BitWarden - self hosted password manager using vaultwarden/server image

Rusty (Moderator)
I have one question:
What exactly should I do to have my data stored in that local "/data" subfolder? I configured it as you described (the only difference: I did not name it /data, instead I used /mydata), but in File Station under docker/bitwarden I cannot see any subfolder or data files...
Thank you.
As @jphermans said, be sure not to change the /data folder to the right of the ":"
That's the value of the folder inside the container that's actually holding the data. So change only the left side (your host side) location.
 
Hi, thank you. I changed the right-hand side back to /data, and I now see some data files (db.sqlite3, rsa_key etc.) there via File Station.
But now I have a problem: when I try to log in to my bitwarden, it says "Error, username or password is incorrect. Try again."
Do you have any advice on how to correct it? (Thankfully, at the same time I also had another web browser open, so, just in case I would need it, I made an export of my vault...)
 

Rusty (Moderator)
The reason at this point might be that you have now "lost" the DB due to the change you made regarding /data. As you said, you can now see the data inside your FS in the path that you have mapped. If you have it all exported, my suggestion would be to nuke this installation and redo it, considering that authentication with your current account is not working.

One thing you could do is map your BW back to the initial directory to avoid this, but in that case any further updates of this image/container might break it again (considering that the image is using /data as the destination for the DB to begin with).

So, to recap: export the data, nuke the container and recreate it (with the correct mappings), then import your data back in.
 
OK, I'll recreate it again from scratch.
By the way, as I plan for my family (wife, son) to use bitwarden later as well (all of them just regular users, not admins, with some more specific permissions allowed), should I create more folders, I mean a separate folder for every user, and add these folders in the container settings under the Volume section? Or how should it be configured for multi-user use? Are there some bitwarden-specific settings to achieve the proper scenario (every user should have access to his vault via the bitwarden UI, but should not be able to destroy/delete other users' vaults)?
 

Rusty (Moderator)
I mean a separate folder for every user, and add these folders in the container settings under the Volume section?
No need for this.
Are there some bitwarden-specific settings to achieve the proper scenario (every user should have access to his vault via the bitwarden UI, but should not be able to destroy/delete other users' vaults)?
By default, BW is a password "server" platform, meaning that multiple users can use the same server while being "sandboxed" by default. So no matter how many permissions you have, you will not see other vaults/users on the same server.
Personally, my server is used by multiple users and I have zero knowledge of their vaults or any items in them.
So, by default, this platform is multi-user ready.
 
Thanks a lot Rusty, it's working like a charm: web/mac/iOS, including the Let's Encrypt cert…
Before switching over I will test a little more. A few questions that came up in the meantime:
  • How can you trust this image, as it's developed by one single person and is not the official version?
    No installation id or key; no audit?
  • How do you know he keeps patching CVEs? (or doesn't even do harm)
  • If your BW is open to the web (for using apps), how do you restrict unauthorized account creation?
  • Is there a server management UI (does it support sending notification mails etc.)?
Sorry for bothering, great tutorial!
thanks a lot,
paradeiser
 

Rusty (Moderator)
All valid questions. Considering I use it as a personal platform, I choose to trust it. The main thing for me is that it's in active development and support. If this is something that needs to be pushed as an alternative in a business setup, I would ofc recommend using the official version.

In the full-featured version these features are usually activated using the global.override.env file, which can be modified. In that file you can place SMTP settings as well as the option to open or close signups.

If your BW is open to the web (for using apps), how do you restrict unauthorized account creation?
I have signups closed (and open them up only when I want to allow someone to create an account, then close them again) using this environment variable: -e SIGNUPS_ALLOWED=false
Be sure to restart the BW docker container after this. Also, this will not remove the "create" button on the main page, but when someone tries to create an account this warning will pop up:

Is there a server management UI (does it support sending notification mails etc.)?
Email notifications can be configured using these environment variables:
Code:
-e SMTP_HOST=<smtp.domain.tld> \
-e SMTP_FROM=<[email protected]> \
-e SMTP_PORT=587 \
-e SMTP_SSL=true \
-e SMTP_USERNAME=<username> \
-e SMTP_PASSWORD=<password> \
More info on this - dani-garcia/bitwarden_rs

These SMTP settings can also be set using the *.env file in the full BW installation.

UPDATE: I have added the signup variable method to the initial resource.
 
I have signups closed (and open them up only when I want to allow someone to create an account, then close them again) using this environment variable: -e SIGNUPS_ALLOWED=false
So I can add this via the Environment tab in Advanced settings like this: SIGNUPS_ALLOWED as the variable and false as the value?
 

Rusty (Moderator)
So I can add this via the Environment tab in Advanced settings like this: SIGNUPS_ALLOWED as the variable and false as the value?
Correct. I have added this to the resource as well, as a note.
 
Added, and my Bitwarden is now a bit more secure. Thanks!
 
Thank you for the detailed guide. My question now is how to back up your vault? Do I only need to back up the /data folder somewhere else?
 
Email notifications can be configured using these environment variables:
Don't ask me why, but for me it only worked after dropping the lines
SMTP_PORT
SMTP_SSL
When using the default values (587 / true) it didn't work.

And you might want to add:
DOMAIN=https://vault.example.com

so your emails also show the correct links and images etc.

PS: You can leave "SIGNUPS_ALLOWED : false" in place after you have created your first account, because invites still work when it is set to "false".
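The variables discussed across this thread (SIGNUPS_ALLOWED, the SMTP_* set, DOMAIN, and the token that enables the admin page) pulled together as one added example, not code from the thread or from the vaultwarden project: a POSIX shell script that checks the values against the advice given here before the container is started, then prints the resulting docker run command as a dry run. Assumptions: the admin page is enabled by an ADMIN_TOKEN variable (the thread does not name it), the host path /volume1/docker/bitwarden and host port 8080 are placeholders, and every SMTP value in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or the vaultwarden project.
# Checks the environment the thread discusses (SIGNUPS_ALLOWED, SMTP_*,
# DOMAIN and the admin-page token) before the container is started, then
# prints the docker run command as a dry run. Assumptions: ADMIN_TOKEN is the
# variable that enables /admin (the thread does not name it); the host path
# /volume1/docker/bitwarden and port 8080 are placeholders.

# Reads DOMAIN, SIGNUPS_ALLOWED, SMTP_HOST, SMTP_FROM, SMTP_PASSWORD and
# ADMIN_TOKEN from the environment. Prints one line per problem and returns
# 1 if any were found, 0 otherwise.
vw_check_env() {
  vw_rc=0
  case "${DOMAIN:-}" in
    https://*) ;;
    "") echo "DOMAIN is unset: e-mail links will not point at your vault"; vw_rc=1 ;;
    *)  echo "DOMAIN must start with https:// (got ${DOMAIN})"; vw_rc=1 ;;
  esac
  # The thread's main hardening step: no open registration on an
  # Internet-facing server (invites keep working with signups off).
  if [ "${SIGNUPS_ALLOWED:-true}" != "false" ]; then
    echo "SIGNUPS_ALLOWED is not false: anyone reaching the server can register"; vw_rc=1
  fi
  if [ -n "${SMTP_HOST:-}" ]; then
    [ -n "${SMTP_FROM:-}" ] || { echo "SMTP_FROM is required when SMTP_HOST is set"; vw_rc=1; }
    [ -n "${SMTP_PASSWORD:-}" ] || { echo "SMTP_PASSWORD is empty"; vw_rc=1; }
  fi
  # The admin page must never be reachable over plain HTTP.
  if [ -n "${ADMIN_TOKEN:-}" ]; then
    case "${DOMAIN:-}" in
      https://*) ;;
      *) echo "ADMIN_TOKEN is set but DOMAIN is not an https URL: /admin would be served over plain HTTP"; vw_rc=1 ;;
    esac
  fi
  return $vw_rc
}

# Prints the docker run command built from the same variables; nothing is
# executed. Values passed with -e show up in `docker inspect`, so on a shared
# NAS keep SMTP_PASSWORD and ADMIN_TOKEN in an --env-file readable only by
# the account that runs docker.
vw_run_cmd() {
  vw_data=${1:-/volume1/docker/bitwarden}   # host side of the /data mapping
  vw_port=${2:-8080}                        # host port mapped to the container's 80
  printf 'docker run -d --name bitwarden --restart unless-stopped \\\n'
  printf '  -v %s:/data \\\n' "$vw_data"
  printf '  -p %s:80 \\\n' "$vw_port"
  printf '  -e DOMAIN=%s \\\n' "${DOMAIN:-}"
  printf '  -e SIGNUPS_ALLOWED=%s \\\n' "${SIGNUPS_ALLOWED:-false}"
  if [ -n "${SMTP_HOST:-}" ]; then
    printf '  -e SMTP_HOST=%s -e SMTP_FROM=%s -e SMTP_PORT=%s -e SMTP_SSL=%s \\\n' \
      "$SMTP_HOST" "${SMTP_FROM:-}" "${SMTP_PORT:-587}" "${SMTP_SSL:-true}"
    printf '  -e SMTP_USERNAME=%s -e SMTP_PASSWORD=%s \\\n' "${SMTP_USERNAME:-}" "${SMTP_PASSWORD:-}"
  fi
  if [ -n "${ADMIN_TOKEN:-}" ]; then
    printf '  -e ADMIN_TOKEN=%s \\\n' "$ADMIN_TOKEN"
  fi
  printf '  vaultwarden/server:latest\n'
}

# Stand-alone demo with constructed placeholder values: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  export DOMAIN=https://vault.example.com SIGNUPS_ALLOWED=false
  export SMTP_HOST=smtp.example.com SMTP_FROM=vault@example.com
  export SMTP_USERNAME=vault@example.com SMTP_PASSWORD=change-me
  vw_check_env && vw_run_cmd
fi
```

On DSM the same values go into the Environment tab of the container's Advanced settings, as the thread says; the check is worth running once from the command line before you type them in, because the two mistakes it catches (signups left open on an Internet-facing server, the admin page on a plain-http DOMAIN) are the ones this thread warns about.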
 

Rusty (Moderator)
Thank you for the detailed guide. My question now is how to back up your vault? Do I only need to back up the /data folder somewhere else?
Well, having your /data volume backed up will save your entire setup (all users and all of the vaults), but ofc if you want just your vault you can do it via your UI interface:

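For the backup question above, an added example that is not the thread's or the project's own code: a POSIX shell function that snapshots the host folder mapped to /data (db.sqlite3, rsa_key files, attachments, config.json) into a timestamped, owner-only tar.gz, verifies the archive, and a second function that keeps only the newest N copies. Assumptions: the directory paths are placeholders; if the sqlite3 command-line tool is present, the live db.sqlite3 is copied with its online backup command, otherwise the file is copied as-is (stop the container first in that case so the copy is consistent).

```shell
#!/bin/sh
# Added example, not code from the thread or the vaultwarden project.
# Archive the host directory mapped to the container's /data into a
# timestamped tar.gz and verify it. Assumptions: paths are placeholders;
# the sqlite3 CLI is optional (used for a consistent DB snapshot if present).

# backup_vault SRC_DIR DEST_DIR -> prints the archive path, returns 1 on failure
backup_vault() {
  bv_src=$1
  bv_dest=$2
  [ -d "$bv_src" ] || { echo "no such data dir: $bv_src" >&2; return 1; }
  mkdir -p "$bv_dest" || return 1
  bv_stage=$(mktemp -d) || return 1
  # Copy the whole tree first (modes preserved), then replace the copy of the
  # live SQLite file with an online snapshot when the sqlite3 CLI is available.
  cp -a "$bv_src/." "$bv_stage/" || return 1
  if command -v sqlite3 >/dev/null 2>&1 && [ -f "$bv_src/db.sqlite3" ]; then
    rm -f "$bv_stage/db.sqlite3"
    sqlite3 "$bv_src/db.sqlite3" ".backup '$bv_stage/db.sqlite3'" || return 1
  fi
  bv_out="$bv_dest/vaultwarden-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  # The archive holds every user's vault DB and the RSA keys: create it
  # owner-only (umask 077 -> mode 600) so a shared backup target can't read it.
  ( umask 077 && tar -czf "$bv_out" -C "$bv_stage" . ) || return 1
  rm -rf "$bv_stage"
  # Verify the archive is readable and actually contains the database.
  tar -tzf "$bv_out" | grep -q 'db.sqlite3$' \
    || { echo "archive missing db.sqlite3" >&2; return 1; }
  echo "$bv_out"
}

# prune_backups DEST_DIR KEEP -> delete all but the newest KEEP archives
prune_backups() {
  ls -1t "$1"/vaultwarden-*.tar.gz 2>/dev/null \
    | tail -n +"$(($2 + 1))" \
    | while IFS= read -r pb_old; do rm -f "$pb_old"; done
}

# Stand-alone use (placeholder paths):
#   sh this_script.sh /volume1/docker/bitwarden /volume1/backup/bitwarden 7
if [ $# -ge 2 ]; then
  backup_vault "$1" "$2" && prune_backups "$2" "${3:-7}"
fi
```

Run it from a scheduled task under the account that owns the docker share, and keep the destination outside the share that the thread later found to be world-readable; the archive is the entire server state, so it deserves at least the same protection as the /data folder itself. Restoring is the reverse: stop the container, extract the archive into the host folder mapped to /data, start the container.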
 
This setup looks very solid to me.
Now I just need a way to manage user accounts, e.g. to lock/delete accounts I want to close on my server.
Is there a way?
 

Rusty (Moderator)
Yes there is.

Have a look here: dani-garcia/bitwarden_rs

After you have set up the variable, access it via the https://your_bw_url/admin page.

Be sure NOT to use this on a non-https URL!
 
Another question about shared folder permissions:
I realized my /docker share is readable to any user. Everyone has "read only" rights.
Seems not "optimal" to me to have every user see my bitwarden container DB, icon previews and the config.json with plain-text passwords and tokens etc.

And I don't quite understand why: there is no specific setting for the /docker share in any of the control panels like "Group", "User" or "Shared folder" that makes it readable, hence imho the default should be "No access".
Still, when opening the settings for a specific user, it states under "Preview" and "Group Permissions": "Read only", but with no check mark.

Confusing… hope you got me.
 
What's stopping you from using Control Panel > Shared folders > docker > edit > permissions to tweak those permissions?
That's what I did. I just wanted to point out that you should check whether the config.json is readable to everyone by default.
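For the shared-folder point raised in the last two posts, an added example that is not from the thread or from DSM: a POSIX shell check that lists everything under the bitwarden data folder readable by "other" (db.sqlite3, config.json, icon cache, keys), and a helper that tightens the tree to owner-only. Assumptions: the folder path is a placeholder; the share-level ACL is still set in Control Panel as the reply says, and this only audits the POSIX mode bits, which is what matters for any account that gets SSH or another container's view of the volume.

```shell
#!/bin/sh
# Added example, not code from the thread or DSM. Reports files and
# directories under the bitwarden data folder that are readable by "other"
# users, and optionally locks the tree down. Assumption: the path is a
# placeholder for the host side of the /data mapping.

# world_readable DIR -> prints each world-readable path, returns 1 if any
# were found, 0 if the tree is clean, 2 if DIR does not exist.
world_readable() {
  wr_dir=$1
  [ -d "$wr_dir" ] || { echo "no such directory: $wr_dir" >&2; return 2; }
  # -perm -004: the "other read" bit is set (octal form works on GNU and BSD find)
  wr_found=$(find "$wr_dir" \( -type f -o -type d \) -perm -004 -print)
  if [ -n "$wr_found" ]; then
    printf '%s\n' "$wr_found"
    return 1
  fi
  return 0
}

# lock_down DIR -> owner-only access on the whole tree (dirs 700, files 600).
# The container keeps working because it runs as the owner of the volume.
lock_down() {
  find "$1" -type d -exec chmod 700 {} + \
    && find "$1" -type f -exec chmod 600 {} +
}

# Stand-alone use: sh this_script.sh /volume1/docker/bitwarden [--fix]
if [ -n "${1:-}" ]; then
  if world_readable "$1"; then
    echo "clean: nothing under $1 is readable by other users"
  elif [ "${2:-}" = "--fix" ]; then
    lock_down "$1" && echo "locked down $1"
  else
    echo "re-run with --fix to set owner-only permissions" >&2
  fi
fi
```

The thread's concern is config.json, which vaultwarden writes from the admin page and which carries the SMTP password and admin token in clear text; the database and RSA keys sit next to it, so the whole folder, not just that file, belongs in the owner-only category. After fixing the share ACL in Control Panel, running the check once more confirms the underlying mode bits agree with it.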
 
