### Example GET Request with Access Token Source: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide This example shows a GET request used for establishing a WSS connection for notifications. It highlights the `access_token` parameter, which should be redacted in logs if your reverse proxy or log store supports it. ```http /notifications/hub?access_token=[this part is always the same].eyJuYmYi[redacted]sImV4cCI6MTcxNzc1NzQ1OCwiaXN[redacted]M6Ly92YXVsdC5zZWMuYXJwYXxsb2dpbiIsInN1YiI6ImY5YmVhN[redacted]tNGJjNS05MDY2LTQ3NjFlZmY4ND[redacted]sInByZW1pdW0iOnRydWU[redacted]JjaXBoZXIiLCJlbWFpbCI6ImNpc[redacted]ljdSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJzc3RhbXAiOiJlZjM3[redacted]MjctODE2OS1hZTQ3NmFjNDc4MGQiLCJkZX[redacted]02ZTk3LTQ2N2M[redacted]jM3NmEiLCJzY29wZSI6WyJhcG[redacted]5lX2FjY2VzcyJdLCJhbXIiOlsiQXBwbGljY[redacted]hGDeCNdjTs1cOL2fV_OR96Sey-gA5eRa8OCGNgCrDeyYAPyk[redacted]BkQGwjEhD7fcWILxRYqQ7W6rkC2o[redacted]LB_nztpAgeRUbsPgsd3RNTWJDKdlH8aMf1[redacted]vB_doENJPeyaeMuEG85KqpAN2A[redacted]GeeCztxmQIe21PMtBG-SAgGeI[redacted]X_9mmyv0nISHBuHjhQ_km[redacted]VCLoFneb-MEzN[redacted]T8VcXSKhGXpwJUx8j1[redacted]k_nH27vrD2Dg ``` -------------------------------- ### Docker Example: Setting up MySQL and Vaultwarden Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-MariaDB-(MySQL)-Backend Demonstrates how to start a MySQL container and then run the Vaultwarden container, linking them via a Docker network and setting the DATABASE_URL. ```bash # Start a mysql container docker run --name mysql --net \ -e MYSQL_ROOT_PASSWORD=\ -e MYSQL_DATABASE=vaultwarden\ -e MYSQL_USER=\ -e MYSQL_PASSWORD= -d mysql:5.7 # Start vaultwarden with MySQL Env Vars set. docker run -d --name vaultwarden --net \ -v $(pwd)/vw-data/:/data/ -v :/ssl/\ -p 443:80 -e ROCKET_TLS='{certs="/ssl/",key="/ssl/"}'\ -e RUST_BACKTRACE=1 -e DATABASE_URL='mysql://:@mysql/vaultwarden'\ -e ADMIN_TOKEN=\ -e ENABLE_DB_WAL='false' ``` -------------------------------- ### Log Format Example Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup This is an example of the log format to look for when testing Fail2ban setup. Ensure your Vaultwarden instance is configured to log to a file. ```text [YYYY-MM-DD hh:mm:ss][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: XXX.XXX.XXX.XXX. Username: email@domain.com. ``` -------------------------------- ### Install QEMU binfmt support on Fedora Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Installs the necessary packages for QEMU binfmt support on Fedora. ```bash dnf install qemu-user-static ``` -------------------------------- ### Install QEMU binfmt support on Ubuntu/Debian Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Installs the necessary packages for QEMU binfmt support on Debian-based systems. ```bash apt install binfmt-support qemu-user-static ``` -------------------------------- ### Start Docker Compose Services Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-Docker-Compose Command to create and start the services defined in the docker-compose.yaml file in detached mode. Use `docker-compose` if you have a standalone installation. ```bash docker compose up -d # or `docker-compose up -d` if using standalone Docker Compose ``` -------------------------------- ### Start Vaultwarden with Keycloak Source: https://github.com/dani-garcia/vaultwarden/blob/main/playwright/README.md Run the full Vaultwarden stack including Keycloak. Ensure the profile 'vaultwarden' is active and an .env file is present for configuration. Wait for the Keycloak setup container to exit successfully. ```bash > docker compose --profile vaultwarden --env-file .env up .... keycloakSetup_1 | Logging into http://127.0.0.1:8080 as user admin of realm master keycloakSetup_1 | Created new realm with id 'test' keycloakSetup_1 | 74af4933-e386-4e64-ba15-a7b61212c45e oidc_keycloakSetup_1 exited with code 0 ``` -------------------------------- ### Install Vaultwarden on FreeBSD Source: https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages Installs Vaultwarden using the FreeBSD package manager. A sample configuration file is provided for service setup. ```bash pkg install vaultwarden ``` -------------------------------- ### Build Docker Image with Default SQLite Backend Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-your-own-docker-image Use this command to build the Docker image with the default SQLite database support. This is the simplest way to get started. ```sh # Build the docker image with all databases supported: docker buildx build -t vaultwarden . ``` -------------------------------- ### Docker Compose Configuration Example Source: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page Example of a docker-compose.yaml file referencing the admin token from an environment variable. ```yaml services: vaultwarden: image: ghcr.io/dani-garcia/vaultwarden