Vaultwarden
🔴 Security Service
📋 Service Overview
| Property | Value |
|---|---|
| Service Name | vaultwarden |
| Host | Atlantis |
| Category | Security |
| Difficulty | 🔴 |
| Docker Image | vaultwarden/server:testing (SSO requires testing image) |
| Compose File | hosts/synology/atlantis/vaultwarden.yaml |
| Directory | hosts/synology/atlantis/ |
| External URL | https://pw.vish.gg |
🎯 Purpose
Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients.
🚀 Quick Start
Prerequisites
- Docker and Docker Compose installed
- Basic understanding of REDACTED_APP_PASSWORD
- Access to the host system (Atlantis)
Deployment
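```bash
# Navigate to the service directory (path from the Service Overview table)
cd hosts/synology/atlantis/
# Start the service (the compose file is not named docker-compose.yml, so pass it with -f)
docker-compose -f vaultwarden.yaml up -d
# Check service status
docker-compose -f vaultwarden.yaml ps
# View logs
docker-compose -f vaultwarden.yaml logs -f vaultwarden
```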
🔧 Configuration
Docker Compose Configuration
```yaml
container_name: Vaultwarden
cpu_shares: 1024
depends_on:
  db:
    condition: service_started
environment:
  ADMIN_TOKEN: "REDACTED_TOKEN"
  DATABASE_URL: postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden
  # Quoted so YAML passes a string rather than a boolean
  DISABLE_ADMIN_TOKEN: "false"
  DOMAIN: https://pw.vish.gg
  ROCKET_PORT: 4020
  SMTP_FROM: your-email@example.com
  SMTP_HOST: smtp.gmail.com
  SMTP_PASSWORD: "REDACTED_PASSWORD"
  SMTP_PORT: 587
  SMTP_SECURITY: starttls
  SMTP_USERNAME: your-email@example.com
hostname: vaultwarden
image: vaultwarden/server:latest
mem_limit: 256m
mem_reservation: 96m
ports:
  # host:container
  - 4080:4020
restart: on-failure:5
security_opt:
  - no-new-privileges:true
# Run as a non-root UID:GID
user: 1026:100
volumes:
  - /volume1/docker/vaultwarden/data:/data:rw
```
Environment Variables
| Variable | Value | Description |
|---|---|---|
| ROCKET_PORT | 4020 | Configuration variable |
| DATABASE_URL | postgresql://vaultwardenuser:REDACTED_PASSWORD@vaultwarden-db:5432/vaultwarden | Database connection string |
| ADMIN_TOKEN | ***MASKED*** | Configuration variable |
| DISABLE_ADMIN_TOKEN | ***MASKED*** | Configuration variable |
| DOMAIN | https://pw.vish.gg | Service domain name |
| SMTP_HOST | smtp.gmail.com | Configuration variable |
| SMTP_FROM | your-email@example.com | Configuration variable |
| SMTP_PORT | 587 | Configuration variable |
| SMTP_SECURITY | starttls | Configuration variable |
| SMTP_USERNAME | your-email@example.com | Configuration variable |
| SMTP_PASSWORD | ***MASKED*** | Configuration variable |
Port Mappings
| Host Port | Container Port | Protocol | Purpose |
|---|---|---|---|
| 4080 | 4020 | TCP | Service port |
Volume Mappings
| Host Path | Container Path | Type | Purpose |
|---|---|---|---|
| /volume1/docker/vaultwarden/data | /data | bind | Application data |
🌐 Access Information
Service ports: 4080:4020
🔐 SSO / Authentik Integration
Vaultwarden has SSO configured but local login is the primary method due to security key/2FA dependency.
| Setting | Value |
|---|---|
| Authentik App Slug | vaultwarden |
| Authentik Provider PK | 20 |
| SSO Authority | https://sso.vish.gg/application/o/vaultwarden/ |
| Redirect URI | https://pw.vish.gg/identity/connect/oidc-signin |
SSO Notes
- Requires `vaultwarden/server:testing` image (SSO not in `:latest`)
- `SSO_ONLY=false` — local login remains available
- `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true` — required because Authentik sends `email_verified: False`
- Custom Authentik scope mapping `email_verified true` applied to this provider
- Login via `https://pw.vish.gg/#/sso` → enter any identifier (e.g. `vish`)
- Recommended: Use local login + security key for day-to-day access
Status
- SSO: ✅ Working (added 2026-03-16)
- Local Login: ✅ Working (primary method)
- 2FA/Security Key: ✅ Works with local login only
🔒 Security Considerations
- ✅ Security options configured
- ✅ Non-root user configured
- ✅ HTTPS via NPM reverse proxy (`pw.vish.gg`)
- ✅ SMTP configured (Gmail) for password reset emails
- 🔒 Admin panel: `https://pw.vish.gg/admin`
- 🔒 Regular database backups (pg_dump daily)
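The settings listed in the SSO notes and the security checklist above can be checked mechanically. The following is an added example, not part of the generated documentation or of the Vaultwarden project: it audits one service object as emitted by `docker compose config --format json`. The sample input is constructed from the values on this page, with the `SSO_*` entries taken from the SSO notes; the Argon2 check relies on Vaultwarden accepting an Argon2 PHC string as `ADMIN_TOKEN`, which this page does not state.

```python
import json

# Constructed sample: one service as `docker compose config --format json` renders it,
# filled with the values shown on this page (secrets are placeholders).
SAMPLE = json.loads("""
{
  "image": "vaultwarden/server:latest",
  "user": "1026:100",
  "security_opt": ["no-new-privileges:true"],
  "environment": {
    "ADMIN_TOKEN": "REDACTED_TOKEN",
    "DISABLE_ADMIN_TOKEN": "false",
    "DOMAIN": "https://pw.vish.gg",
    "SSO_ONLY": "false",
    "SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION": "true"
  }
}
""")


def audit(service):
    """Return (check_id, message) findings for a Vaultwarden compose service."""
    env = {k: str(v) for k, v in service.get("environment", {}).items()}
    findings = []
    tag = service.get("image", "").rpartition(":")[2]
    if any(k.startswith("SSO_") for k in env) and tag != "testing":
        findings.append(("image-tag", f"SSO_* set but image tag is '{tag}', not 'testing'"))
    # Compose escapes '$' as '$$', so normalise before looking for an Argon2 PHC string.
    token = env.get("ADMIN_TOKEN", "").replace("$$", "$")
    if token and not token.startswith("$argon2"):
        findings.append(("admin-token", "ADMIN_TOKEN is not an Argon2 PHC hash"))
    if env.get("DISABLE_ADMIN_TOKEN", "false").lower() == "true":
        findings.append(("admin-open", "/admin is reachable without a token"))
    if env.get("SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION", "false").lower() == "true":
        findings.append(("email-claim", "SSO accepts identities lacking a verified-email claim"))
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append(("domain", "DOMAIN is not an https:// URL"))
    if "no-new-privileges:true" not in service.get("security_opt", []):
        findings.append(("privileges", "no-new-privileges is not set"))
    if service.get("user", "0").split(":")[0] in ("", "0", "root"):
        findings.append(("root-user", "container runs as root"))
    return findings


if __name__ == "__main__":
    for check, message in audit(SAMPLE):
        print(f"[{check}] {message}")
```

The `email-claim` finding is worth revisiting once the Authentik scope mapping described in the SSO notes is confirmed to send a verified-email claim, since the override may then no longer be needed.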
📊 Resource Requirements
No resource limits configured
Recommended Resources
- Minimum RAM: 512MB
- Recommended RAM: 1GB+
- CPU: 1 core minimum
- Storage: Varies by usage
Resource Monitoring
Monitor resource usage with:
```bash
docker stats
```
🔍 Health Monitoring
⚠️ No health check configured. Consider adding a health check:
```yaml
healthcheck:
  # 4020 is ROCKET_PORT from the compose file; /alive is Vaultwarden's liveness endpoint
  test: ["CMD", "curl", "-f", "http://localhost:4020/alive"]
  interval: 30s
  timeout: 10s
  retries: 3
```
Manual Health Checks
```bash
# Check container health
docker inspect --format='{{.State.Health.Status}}' CONTAINER_NAME
# View health check logs
docker inspect --format='{{range .State.Health.Log}}{{.Output}}{{end}}' CONTAINER_NAME
```
🚨 Troubleshooting
Common Issues
Service won't start
- Check Docker logs: `docker-compose logs service-name`
- Verify port availability: `netstat -tulpn | grep PORT`
- Check file permissions on mounted volumes
Can't access web interface
- Verify service is running: `docker-compose ps`
- Check firewall settings
- Confirm correct port mapping
Performance issues
- Monitor resource usage: `docker stats`
- Check available disk space: `df -h`
- Review service logs for errors
Authentication issues
- Verify credentials are correct
- Check LDAP/SSO configuration
- Review authentication logs
Useful Commands
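```bash
# Run from hosts/synology/atlantis/; the compose file is passed with -f
# Check service status
docker-compose -f vaultwarden.yaml ps
# View real-time logs
docker-compose -f vaultwarden.yaml logs -f vaultwarden
# Restart service
docker-compose -f vaultwarden.yaml restart vaultwarden
# Update service
docker-compose -f vaultwarden.yaml pull vaultwarden
docker-compose -f vaultwarden.yaml up -d vaultwarden
# Access service shell
docker-compose -f vaultwarden.yaml exec vaultwarden /bin/bash
# or
docker-compose -f vaultwarden.yaml exec vaultwarden /bin/sh
```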
📚 Additional Resources
- Official Documentation: Check the official docs for vaultwarden
- Docker Hub: vaultwarden/server:latest
- Community Forums: Search for community discussions and solutions
- GitHub Issues: Check the project's GitHub for known issues
🔗 Related Services
Services REDACTED_APP_PASSWORD vaultwarden:
- Vaultwarden
- Authelia
- Pi-hole
- WireGuard
This documentation is auto-generated from the Docker Compose configuration. For the most up-to-date information, refer to the official documentation and the actual compose file.
Last Updated: 2026-03-16
Configuration Source: hosts/synology/atlantis/vaultwarden.yaml