# Vaultwarden

**🔴 Security Service**

## 📋 Service Overview

| Property | Value |
|----------|-------|
| **Service Name** | vaultwarden |
| **Host** | Atlantis |
| **Category** | Security |
| **Difficulty** | 🔴 |
| **Docker Image** | `vaultwarden/server:testing` (SSO requires testing image) |
| **Compose File** | `hosts/synology/atlantis/vaultwarden.yaml` |
| **Directory** | `hosts/synology/atlantis/` |
| **External URL** | `https://pw.vish.gg` |

## 🎯 Purpose

Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients.

## 🚀 Quick Start

### Prerequisites

- Docker and Docker Compose installed
- Basic understanding of REDACTED_APP_PASSWORD
- Access to the host system (Atlantis)

### Deployment

```bash
# Navigate to service directory
cd hosts/synology/atlantis

# The compose file is not named docker-compose.yml, so point Compose at it
export COMPOSE_FILE=vaultwarden.yaml

# Start the service
docker-compose up -d

# Check service status
docker-compose ps

# View logs
docker-compose logs -f vaultwarden
```

## 🔧 Configuration

### Docker Compose Configuration

```yaml
container_name: Vaultwarden
cpu_shares: 1024
depends_on:
  db:
    condition: service_started
environment:
  ADMIN_TOKEN: "REDACTED_TOKEN"
  DATABASE_URL: postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden
  DISABLE_ADMIN_TOKEN: false
  DOMAIN: https://pw.vish.gg
  ROCKET_PORT: 4020
  SMTP_FROM: your-email@example.com
  SMTP_HOST: smtp.gmail.com
  SMTP_PASSWORD: "REDACTED_PASSWORD"
  SMTP_PORT: 587
  SMTP_SECURITY: starttls
  SMTP_USERNAME: your-email@example.com
hostname: vaultwarden
image: vaultwarden/server:latest
mem_limit: 256m
mem_reservation: 96m
ports:
  - 4080:4020
restart: on-failure:5
security_opt:
  - no-new-privileges:true
user: 1026:100
volumes:
  - /volume1/docker/vaultwarden/data:/data:rw
```

### Environment Variables

| Variable | Value | Description |
|----------|-------|-------------|
| `ROCKET_PORT` | `4020` | Port Vaultwarden listens on inside the container |
| `DATABASE_URL` | `postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden` | Database connection string |
| `ADMIN_TOKEN` | `***MASKED***` | Token required to open the `/admin` panel |
| `DISABLE_ADMIN_TOKEN` | `***MASKED***` | If `true`, the admin panel is reachable without a token |
| `DOMAIN` | `https://pw.vish.gg` | Service domain name |
| `SMTP_HOST` | `smtp.gmail.com` | SMTP server hostname |
| `SMTP_FROM` | `your-email@example.com` | Sender address for outgoing mail |
| `SMTP_PORT` | `587` | SMTP server port |
| `SMTP_SECURITY` | `starttls` | SMTP transport security mode |
| `SMTP_USERNAME` | `your-email@example.com` | SMTP login user |
| `SMTP_PASSWORD` | `***MASKED***` | SMTP login password |

### Port Mappings

| Host Port | Container Port | Protocol | Purpose |
|-----------|----------------|----------|----------|
| 4080 | 4020 | TCP | Service port |

### Volume Mappings

| Host Path | Container Path | Type | Purpose |
|-----------|----------------|------|----------|
| `/volume1/docker/vaultwarden/data` | `/data` | bind | Application data |

## 🌐 Access Information

Service ports: 4080:4020

## 🔐 SSO / Authentik Integration

Vaultwarden has SSO configured, but local login is the primary method because security key/2FA only works with local login.

| Setting | Value |
|---------|-------|
| **Authentik App Slug** | `vaultwarden` |
| **Authentik Provider PK** | `20` |
| **SSO Authority** | `https://sso.vish.gg/application/o/vaultwarden/` |
| **Redirect URI** | `https://pw.vish.gg/identity/connect/oidc-signin` |

### SSO Notes

- Requires `vaultwarden/server:testing` image (SSO not in `:latest`)
- `SSO_ONLY=false` — local login remains available
- `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` — required because Authentik sends `email_verified: False`
- Custom Authentik scope mapping `email_verified true` applied to this provider
- Login via `https://pw.vish.gg/#/sso` → enter any identifier (e.g. `vish`)
- **Recommended:** Use local login + security key for day-to-day access

### Status

- **SSO**: ✅ Working (added 2026-03-16)
- **Local Login**: ✅ Working (primary method)
- **2FA/Security Key**: ✅ Works with local login only

## 🔒 Security Considerations

- ✅ Security options configured
- ✅ Non-root user configured
- ✅ HTTPS via NPM reverse proxy (`pw.vish.gg`)
- ✅ SMTP configured (Gmail) for password reset emails
- 🔒 Admin panel: `https://pw.vish.gg/admin`
- 🔒 Regular database backups (pg_dump daily)

## 📊 Resource Requirements

No resource limits configured

### Recommended Resources

- **Minimum RAM**: 512MB
- **Recommended RAM**: 1GB+
- **CPU**: 1 core minimum
- **Storage**: Varies by usage

### Resource Monitoring

Monitor resource usage with:

```bash
docker stats
```

## 🔍 Health Monitoring

⚠️ No health check configured

Consider adding a health check:

```yaml
healthcheck:
  # 4020 is ROCKET_PORT inside the container; Vaultwarden answers liveness probes on /alive
  test: ["CMD", "curl", "-f", "http://localhost:4020/alive"]
  interval: 30s
  timeout: 10s
  retries: 3
```

### Manual Health Checks

```bash
# Check container health
docker inspect --format='{{.State.Health.Status}}' Vaultwarden

# View health check logs
docker inspect --format='{{range .State.Health.Log}}{{.Output}}{{end}}' Vaultwarden
```

## 🚨 Troubleshooting

### Common Issues

**Service won't start**

- Check Docker logs: `docker-compose logs vaultwarden`
- Verify port availability: `netstat -tulpn | grep 4080`
- Check file permissions on mounted volumes

**Can't access web interface**

- Verify service is running: `docker-compose ps`
- Check firewall settings
- Confirm correct port mapping

**Performance issues**

- Monitor resource usage: `docker stats`
- Check available disk space: `df -h`
- Review service logs for errors

**Authentication issues**

- Verify credentials are correct
- Check LDAP/SSO configuration
- Review authentication logs

### Useful Commands

```bash
# Check service status
docker-compose ps

# View real-time logs
docker-compose logs -f vaultwarden

# Restart service
docker-compose restart vaultwarden

# Update service
docker-compose pull vaultwarden
docker-compose up -d vaultwarden

# Access service shell
docker-compose exec vaultwarden /bin/bash
# or
docker-compose exec vaultwarden /bin/sh
```

## 📚 Additional Resources

- **Official Documentation**: Check the official docs for vaultwarden
- **Docker Hub**: [vaultwarden/server](https://hub.docker.com/r/vaultwarden/server)
- **Community Forums**: Search for community discussions and solutions
- **GitHub Issues**: Check the project's GitHub for known issues

## 🔗 Related Services

Services REDACTED_APP_PASSWORD vaultwarden:

- Vaultwarden
- Authelia
- Pi-hole
- WireGuard

---

*This documentation is auto-generated from the Docker Compose configuration. For the most up-to-date information, refer to the official documentation and the actual compose file.*

**Last Updated**: 2026-03-16

**Configuration Source**: `hosts/synology/atlantis/vaultwarden.yaml`
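
The items under SSO Notes, Security Considerations and Health Monitoring can be checked mechanically against the compose file. The script below is an added example, not part of this repository's tooling; the helper name `audit_vaultwarden`, its finding labels and the sample file are constructed for illustration, and it assumes the map-style `environment:` block shown above.

```bash
#!/bin/sh
# Added example: audit a Compose service definition against this page's notes.
# audit_vaultwarden and its finding labels are hypothetical, not project tooling.

audit_vaultwarden() (
  file="$1"
  findings=""
  # SSO is only available in the :testing image (see "SSO Notes").
  grep -Eq '^[[:space:]]*image:[[:space:]]*vaultwarden/server:testing' "$file" \
    || findings="$findings image-not-testing"
  # no-new-privileges blocks privilege escalation inside the container.
  grep -Eq '^[[:space:]]*-[[:space:]]*no-new-privileges:true' "$file" \
    || findings="$findings no-new-privileges-missing"
  # Only a numeric, non-zero UID is accepted as proof of a non-root user.
  grep -Eq '^[[:space:]]*user:[[:space:]]*"?[1-9][0-9]*(:[0-9]+)?"?[[:space:]]*$' "$file" \
    || findings="$findings non-root-user-missing"
  # The /admin panel must keep requiring ADMIN_TOKEN.
  if grep -Eiq '^[[:space:]]*DISABLE_ADMIN_TOKEN:[[:space:]]*"?true' "$file"; then
    findings="$findings admin-token-disabled"
  fi
  # The page notes that no health check is configured.
  grep -Eq '^[[:space:]]*healthcheck:' "$file" \
    || findings="$findings healthcheck-missing"
  # Print the findings space-separated; empty output means every check passed.
  echo "${findings# }"
)

# Constructed sample: a trimmed copy of the service definition shown on this page.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
image: vaultwarden/server:latest
environment:
  DISABLE_ADMIN_TOKEN: false
security_opt:
  - no-new-privileges:true
user: 1026:100
EOF
audit_vaultwarden "$sample"   # prints: image-not-testing healthcheck-missing
rm -f "$sample"
```
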