@vsajip
Forked from avoidik/README.md
Created March 23, 2022 09:04
Compile vaultwarden (ex. bitwarden_rs) on Raspberry Pi

How to build and install vaultwarden (ex. bitwarden_rs) on Raspberry Pi

Steps

Prepare prerequisites

sudo apt-get update
sudo apt-get install -y --no-install-recommends build-essential libmariadb-dev-compat libpq-dev libssl-dev pkgconf

Clone repository

git clone https://github.com/dani-garcia/vaultwarden
cd vaultwarden
git checkout refs/tags/1.23.1
curl https://sh.rustup.rs -sSf | sh -s -- --profile minimal --default-toolchain $(cat ./rust-toolchain)
# press Enter to accept the default installation options if prompted

Optionally, if you are updating an existing Rust toolchain, you may need to clean up the crates cache first

cargo install cargo-cache
cargo cache -a

Configure build profile

echo '[target.armv7-unknown-linux-gnueabihf]' >> ~/.cargo/config
echo 'linker = "arm-linux-gnueabihf-gcc"' >> ~/.cargo/config
echo 'rustflags = ["-L/usr/lib/arm-linux-gnueabihf"]' >> ~/.cargo/config

Test & compile

cargo test --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --release
cargo build --features "sqlite,mysql,postgresql" --target=armv7-unknown-linux-gnueabihf --release

Feel free to change the storage backend features according to your needs, for example

cargo build --features "sqlite" --target=armv7-unknown-linux-gnueabihf --release # for sqlite support only

Add service user & group

sudo addgroup --system vaultwarden
sudo adduser --system --home /opt/vaultwarden --shell /usr/sbin/nologin --no-create-home --gecos 'vaultwarden' --ingroup vaultwarden --disabled-login --disabled-password vaultwarden

Copy artifacts

If you already have the vaultwarden service running, stop it first

sudo systemctl stop vaultwarden.service
ls -la target/armv7-unknown-linux-gnueabihf/release/
sudo mkdir -p /opt/vaultwarden/bin
sudo mkdir -p /opt/vaultwarden/data
sudo cp target/armv7-unknown-linux-gnueabihf/release/vaultwarden /opt/vaultwarden/bin/

Download web-vault

# sudo systemctl stop vaultwarden.service
# sudo rm -rf /opt/vaultwarden/web-vault/
curl -fsSLO https://github.com/dani-garcia/bw_web_builds/releases/download/v2.25.0/bw_web_v2.25.0.tar.gz
sudo tar -zxf bw_web_v2.25.0.tar.gz -C /opt/vaultwarden/
rm -f bw_web_v2.25.0.tar.gz
# sudo systemctl start vaultwarden.service

If you are doing an in-place upgrade, I suggest deleting the previous web-vault folder first (see the first two commented lines above).

Create systemd configuration

Create the /opt/vaultwarden/.env file

DATA_FOLDER=/opt/vaultwarden/data/
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true

Check all available settings in the env.template configuration file shipped with the repository

My full configuration file, for reference:
DATA_FOLDER=/opt/vaultwarden/data/
DATABASE_MAX_CONNS=10
WEB_VAULT_FOLDER=/opt/vaultwarden/web-vault/
WEB_VAULT_ENABLED=true
ROCKET_ENV=staging
ROCKET_ADDRESS=192.168.1.200
ROCKET_PORT=8000
ROCKET_TLS={certs="/opt/vaultwarden/cert/rocket.pem",key="/opt/vaultwarden/cert/rocket-key.pem"}
ADMIN_TOKEN=eGQfXCqESvdo4BrWhkYCOO61cMKbBb1vw2YktDgk1+n05iyZ7vLgKlr6hTtVQSt7
DISABLE_ADMIN_TOKEN=false
INVITATIONS_ALLOWED=false
WEBSOCKET_ENABLED=true
WEBSOCKET_ADDRESS=192.168.1.200
WEBSOCKET_PORT=3012
IP_HEADER=none
ORG_CREATION_USERS=local@admin
DOMAIN=https://192.168.1.200:8000
SHOW_PASSWORD_HINT=false
ICON_CACHE_TTL=86400
DISABLE_ICON_DOWNLOAD=true
ICON_BLACKLIST_NON_GLOBAL_IPS=true
HIBP_API_KEY=xxx
SIGNUPS_ALLOWED=false
SMTP_HOST=smtp.gmail.com
SMTP_FROM=xxx@gmail.com
SMTP_FROM_NAME=Vaultwarden
SMTP_PORT=587
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_USERNAME=xxx@gmail.com
SMTP_PASSWORD=xxx
SMTP_TIMEOUT=15
SMTP_AUTH_MECHANISM="Plain"
REQUIRE_DEVICE_EMAIL=false

Generate your own ADMIN_TOKEN with the openssl rand -base64 48 command

To use Gmail as the SMTP relay, enable access for less-secure apps in the Google account

You may want to disable favicons

ICON_CACHE_TTL=0
DISABLE_ICON_DOWNLOAD=false

I do not recommend setting ENABLE_DB_WAL to false on sqlite3 databases; you can check the active journal mode with:

sudo -u vaultwarden sqlite3 /opt/vaultwarden/data/db.sqlite3 'PRAGMA journal_mode'

It should return wal if Write-Ahead Logging is enabled (which is the default behavior when ENABLE_DB_WAL is not set)

Set permissions

sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/
sudo chown root:root /opt/vaultwarden/bin/vaultwarden
sudo chmod +x /opt/vaultwarden/bin/vaultwarden
sudo chown -R root:root /opt/vaultwarden/web-vault/
sudo chmod +r /opt/vaultwarden/.env
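The .env file above holds ADMIN_TOKEN, SMTP_PASSWORD and HIBP_API_KEY, and chmod +r makes it readable by every local account, so it is worth auditing before the service goes live. The following script is an added example (not part of the original gist or the vaultwarden project): it flags a world-readable .env, placeholder values left at xxx, an ADMIN_TOKEN shorter than what openssl rand -base64 48 produces, open registration, a disabled admin token and a missing ROCKET_TLS line. The thresholds and the choice of keys are assumptions for illustration; mode 640 with vaultwarden:vaultwarden ownership keeps the file readable by the service user only.

```shell
#!/bin/sh
# Added example (not part of the original gist): audit a vaultwarden .env
# file for loose permissions, leftover placeholders and weak settings.
# usage: sh audit_env.sh /opt/vaultwarden/.env

# Print one finding per line for the given .env file; succeed (exit 0)
# only when nothing was found.
audit_env() {
    file="$1"
    findings=0
    tls_seen=""

    # 1. Anyone who can read this file can administer the vault, so warn when
    #    the "other" read bit is set (chmod +r with umask 022 sets it).
    if [ -n "$(find "$file" -perm -o=r)" ]; then
        echo "WORLD_READABLE: $file is readable by other users; use chmod 640"
        findings=$((findings + 1))
    fi

    # 2. Walk KEY=VALUE lines, skipping comments and blanks.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            ADMIN_TOKEN)
                # openssl rand -base64 48 yields 64 characters; a short or
                # placeholder value means the template was left as-is.
                if [ "$value" = "xxx" ] || [ "${#value}" -lt 32 ]; then
                    echo "WEAK_ADMIN_TOKEN: generate one with openssl rand -base64 48"
                    findings=$((findings + 1))
                fi ;;
            SMTP_PASSWORD|HIBP_API_KEY)
                if [ "$value" = "xxx" ]; then
                    echo "PLACEHOLDER: $key still set to xxx"
                    findings=$((findings + 1))
                fi ;;
            SIGNUPS_ALLOWED|INVITATIONS_ALLOWED)
                # Open registration lets anyone reaching the port create an
                # account; both are normally false once your users exist.
                if [ "$value" = "true" ]; then
                    echo "OPEN_REGISTRATION: $key=true"
                    findings=$((findings + 1))
                fi ;;
            DISABLE_ADMIN_TOKEN)
                if [ "$value" = "true" ]; then
                    echo "ADMIN_UNAUTH: /admin reachable without a token"
                    findings=$((findings + 1))
                fi ;;
            ROCKET_TLS)
                tls_seen=1 ;;
        esac
    done < "$file"

    if [ -z "$tls_seen" ]; then
        echo "NO_TLS: ROCKET_TLS not set; the vault is served over plain HTTP"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_env "$1"
fi
```

The permission test uses find -perm -o=r rather than stat so it behaves the same on GNU and BSD userlands; the KEY=VALUE parser deliberately splits on the first = only, so a value such as the ROCKET_TLS map, which itself contains = characters, is kept intact.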

Create systemd service

Create the /etc/systemd/system/vaultwarden.service file (for example with sudo nano /etc/systemd/system/vaultwarden.service)

[Unit]
Description=Vaultwarden Server
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target

[Service]
User=vaultwarden
Group=vaultwarden
EnvironmentFile=-/opt/vaultwarden/.env
ExecStart=/opt/vaultwarden/bin/vaultwarden
LimitNOFILE=65535
LimitNPROC=4096
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
DevicePolicy=closed
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
WorkingDirectory=/opt/vaultwarden
ReadWriteDirectories=/opt/vaultwarden/data
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Enable systemd service

sudo systemctl daemon-reload
sudo systemctl enable vaultwarden.service
sudo systemctl start vaultwarden.service
sudo systemctl status vaultwarden.service

Unable to register the first account

What's happening? You cannot submit web forms over unencrypted HTTP connections; the solution is to enable TLS.

sudo curl -fsSL https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-arm -o /usr/local/bin/mkcert
sudo chmod +x /usr/local/bin/mkcert
sudo mkcert -install
sudo update-ca-certificates
sudo mkdir /opt/vaultwarden/cert
sudo mkcert -cert-file /opt/vaultwarden/cert/rocket.pem -key-file /opt/vaultwarden/cert/rocket-key.pem example.org 1.2.3.4 # change hostname and ip to yours
sudo chown -R vaultwarden:vaultwarden /opt/vaultwarden/cert
sudo openssl verify -verbose -CAfile ~/.local/share/mkcert/rootCA.pem /opt/vaultwarden/cert/rocket.pem

Add the following line into the /opt/vaultwarden/.env file

ROCKET_TLS={certs="/opt/vaultwarden/cert/rocket.pem",key="/opt/vaultwarden/cert/rocket-key.pem"}

Restart service

sudo systemctl restart vaultwarden.service
sudo systemctl status vaultwarden.service

The self-signed CA created by the mkcert tool requires you to import its CA certificate into the trust store of every client system; the directory holding rootCA.pem is printed by

sudo mkcert -CAROOT