Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
homelab-optimized/docs/services/individual/vaultwarden.md
Gitea Mirror Bot e7652c8dab
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m3s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-04-20 01:32:01 UTC
2026-04-20 01:32:01 +00:00

247 lines
6.7 KiB
Markdown
Raw Permalink Blame History

# Vaultwarden
**🔴 Security Service**
## 📋 Service Overview
| Property | Value |
|----------|-------|
| **Service Name** | vaultwarden |
| **Host** | Atlantis |
| **Category** | Security |
| **Difficulty** | 🔴 |
| **Docker Image** | `vaultwarden/server:testing` (SSO requires testing image) |
| **Compose File** | `hosts/synology/atlantis/vaultwarden.yaml` |
| **Directory** | `hosts/synology/atlantis/` |
| **External URL** | `https://pw.vish.gg` |
## 🎯 Purpose
Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients.
## 🚀 Quick Start
### Prerequisites
- Docker and Docker Compose installed
- Basic understanding of REDACTED_APP_PASSWORD
- Access to the host system (Atlantis)
### Deployment
```bash
# Navigate to service directory
cd Atlantis
# Start the service
docker-compose up -d
# Check service status
docker-compose ps
# View logs
docker-compose logs -f vaultwarden
```
## 🔧 Configuration
### Docker Compose Configuration
```yaml
container_name: Vaultwarden
cpu_shares: 1024
depends_on:
db:
condition: service_started
environment:
ADMIN_TOKEN: "REDACTED_TOKEN"
DATABASE_URL: postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden
DISABLE_ADMIN_TOKEN: false
DOMAIN: https://pw.vish.gg
ROCKET_PORT: 4020
SMTP_FROM: your-email@example.com
SMTP_HOST: smtp.gmail.com
SMTP_PASSWORD: "REDACTED_PASSWORD"
SMTP_PORT: 587
SMTP_SECURITY: starttls
SMTP_USERNAME: your-email@example.com
hostname: vaultwarden
image: vaultwarden/server:latest
mem_limit: 256m
mem_reservation: 96m
ports:
- 4080:4020
restart: on-failure:5
security_opt:
- no-new-privileges:true
user: 1026:100
volumes:
- /volume1/docker/vaultwarden/data:/data:rw
```
### Environment Variables
| Variable | Value | Description |
|----------|-------|-------------|
| `ROCKET_PORT` | `4020` | Configuration variable |
| `DATABASE_URL` | `postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden` | Database connection string |
| `ADMIN_TOKEN` | `***MASKED***` | Configuration variable |
| `DISABLE_ADMIN_TOKEN` | `***MASKED***` | Configuration variable |
| `DOMAIN` | `https://pw.vish.gg` | Service domain name |
| `SMTP_HOST` | `smtp.gmail.com` | Configuration variable |
| `SMTP_FROM` | `your-email@example.com` | Configuration variable |
| `SMTP_PORT` | `587` | Configuration variable |
| `SMTP_SECURITY` | `starttls` | Configuration variable |
| `SMTP_USERNAME` | `your-email@example.com` | Configuration variable |
| `SMTP_PASSWORD` | `***MASKED***` | Configuration variable |
### Port Mappings
| Host Port | Container Port | Protocol | Purpose |
|-----------|----------------|----------|----------|
| 4080 | 4020 | TCP | Service port |
### Volume Mappings
| Host Path | Container Path | Type | Purpose |
|-----------|----------------|------|----------|
| `/volume1/docker/vaultwarden/data` | `/data` | bind | Application data |
## 🌐 Access Information
Service ports: 4080:4020
## 🔐 SSO / Authentik Integration
Vaultwarden has SSO configured but local login is the primary method due to security key/2FA dependency.
| Setting | Value |
|---------|-------|
| **Authentik App Slug** | `vaultwarden` |
| **Authentik Provider PK** | `20` |
| **SSO Authority** | `https://sso.vish.gg/application/o/vaultwarden/` |
| **Redirect URI** | `https://pw.vish.gg/identity/connect/oidc-signin` |
### SSO Notes
- Requires `vaultwarden/server:testing` image (SSO not in `:latest`)
- `SSO_ONLY=false` — local login remains available
- `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` — required because Authentik sends `email_verified: False`
- Custom Authentik scope mapping `email_verified true` applied to this provider
- Login via `https://pw.vish.gg/#/sso` → enter any identifier (e.g. `vish`)
- **Recommended:** Use local login + security key for day-to-day access
### Status
- **SSO**: ✅ Working (added 2026-03-16)
- **Local Login**: ✅ Working (primary method)
- **2FA/Security Key**: ✅ Works with local login only
## 🔒 Security Considerations
- ✅ Security options configured
- ✅ Non-root user configured
- ✅ HTTPS via NPM reverse proxy (`pw.vish.gg`)
- ✅ SMTP configured (Gmail) for password reset emails
- 🔒 Admin panel: `https://pw.vish.gg/admin`
- 🔒 Regular database backups (pg_dump daily)
## 📊 Resource Requirements
No resource limits configured
### Recommended Resources
- **Minimum RAM**: 512MB
- **Recommended RAM**: 1GB+
- **CPU**: 1 core minimum
- **Storage**: Varies by usage
### Resource Monitoring
Monitor resource usage with:
```bash
docker stats
```
## 🔍 Health Monitoring
⚠️ No health check configured
Consider adding a health check:
```yaml
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:PORT/health"]
interval: 30s
timeout: 10s
retries: 3
```
### Manual Health Checks
```bash
# Check container health
docker inspect --format='{{.State.Health.Status}}' CONTAINER_NAME
# View health check logs
docker inspect --format='{{range .State.Health.Log}}{{.Output}}{{end}}' CONTAINER_NAME
```
## 🚨 Troubleshooting
### Common Issues
**Service won't start**
- Check Docker logs: `docker-compose logs service-name`
- Verify port availability: `netstat -tulpn | grep PORT`
- Check file permissions on mounted volumes
**Can't access web interface**
- Verify service is running: `docker-compose ps`
- Check firewall settings
- Confirm correct port mapping
**Performance issues**
- Monitor resource usage: `docker stats`
- Check available disk space: `df -h`
- Review service logs for errors
**Authentication issues**
- Verify credentials are correct
- Check LDAP/SSO configuration
- Review authentication logs
### Useful Commands
```bash
# Check service status
docker-compose ps
# View real-time logs
docker-compose logs -f vaultwarden
# Restart service
docker-compose restart vaultwarden
# Update service
docker-compose pull vaultwarden
docker-compose up -d vaultwarden
# Access service shell
docker-compose exec vaultwarden /bin/bash
# or
docker-compose exec vaultwarden /bin/sh
```
## 📚 Additional Resources
- **Official Documentation**: Check the official docs for vaultwarden
- **Docker Hub**: [vaultwarden/server:latest](https://hub.docker.com/r/vaultwarden/server:latest)
- **Community Forums**: Search for community discussions and solutions
- **GitHub Issues**: Check the project's GitHub for known issues
## 🔗 Related Services
Services REDACTED_APP_PASSWORD vaultwarden:
- Vaultwarden
- Authelia
- Pi-hole
- WireGuard
---
*This documentation is auto-generated from the Docker Compose configuration. For the most up-to-date information, refer to the official documentation and the actual compose file.*
**Last Updated**: 2026-03-16
**Configuration Source**: `hosts/synology/atlantis/vaultwarden.yaml`
Reference in New Issue View Git Blame Copy Permalink