container_name: vaultwarden restart: unless-stopped volumes: - /path/to/vaultwarden/data/:/data/ environment: - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN} ``` -------------------------------- ### Example Connection String for Non-Docker MySQL Server Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-MariaDB-(MySQL)-Backend Provides a direct example of a DATABASE_URL for connecting to an existing MySQL server outside of Docker. ```text Server IP/Port 192.168.1.10:3306 UN: dbuser / PW: yourpassword / DB: vaultwarden mysql://dbuser:yourpassword@192.168.1.10:3306/vaultwarden ``` -------------------------------- ### Install QEMU binfmt support on Arch Linux Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Installs the necessary packages for QEMU binfmt support on Arch Linux and its derivatives. ```bash pacman -S qemu-user-static qemu-user-static-binfmt ``` -------------------------------- ### Set Vaultwarden port and run for Cloudflare setup Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs Export the ROCKET_PORT environment variable to match the port configured in Caddyfile for the Cloudflare setup, then start the Vaultwarden service. ```bash export ROCKET_PORT=8080 ./vaultwarden ``` -------------------------------- ### Install and Uninstall QEMU binfmt support using Docker Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Manages QEMU binfmt support using a Docker container. Use the install command to add support for specified architectures and the uninstall command to remove it. ```bash # To install and activate docker run --privileged --rm tonistiigi/binfmt --install arm64,arm # To uninstall docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*' ``` -------------------------------- ### Run Podman Built Image Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Starts a container from a Podman-built image. Note the `localhost/` prefix and the image tag. ```bash podman run --rm -it \ -e DISABLE_ADMIN_TOKEN=true \ -e I_REALLY_WANT_VOLATILE_STORAGE=true \ -p8080:80 --platform=linux/arm64 \ localhost/vaultwarden/server:testing-arm64 ``` -------------------------------- ### Install Vaultwarden on Void Linux Source: https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages Install Vaultwarden using the xbps-install command. The web vault can be optionally installed as well. ```bash xbps-install vaultwarden ``` ```bash xbps-install vaultwarden-web ``` -------------------------------- ### Install Vaultwarden via Snap Source: https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages Use this command to install Vaultwarden from the Snap Store. The configuration file is located at /var/snap/vaultwarden/current/vaultwarden.conf. ```bash sudo snap install vaultwarden ``` -------------------------------- ### Dokku Vaultwarden Setup Script Source: https://github.com/dani-garcia/vaultwarden/wiki/Deployment-examples This script automates the setup of Vaultwarden on a Dokku instance, including Let's Encrypt configuration and Docker image deployment. It prompts for necessary information and configures ports and domains. ```bash #!/usr/bin/env bash set -euo pipefail APPNAME="" read -rp "Enter the name of the app: " APPNAME # check if app name is empty if [ -z "$APPNAME" ]; then echo "App name empty. Using default name: vaultwarden" APPNAME="vaultwarden" fi # check if dokku plugin exists if ! dokku plugin:list | grep letsencrypt; then sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git fi # check if global email for letsencrypt is set if ! dokku config:get --global DOKKU_LETSENCRYPT_EMAIL; then read -rp "Enter email address for letsencrypt: " EMAIL dokku config:set --global DOKKU_LETSENCRYPT_EMAIL="$EMAIL" fi # pull the latest image IMAGE_NAME="vaultwarden/server" docker pull $IMAGE_NAME image_sha="$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_NAME)" echo "Calculated image sha: $image_sha" dokku apps:create "$APPNAME" dokku storage:ensure-directory "$APPNAME" dokku storage:mount "$APPNAME" /var/lib/dokku/data/storage/"$APPNAME":/data dokku domains:add $APPNAME $APPNAME."$(cat /home/dokku/VHOST)" dokku letsencrypt:enable "$APPNAME" dokku proxy:ports-add "$APPNAME" http:80:80 dokku proxy:ports-add "$APPNAME" https:443:80 dokku proxy:ports-remove "$APPNAME" http:80:5000 dokku proxy:ports-remove "$APPNAME" https:443:5000 dokku git:from-image "$APPNAME" "$image_sha" ``` -------------------------------- ### Start Vaultwarden Service Source: https://github.com/dani-garcia/vaultwarden/wiki/Setup-as-a-systemd-service Command to start the Vaultwarden service manually. ```bash $ sudo systemctl start vaultwarden.service ``` -------------------------------- ### Enable Vaultwarden Autostart Source: https://github.com/dani-garcia/vaultwarden/wiki/Setup-as-a-systemd-service Enables the Vaultwarden service to start