/nginx/passwd/bwAdmin;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass https://127.0.0.1:4756;
  }
}

Checking the config, launching Nginx 

                      
                        $ sudo nginx -t
$ sudo systemctl enable --now nginx

Configuring Firewall, Disabling SELinux

Opening web ports 

                      
                        $ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload

Disable SELinux 

                      
                        $ sudo nano /etc/sysconfig/selinux
SELINUX=disabled

$ sudo setenforce 0

Installation is complete. Go to the desired URL in the browser, create a user, export passwords

Related Posts

Cómo capturar tráfico de red en Linux con tcpdump

Linux viene equipado con una plétora de utilidades de red para elegir. tcpdump es una de esas poderosas herramientas de…

Los 7 mejores editores de texto de Linux y alternativas de Gedit

Gedit, el editor de texto predeterminado para Ubuntu y el entorno de escritorio GNOME, es una pequeña aplicación ingeniosa que…

8 formas de proteger las conexiones del servidor SSH en Linux

SSH es un protocolo ampliamente utilizado para acceder a servidores Linux de forma segura. La mayoría de los usuarios utilizan…
Terminal abierto de carpeta Rtw88

No se encontró ningún error de adaptador Wi-Fi en Ubuntu [Fixed]

Los problemas con el adaptador inalámbrico son un problema frecuente en muchos sistemas operativos y lo mismo en Ubuntu no…

Cómo crear un USB de arranque en Chromebook

Dado que los CD y DVD se han vuelto bastante obsoletos, los USB ahora son la herramienta principal para instalar…
Seleccione la versión de copia de seguridad y haga clic en el botón Restaurar para restaurar todo

Timeshift: una herramienta sencilla para realizar copias de seguridad y restaurar su sistema

Como todos sabemos, hacer una copia de seguridad de nuestros datos es realmente importante. Nunca se sabe realmente si será…
Cambiar el nombre lógico del dispositivo

Guía de configuración de red para Ubuntu

Ya sea para uso personal o para crear un servidor, Ubuntu ofrece una gran cantidad de herramientas para configurar adecuadamente…
Red de cortafuegos Portmaster

Portmaster: una alternativa de Glasswire gratuita y de código abierto para Linux

Hay toneladas de procesos en segundo plano que, si no se controlan, consumen una gran cantidad de datos mientras se…

7 formas en las que GNOME es el entorno de escritorio líder de Linux

Hay muchos entornos de escritorio Linux, pero entre todas las opciones, GNOME ha sido durante mucho tiempo el líder. Las…
Guardar los metadatos en un archivo de texto

Exiftool: elimine fácilmente los datos EXIF ​​de cualquier archivo (s)

Cada vez que hace clic en una imagen desde cualquier dispositivo, ya sea un teléfono, una cámara o una cámara…