Sanitized mirror from private repository - 2026-03-18 10:31:50 UTC

2026-03-18 10:31:50 +00:00
commit 8e49624d78
1221 changed files with 304405 additions and 0 deletions
--- a/docs/services/individual/vaultwarden.md
+++ b/docs/services/individual/vaultwarden.md
@@ -0,0 +1,246 @@
+# Vaultwarden
+
+**🔴 Security Service**
+
+## 📋 Service Overview
+
+| Property | Value |
+|----------|-------|
+| **Service Name** | vaultwarden |
+| **Host** | Atlantis |
+| **Category** | Security |
+| **Difficulty** | 🔴 |
+| **Docker Image** | `vaultwarden/server:testing` (SSO requires testing image) |
+| **Compose File** | `hosts/synology/atlantis/vaultwarden.yaml` |
+| **Directory** | `hosts/synology/atlantis/` |
+| **External URL** | `https://pw.vish.gg` |
+
+## 🎯 Purpose
+
+Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients.
+
+## 🚀 Quick Start
+
+### Prerequisites
+- Docker and Docker Compose installed
+- Basic understanding of REDACTED_APP_PASSWORD
+- Access to the host system (Atlantis)
+
+### Deployment
+```bash
+# Navigate to service directory
+cd Atlantis
+
+# Start the service
+docker-compose up -d
+
+# Check service status
+docker-compose ps
+
+# View logs
+docker-compose logs -f vaultwarden
+```
+
+## 🔧 Configuration
+
+### Docker Compose Configuration
+```yaml
+container_name: Vaultwarden
+cpu_shares: 1024
+depends_on:
+  db:
+    condition: service_started
+environment:
+  ADMIN_TOKEN: "REDACTED_TOKEN"
+  DATABASE_URL: postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden
+  DISABLE_ADMIN_TOKEN: false
+  DOMAIN: https://pw.vish.gg
+  ROCKET_PORT: 4020
+  SMTP_FROM: your-email@example.com
+  SMTP_HOST: smtp.gmail.com
+  SMTP_PASSWORD: "REDACTED_PASSWORD"
+  SMTP_PORT: 587
+  SMTP_SECURITY: starttls
+  SMTP_USERNAME: your-email@example.com
+hostname: vaultwarden
+image: vaultwarden/server:latest
+mem_limit: 256m
+mem_reservation: 96m
+ports:
+- 4080:4020
+restart: on-failure:5
+security_opt:
+- no-new-privileges:true
+user: 1026:100
+volumes:
+- /volume1/docker/vaultwarden/data:/data:rw
+
+```
+
+### Environment Variables
+| Variable | Value | Description |
+|----------|-------|-------------|
+| `ROCKET_PORT` | `4020` | Configuration variable |
+| `DATABASE_URL` | `postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden` | Database connection string |
+| `ADMIN_TOKEN` | `***MASKED***` | Configuration variable |
+| `DISABLE_ADMIN_TOKEN` | `***MASKED***` | Configuration variable |
+| `DOMAIN` | `https://pw.vish.gg` | Service domain name |
+| `SMTP_HOST` | `smtp.gmail.com` | Configuration variable |
+| `SMTP_FROM` | `your-email@example.com` | Configuration variable |
+| `SMTP_PORT` | `587` | Configuration variable |
+| `SMTP_SECURITY` | `starttls` | Configuration variable |
+| `SMTP_USERNAME` | `your-email@example.com` | Configuration variable |
+| `SMTP_PASSWORD` | `***MASKED***` | Configuration variable |
+
+
+### Port Mappings
+| Host Port | Container Port | Protocol | Purpose |
+|-----------|----------------|----------|----------|
+| 4080 | 4020 | TCP | Service port |
+
+
+### Volume Mappings
+| Host Path | Container Path | Type | Purpose |
+|-----------|----------------|------|----------|
+| `/volume1/docker/vaultwarden/data` | `/data` | bind | Application data |
+
+
+## 🌐 Access Information
+
+Service ports: 4080:4020
+
+## 🔐 SSO / Authentik Integration
+
+Vaultwarden has SSO configured but local login is the primary method due to security key/2FA dependency.