automatically on system boot. ```bash $ sudo systemctl enable vaultwarden.service ``` -------------------------------- ### Set Vaultwarden port and run Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs Export the ROCKET_PORT environment variable to match the port configured in Caddyfile, then start the Vaultwarden service. ```bash export ROCKET_PORT=8001 ./vaultwarden ``` -------------------------------- ### Example Docker Environment Variable for PostgreSQL Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backend An example of how to set the `DATABASE_URL` environment variable when running Vaultwarden in a Docker container. Ensure to replace placeholders with your actual credentials and host information. ```bash -e 'DATABASE_URL=postgresql://user_name:user_password@db_host:5432/vaultwarden' ``` -------------------------------- ### Initialize Buildx Builder Instance Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Creates and uses a new buildx builder instance named 'vaultwarden' that connects to the host network. This is a one-time setup step. ```bash # Create and use a new buildx builder instance which connects to the host network docker buildx create --name vaultwarden --use --driver-opt network=host # Validate it runs docker buildx inspect --bootstrap # Create a local container registry directly reachable on the localhost docker run -d --name registry --network host registry:2 ``` -------------------------------- ### Install Bitwarden Dev/Debug APK Source: https://github.com/dani-garcia/vaultwarden/wiki/Bitwarden-Android-troubleshooting Installs the developer version of the Bitwarden Android client using ADB. ```bash adb install com.x8bit.bitwarden.dev.apk ``` -------------------------------- ### Install Fail2ban on Debian/Ubuntu/Raspberry Pi OS Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup Installs the Fail2ban package using apt-get. This is a prerequisite for setting up log monitoring and IP banning. ```bash sudo apt-get install fail2ban -y ``` -------------------------------- ### Start Caddy in the background Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs After the initial run, start Caddy in the background using the specified environment file for ongoing operation. ```bash caddy start --envfile caddy.env ``` -------------------------------- ### Install Fail2ban on Fedora/CentOS Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup Installs Fail2ban on Fedora or CentOS systems. Requires the EPEL repository for CentOS 7. ```bash sudo yum install epel-release sudo yum install fail2ban -y ``` -------------------------------- ### Start Server and Launch Playwright Codegen Source: https://github.com/dani-garcia/vaultwarden/blob/main/playwright/README.md Starts the Vaultwarden server manually and then launches the Playwright Codegen tool to record user interactions for writing new scenarios. This is useful for identifying UI elements. ```bash DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env up Vaultwarden npx playwright codegen "http://127.0.0.1:8003" ``` -------------------------------- ### Build Web Vault using Host Node/NPM Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-binary Builds the web-vault using the Node.js and NPM installed on the host system. Ensure you have compatible versions installed. ```sh git clone https://github.com/dani-garcia/bw_web_builds.git bw_web_builds cd bw_web_builds make full ``` -------------------------------- ### Mount Custom Startup Script for Container Source: https://github.com/dani-garcia/vaultwarden/wiki/Starting-a-Container To run a custom script when the Vaultwarden container starts, mount a single script to `/etc/vaultwarden.sh` or a directory of scripts to `/etc/vaultwarden.d`. ```sh docker run -d --name vaultwarden -v $(pwd)/init.sh:/etc/vaultwarden.sh vaultwarden/server:latest ``` -------------------------------- ### Vaultwarden Environment Configuration Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-Podman Example of an environment file used to configure container variables for Vaultwarden. ```conf ROCKET_PORT=8080 ``` -------------------------------- ### Run Vaultwarden with Custom Web-Vault Source: https://github.com/dani-garcia/vaultwarden/blob/main/playwright/README.md Starts the Vaultwarden service using a Docker Compose configuration that includes a custom web-vault. After starting, you can check diagnostics at `http://127.0.0.1:8003/admin/diagnostics`. ```bash DOCKER_BUILDKIT=1 docker compose --profile playwright --env-file test.env up Vaultwarden ``` -------------------------------- ### Build the Web Vault Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-binary Install dependencies and build the self-hosted web vault using npm. Note that 'npm audit fix' might break functionality. ```bash npm ci # Read the note below (we do use this for our docker