majorlinux/MajorWiki
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94907817407996c7daf757f4fea2247350e06d92
MajorWiki/03-opensource/privacy-security/vaultwarden.md
MajorLinux 9490781740 wiki: remove Obsidian-style hashtag tags from 12 articles 
These #hashtag tag lines render as plain text on MkDocs. All articles
already have tags in YAML frontmatter, so the inline tags were redundant.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 11:03:28 -04:00

2.7 KiB
Raw Blame History

Vaultwarden — Self-Hosted Password Manager

Problem

Password managers are a necessity, but handing your credentials to a third-party cloud service is a trust problem. Bitwarden is open source and privacy-respecting, but if you're already running a homelab, there's no reason to depend on their servers.

Solution

Vaultwarden is an unofficial, lightweight Bitwarden-compatible server written in Rust. It exposes the same API that all official Bitwarden clients speak — desktop apps, browser extensions, mobile apps — so you get the full Bitwarden UX pointed at your own hardware.

Your passwords never leave your network.

Deployment (Docker + Caddy)

docker-compose.yml

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false   # disable after creating your account
    volumes:
      - ./vw-data:/data
    ports:
      - "8080:80"

Start it:

sudo docker compose up -d

Caddy reverse proxy

vault.yourdomain.com {
    reverse_proxy localhost:8080
}

Caddy handles TLS automatically. No extra cert config needed.

Initial Setup

  1. Browse to https://vault.yourdomain.com and create your account
  2. Set SIGNUPS_ALLOWED=false in the compose file and restart the container
  3. Install any official Bitwarden client (browser extension, desktop, mobile)
  4. In the client, set the Server URL to https://vault.yourdomain.com before logging in

That's it. The client has no idea it's not talking to Bitwarden's servers.

Access Model

On MajorInfrastructure, Vaultwarden runs on majorlab and is accessible:

  • Internally — via Caddy on the local network
  • Remotely — via Tailscale; vault is reachable from any device on the tailnet without exposing it to the public internet

This means the Caddy vhost does not need to be publicly routable. You can choose to expose it publicly (Let's Encrypt works fine) or keep it Tailscale-only.

Backup

Vaultwarden stores everything in a single SQLite database at ./vw-data/db.sqlite3. Back it up like any file:

# Simple copy (stop container first for consistency, or use sqlite backup mode)
sqlite3 /path/to/vw-data/db.sqlite3 ".backup '/path/to/backup/vw-backup-$(date +%F).sqlite3'"

Or include the vw-data/ directory in your regular rsync backup run.

Why Not Bitwarden (Official)?

The official Bitwarden server is also open source but requires significantly more resources (multiple services, SQL Server). Vaultwarden runs in a single container on minimal RAM and handles everything a personal or family vault needs.

Reference in New Issue View Git Blame Copy Permalink