@martignoni
Forked from avoidik/README.md
Last active January 30, 2022 15:48
Compile vaultwarden (ex. bitwarden_rs) on Raspberry Pi

How to build and install vaultwarden (ex. bitwarden_rs) on Raspberry Pi

See also: https://github.com/negbie/vaultwarden-rpi.

Steps

Prepare prerequisites

sudo apt-get update
sudo apt-get install -y --no-install-recommends git libssl-dev pkgconf

For MariaDB and postgresQL support, use

sudo apt-get install -y --no-install-recommends git libssl-dev pkgconf libmariadb-dev-compat libpq-dev

Clone repository

git clone https://github.com/dani-garcia/vaultwarden
cd vaultwarden
# replace the tag in the `checkout` command below with the latest vaultwarden release tag
git checkout refs/tags/1.23.1
curl https://sh.rustup.rs -sSf | sh -s -- --profile minimal --default-toolchain $(cat ./rust-toolchain) -y
# press enter if asked for installation options
source $HOME/.cargo/env

Build or clean up the crates cache

This will take up to 10 minutes. Be patient!

cargo install cargo-cache
cargo cache -a

Configure build profile

rm ~/.cargo/config
echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config
echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config

Test & compile

This will take some time. Be patient! On a Raspberry Pi 4B,

  • first command takes around 20 minutes, and
  • second one takes a bit more than 5 minutes.

For sqlite support only, use

cargo test --features "sqlite" --target=armv7-unknown-linux-gnueabihf --release
cargo build --features "sqlite" --target=armv7-unknown-linux-gnueabihf --release

For more storage backends, use e.g.

cargo test --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --release
cargo build --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --release

Add service user & group

sudo mkdir -p /opt/vaultwarden
sudo addgroup --system vaultwarden
sudo adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden

Copy artifacts

If you have vaultwarden service already running, stop it first

sudo systemctl stop vaultwarden.service
# ls -la target/armv7-unknown-linux-gnueabihf/release/
sudo mkdir -p /opt/vaultwarden/{bin,data}
sudo cp target/armv7-unknown-linux-gnueabihf/release/vaultwarden /opt/vaultwarden/bin/

Download web-vault

If you're doing an in-place upgrade, delete the previous web-vault folder first (uncomment the first two commented lines).

# sudo systemctl stop vaultwarden.service
# sudo rm -rf /opt/vaultwarden/web-vault/
curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/v2.25.1/bw_web_v2.25.1.tar.gz
sudo tar -zxf bw_web_v2.25.1.tar.gz -C /opt/vaultwarden/
rm -f bw_web_v2.25.1.tar.gz
# sudo systemctl start vaultwarden.service

Create systemd configuration

Create or replace the /opt/vaultwarden/.env file.

See the env.template configuration file in the repository for all available settings.

Generate your own ADMIN_TOKEN with the openssl rand -base64 48 command and assign it to the vaultwarden_admin_token shell variable first; the unquoted heredoc below expands ${vaultwarden_admin_token} into the file.

sudo tee /opt/vaultwarden/.env > /dev/null <<EOF
DATA_FOLDER=/opt/vaultwarden/data/
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ROCKET_ENV=staging
ROCKET_ADDRESS=192.168.1.160
ROCKET_PORT=8000
ROCKET_TLS={certs="/opt/vaultwarden/cert/rocket.pem",key="/opt/vaultwarden/cert/rocket-key.pem"}
ADMIN_TOKEN=${vaultwarden_admin_token}
DISABLE_ADMIN_TOKEN=false
INVITATIONS_ALLOWED=false
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=192.168.1.160
WEBSOCKET_PORT=3012
IP_HEADER=none
ORG_CREATION_USERS=local@admin
DOMAIN=https://192.168.1.160:8000
SHOW_PASSWORD_HINT=false
ICON_CACHE_TTL=86400
DISABLE_ICON_DOWNLOAD=true
ICON_BLACKLIST_NON_GLOBAL_IPS=true
SIGNUPS_ALLOWED=false
EOF

You may want to disable favicons

ICON_CACHE_TTL=0
DISABLE_ICON_DOWNLOAD=false

I do not recommend setting ENABLE_DB_WAL to false on SQLite databases. You can check the active journal mode with:

sudo -u vaultwarden sqlite3 /opt/vaultwarden/data/db.sqlite3 'PRAGMA journal_mode'

It should return wal when Write-Ahead Logging is enabled (the default when ENABLE_DB_WAL is not set).

Set permissions

sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/
sudo chown root:root /opt/vaultwarden/bin/vaultwarden
sudo chmod +x /opt/vaultwarden/bin/vaultwarden
sudo chown -R root:root /opt/vaultwarden/web-vault/
sudo chmod +r /opt/vaultwarden/.env
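The ownership and mode bits above are what keep the service account from replacing the binary that systemd executes and what keep ADMIN_TOKEN (stored in .env) away from other local users. The following audit script is an added example, not part of the original gist: it checks those properties on an install tree and prints every deviation. It assumes GNU coreutils stat (Linux) and takes the base directory, the expected owner of the binary and the service user as arguments. Note that chmod +r as used above leaves .env world-readable under the usual 022 umask; the script flags that, and chmod 640 would keep the file readable by the service account only.

```shell
#!/bin/sh
# Added example (not part of the original gist): audit the permissions of a
# vaultwarden install tree. Assumes GNU coreutils `stat` (Linux).
#
#   check_vaultwarden_perms BASE_DIR BIN_OWNER SERVICE_USER
#
# Returns 0 when every check passes, 1 otherwise; each failed check is printed.

# mode_of FILE -> last three octal digits of its mode, e.g. 640
mode_of() {
  m=$(stat -c %a "$1") || return 1
  printf '%s\n' "${m#${m%???}}"
}

# owner_of FILE -> owning user name
owner_of() { stat -c %U "$1"; }

# has_write DIGIT -> true if an octal permission digit includes the write bit
has_write() { case "$1" in 2|3|6|7) return 0;; *) return 1;; esac; }

# has_read DIGIT -> true if an octal permission digit includes the read bit
has_read() { case "$1" in 4|5|6|7) return 0;; *) return 1;; esac; }

check_vaultwarden_perms() {
  base="$1"; bin_owner="$2"; svc_user="$3"; rc=0

  # The binary systemd executes must belong to the privileged account and must
  # not be writable by group or other, so the service account cannot replace it.
  f="$base/bin/vaultwarden"
  if [ "$(owner_of "$f")" != "$bin_owner" ]; then
    echo "FAIL: $f is owned by $(owner_of "$f"), expected $bin_owner"; rc=1
  fi
  m=$(mode_of "$f"); g=${m%?}; g=${g#?}; o=${m#??}
  if has_write "$g" || has_write "$o"; then
    echo "FAIL: $f is writable by group/other (mode $m)"; rc=1
  fi

  # .env carries ADMIN_TOKEN and the TLS key path: it must not be readable by "other".
  f="$base/.env"
  m=$(mode_of "$f"); o=${m#??}
  if has_read "$o"; then
    echo "FAIL: $f is world-readable (mode $m)"; rc=1
  fi

  # The data directory is the only place the service needs to write, and it
  # belongs to the service user; it must not be open to everyone.
  d="$base/data"
  if [ "$(owner_of "$d")" != "$svc_user" ]; then
    echo "FAIL: $d is owned by $(owner_of "$d"), expected $svc_user"; rc=1
  fi
  m=$(mode_of "$d"); o=${m#??}
  if has_write "$o"; then
    echo "FAIL: $d is world-writable (mode $m)"; rc=1
  fi

  return "$rc"
}

# Usage on the install from this gist:
#   sh audit_perms.sh /opt/vaultwarden root vaultwarden
if [ $# -eq 3 ]; then check_vaultwarden_perms "$1" "$2" "$3"; fi
```

Run it after the chown/chmod steps and again after every upgrade, since copying a new binary or re-running tee on .env resets the bits.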

Enable TLS

Don't forget to replace example.org and 1.2.3.4 below with your own hostname and IP!

sudo curl -fsSL https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-arm -o /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
sudo mkcert -install
sudo update-ca-certificates
sudo mkdir /opt/vaultwarden/cert
sudo mkcert -cert-file /opt/vaultwarden/cert/rocket.pem -key-file /opt/vaultwarden/cert/rocket-key.pem example.org 1.2.3.4
sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/cert
sudo openssl verify -verbose -CAfile /root/.local/share/mkcert/rootCA.pem /opt/vaultwarden/cert/rocket.pem

The CA created by the mkcert tool is self-signed, so its certificate must be imported into the trust store of every client system. Print its location with:

sudo mkcert -CAROOT
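The openssl verify step above only proves the certificate chains to the mkcert root. Before pointing ROCKET_TLS at the files it is also worth confirming that the key actually belongs to the certificate, that the hostname or IP you will put in DOMAIN is in the subjectAltName list, and that the certificate is not about to expire. The script below is an added example, not part of the original gist or of mkcert; it assumes OpenSSL 1.1.1 or newer on PATH and takes the certificate path, key path and expected host as arguments.

```shell
#!/bin/sh
# Added example (not part of the original gist): sanity-check the certificate
# and key that ROCKET_TLS points at before starting the service. Assumes
# OpenSSL 1.1.1 or newer on PATH.
#
#   check_tls_pair CERT_PEM KEY_PEM HOST
#
# Returns 0 when the key matches the certificate, HOST appears in the SAN list
# (as a DNS name or IP address) and the certificate is valid for at least 30
# more days; prints a reason and returns 1 otherwise.

# san_entries CERT -> one SAN entry per line, e.g. "DNS:example.org"
san_entries() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# san_has CERT HOST -> true if HOST is listed as a DNS name or IP address
san_has() {
  san_entries "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# key_matches CERT KEY -> true if the key's public half equals the cert's public key
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

check_tls_pair() {
  cert="$1"; key="$2"; host="$3"
  if ! key_matches "$cert" "$key"; then
    echo "FAIL: $key does not match $cert"; return 1
  fi
  if ! san_has "$cert" "$host"; then
    echo "FAIL: $host is not in the subjectAltName of $cert"; return 1
  fi
  # -checkend N fails when the certificate expires within N seconds (30 days here)
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: $cert expires within 30 days"; return 1
  fi
  return 0
}

# Usage on the install from this gist (host must match DOMAIN in .env):
#   sh check_tls.sh /opt/vaultwarden/cert/rocket.pem /opt/vaultwarden/cert/rocket-key.pem 192.168.1.160
if [ $# -eq 3 ]; then check_tls_pair "$1" "$2" "$3"; fi
```

Because the hostname check is exact (no wildcard handling), pass the same value you will use in DOMAIN; a certificate issued for example.org will not satisfy a check for 192.168.1.160.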

Create systemd service

Create the /etc/systemd/system/vaultwarden.service file (e.g. with sudo nano), or use the following command:

sudo tee /etc/systemd/system/vaultwarden.service > /dev/null <<EOF
[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target

[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=-/opt/vaultwarden/.env
ExecStart=/opt/vaultwarden/bin/vaultwarden
LimitNOFILE=65535
LimitNPROC=4096
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
DevicePolicy=closed
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
WorkingDirectory=/opt/vaultwarden
ReadWriteDirectories=/opt/vaultwarden/data
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF
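The sandboxing directives in the unit above (ProtectSystem=strict, ProtectHome, PrivateTmp, the kernel and namespace restrictions, and the single ReadWriteDirectories entry for the data folder) are easy to lose when the unit is later edited by hand. The linter below is an added example, not part of the original gist or of systemd: it parses the [Service] section of a unit file with plain sed and grep, checks that the service runs as a non-root user, that each of the hardening keys from the unit above is set to the value used there (yes/on/1 are treated as true, as systemd does), and that ReadWriteDirectories does not re-open the directory holding the ExecStart binary.

```shell
#!/bin/sh
# Added example (not part of the original gist): lint a vaultwarden systemd unit
# for the sandboxing settings the unit in this gist relies on. POSIX sh/sed/grep.
#
#   check_unit_hardening UNIT_FILE
#
# Returns 0 when [Service] runs as a non-root user and every expected hardening
# directive has the expected value; prints each deviation and returns 1 otherwise.

# service_value FILE KEY -> value of KEY inside the [Service] section ("" if unset)
service_value() {
  sed -n '/^\[Service\]/,/^\[/p' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

check_unit_hardening() {
  unit="$1"; rc=0

  user=$(service_value "$unit" User)
  if [ -z "$user" ] || [ "$user" = root ]; then
    echo "FAIL: User= must name an unprivileged account (got '${user:-unset}')"; rc=1
  fi

  # KEY=EXPECTED pairs mirroring the unit in this gist.
  for pair in ProtectSystem=strict ProtectHome=true PrivateTmp=true PrivateDevices=true \
              ProtectKernelModules=true ProtectKernelTunables=true ProtectControlGroups=true \
              RestrictNamespaces=true RestrictRealtime=true MemoryDenyWriteExecute=true \
              LockPersonality=true; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(service_value "$unit" "$key")
    case "$got" in yes|on|1) got=true;; no|off|0) got=false;; esac
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key=$want expected, got '${got:-unset}'"; rc=1
    fi
  done

  # With ProtectSystem=strict, ReadWriteDirectories is the only writable path;
  # it must not include the directory the binary is executed from.
  exec_line=$(service_value "$unit" ExecStart)
  bin=${exec_line%% *}; bin=${bin#[-+@:!]}
  bindir=$(dirname "$bin")
  for d in $(service_value "$unit" ReadWriteDirectories); do
    if [ "$d" = "$bindir" ]; then
      echo "FAIL: ReadWriteDirectories makes $bindir writable by the service"; rc=1
    fi
  done

  return "$rc"
}

# Usage on the install from this gist:
#   sh lint_unit.sh /etc/systemd/system/vaultwarden.service
if [ $# -eq 1 ]; then check_unit_hardening "$1"; fi
```

On a host with systemd available, systemd-analyze security vaultwarden.service gives a fuller score; this script is only the offline check for the specific settings the gist introduces.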

Enable systemd service

sudo systemctl daemon-reload
sudo systemctl enable vaultwarden.service
sudo systemctl start vaultwarden.service
sudo systemctl status vaultwarden.service

The End