builds). # npm audit fix # Change to the web-vault directory cd apps/web # Build the web-vault npm run dist:oss:selfhost ``` -------------------------------- ### Build Default Debian Container Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Triggers a default Debian build using the host's architecture. Ensure QEMU binfmt support is installed if building for a different architecture. ```bash docker buildx bake --file docker/docker-bake.hcl ``` -------------------------------- ### Enable and Start Vaultwarden Systemd Service Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-Podman Enable and start the generated systemd service file for the Vaultwarden container. This allows managing the container like a standard system service. ```sh $ systemctl enable /etc/systemd/system/container-vaultwarden.service $ systemctl start container-vaultwarden.service ``` -------------------------------- ### Analyze SELinux Denials with audit2why Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup Pipe the relevant audit log entries to audit2why to get a human-readable explanation of the SELinux denial. ```bash grep 'type=AVC msg=audit(1571777936.719:2193)' /var/log/audit/audit.log | audit2why ``` -------------------------------- ### Docker Compose Configuration for Vaultwarden Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-your-own-docker-image Example of how to configure Vaultwarden in a docker-compose.yml file, specifying the image and build arguments for the database backend. ```yaml vaultwarden: image: vaultwarden build: context: vaultwarden args: DB: postgresql ``` -------------------------------- ### Run Caddy with Duck DNS environment file Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs Start Caddy for the first time, loading configuration from the specified environment file. This step obtains the initial Let's Encrypt certificates. ```bash caddy run --envfile caddy.env ``` -------------------------------- ### Configure Gentoo USE flags and Install Vaultwarden Source: https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages Customizes the Vaultwarden build on Gentoo using USE flags for database (mysql/sqlite/postgresql) and features (web/cli). After setting flags, the package is emerged. ```bash echo "app-admin/vaultwarden " >> /etc/portage/package.use/vaultwarden emerge app-admin/vaultwarden ``` -------------------------------- ### Idempotent Initialization Script Example Source: https://github.com/dani-garcia/vaultwarden/wiki/Starting-a-Container To ensure custom startup scripts run only once and are idempotent, use a flag file mechanism. This prevents unintended side effects if the script is executed multiple times. ```sh if [ ! -e /.init ]; then touch /.init # run your init steps... fi ``` -------------------------------- ### NixOS Nginx Configuration for Vaultwarden Source: https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples Example NixOS configuration for Nginx to serve Vaultwarden. This setup includes automatic ACME certificate generation and proxying. ```nix { config, ... }: { security.acme = { defaults = { acceptTerms = true; email = "me@example.com"; }; certs."vaultwarden.example.tld".group = "vaultwarden"; }; services.nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; virtualHosts = { "vaultwarden.example.tld" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8000"; proxyWebsockets = true; }; }; }; }; } ``` -------------------------------- ### Extract Vaultwarden Binaries without Docker Source: https://github.com/dani-garcia/vaultwarden/wiki/Pre-built-binaries Utilize the `docker-image-extract` script to pull and extract Vaultwarden binaries if Docker is not installed. This example shows extraction for the x86-64 platform. ```bash $ mkdir vw-image $ cd vw-image $ wget https://raw.githubusercontent.com/jjlin/docker-image-extract/main/docker-image-extract $ chmod +x docker-image-extract $ ./docker-image-extract vaultwarden/server:latest-alpine Getting multi-arch manifest list... Platform linux/amd64 resolved to 'sha256:8e344ffce9aef3a18687d21e53e7355a2d924299029c4af0d94acdd25048f292'... Getting API token... Getting image manifest for vaultwarden/server:latest-alpine... Fetching and extracting layer 96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa... Fetching and extracting layer cd8bc2d8ff321b604bfbaeaf05d5d003d151dff16ba8c9401b2454ce2523d4a8... Fetching and extracting layer 822e55e7fca73a44ec8200bcae5ff098df0449884bb1489226104e13d861b1d2... Fetching and extracting layer 639668723db6e831c0c74eea526afd5dc86fb186ca31b70bcb49bcaf687811c6... Fetching and extracting layer 12f58a7c9a5158fe8b56a294dd7f597aa564c881d8af327ae84e4fe42f301c81... Fetching and extracting layer 205fba48648467a1b138596797b694ae18b3506ffd5f77ccb968090fef127ed6... Image contents extracted into ./output. $ ls -ld