Mageas e78fa9e879
Fix: banaction was not working with docker
5 months ago


Nginx Setup

Certginx is used for simplicity.

Copy nginx.conf to ./nginx/conf.d/ in the Certginx directory.

Then follow the steps here.

Optional Configuration

You can add credentials to connect to the admin panel. If you don't want this NGINX protection, remove the last block (`location /admin`) from your nginx configuration, or you will not be able to access the admin panel.

To generate your htpasswd user (`-c` creates the file and overwrites an existing one, so omit it when adding more users):

htpasswd -c nginx/htpasswd/.htpasswd your_username

Add this volume entry to docker-compose.yml to use your htpasswd users.

- ./nginx/htpasswd:/etc/nginx/htpasswd

Docker Setup

User Configuration

Match the user with your UID and GID.

Environment Variables

Environment variables are in data/docker-config.env.

Full documentation [here](

Docker Backup


Create the shared directory.

mkdir /home/vaultwarden-shared

Add the shared group.

addgroup vaultwarden-shared

Update the permissions of the shared directory for the group.

chown :vaultwarden-shared /home/vaultwarden-shared

Add the users to the shared group (repeat this for the other user).

usermod -aG vaultwarden-shared vaultwarden

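Update the permissions of the shared directory (full access for owner and group only, with the sticky bit so that users cannot delete each other's files).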

chmod 1770 /home/vaultwarden-shared

Sharing the Dump

Change the group of the file to the shared group.

chown :vaultwarden-shared /path/to/your/

Copy the files to your shared directory.

cp /home/vaultwarden/backups/* /home/vaultwarden-shared


Automation: dump the data, encrypt the dumped file with gpg, then move the encrypted file to the shared directory.



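#!/bin/bash

# These settings are not shown on this page; the values are placeholders to adjust.
DATA_DIR="/path/to/vaultwarden/data"        # placeholder: Vaultwarden data directory
TAR_BACKUP_DIR="/path/to/temporary/backup"  # placeholder: staging directory, deleted at the end
SHARE_DIR="/home/vaultwarden-shared"        # shared directory created above
GPG_EMAILS=("user@example.com")             # placeholder: gpg recipients
BACKUP_DURATION_IN_DAYS=30                  # placeholder: days to keep old backups

BACKUP_NAME="bitwarden-$(date '+%Y%m%d-%H%M').tar.xz"
DATA_TO_BACKUP=("db.sqlite3" "rsa_key.pem" "" "config.json" "attachments" "sends")

# The staging directory holds unencrypted data, so keep it private.
mkdir -p "${TAR_BACKUP_DIR}" && chmod 700 "${TAR_BACKUP_DIR}" || exit 1

SCRIPT_FOLDER="$( cd "$(dirname "${0}")" >/dev/null 2>&1 ; pwd -P )"

# Stop the containers so the database is not written to during the copy.
cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose down || exit 1

for file in "${DATA_TO_BACKUP[@]}"; do
    [ -n "${file}" ] || continue  # skip the empty entry
    cp -r "${DATA_DIR}/${file}" "${TAR_BACKUP_DIR}" 2>/dev/null
done

cd "${SCRIPT_FOLDER}" && \
    /usr/local/bin/docker-compose up -d || exit 1

# Left unquoted so the empty entry is dropped; entries that do not exist are ignored.
cd "${TAR_BACKUP_DIR}" && \
    tar -Jcf "${TAR_BACKUP_DIR}/${BACKUP_NAME}" ${DATA_TO_BACKUP[@]} 2>/dev/null

# Encrypt one copy per recipient into the shared directory.
for email in "${GPG_EMAILS[@]}"; do
    echo "[$(date '+%Y-%m-%d %H:%M')] Encrypting '${BACKUP_NAME}' for ${email}"
    gpg -r "${email}" -o "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" -e "${TAR_BACKUP_DIR}/${BACKUP_NAME}" || exit 1
    chown :vaultwarden-shared "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" || exit 1
done

rm -rf "${TAR_BACKUP_DIR}"

# Delete encrypted backups older than the retention period.
find "${SHARE_DIR}" -type f -mtime +"${BACKUP_DURATION_IN_DAYS}" -delete

for email in "${GPG_EMAILS[@]}"; do
    [ -f "${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg" ] \
        && echo "[$(date '+%Y-%m-%d %H:%M')] Success (${SHARE_DIR}/${email}:${BACKUP_NAME}.gpg)" \
        || echo "[$(date '+%Y-%m-%d %H:%M')] Failed"
done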

Automatic Backup

You can use crontab with crontab -e to automate your backups. In the example below you have two backups per day, one at midnight and one at noon.

# m h  dom mon dow   command
0 0 * * * ${HOME}/path_to_backup_script/ >> ${HOME}/path_to_backup_folder/backups.log
0 12 * * * ${HOME}/path_to_backup_script/ >> ${HOME}/path_to_backup_folder/backups.log

Security (fail2ban)

Add to /etc/fail2ban/jail.local:

[vaultwarden]
enabled = true
port = 80,443,8081
filter = vaultwarden
action = iptables-allports[name=vaultwarden, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 6
bantime = 30m
findtime = 10m

[vaultwarden-admin]
enabled = true
port = 80,443
filter = vaultwarden-admin
action = iptables-allports[name=vaultwarden-admin, chain=FORWARD]
logpath = /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log
maxretry = 2
bantime = 24h
findtime = 24h

Create /etc/fail2ban/filter.d/vaultwarden.local:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

Create /etc/fail2ban/filter.d/vaultwarden-admin.local:

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
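
To check which addresses the two jails above would ban, the following added example (not part of the original README) replays constructed log lines through both failregex patterns with their maxretry and findtime settings, in Python because fail2ban's failregex uses Python regex syntax. The `ADDR` pattern is a simplified stand-in for fail2ban's `<ADDR>` tag, and the log line prefix and sample addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <ADDR> tag (IPv4 or IPv6 literal); an assumption.
ADDR = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]+)"
# failregex, maxretry and findtime copied from the jails and filters above.
JAILS = {
    "vaultwarden": {
        "failregex": r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$",
        "maxretry": 6, "findtime": timedelta(minutes=10)},
    "vaultwarden-admin": {
        "failregex": r"^.*Invalid admin token\. IP: <ADDR>.*$",
        "maxretry": 2, "findtime": timedelta(hours=24)},
}

def make_log(ts, msg):
    # Constructed log line; the "[timestamp][module][level]" prefix is an assumption.
    return f"[{ts}][vaultwarden::api][ERROR] {msg}"

def banned(lines):
    """Return {jail: set of IPs} that reach maxretry failures within findtime."""
    result = {}
    for jail, cfg in JAILS.items():
        rx = re.compile(cfg["failregex"].replace("<ADDR>", ADDR))
        hits, bans = {}, set()
        for line in lines:
            m = rx.search(line)
            if not m:
                continue
            when = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")
            times = hits.setdefault(m["ip"], [])
            times.append(when)
            # Keep only the failures inside the sliding findtime window.
            times[:] = [t for t in times if when - t <= cfg["findtime"]]
            if len(times) >= cfg["maxretry"]:
                bans.add(m["ip"])
        result[jail] = bans
    return result

# Constructed sample: a fast burst, a slow trickle, and two admin token failures.
SAMPLE = (
    [make_log(f"2024-01-01 10:0{i}:00", "Username or password is incorrect. Try again. "
              "IP: 203.0.113.5. Username: a@example.com.") for i in range(6)]
    + [make_log(f"2024-01-01 1{i}:00:00", "Username or password is incorrect. Try again. "
                "IP: 198.51.100.7. Username: b@example.com.") for i in range(6)]
    + [make_log(f"2024-01-01 0{h}:00:00", "Invalid admin token. IP: 2001:db8::1") for h in (1, 9)]
)

if __name__ == "__main__":
    print(banned(SAMPLE))
```

The address that fails once per hour is never banned because only one failure ever falls inside the 10 minute findtime. On a host with fail2ban installed, `fail2ban-regex /home/vaultwarden/vaultwarden/bitwarden/vaultwarden.log /etc/fail2ban/filter.d/vaultwarden.local` runs the real filter against the real log.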


HTTP Basic Authentication

More information about HTTP Basic Authentication