Compile vaultwarden from source with mysql support
I did a massive bitwarden_rs to vaultwarden rename, so you might have to do things a little differently than what this says!!
Here is how to install vaultwarden on Debian 10 with MYSQL support⌗
Below I describe how to install and configure vaultwarden to work with MYSQL without the need for Docker.
Install required software⌗
Not everything below is required, but I like to install it anyway⌗
apt install -y tmux
tmux
apt install -y build-essential git pkg-config libssl-dev libmariadb-dev-compat libmariadb-dev htop curl wget
Install Rust⌗
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Choose 1) Proceed with installation (default)
To configure your current shell, run the following or disconnect then reconnect to the SSH session
source $HOME/.cargo/env
Install Node⌗
mkdir /opt/node
cd /opt/node
wget https://nodejs.org/dist/latest-v11.x/node-v11.15.0-linux-x64.tar.xz
tar xJvf node-v11.15.0-linux-x64.tar.xz
ln -s /opt/node/node-v11.15.0-linux-x64 /opt/node/current
for f in /opt/node/current/bin/*; do ln -s "$f" /usr/sbin/; done
Compile with MYSQL Backend⌗
mkdir /opt/vaultwarden
cd /opt/vaultwarden
wget https://github.com/dani-garcia/vaultwarden/archive/1.19.0.tar.gz
tar xzvf 1.19.0.tar.gz
cd vaultwarden-1.19.0
cargo build --features mysql --release
This puts the compiled binary at target/release/vaultwarden
Now it’s time for the web vault⌗
cd target/release
wget https://github.com/dani-garcia/bw_web_builds/releases/download/v2.18.1/bw_web_v2.18.1.tar.gz
tar xzvf bw_web_v2.18.1.tar.gz
The build is now complete; you should be good to copy /opt/vaultwarden/vaultwarden-1.19.0/target/release to wherever you want to run it.
Now it’s time to configure the systemd unit⌗
nano /etc/systemd/system/vaultwarden.service
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/vaultwarden
After=network.target mariadb.service
Requires=mariadb.service
[Service]
# The user/group vaultwarden runs as. The working directory (see below) must be readable and writable by this user/group
User=bitwarden
Group=bitwarden
# The location of the .env file for configuration
EnvironmentFile=/home/bitwarden/vault.domain.com/.env
# The location of the compiled binary
ExecStart=/home/bitwarden/vault.domain.com/vaultwarden
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate vaultwarden from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory=/home/bitwarden/vault.domain.com/
ReadWritePaths=/home/bitwarden/vault.domain.com/
[Install]
WantedBy=multi-user.target
Now we will start the daemon⌗
systemctl daemon-reload
systemctl enable vaultwarden --now
NGiNX Block⌗
nano /etc/nginx/conf.d/vault.domain.com
server {
listen 80;
server_name vault.domain.com;
return 301 https://vault.domain.com$request_uri;
}
server {
listen 443 ssl http2;
server_name vault.domain.com;
ssl_certificate /etc/nginx/ssl/vault.domain.com/fullchain-crt;
ssl_certificate_key /etc/nginx/ssl/vault.domain.com/key;
error_log /var/log/nginx/vault.domain.com_error.log;
access_log /var/log/nginx/vault.domain.com_access.log;
# Allow large attachments
client_max_body_size 128M;
location / {
proxy_pass http://127.0.0.1:4756;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /notifications/hub {
proxy_pass http://127.0.0.1:3658;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:4756;
}
# Optionally add extra authentication besides the AUTH_TOKEN
# If you don't want this, leave this part out
location /admin {
# See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
auth_basic "Private";
auth_basic_user_file /etc/nginx/passwd/bwAdmin;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:4756;
}
}
Now configure .env file⌗
nano /home/bitwarden/vault.domain.com/.env
DATABASE_URL='mysql://vaultusername:sqlpasswd@localhost:3306/dbName'
#ADMIN_TOKEN='supersecret'
#DOMAIN='https://vault.domain.com'
#SMTP_HOST=mx.domain.com
#[email protected]
#SMTP_PORT=587
#SMTP_SSL=true
#[email protected]
#SMTP_PASSWORD='smtp_passwd'
ROCKET_ADDRESS=127.0.0.1
ROCKET_PORT=4756
WEBSOCKET_ENABLED=true
WEBSOCKET_PORT=3658
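The .env above carries the database password and, once uncommented, the admin token, and it is what keeps the backend on loopback behind nginx. The script below is an added example, not part of the original guide or of vaultwarden: it audits such a file for loose permissions, a non-loopback ROCKET_ADDRESS, the sample credentials from this page, and a non-HTTPS DOMAIN. The function names and the 32-character token minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a vaultwarden .env file.
# Usage: sh audit_env.sh /home/bitwarden/vault.domain.com/.env

# env_value FILE KEY: last uncommented KEY=value in FILE, outer quotes stripped.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# flag MESSAGE: print one finding and count it.
flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_env FILE: returns 0 when nothing is flagged, 1 otherwise, 2 if unreadable.
audit_env() {
    findings=0
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, as shipped on Debian

    # The file holds the DB password and the admin token: owner-only access.
    case $mode in
        *00) ;;
        *) flag "mode $mode exposes secrets to group/other (use chmod 600)" ;;
    esac

    # nginx is the only intended entry point, so the backend stays on loopback.
    case $(env_value "$1" ROCKET_ADDRESS) in
        127.0.0.1|::1|localhost) ;;
        *) flag "ROCKET_ADDRESS is not pinned to loopback" ;;
    esac

    # Placeholder credentials copied from the guide must be replaced.
    dbpass=$(env_value "$1" DATABASE_URL | sed -n 's#^mysql://[^:]*:\([^@]*\)@.*#\1#p')
    [ "$dbpass" != "sqlpasswd" ] || flag "DATABASE_URL still uses the sample password"

    # ADMIN_TOKEN unset leaves /admin disabled; if set, require a long random value.
    # The 32-character minimum is this example's assumption, not a vaultwarden rule.
    token=$(env_value "$1" ADMIN_TOKEN)
    if [ -n "$token" ] && { [ "$token" = "supersecret" ] || [ ${#token} -lt 32 ]; }; then
        flag "ADMIN_TOKEN is the sample value or shorter than 32 characters"
    fi

    case $(env_value "$1" DOMAIN) in
        ''|https://*) ;;
        *) flag "DOMAIN is not an https:// URL" ;;
    esac
    [ "$findings" -eq 0 ]
}

[ $# -eq 0 ] || audit_env "$1"
```

Run it as root or as the bitwarden user so that the file is readable; a non-zero exit status means at least one finding was printed.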
As always, this isn’t a 100% start-to-finish guide; it is more of a template for some of the things that I would otherwise forget how to do.⌗
Portwarden is great for backing up and restoring bitwarden/vaultwarden with attachments.
Below is a quick rundown from their page on how to use it:
# If you are running self hosted instance, execute `bw config server https://MYSERVER.COM`
portwarden --passphrase 1234 --filename backup.portwarden encrypt
portwarden --passphrase 1234 --filename backup.portwarden decrypt
# RESTORE IS EXPERIMENTAL!! YOU MAY LOSE YOUR DATA
# IF YOU RESTORE TO YOUR MAIN ACCOUNT
# PLEASE MAKE SURE YOU KNOW WHAT YOU ARE DOING
# Please use a **spare** account for restoring backup
# Portwarden doesn't handle conflicts therefore a
# separate account is needed
# In fact we set up a check to make sure the account you
# are restoring to does not have any data in it
portwarden --passphrase 1234 --filename backup.portwarden restore