output/{vaultwarden,web-vault} -rwxr-xr-x 1 user user 53602704 Nov 5 23:57 output/vaultwarden drwxr-xr-x 8 user user 4096 Nov 3 15:23 output/web-vault ``` -------------------------------- ### Set ROCKET_WORKERS to 20 Source: https://github.com/dani-garcia/vaultwarden/wiki/Changing-the-number-of-workers Override the default number of workers by setting the ROCKET_WORKERS environment variable in your docker run command. This example starts Vaultwarden with 20 workers. ```sh docker run -d --name vaultwarden \ -e ROCKET_WORKERS=20 \ -v /vw-data/:/data/ \ -p 80:80 \ vaultwarden/server:latest ``` -------------------------------- ### Build Multi-Arch Alpine Container using bake.sh Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Builds a Multi-Arch Alpine container and pushes it to a localhost registry using the `bake.sh` script. Assumes initialization steps are completed. ```bash CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ ./bake.sh alpine-multi ``` -------------------------------- ### Build Multi-Architecture Alpine Images Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Builds multi-architecture Alpine images and pushes them to a local registry. Ensure the buildx builder and local registry are set up first. Replace 'alpine' with 'debian' to build Debian multi-arch images. ```bash # Start a buildx bake using a debug build CARGO_PROFILE=dev \ SOURCE_COMMIT="$(git rev-parse HEAD)" \ CONTAINER_REGISTRIES="localhost:5000/vaultwarden/server" \ docker buildx bake --file docker/docker-bake.hcl alpine-multi ``` -------------------------------- ### Install Playwright Dependencies Source: https://github.com/dani-garcia/vaultwarden/blob/main/playwright/README.md Installs necessary dependencies and Playwright browsers when running Playwright outside of Docker. Requires Node.js. ```bash npm ci --ignore-scripts npx playwright install-deps npx playwright install firefox ``` -------------------------------- ### Get Let's Encrypt certs with lego CLI Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs Use this command to register with Let's Encrypt and fetch a certificate for your domain via the DuckDNS challenge. Ensure you replace placeholders with your actual token, domain, and email. ```bash DUCKDNS_TOKEN= ./lego -a --dns duckdns -d my-vw.duckdns.org -m me@example.com run ``` -------------------------------- ### Install Diesel CLI for SQLite Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-binary Install the diesel-cli tool with SQLite support using cargo. This is required for managing database schemas. ```bash cargo install diesel_cli --no-default-features --features sqlite-bundled ``` -------------------------------- ### Prepare Host Directory for Non-Root User Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-docker-container-with-non-root-user Ensure the host directory intended for data persistence is writable by the non-root user inside the container. This example uses user ID 65534 (often 'nobody') and grants full permissions. ```bash sudo mkdir /vw-data # Set the owner using user id. # Note that the ownership must match user in /etc/passwd *inside* the container, not on your host sudo chown 65534 /vw-data # Give the owner full rights to the folder sudo chmod u+rwx /vw-data ``` -------------------------------- ### Troubleshooting Sandboxing Options Source: https://github.com/dani-garcia/vaultwarden/wiki/Setup-as-a-systemd-service Workaround for older systemd versions that may not support certain sandboxing options. Comment out problematic lines in the service file. ```bash # PrivateTmp=true # PrivateDevices=true # ProtectHome=true # ProtectSystem=strict # ReadWritePaths=/var/lib/vaultwarden ``` -------------------------------- ### Start Fail2ban Docker Container on Synology Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup Starts the Fail2ban Docker container in detached mode using Docker Compose. Ensure you are in the directory containing the 'docker-compose.yml' file. ```bash cd /volumeX/docker/fail2ban docker-compose up -d ``` -------------------------------- ### Build Specific Platform Container with bake.sh and Print Bake Arguments Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Builds a specific platform container (e.g., Alpine all architectures) using `bake.sh` and appends '--print' to show the bake arguments. You can append '-amd64', '-arm64', '-armv7', or '-armv6' to the target to build for a specific platform. ```bash docker/bake.sh alpine-all --print ``` -------------------------------- ### Backup SQLite Database using VACUUM INTO Source: https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault Alternatively, use the VACUUM INTO command to back up the SQLite database. This command also compacts empty space but may take longer. ```bash sqlite3 data/db.sqlite3 "VACUUM INTO '/path/to/backups/db-$(date '+%Y%m%d-%H%M').sqlite3'" ``` -------------------------------- ### Add Fedora Repository and Install Vaultwarden Source: https://github.com/dani-garcia/vaultwarden/wiki/Third-party-packages Installs Vaultwarden and its web vault on Fedora by adding a third-party repository. This package is built as a universal binary for SQLite, MySQL, and PostgreSQL, and sets up a systemd service. ```bash dnf config-manager --add-repo https://evermeet.cx/pub/repo/fedora/evermeet.repo dnf install vaultwarden vaultwarden-webvault ``` -------------------------------- ### Build Caddy with DNS Challenge Support using xcaddy Source: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let's-Encrypt-certs Use xcaddy to create a custom Caddy build that includes modules for specific DNS providers, enabling the ACME DNS challenge. This is necessary because DNS challenge support is not included in the default Caddy binary. ```bash xcaddy build --with github.com/caddy-dns/cloudflare --with github.com/caddy-dns/duckdns ``` -------------------------------- ### Example of Generated Table Conversion Queries Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-MariaDB-(MySQL)-Backend This is an example of the SQL statements generated and executed to convert all tables to the 'utf8mb4' character set and 'utf8mb4_unicode_ci' collation, wrapped with foreign key checks disabled and re-enabled. ```mysql SET foreign_key_checks=0; ALTER TABLE `__diesel_schema_migrations` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `attachments` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `ciphers_collections` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `ciphers` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `collections` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `devices` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `emergency_access` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `favorites` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `folders_ciphers` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `folders` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `invitations` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `org_policies` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `organizations` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `sends` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `twofactor_incomplete` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `twofactor` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `users_collections` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `users_organizations` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; ALTER TABLE `users` CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; SET foreign_key_checks=1; ``` -------------------------------- ### Initialize WAF Rule Files Source: https://github.com/dani-garcia/vaultwarden/wiki/Docker---Traefik---ModSecurity-Setup Creates empty configuration files for ModSecurity exclusion rules before and after the main CRS rules are applied. These files are used to customize WAF behavior by excluding specific requests or responses. ```bash touch /opt/docker/waf-rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf && touch /opt/docker/waf-rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ``` -------------------------------- ### Vaultwarden SCSS Customization Examples Source: https://github.com/dani-garcia/vaultwarden/wiki/Customize-Vaultwarden-CSS This SCSS code provides examples for customizing Vaultwarden's appearance, including logos, sidebar width, and hiding specific 2FA providers. It utilizes variables and mixins for easier management. ```css /* File location: /data/templates/scss/user.vaultwarden.scss.hbs */ /* --- Variables --- */ /* You can set different logos for the Vault (User) and the Admin Console (Org) */ $logo-default: url('/vw_static/logo-gray.png'); $logo-admin: url('/vw_static/logo-gray.png'); /* Sidebar Customization */ $sidebar-width: 15rem; /* Set this to match your logo width if needed */ /* --- Mixins --- */ @mixin hide-element { display: none !important; } /* --- Hiding 2FA Providers --- */ /* 0: Authenticator App, 1: Email, 2: Duo, 3: YubiKey OTP, 7: FIDO2 WebAuthn */ /* .providers-2fa-0, .providers-2fa-1, .providers-2fa-2, .providers-2fa-3, .providers-2fa-7 { @include hide-element; } */ /* --- Loading Screen --- */ app-root img.new-logo-themed { content: $logo-default !important; } /* --- Login Screen --- */ auth-anon-layout bit-landing-header { bit-svg { /* Hide original SVG */ > svg { @include hide-element; } /* Inject Custom Logo */ &::before { display: block !important; content: "" !important; width: 100% !important; height: 42px !important; background: $logo-default no-repeat center left !important; background-size: contain !important; } } } /* --- Dashboard Sidebar --- */ bit-nav-logo { /* Apply if