wiki: add Vaultwarden article to privacy-security section
Add 03-opensource/privacy-security/vaultwarden.md covering deployment with Docker Compose, Caddy reverse proxy, client setup, access model via Tailscale, and SQLite backup. Remove KeePassXC from backlog. Article count: 31 → 32. Open source section: 4 → 5. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
95
03-opensource/privacy-security/vaultwarden.md
Normal file
95
03-opensource/privacy-security/vaultwarden.md
Normal file
@@ -0,0 +1,95 @@
|
||||
# Vaultwarden — Self-Hosted Password Manager
|
||||
|
||||
## Problem
|
||||
|
||||
Password managers are a necessity, but handing your credentials to a third-party cloud service is a trust problem. Bitwarden is open source and privacy-respecting, but if you're already running a homelab, there's no reason to depend on their servers.
|
||||
|
||||
## Solution
|
||||
|
||||
[Vaultwarden](https://github.com/dani-garcia/vaultwarden) is an unofficial, lightweight Bitwarden-compatible server written in Rust. It exposes the same API that all official Bitwarden clients speak — desktop apps, browser extensions, mobile apps — so you get the full Bitwarden UX pointed at your own hardware.
|
||||
|
||||
Your passwords never leave your network.
|
||||
|
||||
---
|
||||
|
||||
## Deployment (Docker + Caddy)
|
||||
|
||||
### docker-compose.yml
|
||||
|
||||
```yaml
|
||||
services:
|
||||
vaultwarden:
|
||||
image: vaultwarden/server:latest
|
||||
container_name: vaultwarden
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- DOMAIN=https://vault.yourdomain.com
|
||||
- SIGNUPS_ALLOWED=false # disable after creating your account
|
||||
volumes:
|
||||
- ./vw-data:/data
|
||||
ports:
|
||||
- "8080:80"
|
||||
```
|
||||
|
||||
Start it:
|
||||
|
||||
```bash
|
||||
sudo docker compose up -d
|
||||
```
|
||||
|
||||
### Caddy reverse proxy
|
||||
|
||||
```
|
||||
vault.yourdomain.com {
|
||||
reverse_proxy localhost:8080
|
||||
}
|
||||
```
|
||||
|
||||
Caddy handles TLS automatically. No extra cert config needed.
|
||||
|
||||
---
|
||||
|
||||
## Initial Setup
|
||||
|
||||
1. Browse to `https://vault.yourdomain.com` and create your account
|
||||
2. Set `SIGNUPS_ALLOWED=false` in the compose file and restart the container
|
||||
3. Install any official Bitwarden client (browser extension, desktop, mobile)
|
||||
4. In the client, set the **Server URL** to `https://vault.yourdomain.com` before logging in
|
||||
|
||||
That's it. The client has no idea it's not talking to Bitwarden's servers.
|
||||
|
||||
---
|
||||
|
||||
## Access Model
|
||||
|
||||
On MajorInfrastructure, Vaultwarden runs on **majorlab** and is accessible:
|
||||
|
||||
- **Internally** — via Caddy on the local network
|
||||
- **Remotely** — via Tailscale; vault is reachable from any device on the tailnet without exposing it to the public internet
|
||||
|
||||
This means the Caddy vhost does not need to be publicly routable. You can choose to expose it publicly (Let's Encrypt works fine) or keep it Tailscale-only.
|
||||
|
||||
---
|
||||
|
||||
## Backup
|
||||
|
||||
Vaultwarden stores everything in a single SQLite database at `./vw-data/db.sqlite3`. Back it up like any file:
|
||||
|
||||
```bash
|
||||
# Simple copy (stop container first for consistency, or use sqlite backup mode)
|
||||
sqlite3 /path/to/vw-data/db.sqlite3 ".backup '/path/to/backup/vw-backup-$(date +%F).sqlite3'"
|
||||
```
|
||||
|
||||
Or include the `vw-data/` directory in your regular rsync backup run.
|
||||
|
||||
---
|
||||
|
||||
## Why Not Bitwarden (Official)?
|
||||
|
||||
The official Bitwarden server is also open source but requires significantly more resources (multiple services, SQL Server). Vaultwarden runs in a single container on minimal RAM and handles everything a personal or family vault needs.
|
||||
|
||||
---
|
||||
|
||||
## Tags
|
||||
|
||||
#vaultwarden #bitwarden #passwords #privacy #self-hosting #docker #linux
|
||||
Reference in New Issue
Block a user