Bitwarden_rs in docker
guide by example
Purpose
Password manager. The RS version is simpler and lighter than the official Bitwarden.
Files and directory structure
/home
└── ~
    └── docker
        └── bitwarden
            ├── 🗁 bitwarden-backup
            ├── 🗁 bitwarden-data
            ├── 🗋 .env
            ├── 🗋 docker-compose.yml
            └── 🗋 bitwarden-backup-script.sh
docker-compose
Documentation on compose.
docker-compose.yml
version: "3"
services:

  bitwarden:
    image: bitwardenrs/server
    hostname: bitwarden
    container_name: bitwarden
    restart: unless-stopped
    volumes:
      - ./bitwarden-data/:/data/
    environment:
      - TZ
      - ADMIN_TOKEN
      - DOMAIN
      - SIGNUPS_ALLOWED
      - SMTP_SSL
      - SMTP_EXPLICIT_TLS
      - SMTP_HOST
      - SMTP_PORT
      - SMTP_USERNAME
      - SMTP_PASSWORD
      - SMTP_FROM

networks:
  default:
    external:
      name: $DEFAULT_NETWORK
.env
# GENERAL
MY_DOMAIN=blabla.org
DEFAULT_NETWORK=caddy_net
TZ=Europe/Prague
# BITWARDEN
ADMIN_TOKEN=YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9
DOMAIN=https://passwd.blabla.org
SIGNUPS_ALLOWED=true
# USING SENDGRID FOR SENDING EMAILS
SMTP_SSL=true
SMTP_EXPLICIT_TLS=true
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=465
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.MOQQegA3bgfodRN4IG2Wqwe.s23Ld4odqhOQQegf4466A4
SMTP_FROM=admin@blabla.org
Reverse proxy
Caddy v2 is used, details here.
Bitwarden_rs documentation has a section on reverse proxy.
Caddyfile
{
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

passwd.{$MY_DOMAIN} {
    encode gzip
    reverse_proxy /notifications/hub/negotiate bitwarden:80
    reverse_proxy /notifications/hub bitwarden:3012
    reverse_proxy bitwarden:80
}
Forward port 3012 on your router
- websocket protocol used for some kind of notifications
Extra info
- bitwarden can be managed at passwd.blabla.org/admin by entering the ADMIN_TOKEN set in the .env file
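A pre-start check of the .env file shown above, as an added example that is not part of the original guide: it flags the settings that decide who can open the admin page, who can register, and whether mail leaves encrypted. The function names, the 32-character token minimum and the finding texts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the bitwarden_rs .env before `docker-compose up -d`.
# The 32-character minimum is an assumed threshold, not a project rule.

# Sample token printed in this guide; a deployed token must differ from it.
GUIDE_TOKEN='YdLo1TM4MYEQ948GOVZ29IF4fABSrZMpk9'

# env_get FILE KEY: print the value of KEY (last assignment wins).
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_env FILE: print one finding per line, nothing if all checks pass.
audit_env() {
    f=$1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "PERMS: $f is accessible beyond its owner, use chmod 600"

    token=$(env_get "$f" ADMIN_TOKEN)
    if [ "$token" = "$GUIDE_TOKEN" ]; then
        echo "ADMIN_TOKEN: copied from the guide, generate a new one"
    elif [ -n "$token" ] && [ "${#token}" -lt 32 ]; then
        echo "ADMIN_TOKEN: shorter than 32 characters"
    fi

    case $(env_get "$f" DOMAIN) in
        https://*) ;;
        *) echo "DOMAIN: unset or not an https:// URL" ;;
    esac

    [ "$(env_get "$f" SIGNUPS_ALLOWED)" != "true" ] ||
        echo "SIGNUPS_ALLOWED: registration is open, set to false once accounts exist"

    [ "$(env_get "$f" SMTP_SSL)" != "false" ] ||
        echo "SMTP_SSL: mail transport encryption is switched off"
    return 0
}

# Stand-alone use: sh audit-env.sh ./.env
[ "$#" -eq 0 ] || audit_env "$1"
```

An empty ADMIN_TOKEN is not reported because bitwarden_rs disables the admin page when no token is set.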
Update
- watchtower updates the image automatically
- manual image update
  docker-compose pull
  docker-compose up -d
  docker image prune
Backup and restore
- backup using a borgbackup setup that makes a daily backup of the entire directory
- restore
  - down the bitwarden container: docker-compose down
  - delete the entire bitwarden directory
  - copy the bitwarden directory back from the backup
  - start the container: docker-compose up -d
Backup of just user data
For additional peace of mind, user data is also exported daily using the official procedure.
For bitwarden_rs this means an sqlite database dump and the content of the attachments folder.
The backup files are overwritten on every run of the script,
but borg backup is backing up the entire directory into snapshots daily, so there is no need for any keeping-last-X consideration.
- install sqlite on the host system
- create backup script
  placed inside the bitwarden directory on the host

bitwarden-backup-script.sh

#!/bin/sh

# GO IN TO THE DIRECTORY WHERE THIS SCRIPT RESIDES, STOP IF THAT FAILS
cd "${0%/*}" || exit 1

# CREATE BACKUP DIRECTORY IF IT DOES NOT EXIST
mkdir -p ./bitwarden-backup

# CREATE SQLITE BACKUP INSIDE THE BACKUP DIRECTORY CREATED ABOVE
sqlite3 ./bitwarden-data/db.sqlite3 ".backup './bitwarden-backup/bitwarden-BACKUP.db.sqlite3'"

# BACKUP ATTACHMENTS
tar -czvf ./bitwarden-backup/attachments.tar.gz ./bitwarden-data/attachments

  the script must be executable - chmod +x bitwarden-backup-script.sh
- cronjob on the host
  crontab -e - add new cron job
  0 2 * * * /home/bastard/docker/bitwarden/bitwarden-backup-script.sh - run it at 02:00
  crontab -l - list cronjobs
Restore the user data
- down the container: docker-compose down
- replace db.sqlite3 with the one from the backup
- replace attachments folder with the one from the backup
- start the container: docker-compose up -d