# Bitwarden_rs in docker ###### guide by example ![logo](https://i.imgur.com/tT3FQLJ.png) ## Purpose Password manager. RS version is simpler and lighter than the official bitwarden. * [Official site](https://bitwarden.com/) * [Github](https://github.com/dani-garcia/bitwarden_rs) * [DockerHub](https://hub.docker.com/r/bitwardenrs/server) ## Files and directory structure ``` /home └── ~ └── docker └── bitwarden ├── 🗁 bitwarden-data ├── 🗋 .env ├── 🗋 docker-compose.yml └── 🗋 bitwarden-backup-script.sh ``` ## docker-compose [Documentation](https://github.com/dani-garcia/bitwarden_rs/wiki/Using-Docker-Compose) on compose. `docker-compose.yml` ``` version: "3" services: bitwarden: image: bitwardenrs/server hostname: bitwarden container_name: bitwarden restart: unless-stopped env_file: .env volumes: - ./bitwarden-data/:/data/ networks: default: external: name: $DEFAULT_NETWORK ``` `.env` ``` # GENERAL MY_DOMAIN=blabla.org DEFAULT_NETWORK=caddy_net TZ=Europe/Prague # BITWARDEN ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9 SIGNUPS_ALLOWED=false WEBSOCKET_ENABLED=true # USING SENDGRID FOR SENDING EMAILS DOMAIN=https://passwd.blabla.org SMTP_SSL=true SMTP_EXPLICIT_TLS=true SMTP_HOST=smtp.sendgrid.net SMTP_PORT=465 SMTP_USERNAME=apikey SMTP_PASSWORD=SG.MOQQegA3bgfodRN4IG2Wqwe.s23Ld4odqhOQQegf4466A4 SMTP_FROM=admin@blabla.org ``` **All containers must be on the same network**.
If one does not exist yet: `docker network create caddy_net` ## Reverse proxy Caddy v2 is used, details [here.](https://github.com/DoTheEvo/Caddy-v2-docker-example-setup)
Bitwarden_rs documentation has a [section on reverse proxy.](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples) `Caddyfile` ``` { # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory } passwd.{$MY_DOMAIN} { header / { X-XSS-Protection "1; mode=block" X-Frame-Options "DENY" X-Robots-Tag "none" -Server } encode gzip reverse_proxy /notifications/hub/negotiate bitwarden:80 reverse_proxy /notifications/hub bitwarden:3012 reverse_proxy bitwarden:80 } ``` ## Forward port 3012 TCP on your router [WebSocket](https://youtu.be/2Nt-ZrNP22A) protocol is used for notifications, so that all web based clients can immediatly sync when a change happens on server. Enviromental variable `WEBSOCKET_ENABLED=true` needs to be set.
Reverse proxy needs to route `/notifications/hub` to port 3012.
Router needs to **forward port 3012** to docker host, same as port 80 and 443 are forwarded. To test if websocket works, have the desktop app open and make changes through browser extension, or through the website. Changes should immediatly appear in the desktop app. If it is not working, you need to manually sync for changes to appear. ## Extra info **bitwarden can be managed** at `/admin` and entering `ADMIN_TOKEN` set in the `.env` file. Especially if signups are disabled it is the only way to invite users. --- ![interface-pic](https://i.imgur.com/5LxEUsA.png) ## Update * [watchtower](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/watchtower) updates the image automaticly * manual image update
`docker-compose pull`
`docker-compose up -d`
`docker image prune` ## Backup and restore * **backup** using [borgbackup setup](https://github.com/DoTheEvo/selfhosted-apps-docker/tree/master/borg_backup) that makes daily snapshot of the entire directory * **restore**
down the bitwarden container `docker-compose down`
delete the entire bitwarden directory
from the backup copy back the bitwarden directortory
start the container `docker-compose up -d` ## Backup of just user data user-data daily export using the [official procedure.](https://github.com/dani-garcia/bitwarden_rs/wiki/Backing-up-your-vault)
For bitwarden_rs it means sqlite database dump and backing up `attachments` directory. The created backup files are overwriten on every run of the script, but borg backup is daily making snapshot of the entire directory. * **create a backup script**
placed inside `bitwarden` directory on the host `bitwarden-backup-script.sh` ``` #!/bin/bash # CREATE SQLITE BACKUP docker container exec bitwarden sqlite3 /data/db.sqlite3 ".backup '/data/BACKUP.bitwarden.db.sqlite3'" # BACKUP ATTACHMENTS docker container exec bitwarden tar -czPf /data/BACKUP.attachments.tar.gz /data/attachments ``` the script must be **executabe** - `chmod +x bitwarden-backup-script.sh` * **cronjob** on the host
`crontab -e` - add new cron job
`0 2 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh` - run it [at 02:00](https://crontab.guru/#0_2_*_*_*)
`crontab -l` - list cronjobs ## Restore the user data Assuming clean start. * start the bitwarden container: `docker-compose up -d` * let it run so it creates its file structure * down the container `docker-compose down` * in `bitwarden/bitwarden-data/`
replace `db.sqlite3` with the backup one `BACKUP.bitwarden.db.sqlite3`
replace `attachments` directory with the one from the archive `BACKUP.attachments.tar.gz` * start the container `docker-compose up -d`