Vaultwarden Rootless Podman
System Info
Public IP Address: 192.227.abc.xyz
Private IP Address: 192.168.1.155
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ podman version
Version: 3.0.1
API Version: 3.0.0
Go Version: go1.15.15
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
Prepare working dir and files
$ mkdir -p ~/vw
$ mkdir -p ~/vw/vaultwarden-data
$ mkdir -p ~/vw/caddy-config
$ mkdir -p ~/vw/caddy-data
$ mkdir -p ~/vw/ssl # put your valid certificate and key here; the podman run below mounts this directory into the caddy container as /ssl
$ cd ~/vw
$ cat <<- EOF > ~/vw/Caddyfile
(access_log_stdout) {
    log {
        output stdout
        format json
    }
}

mysub.domain.tld {
    # own certificate and key, mounted from ~/vw/ssl
    tls /ssl/my-cert.pem /ssl/my-key.pem
    encode zstd gzip
    # vaultwarden is published on the host's private address, not on a podman network
    reverse_proxy 192.168.1.155:8080
    import access_log_stdout
    header {
        -Server
        -X-Powered-By
        X-Robots-Tag none
        # legacy header; current browsers ignore it
        X-XSS-Protection "1; mode=block"
        X-Frame-Options "SAMEORIGIN"
    }
}
EOF
$ cat << 'EOF' > ~/vw/.env
ROCKET_PORT=8080
DOMAIN=https://mysub.domain.tld
LOG_LEVEL=error
ORG_EVENTS_ENABLED=true
EVENTS_DAYS_RETAIN=7
# because I use the Cloudflare proxy. Vaultwarden uses this header as the client
# IP (rate limiting, logs), so it is only safe while Cloudflare is the only thing
# that can reach port 443 (see the firewall note at the end); otherwise a direct
# client can spoof it.
IP_HEADER=CF-Connecting-IP
SIGNUPS_ALLOWED=false
SIGNUPS_VERIFY=true
# addresses @domain.tld can still register even though SIGNUPS_ALLOWED=false;
# SIGNUPS_VERIFY=true makes them confirm the address first
SIGNUPS_DOMAINS_WHITELIST=domain.tld
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
# put the Argon2 PHC hash printed by `vaultwarden hash` here, not the plaintext
# token; the hash is full of '$' signs, which is why the heredoc delimiter above
# is quoted ('EOF'), so the shell writes it literally
ADMIN_TOKEN=your-admin-token-here
SMTP_HOST=your-smtp-host
SMTP_FROM=your-smtp-from-address
SMTP_FROM_NAME=your-smtp-from-name
SMTP_SECURITY=starttls
SMTP_PORT=587
SMTP_USERNAME=your-smtp-username
SMTP_PASSWORD=your-smtp-passwd
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
PUSH_ENABLED=true
PUSH_INSTALLATION_ID=your-push-id
PUSH_INSTALLATION_KEY=your-push-key
EOF
# this file holds the SMTP password and the admin token: keep it owner-only
$ chmod 600 ~/vw/.env
Final working dir structure
/home/sumar/vw
|-- .env
|-- Caddyfile
|-- caddy-config
|-- caddy-data
|-- ssl
| |-- my-cert.pem
| `-- my-key.pem
`-- vaultwarden-data
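Two things about the .env step deserve a worked demonstration: what an unquoted heredoc delimiter does to an Argon2 admin-token hash, and what to check in the finished file before the container ever reads it. The script below is an added example, not code from the post or from the Vaultwarden project; the PHC string in SAMPLE_HASH is constructed (random-looking salt and hash), the env file it writes is a cut-down version of the post's, and the check function encodes the settings the post itself chose (signups off, https DOMAIN, hashed admin token).

```shell
#!/bin/sh
# Added example, not part of the original post. Shows why the .env heredoc
# delimiter must be quoted once ADMIN_TOKEN holds an Argon2 PHC hash, writes
# the file with owner-only permissions, and reviews the result.
# SAMPLE_HASH is a constructed PHC-format string, not a real token.

SAMPLE_HASH='$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA'

# Unquoted delimiter, as in `cat << EOF`: the shell treats $argon2id, $v, $m,
# $c2Fs... and $aGFz... as parameter expansions and replaces each with "" (or
# with whatever such a variable happens to hold). What lands in the file is a
# mangled string that no longer starts with "$argon2", so it is not a hash.
admin_line_unquoted() {
	cat << EOF
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA
EOF
}

# Quoted delimiter, `cat << 'EOF'`: the body is written byte for byte.
admin_line_quoted() {
	cat << 'EOF'
ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA
EOF
}

# Write a minimal .env the safe way: created under umask 077 (mode 0600, it
# will hold SMTP credentials), quoted delimiter for the fixed part, and the
# token passed in as a parameter and appended with printf, also literally.
write_env_file() {
	out=$1
	token=$2
	(
		umask 077
		cat << 'EOF' > "$out"
ROCKET_PORT=8080
DOMAIN=https://mysub.domain.tld
SIGNUPS_ALLOWED=false
SIGNUPS_VERIFY=true
EOF
		printf 'ADMIN_TOKEN=%s\n' "$token" >> "$out"
	)
	chmod 600 "$out"   # in case the file already existed with a looser mode
}

# Review an env file before starting the container: owner-only permissions,
# hashed admin token, signups closed, https DOMAIN. Prints one line per
# failed check and returns 1 if anything failed.
check_env_file() {
	f=$1
	rc=0
	mode=$(stat -c '%a' "$f")   # GNU coreutils stat, as on Debian
	case "$mode" in
		600|400) ;;
		*) echo "$f: mode $mode, expected 600 (holds SMTP password and admin token)"; rc=1 ;;
	esac
	case "$(sed -n 's/^ADMIN_TOKEN=//p' "$f")" in
		'$argon2'*) ;;
		*) echo "$f: ADMIN_TOKEN is not an Argon2 PHC hash; generate one with 'vaultwarden hash'"; rc=1 ;;
	esac
	grep -qx 'SIGNUPS_ALLOWED=false' "$f" || { echo "$f: SIGNUPS_ALLOWED is not false"; rc=1; }
	grep -q '^DOMAIN=https://' "$f" || { echo "$f: DOMAIN must be the https:// URL clients use"; rc=1; }
	return "$rc"
}

# usage: write_env_file ~/vw/.env "$(vaultwarden hash output)" && check_env_file ~/vw/.env
```

Note that podman's --env-file passes values through without shell expansion, so the only place the '$' signs are at risk is the heredoc that creates the file; docker-compose users have the separate problem of having to double them as '$$'.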
Enable lingering so the user's services keep running even when the user is not logged in
$ sudo loginctl enable-linger $(id -u $(whoami))
Set the runtime dir and DBUS session address (needed for systemctl --user in shells without a logind session, e.g. after su)
$ echo 'export XDG_RUNTIME_DIR="/run/user/$(id -u)"' | tee -a ~/.profile
$ echo 'export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"' | tee -a ~/.profile
Allow the rootless container to bind ports 80 and 443. This is host-wide: afterwards any unprivileged process may bind ports 80 and up, so keep the value at the lowest port you need.
$ echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.d/99-sysctl.conf
$ sudo sysctl --system # unlike sysctl -p, this also loads /etc/sysctl.d/
Run vaultwarden container
$ podman run --detach --name vaultwarden \
    --publish 192.168.1.155:8080:8080 \
    --env-file=/home/sumar/vw/.env \
    --volume /home/sumar/vw/vaultwarden-data/:/data/:Z \
    vaultwarden/server:latest
Run caddy container
$ podman run --detach --name caddy \
    --publish 192.227.abc.xyz:80:80 \
    --publish 192.227.abc.xyz:443:443 \
    --volume /home/sumar/vw/Caddyfile:/etc/caddy/Caddyfile:Z \
    --volume /home/sumar/vw/ssl:/ssl:Z \
    --volume /home/sumar/vw/caddy-data:/data:Z \
    --volume /home/sumar/vw/caddy-config:/config:Z \
    caddy:2-alpine
Generate systemd service
$ podman generate systemd --new --name vaultwarden > container-vaultwarden.service
$ podman generate systemd --new --name caddy > container-caddy.service
$ mkdir -p ~/.config/systemd/user/
$ cp container-vaultwarden.service ~/.config/systemd/user/
$ cp container-caddy.service ~/.config/systemd/user/
Start and enable systemd service
$ systemctl --user daemon-reload
$ systemctl --user enable --now container-vaultwarden.service
$ systemctl --user enable --now container-caddy.service
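Once both units are up, it is worth confirming what the two --publish flags actually exposed: vaultwarden's 8080 is plaintext and should only ever be reachable on the LAN address that Caddy proxies to, and 80/443 should sit on the public address rather than a wildcard. The script below is an added example, not part of the post; it reads `ss -Hltn` output, uses the post's placeholder addresses, and the SAMPLE_OK / SAMPLE_BAD lines are constructed test input (SAMPLE_BAD is what a `--publish 8080:8080` without an address would produce).

```shell
#!/bin/sh
# Added example, not from the original post: audit the host's TCP listeners
# after the vaultwarden and caddy units are running. Rootless podman forwards
# published ports with a host-side process, so `ss -Hltn` shows them like any
# other listener. Addresses are the post's placeholders.

PUBLIC_IP=192.227.abc.xyz
LAN_IP=192.168.1.155

# audit_listeners reads `ss -Hltn` lines on stdin. 8080 must be bound to the
# LAN address only (plaintext backend, Caddy is its only client); 80 and 443
# must be bound to the public address, not a wildcard that would also answer
# on the LAN side. Prints one line per problem and returns 1 if any.
audit_listeners() {
	rc=0
	while read -r _state _recvq _sendq laddr _peer _rest; do
		addr=${laddr%:*}    # everything before the last ':'  (handles [::]:80 and *:80)
		port=${laddr##*:}   # everything after it
		case "$port" in
			8080)
				[ "$addr" = "$LAN_IP" ] ||
					{ echo "8080 listens on $addr; expected $LAN_IP only"; rc=1; } ;;
			80|443)
				case "$addr" in
					"$PUBLIC_IP") ;;
					0.0.0.0|'*'|'[::]')
						echo "$port listens on wildcard $addr; publish it on $PUBLIC_IP instead"; rc=1 ;;
					*)
						echo "$port listens on unexpected address $addr"; rc=1 ;;
				esac ;;
		esac
	done
	return "$rc"
}

# Constructed: what a correct deployment of the post's two podman run commands looks like
SAMPLE_OK='LISTEN 0 4096 192.168.1.155:8080 0.0.0.0:*
LISTEN 0 4096 192.227.abc.xyz:80 0.0.0.0:*
LISTEN 0 4096 192.227.abc.xyz:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed: --publish 8080:8080 with no address, and 443 on every interface
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 *:443 *:*'

# usage on the live host:  ss -Hltn | audit_listeners
```

On the post's setup the firewall is still what keeps other LAN hosts away from 8080; this check only tells you whether the port was published more widely than intended.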
Important: do not forget to set up the firewall; for an example, see: UFW Allow HTTP HTTPS From Cloudflare IP Address. This matters twice here: IP_HEADER=CF-Connecting-IP is only trustworthy while Cloudflare is the only thing that can reach ports 80 and 443, and port 8080 on 192.168.1.155 carries plaintext and is reachable from the whole LAN.
Note: why not use a podman network? Because rootless podman networking is buggy; it often fails with "error joining network namespace for container".