
README.org


Nginx Setup

Certginx is used for simplicity.

Copy nginx.conf to ./nginx/conf.d/subdomain.domain.com.conf in the Certginx directory.

Then follow the steps here.

Optional Configuration

You can protect the admin panel with HTTP Basic Authentication credentials. If you do not want this NGINX protection, remove the last block (`location /admin`) from your nginx configuration; if the block stays in place without an htpasswd file, you will not be able to access the admin panel.

To generate your htpasswd user:

htpasswd -c nginx/htpasswd/.htpasswd your_username

Add this volume to docker-compose.yml so that NGINX can read your htpasswd users.

- ./nginx/htpasswd:/etc/nginx/htpasswd

Docker Setup

User Configuration

Match the container user with your own UID and GID.

Environment Variables

Environment variables are in data/docker-config.env.

Full documentation [here](https://github.com/dani-garcia/vaultwarden/blob/main/.env.template).

Docker Backup

Share

Create the shared directory.

mkdir /home/vaultwarden-shared

Add the shared group.

addgroup vaultwarden-shared

Update the permissions of the shared directory for the group.

chown :vaultwarden-shared /home/vaultwarden-shared

Add the users to the shared group (repeat this for each additional user).

usermod -aG vaultwarden-shared vaultwarden

Update the permissions of the shared directory (the sticky bit keeps members from deleting each other's files).

chmod 1770 /home/vaultwarden-shared

Sharing the Dump

Update the group of the file.

chown :vaultwarden-shared /path/to/your/dumps.zip

Copy the file to your shared directory.

cp /home/vaultwarden/backups/* /home/vaultwarden-shared

Script

The script below automates the dump: it stops the container, copies the data, archives it, encrypts the archive with GPG for each recipient, and moves only the encrypted files into the shared directory.

#!/bin/bash
# Recipients; their public keys must already be imported into this user's GPG keyring.
GPG_EMAILS=(
    "example1@mail.net"
    "example2@mail.net"
)

DATA_DIR="/home/vaultwarden/vaultwarden/data"
SHARE_DIR="/home/vaultwarden-shared"
TAR_BACKUP_DIR="/home/vaultwarden/backups"
BACKUP_DURATION_IN_DAYS=28

BACKUP_NAME="bitwarden-$(date '+%Y%m%d-%H%M').tar.xz"
DATA_TO_BACKUP=("db.sqlite3" "rsa_key.pem" "rsa_key.pub.pem" "config.json" "attachments" "sends")

# DO NOT CHANGE BELOW THIS LINE
# Always start from an empty staging directory.
rm -rf "${TAR_BACKUP_DIR}"
mkdir -p "${TAR_BACKUP_DIR}"

SCRIPT_FOLDER="$( cd "$(dirname "${0}")" >/dev/null 2>&1 ; pwd -P )"

# Stop the container so db.sqlite3 is not written to while it is copied.
cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose down || exit 1

# Optional items that do not exist yet (e.g. no attachments) are silently skipped.
for file in "${DATA_TO_BACKUP[@]}"; do
    cp -r "${DATA_DIR}/${file}" "${TAR_BACKUP_DIR}" 2>/dev/null
done

cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose up -d || exit 1

# Run tar from inside the staging directory so the archive holds relative paths.
cd "${TAR_BACKUP_DIR}" && \
    tar -Jcf "${TAR_BACKUP_DIR}/${BACKUP_NAME}" "${DATA_TO_BACKUP[@]}" 2>/dev/null

# One encrypted copy per recipient; the plaintext archive never enters the share.
for email in "${GPG_EMAILS[@]}"; do
    echo "[$(date '+%Y-%m-%d %H:%M')] Encrypting '${BACKUP_NAME}' for ${email}"
    gpg -r "${email}" -o "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" -e "${TAR_BACKUP_DIR}/${BACKUP_NAME}" || exit 1
    chown :vaultwarden-shared "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" || exit 1
done

# Leave the staging directory before deleting it together with the unencrypted archive.
cd / && rm -rf "${TAR_BACKUP_DIR}"

# Prune encrypted backups older than the retention period.
find "${SHARE_DIR}" -type f -mtime +"${BACKUP_DURATION_IN_DAYS}" -delete

for email in "${GPG_EMAILS[@]}"; do
    [ -f "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" ] \
        && echo "[$(date '+%Y-%m-%d %H:%M')] Success (${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg)" \
        || echo "[$(date '+%Y-%m-%d %H:%M')] Failed"
done

Automatic Backup

You can use cron (edit your crontab with `crontab -e`) to automate your backups. The example below runs two backups per day, one at midnight and one at noon, and appends the script output to a log file.

# m h  dom mon dow   command
0 0 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log
0 12 * * * ${HOME}/path_to_backup_script/backup.sh >> ${HOME}/path_to_backup_folder/backups.log

Security (fail2ban)

Add the following jails to /etc/fail2ban/jail.local. The action bans on the FORWARD chain because traffic to a Docker-published port is forwarded to the container and never passes through the INPUT chain that fail2ban uses by default, so the ban would otherwise not take effect.

[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
action = iptables-allports[name=vaultwarden, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 6
bantime = 30m
findtime = 10m

[vaultwarden-admin]
enabled = true
port = 80,443
filter = vaultwarden-admin
action = iptables-allports[name=vaultwarden-admin, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 2
bantime = 24h
findtime = 24h

Create /etc/fail2ban/filter.d/vaultwarden.local:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

Create /etc/fail2ban/filter.d/vaultwarden-admin.local:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
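To check what these two filters and jail settings actually ban, the following added example (not part of this repository) replays constructed vaultwarden-style log lines through the same failregex patterns and the maxretry/findtime rules from jail.local. It assumes a plain IPv4 address in place of fail2ban's `<ADDR>` and uses made-up sample log lines.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <ADDR> to an address matcher; a plain IPv4 group is enough here (assumption).
ADDR = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# failregex lines from the two filter files above, with <ADDR> substituted
FILTERS = {
    "vaultwarden": re.compile(r"^.*Username or password is incorrect\. Try again\. IP: " + ADDR + r"\. Username:.*$"),
    "vaultwarden-admin": re.compile(r"^.*Invalid admin token\. IP: " + ADDR + r".*$"),
}
# (maxretry, findtime) per jail, as set in jail.local above
JAILS = {"vaultwarden": (6, timedelta(minutes=10)), "vaultwarden-admin": (2, timedelta(hours=24))}
TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")  # vaultwarden's leading timestamp

def bans(lines):
    """Return {jail: sorted IPs} for IPs that hit maxretry matches inside a sliding findtime window."""
    hits = {jail: {} for jail in JAILS}
    banned = {jail: set() for jail in JAILS}
    for line in lines:
        ts_m = TS.match(line)
        if not ts_m:
            continue  # fail2ban likewise ignores a line whose date it cannot parse
        ts = datetime.strptime(ts_m.group(1), "%Y-%m-%d %H:%M:%S")
        for jail, rx in FILTERS.items():
            m = rx.match(line)
            if not m:
                continue
            maxretry, findtime = JAILS[jail]
            ip = m.group("ip")
            window = [t for t in hits[jail].get(ip, []) if ts - t <= findtime] + [ts]
            hits[jail][ip] = window
            if len(window) >= maxretry:
                banned[jail].add(ip)
    return {jail: sorted(ips) for jail, ips in banned.items()}

# Constructed sample log lines in vaultwarden's format (not captured from a real instance).
def _login_fail(ts, ip):
    return f"[{ts}][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: {ip}. Username: alice@example.net."

def _admin_fail(ts, ip):
    return f"[{ts}][vaultwarden::api::admin][ERROR] Invalid admin token. IP: {ip}."

SAMPLE_LOG = (
    [_login_fail(f"2024-01-01 10:0{i}:00.000", "203.0.113.5") for i in range(6)]        # 6 failures in 5 min: banned
    + [_login_fail(f"2024-01-01 {10 + i}:00:00.000", "198.51.100.7") for i in range(6)]  # 6 failures over 5 h: not banned
    + [_admin_fail("2024-01-01 12:00:00.000", "192.0.2.9"), _admin_fail("2024-01-01 20:00:00.000", "192.0.2.9")]
    + [_admin_fail("2024-01-01 13:00:00.000", "203.0.113.5")]  # a single admin failure stays under maxretry=2
)
```

`bans(SAMPLE_LOG)` shows that slow, spread-out login failures stay under the 10-minute findtime while two bad admin tokens in a day are enough for the stricter admin jail.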

Documentation

HTTP Basic Authentication

More information about HTTP Basic Authentication