Post

Add Vaultwarden to Pi-hole

If followed my last post about setting up Pi-hole on a Raspberry Pi, you will probably have a Raspberry Pi running all the time leaving still some resources unused. Why not add something useful? Like a password manager?

Bitwarden is a popular open source choice and you can run your own server. However, their default server setup is a little complicated and requires quite some resources. They also offer a “Unified Deployment” which uses less resources and is easier to setup. It’s still in beta though. So I went for Vaultwarden, which is a re-write of Bitwarden’s original server. It does not require a lot of resources and you can run it using Podman as non-root user. My installation currently takes around 1,2 GB of disk space and around 300 MB of RAM (Pi-hole + Vaultwarden). Of course, this may vary depending on your usage.

NOTE: The installation described below is not meant to be exposed to the internet, it’s solely for home network usage with trusted devices/users!

Preparation

Install Podman

You can install Podman right away from Debian’s repositories:

1
$ sudo apt install podman

No further configuration required.

Add a non privileged user for Vaultwarden

We will now add a user which will be running the Vautlwarden docker image:

1
2
3
4
$ VUSER=vaultuser
$ sudo groupadd ${VUSER}
$ sudo useradd -d /home/${VUSER} -m -c "Vaultwarden user" -s /bin/bash -g ${VUSER} ${VUSER}
$ sudo passwd -l ${VUSER}

Install Vaultwarden

Create installation directories

To install Vaultwarden switch to the Vaultwarden user and create a directory for Vaultwarden’s data. I.e.:

1
2
$ sudo su - ${VUSER}
$ mkdir -m 700 -p vault/data

Configure environment

Copy a default environment file from here to vault/vaultwarden.conf. You should edit a few things here:

  • DOMAIN=https://<YOUR_RASPBERRYPI_NAME>/vaultwarden
  • IP_HEADER=X-Forwarded-For
  • ROCKET_PORT=8080
  • all SMTP_ settings you require to make email work

Download and run Vaultwarden

Download and install Vaultwarden docker image:

1
$ podman run -d --cgroup-manager=cgroupfs --name vaultwarden -v /home/`whoami`/vault/data/:/data/ --env-file=/home/`whoami`/vault/vaultwarden.conf -p 127.0.0.1:8080:8080 docker.io/vaultwarden/server:latest

You will now have Vaultwarden running, listening on localhost port 8080.

Add a reverse proxy configuration

As Pi-hole already installed lighttpd as webserver for its admin page, we will also use it as reverse proxy for Vaultwarden. If you followed my previous post, https should already be configured. If not, do this now. Then create a new configuration file for lighttpd /etc/lighttpd/conf-available/20-vault.conf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
server.modules += ( "mod_proxy" )

$HTTP["host"] == "<YOUR_RASPBERRYPI_NAME>" {

    $HTTP["url"] =~ "^/vaultwarden$" {
       url.redirect = ( "/vaultwarden" => "/vaultwarden/" )
    }

    $HTTP["url"] =~ "/vaultwarden" {
       proxy.server  = ( "" => ("vaultwarden" => ( "host" => "127.0.0.1", "port" => 8080 )))
       proxy.forwarded = ( "for" => 1 )
       proxy.header = (
           "https-remap" => "enable",
           "upgrade" => "enable",
           "connect" => "enable"
       )
    }
}

Without redirect, you will not be able to connect to Vaultwarden’s web vault without a trailing “/” (this really drove me nuts until I figured that out…). Activate the new configuration:

1
2
$ sudo ln -s /etc/lighttpd/conf-available/20-vault.conf /etc/lighttpd/conf-enabled/20-vault.conf
$ sudo systemctl restart lighttpd

You can now open your web browser, go to https://<YOUR_RASPBERRYPI_NAME>/vaultwarden/ and create your Vaultwarden account.

Enabling autostart

As of now, Vaultwarden will not start automatically if you reboot your Raspberry Pi. To get that done, we’ll create a systemd unit file. As vaultwarden user run:

1
$ podman generate systemd --name vaultwarden

Copy the output to /etc/systemd/system/vaultwarden.service. You need to be your primary Raspberry Pi user for this as it requires sudo privileges. Edit the file and add User=<YOUR_VAULT_USER> and Group=<YOUR_VAULT_USERS_GROUP> to the [Service] section. Then reload systemd and enable the service:

1
2
$ sudo systemctl daemon-reload
$ sudo systemctl enable vaultwarden

CAUTION: Upon each docker image update, you’ll have to modify PIDFile= as the container ID will change!

Update Vaultwarden

If there’s a new release of Vaultwarden available, you can update the docker image like this:

1
2
3
4
5
6
7
8
$ sudo systemctl stop vaultwarden
$ sudo su - {VUSER}
$ podman pull docker.io/vaultwarden/server:latest
$ podman rm vaultwarden
$ podman run -d --cgroup-manager=cgroupfs --name vaultwarden -v /home/`whoami`/vault/data/:/data/ --env-file=/home/`whoami`/vault/vaultwarden.conf -p 127.0.0.1:8080:8080 docker.io/vaultwarden/server:latest
$ podman stop vaultwarden
$ podman generate systemd --name vaultwarden
$ exit

Now update PIDFile= in /etc/systemd/system/vaultwarden.service (check output of podman generate systemd --name vaultwarden), reload systemd and start Vaultwarden again:

1
2
$ sudo systemctl daemon-reload
$ sudo systemctl start vaultwarden

Backup (VERY important!)

It’s important to backup all files within /home/${VUSER}/vault to a safe place. In case your Pi’s SD card is failing, you will be able to restore everything with those files.

Bitwarden client

To access your Vaultwarden server you can also download Bitwarden’s client, either from their website or your OS’ app store.

This post is licensed under CC BY-SA 4.0 by the author.