Bitwarden_rs in docker
guide by example
Purpose
Password manager. RS version is simpler and lighter than the official bitwarden.
Files and directory structure
/home
└── ~
    └── docker
        └── bitwarden
            ├── 🗁 bitwarden-data
            ├── 🗋 .env
            ├── 🗋 docker-compose.yml
            └── 🗋 bitwarden-backup-script.sh
docker-compose
Documentation on compose.
docker-compose.yml
version: "3"
services:
  bitwarden:
    image: bitwardenrs/server
    hostname: bitwarden
    container_name: bitwarden
    restart: unless-stopped
    volumes:
      - ./bitwarden-data/:/data/
    environment:
      - TZ
      - ADMIN_TOKEN
      - DOMAIN
      - SIGNUPS_ALLOWED
      - SMTP_SSL
      - SMTP_EXPLICIT_TLS
      - SMTP_HOST
      - SMTP_PORT
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - SMTP_FROM
networks:
  default:
    external:
      name: $DEFAULT_NETWORK
.env
# GENERAL
MY_DOMAIN=blabla.org
DEFAULT_NETWORK=caddy_net
TZ=Europe/Prague
# BITWARDEN
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
SIGNUPS_ALLOWED=true
# USING SENDGRID FOR SENDING EMAILS
DOMAIN=https://passwd.blabla.org
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=465
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.MOQQegA3bgfodRN4IG2Wqwe.s23Ld4odqhOQQegf4466A4
SMTP_FROM=admin@blabla.org
Reverse proxy
Caddy v2 is used, details here.
Bitwarden_rs documentation has a section on reverse proxy.
Caddyfile
{
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
passwd.{$MY_DOMAIN} {
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
Forward port 3012 on your router
- websocket protocol used for some kind of notifications
Extra info
- bitwarden can be managed at <url>/admin by entering the ADMIN_TOKEN set in the .env file
Update
- watchtower updates the image automatically
- manual image update
  docker-compose pull
  docker-compose up -d
  docker image prune
Backup and restore
- backup using borgbackup setup that makes daily snapshot of the entire directory
- restore
  - down the bitwarden container: docker-compose down
  - delete the entire bitwarden directory
  - from the backup copy back the bitwarden directory
  - start the container: docker-compose up -d
Backup of just user data
For additional peace of mind, there is also a daily export of the user data using the official procedure.
For bitwarden_rs this means an sqlite database dump and backing up the attachments directory.
The created backup files are overwritten on every run of the script,
but borg backup makes a daily snapshot of the entire directory.
- create a backup script
  placed inside the bitwarden directory on the host
  bitwarden-backup-script.sh
#!/bin/bash
# CREATE SQLITE BACKUP
docker container exec bitwarden sqlite3 /data/db.sqlite3 ".backup '/data/BACKUP.bitwarden.db.sqlite3'"
# BACKUP ATTACHMENTS
docker container exec bitwarden tar -czPf /data/BACKUP.attachments.tar.gz /data/attachments
  the script must be executable - chmod +x bitwarden-backup-script.sh
- cronjob on the host
  crontab -e - add new cron job
  0 2 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh - run it at 02:00
  crontab -l - list cronjobs
Restore the user data
Assuming clean start.
- start the bitwarden container: docker-compose up -d
- let it run so it creates its file structure
- down the container: docker-compose down
- in bitwarden/bitwarden-data/
  - replace db.sqlite3 with the one from the backup BACKUP.bitwarden.db.sqlite3
  - replace attachments directory with the one from the archive BACKUP.attachments.tar.gz
- start the container: docker-compose up -d
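The two file replacements from the restore steps above, scripted. This is an added example, not part of the original guide: the function name restore_user_data and its two directory arguments are assumptions, and GNU tar is assumed. It covers two things the steps leave implicit: stale SQLite -wal/-shm files from the fresh start, and the absolute member names that tar -P wrote into the attachments archive.

```bash
#!/bin/bash
# Added example (not from the original guide).
# Usage: <this script> <backup-dir> <bitwarden-data-dir>
# Run it only while the container is down (docker-compose down).

restore_user_data() {
    local backup_dir="$1" data_dir="$2"
    local db_backup="$backup_dir/BACKUP.bitwarden.db.sqlite3"
    local att_backup="$backup_dir/BACKUP.attachments.tar.gz"

    # Touch nothing unless both backups are present and the archive is readable.
    [ -s "$db_backup" ] || { echo "missing $db_backup" >&2; return 1; }
    tar -tzf "$att_backup" >/dev/null 2>&1 || { echo "unreadable $att_backup" >&2; return 1; }
    [ -d "$data_dir" ] || { echo "missing $data_dir" >&2; return 1; }

    # Replace the database. The -wal/-shm sidecar files left by the fresh start
    # belong to the old database and must not be replayed against the restored one.
    rm -f "$data_dir/db.sqlite3-wal" "$data_dir/db.sqlite3-shm"
    cp "$db_backup" "$data_dir/db.sqlite3" || return 1

    # Replace attachments. The backup script used -P, so members are named
    # /data/attachments/...; --strip-components=1 drops "data/" and -C keeps
    # the extraction inside the data directory instead of /data on the host.
    rm -rf "$data_dir/attachments"
    tar -xzf "$att_backup" -C "$data_dir" --strip-components=1 || return 1
}

# Only act when called with both directories.
if [ "$#" -eq 2 ]; then
    restore_user_data "$1" "$2"
fi
```

Run it between docker-compose down and the final docker-compose up -d, with the backup files copied out of a borg snapshot into the backup directory.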