you want logo to be less cropped when minimized if you have a logo like the one Vaultwarden and Bitwarden have */ /* > div { padding-right: 2px !important; } */ bit-svg { > svg { @include hide-element; } &::before { display: block !important; content: "" !important; width: 100% !important; height: 42px !important; background-repeat: no-repeat !important; background-size: auto 42px !important; background-position: center left !important; } } } /* --- Dashboard Sidebar --- */ app-user-layout bit-nav-logo bit-svg::before { background-image: $logo-default !important; } app-organization-layout bit-nav-logo bit-svg::before { background-image: $logo-admin !important; } /* --- Sidebar Layout & Logic --- */ #bit-side-nav { /* Only override width if it matches the default '18rem' inline style. This ensures we don't break the 'Collapsed' state (4.5rem) or manual resizes. */ &[style*="18rem"] { max-width: $sidebar-width !important; } /* When sidebar is collapsed (width is usually 4.5rem), hide the custom logo so it doesn't look broken or clipped. */ &[style*="4.5rem"] { bit-nav-logo bit-svg::before { display: none !important; } /* Optional: Show original icon again when minimized? Remove the comment below to enable: */ /* bit-nav-logo bit-svg > svg { display: block !important; } */ } } ``` -------------------------------- ### Create Persistent Folders for Fail2ban on Synology Source: https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup Creates necessary directories for Fail2ban configuration and data persistence on Synology DSM. Adapt '/volumeX/' to your specific volume path. ```bash mkdir -p /volumeX/docker/fail2ban/action.d/ mkdir -p /volumeX/docker/fail2ban/jail.d/ mkdir -p /volumeX/docker/fail2ban/filter.d/ ``` -------------------------------- ### Deploy Vaultwarden Service Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-Podman Reloads the systemd user daemon and starts the Vaultwarden Podman service. ```bash systemctl --user daemon-reload systemctl --user start vaultwarden-pod.service ``` -------------------------------- ### Build Docker Image with MySQL Backend Only Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-your-own-docker-image Build the Docker image for the MySQL backend by specifying --build-arg DB=mysql. Ensure you have MySQL set up if you choose this option. ```bash # Build the docker image: docker buildx build -t vaultwarden --build-arg DB=mysql . ``` -------------------------------- ### Compile Vaultwarden with MySQL Backend Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-binary Compile Vaultwarden with only the MySQL backend enabled. Ensure you have the necessary development libraries installed for MySQL. ```sh cargo run --features mysql --release ``` ```sh cargo build --features mysql --release ``` -------------------------------- ### SQL: Create PostgreSQL Database Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backend SQL command to create a new, empty database for Vaultwarden and assign ownership to the previously created user. ```sql CREATE DATABASE vaultwarden OWNER vaultwarden; ``` -------------------------------- ### Disable and Stop Vaultwarden Service Source: https://github.com/dani-garcia/vaultwarden/wiki/Setup-as-a-systemd-service Disables the Vaultwarden service from starting on boot and stops the currently running instance. Use this before uninstalling. ```bash $ sudo systemctl disable --now vaultwarden.service ``` -------------------------------- ### Build Alpine arm64 Image with Podman Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Builds an Alpine arm64 image with specific database and memory allocator features enabled. Ensure you are in the repository root or docker directory. ```bash DB="sqlite,enable_mimalloc" \ ./podman-bake.sh alpine-arm64 ``` -------------------------------- ### Podman Quadlet Systemd Volume Definition Source: https://github.com/dani-garcia/vaultwarden/wiki/Using-Podman Defines persistent volumes for Podman containers. This example shows definitions for 'vaultwarden-app' and 'vaultwarden-db'. ```systemd [Volume] VolumeName=vaultwarden-app ``` ```systemd [Volume] VolumeName=vaultwarden-db ``` -------------------------------- ### Build Docker Image with PostgreSQL Backend Only Source: https://github.com/dani-garcia/vaultwarden/wiki/Building-your-own-docker-image Build the Docker image for the PostgreSQL backend by using the --build-arg DB=postgresql argument. This is suitable for users who prefer PostgreSQL. ```bash # Build the docker image: docker buildx build -t vaultwarden --build-arg DB=postgresql . ``` -------------------------------- ### Build Debian Container with Podman Source: https://github.com/dani-garcia/vaultwarden/blob/main/docker/README.md Builds a Debian container image. This command can be run from the repository root. ```bash docker/podman-bake.sh ```