Best advise ever: make a backup before doing any operations described below
sudo apt-get update
sudo apt-get install -y --no-install-recommends build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconfIf you're going to compile ARMv8 binaries on RPi then install a compiler toolchain as follows
sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnugit clone https://github.com/dani-garcia/vaultwarden
cd vaultwarden
git checkout refs/tags/1.30.1 # check for latest available version on https://github.com/dani-garcia/vaultwarden/releases
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# press enter if asked for installation options, we are okay with the defaultsOptionally, if you're doing rust update you may need to clean up the crates cache first
cargo install cargo-cache --force
cargo cache -aCheck all available targets and pick one you are going to use from the list
rustup target listIn this example I am going to use armv7-unknown-linux-gnueabihf as the build target.
The rustup CLI tool has many targets already defined for you, and you should try to use them first. However, if something goes wrong you can always add your own target by using rustup target add ....
This is an example of ARMv7 profile
echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config
echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/configFor ARMv8 build you could try the following configuration
echo '[target.aarch64-unknown-linux-gnu]' >> ~/.cargo/config
echo 'linker = "aarch64-linux-gnu-gcc"' >> ~/.cargo/config
echo 'rustflags = ["-L/usr/lib/aarch64-linux-gnu"]' >> ~/.cargo/configAll paths here are relevant to Debian and Ubuntu based Linux OS
This process may take some time, be patient.
cargo test --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --release # optional
cargo build --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --releaseFeel free to change supported storage backends according to your needs, for example:
cargo build --features "sqlite" --target=armv7-unknown-linux-gnueabihf --release # for sqlite support onlyFor ARMv8 build set target to
aarch64-unknown-linux-gnu
sudo addgroup --system vaultwarden
sudo adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwardenIf you have vaultwarden service already running, stop it first (you did not forget to make a backup)
sudo systemctl stop vaultwarden.servicels -la target/armv7-unknown-linux-gnueabihf/release/
sudo mkdir -p /opt/vaultwarden/bin
sudo mkdir -p /opt/vaultwarden/data
sudo cp target/armv7-unknown-linux-gnueabihf/release/vaultwarden /opt/vaultwarden/bin/ARMv8 binary should be available in another folder
target/aarch64-unknown-linux-gnu/release/
If you have vaultwarden already running then I'd suggest to stop it and delete previous web-vault frontend installation first
sudo systemctl stop vaultwarden.service
sudo rm -rf /opt/vaultwarden/web-vault/After that proceed with the web-vault installation
curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/v2023.12.0/bw_web_v2023.12.0.tar.gz # check latest available version on https://github.com/dani-garcia/bw_web_builds/releases
sudo tar -zxf bw_web_v2023.12.0.tar.gz -C /opt/vaultwarden/
rm -f bw_web_v2023.12.0.tar.gzIf you have vaultwarden service already in place but stopped, then try to start it again
sudo systemctl start vaultwarden.serviceCreate /opt/vaultwarden/.env file
DATA_FOLDER=/opt/vaultwarden/data/
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
Check all available settings in env.template configuration file
Click to see my configuration file
DATA_FOLDER=/opt/vaultwarden/data/
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ROCKET_ENV=staging
ROCKET_ADDRESS=192.168.1.200
ROCKET_PORT=8000
ROCKET_TLS={certs="/opt/vaultwarden/cert/rocket.pem",key="/opt/vaultwarden/cert/rocket-key.pem"}
ADMIN_TOKEN=eGQfXCqESvdo4BrWhkYCOO61cMKbBb1vw2YktDgk1+n05iyZ7vLgKlr6hTtVQSt7
DISABLE_ADMIN_TOKEN=false
INVITATIONS_ALLOWED=false
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=192.168.1.200
WEBSOCKET_PORT=3012
IP_HEADER=none
ORG_CREATION_USERS=local@admin
DOMAIN=https://192.168.1.200:8000
SHOW_PASSWORD_HINT=false
ICON_CACHE_TTL=86400
DISABLE_ICON_DOWNLOAD=true
ICON_BLACKLIST_NON_GLOBAL_IPS=true
HIBP_API_KEY=xxx
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.gmail.com
SMTP_FROM=xxx@gmail.com
SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_USERNAME=xxx@gmail.com
SMTP_PASSWORD=xxx
SMTP_TIMEOUT=15
SMTP_AUTH_MECHANISM="Plain"
REQUIRE_DEVICE_EMAIL=false
Generate your own ADMIN_TOKEN using openssl rand -base64 48 command
Enable less-secure apps in Gmail to be able to use SMTP
You may want to disable favicons
ICON_CACHE_TTL=0
DISABLE_ICON_DOWNLOAD=false
I do not recommend setting ENABLE_DB_WAL to false on sqlite3 databases, you may check active mode using:
sudo -u vaultwarden sqlite3 /opt/vaultwarden/data/db.sqlite3 'PRAGMA journal_mode'It should return wal if Write-Ahead Logging was enabled (which is default behavior if ENABLE_DB_WAL was not set)
sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/
sudo chown root:root /opt/vaultwarden/bin/vaultwarden
sudo chmod +x /opt/vaultwarden/bin/vaultwarden
sudo chown -R root:root /opt/vaultwarden/web-vault/
sudo chmod +r /opt/vaultwarden/.envRun sudo nano /etc/systemd/system/vaultwarden.service to create a systemd service unit
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target
[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=-/opt/vaultwarden/.env
ExecStart=/opt/vaultwarden/bin/vaultwarden
LimitNOFILE=65535
LimitNPROC=4096
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
DevicePolicy=closed
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
WorkingDirectory=/opt/vaultwarden
ReadWriteDirectories=/opt/vaultwarden/data
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable vaultwarden.service
sudo systemctl start vaultwarden.service
sudo systemctl status vaultwarden.serviceIf for some reason the service has not started or status has errors then refer to logs for more details
journalctl -xeu vaultwarden.serviceWhat's happening? You cannot submit web-forms over un-encrypted HTTP connections, the solution is to enable TLS.
sudo curl -fsSL https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-arm -o /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
sudo mkcert -install
sudo update-ca-certificates
sudo mkdir /opt/vaultwarden/cert
sudo mkcert -cert-file /opt/vaultwarden/cert/rocket.pem -key-file /opt/vaultwarden/cert/rocket-key.pem example.org 1.2.3.4 # change hostname and ip to your own
sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/cert
sudo openssl verify -verbose -CAfile ~/.local/share/mkcert/rootCA.pem /opt/vaultwarden/cert/rocket.pemAdd the following line into the /opt/vaultwarden/.env file
ROCKET_TLS={certs="/opt/vaultwarden/cert/rocket.pem",key="/opt/vaultwarden/cert/rocket-key.pem"}
Restart the service
sudo systemctl restart vaultwarden.service
sudo systemctl status vaultwarden.serviceA self-signed CA certificate which is created by mkcert tool should be imported into the client's operating system trust store
sudo mkcert -CAROOT
Pi 4b is 64bit armv8