How to install Vaultwarden from source

Introduction

Hello, and welcome to this tutorial on how to install Vaultwarden from source. In this tutorial, we will be installing Vaultwarden from source on a server running Debian 12 without the use of containerization (Docker/Docker-Compose).

What is Vaultwarden?

Vaultwarden is the unofficial open-source server implementation of the Bitwarden API written in Rust. It is compatible with Bitwarden clients and can be used as a replacement for the official Bitwarden server.

Prerequisites

This guide presumes that you have a server running Debian 12, and that you have root access to it. Debian derivatives like Ubuntu should work as well, but are out of scope for this tutorial.

This tutorial uses SQLite backend for Vaultwarden, but you can use MySQL/MariaDB or PostgreSQL as well. This tutorial also uses nginx as a reverse proxy for Vaultwarden, but you can use Apache or Caddy as well.

For example:

• Server running Debian 12
• A domain name pointing to your server's IP address

  Brokie's like me can use the reverse DNS hostname provided by Hetzner - static.<your-ip-in-reverse>.clients.your-server.de. To doublecheck, you can run traceroute <your-ip-address> on your server.

• Passwords to store, lol.

Step 1 - Installing Rust

In this step, we will install Rust to build Vaultwarden from source.

We will be using rustup to install Rust. This will also install cargo, the package manager for Rust.

# choose stable version and proceed with installation
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

Step 2 - Installing other dependencies to build Vaultwarden

In this step, we will install the other dependencies required to build Vaultwarden from source, such as build-essential, git, libssl-dev, pkg-config etc.

apt update && apt install -y build-essential git libssl-dev pkg-config libsqlite3-dev nginx certbot

Step 3 - Building Vaultwarden from source

In this step, we will build Vaultwarden from source.

mkdir ~/source && cd ~/source
git clone https://github.com/dani-garcia/vaultwarden.git # clones the repo
cd vaultwarden                                           # changes directory to vaultwarden
cargo build --features sqlite --release                  # builds vaultwarden with SQLite backend

Step 4 - Creating directories to store Vaultwarden data

In this step, we will create the directories to store Vaultwarden data, and download a .env file template.

mkdir -p /var/lib/vaultwarden && cd /var/lib/vaultwarden
mkdir -p data
wget https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/.env.template
mv .env.template .env

Step 4.1 - Downloading Vaultwarden's web vault

In this step, we will download "web-vault" to enable access to Vaultwarden via the web client.

If you do not need web-based access to Vaultwarden, you can skip this step.

Go to github.com/dani-garcia/bw_web_builds and grab the latest release of the web vault.

cd /var/lib/vaultwarden
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2023.12.0/bw_web_v2023.12.0.tar.gz
tar -xvf bw_web_v2023.12.0.tar.gz
rm bw_web_v2023.12.0.tar.gz

Step 4.2 - Configuring Vaultwarden

In this step, we will configure Vaultwarden by editing the .env file.

nano /var/lib/vaultwarden/.env

DATA_FOLDER=data
DATABASE_URL=data/db.sqlite3
PUSH_ENABLED=true
PUSH_INSTALLATION_ID=CHANGEME      # source this id from https://bitwarden.com/host
PUSH_INSTALLATION_KEY-CHANGEME     # source this key from https://bitwarden.com/host
LOG_FILE=data/vaultwarden.log
LOG_LEVEL=error
DOMAIN=https://static.<your-ip-in-reverse>.clients.your-server.de
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=8000
SMTP_HOST=smtp.domain.tld          # CHANGE THIS
SMTP_FROM=vaultwarden@domain.tld
SMTP_PORT=587
SMTP_SECURITY=starttls
SMTP_USERNAME=username
SMTP_PASSWORD=password
SMTP_TIMEOUT=15

Use the env above for a start and change the values as per your requirements. But I would recommend you to read the template file and change the values accordingly, as per your requirements.

Step 5 - Creating systemd service for Vaultwarden

In this step, we will create a systemd service for Vaultwarden, and change the directory permissions.

We will also move the binary to /usr/local/bin/, so that we can run it from anywhere.

cp ~/source/vaultwarden/target/release/vaultwarden /usr/local/bin/vaultwarden
chmod +x /usr/local/bin/vaultwarden
useradd -m -d /var/lib/vaultwarden vaultwarden
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden

You will probably get a warning that the home directory already exists and no file was copied from skel directory. You can ignore this warning and the user should be created. To check, you can use cat /etc/passwd.

Now that we have created a user for Vaultwarden, we will create a systemd service for Vaultwarden.

nano /etc/systemd/system/vaultwarden.service # use the configuration below
systemctl daemon-reload
systemctl enable vaultwarden
systemctl start vaultwarden

Configuration for /etc/systemd/system/vaultwarden.service:

[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden

After=network.target

[Service]
User=vaultwarden
Group=vaultwarden
ExecStart=/usr/local/bin/vaultwarden
LimitNOFILE=1048576
LimitNPROC=64
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
WorkingDirectory=/var/lib/vaultwarden
ReadWriteDirectories=/var/lib/vaultwarden
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Step 6 - Configuring nginx

In this step, we will configure nginx as a reverse proxy for Vaultwarden server and web vault.

cd /etc/nginx/sites-available
nano vaultwarden.conf          # use the configuration below
ln -s /etc/nginx/sites-available/vaultwarden.conf /etc/nginx/sites-enabled/vaultwarden.conf
nginx -t                       # check if the configuration is valid
certbot --nginx                # make sure to choose redirect to https option

Configuration for /etc/nginx/sites-available/vaultwarden.conf

# configuration adapted from GitHub repo.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:8000;
  keepalive 2;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

server {
    listen 80;
    server_name static.<your-ip-in-reverse>.clients.your-server.de;

    client_max_body_size 525M;

    location / {
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      proxy_pass http://vaultwarden-default;
    }

}

Step 7 - Configuring Hetzner Firewall to only allow access from your IP address

In this step, we will configure Hetzner Firewall to only allow access to Vaultwarden from your IP address.

Login to Hetzner Cloud Console and navigate to your project's page. Click on the Firewall tab, and click on the Add Firewall button. Give your firewall a name and add an inbound rule to allow access to Vaultwarden from your IP address.

Protocol should be TCP and port should be 443.

Apply it to your server, and you are done.

Conclusion

Congrats!

We have successfully installed Vaultwarden from source and configured it to run behind nginx as a reverse proxy.

You can now access Vaultwarden at https://static.<your-ip-in-reverse>.clients.your-server.de

License: MIT