+
+| Setting | Value |
+|---------|-------|
+| **Authentik App Slug** | `vaultwarden` |
+| **Authentik Provider PK** | `20` |
+| **SSO Authority** | `https://sso.vish.gg/application/o/vaultwarden/` |
+| **Redirect URI** | `https://pw.vish.gg/identity/connect/oidc-signin` |
+
+### SSO Notes
+- Requires `vaultwarden/server:testing` image (SSO not in `:latest`)
+- `SSO_ONLY=false` — local login remains available
+- `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` — required because Authentik sends `email_verified: False`
+- Custom Authentik scope mapping `email_verified true` applied to this provider
+- Login via `https://pw.vish.gg/#/sso` → enter any identifier (e.g. `vish`)
+- **Recommended:** Use local login + security key for day-to-day access
+
+### Status
+- **SSO**: ✅ Working (added 2026-03-16)
+- **Local Login**: ✅ Working (primary method)
+- **2FA/Security Key**: ✅ Works with local login only
+
+## 🔒 Security Considerations
+
+- ✅ Security options configured
+- ✅ Non-root user configured
+- ✅ HTTPS via NPM reverse proxy (`pw.vish.gg`)
+- ✅ SMTP configured (Gmail) for password reset emails
+- 🔒 Admin panel: `https://pw.vish.gg/admin`
+- 🔒 Regular database backups (pg_dump daily)
+
+## 📊 Resource Requirements
+
+No resource limits configured
+
+### Recommended Resources
+- **Minimum RAM**: 512MB
+- **Recommended RAM**: 1GB+
+- **CPU**: 1 core minimum
+- **Storage**: Varies by usage
+
+### Resource Monitoring
+Monitor resource usage with:
+```bash
+docker stats
+```
+
+## 🔍 Health Monitoring
+
+⚠️ No health check configured
+Consider adding a health check:
+```yaml
+healthcheck:
+  test: ["CMD", "curl", "-f", "http://localhost:PORT/health"]
+  interval: 30s
+  timeout: 10s
+  retries: 3
+```
+
+### Manual Health Checks
+```bash
+# Check container health
+docker inspect --format='{{.State.Health.Status}}' CONTAINER_NAME
+
+# View health check logs
+docker inspect --format='{{range .State.Health.Log}}{{.Output}}{{end}}' CONTAINER_NAME
+```
+
+## 🚨 Troubleshooting
+
+### Common Issues
+**Service won't start**
+- Check Docker logs: `docker-compose logs service-name`
+- Verify port availability: `netstat -tulpn | grep PORT`
+- Check file permissions on mounted volumes
+
+**Can't access web interface**
+- Verify service is running: `docker-compose ps`
+- Check firewall settings
+- Confirm correct port mapping
+
+**Performance issues**
+- Monitor resource usage: `docker stats`
+- Check available disk space: `df -h`
+- Review service logs for errors
+
+**Authentication issues**
+- Verify credentials are correct
+- Check LDAP/SSO configuration
+- Review authentication logs
+
+### Useful Commands
+```bash
+# Check service status
+docker-compose ps
+
+# View real-time logs
+docker-compose logs -f vaultwarden
+
+# Restart service
+docker-compose restart vaultwarden
+
+# Update service
+docker-compose pull vaultwarden
+docker-compose up -d vaultwarden
+
+# Access service shell
+docker-compose exec vaultwarden /bin/bash
+# or
+docker-compose exec vaultwarden /bin/sh
+```
+
+## 📚 Additional Resources
+
+- **Official Documentation**: Check the official docs for vaultwarden
+- **Docker Hub**: [vaultwarden/server:latest](https://hub.docker.com/r/vaultwarden/server:latest)
+- **Community Forums**: Search for community discussions and solutions
+- **GitHub Issues**: Check the project's GitHub for known issues
+
+## 🔗 Related Services
+
+Services REDACTED_APP_PASSWORD vaultwarden:
+- Vaultwarden
+- Authelia
+- Pi-hole
+- WireGuard
+
+---
+
+*This documentation is auto-generated from the Docker Compose configuration. For the most up-to-date information, refer to the official documentation and the actual compose file.*
+
+**Last Updated**: 2026-03-16  
+**Configuration Source**: `hosts/synology/atlantis/vaultwarden.yaml`