# Bitwarden_rs in docker
###### guide by example
![logo](https://i.imgur.com/tT3FQLJ.png)
# Purpose & Overview
Password manager.
* [Official site](https://bitwarden.com/)
* [Github](https://github.com/dani-garcia/bitwarden_rs)
* [DockerHub](https://hub.docker.com/r/bitwardenrs/server)

Bitwarden is a modern, popular, open source password manager
with wide cross-platform support.

But the official Bitwarden server is a bit over-engineered,
requiring Microsoft SQL Server among other things,
which makes it not an ideal fit for smaller deployments.

So here is where Bitwarden_rs by Daniel García comes in.</br>
It is a Bitwarden API implementation written in Rust.
It's very resource efficient, uses about 10MB of RAM,
and close to no CPU.</br>
The web app part is built using Rocket, a web framework for Rust,
and user data are stored in a simple sqlite database file.
All the client apps are still the official ones from Bitwarden,
only the server is a different implementation.
# Files and directory structure

```
/home/
└── ~/
    └── docker/
        └── bitwarden/
            ├── bitwarden-data/
            ├── .env
            ├── docker-compose.yml
            └── bitwarden-backup-script.sh
```

* `bitwarden-data/` - a directory where bitwarden will store its database and other data
* `.env` - a file containing environment variables for docker compose
* `docker-compose.yml` - a docker compose file, telling docker how to build the bitwarden container
* `bitwarden-backup-script.sh` - a backup script if you want it

You only need to provide the files.</br>
The directory is created by docker compose on the first run.
# docker-compose

[Documentation](https://github.com/dani-garcia/bitwarden_rs/wiki/Using-Docker-Compose) on compose.

`docker-compose.yml`
```yml
version: "3"
services:
  bitwarden:
    image: bitwardenrs/server
    container_name: bitwarden
    hostname: bitwarden
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./bitwarden-data/:/data/

networks:
  default:
    external:
      name: $DEFAULT_NETWORK
```

`.env`
```bash
# GENERAL
MY_DOMAIN=blabla.org
DEFAULT_NETWORK=caddy_net
TZ=Europe/Bratislava

# BITWARDEN
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
SIGNUPS_ALLOWED=false
WEBSOCKET_ENABLED=true

# USING SENDGRID FOR SENDING EMAILS
DOMAIN=https://passwd.blabla.org
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=465
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.MOQQegA3bgfodRN4IG2Wqwe.s23Ld4odqhOQQegf4466A4
SMTP_FROM=admin@blabla.org
```

**All containers must be on the same network**.</br>
If one does not exist yet: `docker network create caddy_net`
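
To check that a `.env` file actually carries the settings used above before bringing the container up (sign-ups off, a long `ADMIN_TOKEN`, an https `DOMAIN`, TLS to the SMTP server), here is an added example that is not part of this guide or of bitwarden_rs. The sample `.env` contents are constructed and the minimum token length is an assumed threshold.

```python
# Added example, not from the guide: flag weak settings in a bitwarden_rs .env
# file. It checks the settings the guide sets (SIGNUPS_ALLOWED, ADMIN_TOKEN,
# DOMAIN, SMTP_SSL); the sample file contents are constructed.

WEAK_ENV = """\
# BITWARDEN
ADMIN_TOKEN=admin
SIGNUPS_ALLOWED=true
DOMAIN=http://passwd.blabla.org
SMTP_SSL=false
SMTP_HOST=smtp.sendgrid.net
"""

HARDENED_ENV = """\
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
SIGNUPS_ALLOWED=false
DOMAIN=https://passwd.blabla.org
SMTP_SSL=true
SMTP_HOST=smtp.sendgrid.net
"""


def parse_env(text):
    """Parse KEY=VALUE lines the way docker compose reads .env; skip comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("'\"")
    return env


def check_env(text, min_token_len=32):
    """Return a list of findings; an empty list means nothing to fix."""
    env = parse_env(text)
    findings = []
    # bitwarden_rs allows sign-ups unless SIGNUPS_ALLOWED is explicitly false
    if env.get("SIGNUPS_ALLOWED", "true").lower() != "false":
        findings.append("SIGNUPS_ALLOWED: anyone who reaches the URL can register")
    if len(env.get("ADMIN_TOKEN", "")) < min_token_len:
        findings.append("ADMIN_TOKEN: missing or shorter than %d chars" % min_token_len)
    if not env.get("DOMAIN", "").startswith("https://"):
        findings.append("DOMAIN: must be the https:// URL the clients use")
    if "SMTP_HOST" in env and env.get("SMTP_SSL", "").lower() != "true":
        findings.append("SMTP_SSL: invites and other mail would go out unencrypted")
    return findings
```

Run `check_env(open(".env").read())` from the `bitwarden` directory; the weak sample above yields four findings, the hardened one none.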
# Reverse proxy
Caddy v2 is used, details
[here](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/caddy_v2).</br>
Bitwarden_rs documentation has a
[section on reverse proxy.](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples)

`Caddyfile`
```
passwd.{$MY_DOMAIN} {
    header / {
        X-XSS-Protection "1; mode=block"
        X-Frame-Options "DENY"
        X-Robots-Tag "none"
        -Server
    }
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
```
# Forward port 3012 TCP on your router

[WebSocket](https://youtu.be/2Nt-ZrNP22A) protocol is used for notifications
so that all web based clients, including the desktop app,
can immediately sync when a change happens on the server.

* environment variable `WEBSOCKET_ENABLED=true` needs to be set in the `.env` file</br>
* reverse proxy needs to route `/notifications/hub` to port 3012</br>
* your router/firewall needs to **forward port 3012** to the docker host,
  same as ports 80 and 443 are forwarded

To test if websocket works, have the desktop app open
and make changes through the browser extension, or through the website.
Changes should immediately appear in the desktop app. If it's not working,
you need to manually sync for changes to appear.
# Extra info

**Bitwarden can be managed** at `<url>/admin` by entering the `ADMIN_TOKEN`
set in the `.env` file. Especially if sign-ups are disabled, it is the only way
to invite users.

**Push notifications** are not working at this moment, see the
[Github issue](https://github.com/dani-garcia/bitwarden_rs/issues/126).</br>
The purpose of [Push notifications](https://www.youtube.com/watch?v=8D1NAezC-Dk)
is the same as WebSocket notifications, to tell the clients that a change
happened on the server so that they are synced immediately.
But they are for apps on mobile devices, and it would likely take releasing and
maintaining a bitwarden_rs version of the Android/iOS mobile apps
to have them working.</br>
So on mobile you'd better manually sync before making changes.
---
![interface-pic](https://i.imgur.com/5LxEUsA.png)
# Update

* [watchtower](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/watchtower) updates the image automatically
* manual image update</br>
  `docker-compose pull`</br>
  `docker-compose up -d`</br>
  `docker image prune`
# Backup and restore

#### Backup
Using [borg](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup)
that makes a daily snapshot of the entire directory.

#### Restore
* down the bitwarden container `docker-compose down`</br>
* delete the entire bitwarden directory</br>
* from the backup copy back the bitwarden directory</br>
* start the container `docker-compose up -d`
# Backup of just user data

Daily export of user data, following the
[official procedure.](https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault)</br>
For bitwarden_rs it means an sqlite database dump and backing up the `attachments` directory.</br>
The daily [borg](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup) run
takes care of backing up the directory, so only the database dump is needed.</br>
The created backup sqlite3 file is overwritten on every run of the script,
but that's ok since borg is making daily snapshots.
#### Create a backup script
Placed inside the `bitwarden` directory on the host.

`bitwarden-backup-script.sh`
```bash
#!/bin/bash
# CREATE SQLITE BACKUP
# uses the sqlite3 binary inside the container; .backup uses the online backup API,
# so the copy is consistent even while the server is running
docker container exec bitwarden sqlite3 /data/db.sqlite3 ".backup '/data/BACKUP.bitwarden.db.sqlite3'"
```

The script must be **executable** - `chmod +x bitwarden-backup-script.sh`
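
An alternative to the one-line script above that runs on the host against the bind-mounted `bitwarden-data/` directory instead of through `docker exec`, as an added example that is neither the guide's nor bitwarden_rs's own code: it takes the same kind of online backup and verifies the copy before the previous backup file is overwritten. `DATA_DIR` is an assumed path, and `demo()` runs the routine on a constructed throwaway database.

```python
# Added example, not the guide's script: the same consistent online backup of
# db.sqlite3 as the guide's `sqlite3 ... ".backup"` one-liner, but run on the
# host and verified before the old backup is replaced. DATA_DIR is assumed.
import os
import sqlite3                  # Connection.backup() needs Python 3.7+
import tempfile
from contextlib import closing

DATA_DIR = "./bitwarden-data"   # host side of the ./bitwarden-data/:/data/ volume
SRC_DB = os.path.join(DATA_DIR, "db.sqlite3")
DST_DB = os.path.join(DATA_DIR, "BACKUP.bitwarden.db.sqlite3")


def backup_sqlite(src, dst):
    """Copy a live SQLite database with the online backup API (consistent even
    while bitwarden_rs is writing), verify the copy, then move it into place.
    Returns (integrity_check result, number of tables in the copy)."""
    if not os.path.exists(src):         # connect() would silently create an empty db
        raise FileNotFoundError(src)
    tmp = dst + ".tmp"
    with closing(sqlite3.connect(src)) as conn, closing(sqlite3.connect(tmp)) as copy:
        conn.backup(copy)               # same API the CLI's .backup command uses
    with closing(sqlite3.connect(tmp)) as copy:
        status = copy.execute("PRAGMA integrity_check").fetchone()[0]
        tables = copy.execute(
            "SELECT count(*) FROM sqlite_master WHERE type = 'table'").fetchone()[0]
    if status != "ok":
        os.remove(tmp)                  # never replace a good backup with a bad one
        raise RuntimeError("integrity_check failed: " + status)
    os.replace(tmp, dst)                # atomic rename, so dst is always complete
    return status, tables


def demo():
    """Exercise backup_sqlite on a constructed throwaway database."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "db.sqlite3"), os.path.join(d, "BACKUP.db")
        with closing(sqlite3.connect(src)) as conn:
            conn.execute("CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT)")
            conn.execute("INSERT INTO users VALUES ('u1', 'admin@blabla.org')")
            conn.commit()
        status, tables = backup_sqlite(src, dst)
        with closing(sqlite3.connect(dst)) as copy:
            rows = copy.execute("SELECT count(*) FROM users").fetchone()[0]
    return status, tables, rows


if __name__ == "__main__":
    print(backup_sqlite(SRC_DB, DST_DB))
```

Like the guide's script it must run as a user that can read the root-owned data directory, so the same cron job setup applies.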
#### Cronjob

A cron job on the host runs the script periodically.

* `su` - switch to root
* `crontab -e` - add a new cron job</br>
* `0 21 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh`</br>
  runs it every day [at 21:00](https://crontab.guru/#0_21_*_*_*)
* `crontab -l` - list cronjobs to check
# Restore the user data

Assuming a clean start.

* start the bitwarden container: `docker-compose up -d`
* let it run so it creates its file structure
* down the container `docker-compose down`
* in `bitwarden/bitwarden-data/`</br>
  replace `db.sqlite3` with the backup one `BACKUP.bitwarden.db.sqlite3`</br>
  replace the `attachments` directory with the one from the borg repository
* start the container `docker-compose up -d`
Again, the above steps are based on the
[official procedure.](https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault)