MajorLinux
6592eb4fea
- Fixed 4 broken markdown links (bad relative paths in See Also sections) - Corrected n8n port binding to 127.0.0.1:5678 (matches actual deployment) - Updated SnapRAID article with actual majorhome paths (/majorRAID, disk1-3) - Converted 67 Obsidian wikilinks to relative markdown links or plain text - Added YAML frontmatter to 35 articles missing it entirely - Completed frontmatter on 8 articles with missing fields Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
3.0 KiB
title, domain, category, tags, status, created, updated
| title | domain | category | tags | status | created | updated | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Vaultwarden — Self-Hosted Password Manager | opensource | privacy-security |
|
published | 2026-04-02 | 2026-04-02 |
Vaultwarden — Self-Hosted Password Manager
Problem
Password managers are a necessity, but handing your credentials to a third-party cloud service is a trust problem. Bitwarden is open source and privacy-respecting, but if you're already running a homelab, there's no reason to depend on their servers.
Solution
Vaultwarden is an unofficial, lightweight Bitwarden-compatible server written in Rust. It exposes the same API that all official Bitwarden clients speak — desktop apps, browser extensions, mobile apps — so you get the full Bitwarden UX pointed at your own hardware.
Your passwords never leave your network.
Deployment (Docker + Caddy)
docker-compose.yml
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
- DOMAIN=https://vault.yourdomain.com
- SIGNUPS_ALLOWED=false # disable after creating your account
volumes:
- ./vw-data:/data
ports:
- "8080:80"
Start it:
sudo docker compose up -d
Caddy reverse proxy
vault.yourdomain.com {
reverse_proxy localhost:8080
}
Caddy handles TLS automatically. No extra cert config needed.
Initial Setup
- Browse to
https://vault.yourdomain.comand create your account - Set
SIGNUPS_ALLOWED=falsein the compose file and restart the container - Install any official Bitwarden client (browser extension, desktop, mobile)
- In the client, set the Server URL to
https://vault.yourdomain.combefore logging in
That's it. The client has no idea it's not talking to Bitwarden's servers.
Access Model
On MajorInfrastructure, Vaultwarden runs on majorlab and is accessible:
- Internally — via Caddy on the local network
- Remotely — via Tailscale; vault is reachable from any device on the tailnet without exposing it to the public internet
This means the Caddy vhost does not need to be publicly routable. You can choose to expose it publicly (Let's Encrypt works fine) or keep it Tailscale-only.
Backup
Vaultwarden stores everything in a single SQLite database at ./vw-data/db.sqlite3. Back it up like any file:
# Simple copy (stop container first for consistency, or use sqlite backup mode)
sqlite3 /path/to/vw-data/db.sqlite3 ".backup '/path/to/backup/vw-backup-$(date +%F).sqlite3'"
Or include the vw-data/ directory in your regular rsync backup run.
Why Not Bitwarden (Official)?
The official Bitwarden server is also open source but requires significantly more resources (multiple services, SQL Server). Vaultwarden runs in a single container on minimal RAM and handles everything a personal or family vault needs.